Unsupervised Learning Newsletter No. 267

News & Analysis

I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I've found in the last week to around 50,000 people. It'll save you tons of time. 
 

STANDARD EDITION | Ep. 267 | February 8, 2021 

SECURITY NEWS

Supercookie is a crafty method for semi-persistently tracking web users even when they're trying to avoid it. It encodes an identifier in the browser's favicon cache (the "F-Cache"), which is kept separately from normal cookie storage and is not cleared along with cookies: the site redirects the browser through a series of subpaths and records which of them trigger a favicon.ico request. Code Paper
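To make the mechanism concrete, here is a simplified model of the favicon-cache channel written for this newsletter. It is an added example, not code from the Supercookie project or its paper: the browser's favicon cache is modeled as a set of paths that already have an icon, the tracking site owns subpaths /p0 .. /p7 plus a sentinel path /new, and the bit layout and names are assumptions for illustration. There is no real browser or network here.

```python
"""Simplified model of favicon-cache ("supercookie") fingerprinting.

Added example, not code from the Supercookie project or paper. The browser
requests /<path>/favicon.ico only when nothing is cached for <path>; that
request/no-request signal is the side channel. The favicon cache is modeled
as a set of paths, and the site owns subpaths /p0 .. /p(N-1) plus a sentinel
path /new. Subpath names, the bit layout and the ID counter are assumptions.
"""
from typing import Set, Tuple

N_BITS = 8
SENTINEL = "/new"  # an icon cached for this path marks a returning browser


class Tracker:
    """Server side: assigns an ID on first visit and reads it back later."""

    def __init__(self, n_bits: int = N_BITS) -> None:
        self.n_bits = n_bits
        self.next_id = 1

    def _paths(self):
        return [f"/p{i}" for i in range(self.n_bits)]

    def visit(self, favicon_cache: Set[str]) -> Tuple[bool, int]:
        """One page load. Returns (is_new_visitor, identifier)."""
        if SENTINEL not in favicon_cache:
            # First visit: the browser asked for /new/favicon.ico. Assign an
            # ID and write it by redirecting through every subpath, answering
            # 200 + icon for 1 bits (browser caches it) and 404 for 0 bits
            # (nothing cached).
            user_id = self.next_id
            self.next_id += 1
            favicon_cache.add(SENTINEL)
            for i, path in enumerate(self._paths()):
                if (user_id >> i) & 1:
                    favicon_cache.add(path)
            return True, user_id

        # Returning visit: redirect through the same subpaths and answer 404
        # to every favicon request. Paths the browser does NOT ask for are
        # already cached, i.e. they are the 1 bits.
        user_id = 0
        for i, path in enumerate(self._paths()):
            browser_requests_icon = path not in favicon_cache
            if not browser_requests_icon:
                user_id |= 1 << i
        return False, user_id


if __name__ == "__main__":
    tracker = Tracker()
    alice = set()  # Alice's favicon cache, empty on her first visit
    print(tracker.visit(alice))  # (True, 1): assigned and written
    print(tracker.visit(alice))  # (False, 1): read back without any cookie
```

Nothing in the read phase touches cookies, local storage or the site-data clearing most users reach for; in this model the only thing that resets the identifier is emptying `favicon_cache` itself, which is the point the paper makes about the real cache.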

The New York Times has a remarkable piece on how mobile phone app data can be used to track people through supposedly anonymous systems, resulting in the Times being able to quickly find over 2,000 actual individuals around the Capitol on January 6th who had their data associated with emails, birthdays, ethnicities, and other PII. Beyond the Capitol incident, this raises serious questions about the privacy implications of running multiple location-tracking apps on your phone combined with services like Cuebiq that use that data to make it easier to market to individuals. More Ad ID Tracking Flow

The former director of the National Counterintelligence and Security Center, Bill Evanina, says China is working to gather American DNA and health information, and that they already have the PII of 80% of American adults. Eighty Percent. More

Moody's says cyberinsurance prices have increased by low double-digits due to the rise in ransomware claims. It's a strange market because, unlike most lines of insurance, cyber risk is correlated: a single ransomware campaign can hit many policyholders worldwide at the same time. More

California implemented a facial recognition system called ID.me to help vet unemployment claims by matching uploaded documents with an uploaded selfie. ID.me claims the system prevents $1 billion per week in fraudulent payments across the 21 states that use the service, but there are complaints of false positives and bad support. I am sure some of those complaints are valid, but the question should be how bad that problem is compared to not using the system. More
 
China's ministry of education says young Chinese men are too feminine, and it's pushing efforts to elevate sports stars as role models. If you're wondering why this is in the security section, it's because a top government official was quoted as saying young Chinese men were trending towards feminization, which "would inevitably endanger the survival and development of the Chinese nation unless it was effectively managed." More

Google paid $6.7 million to bug bounty hunters in 2020, which is up from $6.5 million in 2019. I'm not sure why, but this just seems extremely low. Either the attack surface is much smaller than I am thinking, the surface is much more secure than I'm thinking, or the payouts are way too small. Or some combination. If I had to guess, I'd have put a proper number closer to $50 or $100 million. I mean it's only the software running the planet, right? I think they should 10X their payouts and see what happens. Oh shucks, we paid $70 million instead of $7 million. Like that's a high price for finding even 20% more or better bugs. More

The UK has expelled three Chinese spies who were posing as journalists. This comes as tensions are high between the two countries due to the UK banning Huawei 5G and complaining about crackdowns in Hong Kong and Xinjiang. More

Vulnerabilities:

  • There's a nasty Chrome vulnerability affecting Windows and Mac users. Update if you haven't. More

  • SonicWall has a serious issue with its Secure Mobile Access 100 Series that it said was being exploited in the wild. There's a patch available now. More

  • Cisco has released fixes across multiple products, including its routers, the recent sudo privilege-escalation issue as it affects Cisco software, and a number of other packages. More

  • Plex Media Servers are being used to amplify DDoS attacks. In some configurations (typically a router that forwards the port to the server), their SSDP-style discovery service listens on the internet on UDP port 32414. Because UDP has no handshake to stop source-address spoofing, and a small spoofed request draws a response roughly 4.68X its size, exposed servers make effective reflectors. More

Incidents:

  • British Mensa had its website hacked, resulting in the exposure of personal data not just for its 18,000 members but for people who tried to join and didn't get in. More
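A practical follow-up to the Plex item is checking your own flow logs for a server that is already answering discovery probes from the internet. The script below is an added example written for this newsletter, not code from the linked report: it reads a handful of constructed flow records in an assumed simplified format (proto src_ip:src_port -> dst_ip:dst_port bytes), pairs UDP/32414 responses with the requests that triggered them, and reports any server that answers hosts outside RFC 1918 space along with the observed bytes-out over bytes-in ratio, which is the amplification factor the attacker gets.

```python
"""Flag Plex discovery (UDP/32414) responses leaving for the internet.

Added example, not from the linked report. The flow format below is an
assumed simplified NetFlow-like text layout and the records are constructed
for this demo; the documentation ranges 192.0.2.x, 198.51.100.x and
203.0.113.x stand in for public addresses. The LAN check is a deliberate
RFC 1918 list rather than ipaddress.is_private, which would also treat
those documentation ranges as private.
"""
import ipaddress
from collections import defaultdict

PLEX_DISCOVERY_PORT = 32414
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: 192.0.2.10 answers three internet hosts, 192.0.2.11
# only answers a LAN client, and one TCP flow to the Plex web port is noise.
FLOWS = """\
udp 203.0.113.7:40000 -> 192.0.2.10:32414 52
udp 192.0.2.10:32414 -> 203.0.113.7:40000 243
udp 198.51.100.9:40000 -> 192.0.2.10:32414 52
udp 192.0.2.10:32414 -> 198.51.100.9:40000 243
udp 198.51.100.22:40000 -> 192.0.2.10:32414 52
udp 192.0.2.10:32414 -> 198.51.100.22:40000 243
udp 10.0.0.5:55001 -> 192.0.2.11:32414 52
udp 192.0.2.11:32414 -> 10.0.0.5:55001 243
tcp 203.0.113.7:44444 -> 192.0.2.10:32400 600
"""


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flow(line: str):
    """'proto src:port -> dst:port bytes' -> (proto, sip, sport, dip, dport, bytes)."""
    proto, src, _, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport), int(nbytes)


def find_reflectors(flow_text: str) -> dict:
    """Return {server_ip: {peers, bytes_out, amplification}} for servers that
    answered discovery probes from non-LAN addresses."""
    requests = defaultdict(int)   # (server, peer) -> bytes received
    responses = defaultdict(int)  # (server, peer) -> bytes sent back
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, sip, sport, dip, dport, nbytes = parse_flow(line)
        if proto != "udp":
            continue
        if dport == PLEX_DISCOVERY_PORT:
            requests[(dip, sip)] += nbytes
        elif sport == PLEX_DISCOVERY_PORT:
            responses[(sip, dip)] += nbytes

    report = {}
    for (server, peer), out_bytes in responses.items():
        if is_lan(peer):
            continue  # LAN discovery is what the port exists for
        entry = report.setdefault(server, {"peers": 0, "bytes_out": 0, "ratios": []})
        entry["peers"] += 1
        entry["bytes_out"] += out_bytes
        in_bytes = requests.get((server, peer))
        if in_bytes:
            entry["ratios"].append(out_bytes / in_bytes)
    for entry in report.values():
        ratios = entry.pop("ratios")
        entry["amplification"] = round(sum(ratios) / len(ratios), 2) if ratios else None
    return report


if __name__ == "__main__":
    for server, info in find_reflectors(FLOWS).items():
        print(f"{server}: answered {info['peers']} internet hosts, "
              f"{info['bytes_out']} bytes out, ~{info['amplification']}x amplification")
```

Any server that shows up in the report is reachable on UDP/32414 from the internet and should have the port forwarding (or UPnP mapping) removed; the ratio column is a useful sanity check that you are looking at the discovery protocol and not some other chatter on that port.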


TECHNOLOGY NEWS

Jeff Bezos has stepped down as CEO of Amazon, and has handed the reins to the leader of the AWS division, Andy Jassy. More

Google Pixel users are about to be able to measure their heart and respiration rate just using their phone's camera. They're using AI to detect subtle changes in the person's appearance, from motion to color changes, to derive the metrics. I give Google a lot of grief, but this is cool stuff here. This is the future we were promised. More

A UK research team has developed an AI that can look at the radio waves bounced off a subject and tell with 71% accuracy whether the subject is feeling relaxed, frightened, disgusted, or joyful. More

Google has completed its Dunant subsea cable between Virginia Beach and Saint-Hilaire-de-Riez in France. It's capable of 250 terabits per second. More

23andMe is going public soon. More

Innovation:

  • SuperbAI has raised $9.3 million to help companies label training data for use with AI. More

  • Soda is a Belgian startup that's raised €11.5 million to make sure large datasets are kept 'fit for purpose' in terms of verifiability and trustworthiness. More

  • Latitude is building AI-generated infinite storylines for games, and just raised $3.3 million. More

Companies:

  • Amazon's cloud division increased revenue by 28% last quarter. More

  • Google's ad business made up 81% of Alphabet's $57 billion in fourth-quarter sales, which is up 23% over last year. More


HUMAN NEWS

The Bay Area seems to be experiencing a troubling increase in attacks against Asian American seniors. They're not getting much national coverage at all, which is its own problem that many Asians are upset about. A number of Asian influencers are speaking out, saying attacks against their community aren't fitting into popular national narratives like domestic violence or racism against Blacks, so they're being ignored. I feel like Asians in America are being double-ignored. They get no credit for being the most successful cohort in the US (because it's considered the default behavior), and crimes against them seem to go unnoticed compared to those of other groups. More


CONTENT, IDEAS & ANALYSIS

Summary: Human Hacking — My latest summary, on a great book on social engineering by Christopher Hadnagy. 8/10. More

How to Become Uncancellable — Sam Harris has spent a lot of effort to become uncancellable, which I find quite interesting. I have more freedom than most because I don't use Facebook or Twitter as my primary mechanisms for connecting with my audience, and—most importantly—I am supported directly, not via a platform like Twitch or YouTube. But there are still ways to improve that situation, e.g., taking credit cards more directly instead of using services like Memberful. Sending emails more directly, instead of using Mailchimp. Etc. Maybe we should come up with 5 Levels of Publisher Independence, similar to the levels of autonomous driving. I'm guessing I'm like a 3 right now.

Narrative vs. Fundamentals Stocks — Scott Galloway is my favorite business analyst/commentator, and he says stocks have recently switched from being fundamentals-based (price vs. earnings, etc.), to being narrative-based, i.e., what's the story around the product and the team? He says it used to be like 3/4 fundamentals and 1/4 narrative, and now that's flipped. But he warns that the potential is always there to return back to fundamentals. I think this is a really smart way of thinking about things right now.


NOTES

I'm still looking for additional products or services to include in the Discovery section. Basically, the standard is something that you just absolutely love and few people know about. For me it's my EDC razor knife I've talked about before. Or CrowdSec. Or the firewall you've used since 2005. Or a wine recommendation app. Or your favorite minimalist wallet. Or whatever. If you have a favorite item we should highlight in Discovery, please let me know via email or in our member Slack. I've already got tons of input from the UL Community (here's an LED Light Panel for example), and I am now extending this request to others as well. Thanks!

I'm adding a Premium version of the free newsletter (odd-numbered episodes), which will just be labeled as the MEMBER EDITION for members. It'll be the same content, but will avoid subscribers getting any newsletter that says "STANDARD EDITION". Let me know in our Slack or by replying here if you like this idea, and feel free to sign up here to start getting that new version.

Don't forget to safe-list the newsletter so it doesn't get routed strangely by Gmail et al. More

I'm looking forward to seeing this film, Users, which just premiered at Sundance 2021. It's about how integration with tech is becoming increasingly creepy. As a tech-optimist, I don't see it that way, but I still enjoy Black Mirror type stuff. More


DISCOVERY  

CrowdSec Primer — CrowdSec (a modern Fail2Ban replacement) has published a new getting started guide that takes you from install to blocking malicious traffic. [SUP] More

Malwarebytes — This is the main tool I've used for malware protection on Windows and Mac for close to a decade. Happy to have them as a show supporter! [SUP] 25% Off Link

NixOS — An up-and-coming Linux distribution that I keep hearing people talk about. I need to play with this somewhere. More

Roon Music Management (1.8 Release) — If you are into music and haven't heard of Roon, you're missing out. It's a complete music management and listening system, and this week it's releasing version 1.8, which looks super clean. I can't wait. Video About Version 1.8

Think Board — Thin films you can use as whiteboards on multiple surfaces! I've been wanting to find a whiteboard solution for a while now, and a UL Member recommended this solution. I'll be trying them soon. More

Configuring NeoVim using Lua More

A NixOS-based Wireguard Setup More

Someone created a honeypot industrial control system for a power plant online and watched to see what kind of traffic it received. They saw lots of scanner traffic but no attempts to modify anything. I really hope our government has a million of these things out there. More

An interesting Hacker News thread on tech burnout and anxiety. One takeaway: if you're getting really anxious on Sunday nights, it's probably time to change something. More

My response to a Reddit thread asking for a quick explanation of why people don't believe in Free Will. More

A Threat Modeling Manifesto More

Where's the Fastest Place To Put Your Server? More

The Myths, Not So Myths, and Truths About Data Science More

Ticker — A terminal-based stock ticker. More

BugBountyHunting — A website that lets you look for bug bounty tips via a search interface. More


RECOMMENDATIONS

If you've not discovered Lo-Fi music, it's time to get into it. It's a minimalist approach to music designed to play in the background while you do other more important things, like code, relax, or talk with your friends. There's a whole community around it, with tons of available playlists. I have like 10 that I cycle regularly. More Starter Playlist (ChilledCow)

APHORISMS

“The secret to happiness is freedom. And the secret to freedom is courage.”

~ Pericles