This week’s topics: Amazon’s S3 outage, Uber greyballing, fooling AI, DNS RATs, automating human jobs, suicide and ML, post-work IQ and creativity, greatness vs. imperfection, media choice, tools, projects, and more…
This is Episode No. 68 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to or read below.
Infosec news

Amazon S3 had a major outage this week, which took down much of the internet. S3 is the backend for so many websites and applications that many call it "The internet's hard drive". What I found most fascinating about the outage was Amazon's post-mortem, which identified the cause of the issue as a typo. But rather than saying the sysadmins would be retrained, i.e., blaming the human, they said they'll be implementing tech that will make it impossible for anyone to do this in the future—even if the typo were repeated. I think that's a great answer. Now we just need that for development frameworks.

Uber is in (more) trouble because of its use of a technique called Greyballing, which is a play on Blackballing. It's alleged that in cities where Uber was not allowed to operate, Uber would identify city officials and potential investigators and push them a fake version of the app. When they would call a car, it would look like cars were accepting, but the drivers would cancel immediately afterwards, so the officials were never able to gather evidence against the company.

It's possible to fool a lot of AI systems using what are called Adversarial Examples. Basically they are purposely crafted inputs that cause the AI system to make a mistake, usually involving labeling. You might be able to convince a camera that someone has a gun, for example, or an autonomous car that there's a yield sign instead of a stop sign. The way I characterize this is that if you understand the limitations of the training data, you have a way to attack it.

Security professionals everywhere are rejoicing in Marissa Mayer losing her multimillion-dollar cash bonus because of the security issues at Yahoo. They've felt for years that there could be egregious disregard for infosec, but there were never any solid repercussions.

HackerOne is offering a free service for Open Source projects. The offering basically allows vetted projects to use the HackerOne platform to manage interaction with the community, but without customer support.

Cisco's Talos Intelligence has found a RAT called DNSMessenger that uses DNS TXT records to run PowerShell commands and for C2, so the system never has to write any files to disk locally.

A researcher found a vulnerability in Google Apps that allowed him to query internal Google domain names, including those for its Active Directory infrastructure. It was essentially an SSRF in their toolbox application, where if you rotated your queries you could pull all sorts of nasty stuff. The researcher received a bounty from Google and the issue has been fixed.

CloudPets, a smart stuffed animal that records voice conversations between children and parents, had its MongoDB database compromised, resulting in the exposure of 2 million voice conversations and data from around 800,000 registered users. Then it got hacked and ransomed.

Amazon is developing a Voice ID technology.

Google has increased all its bounty payouts by 50%, and Microsoft doubled theirs.

Google's ReCaptcha has been successfully attacked again.

Technology news

New software called Contract Intelligence (COIN) performs in seconds a task that used to take staff 360,000 hours.

YouTube has launched YouTube TV, which allows you to stream ABC, CBS, FOX, NBC, ESPN, regional sports, and dozens of other cable networks.

Chevrolet is about to offer an unlimited 4G LTE data plan on all cars sold in the U.S. for just $20/month.

Ford is exploring a mobile van full of drones for last-mile delivery.

Human news

A researcher at Florida State University has used machine learning to predict the chance of someone committing suicide with around 80% accuracy. This is stunning given that the previous decades of work yielded no better than a 50/50 coin flip. The system looked at 2 million health records and identified 3,200 people it knew had committed suicide, and machine learning did its regular magic of finding what those people had in common that humans couldn't see. Around 120 Americans commit suicide daily.

Sweden has reinstated military conscription because of Russian moves in the Baltic.

Japanese universities are struggling to remain elite and relevant.

Babies evidently give their mothers stem cells that they can use to heal themselves if needed.

There's a new tech where you lock up your smartphone at parties.

SpaceX is sending two people on a trip around the moon next year.

Ideas

IQ and Creativity Bias in a Post-work World

The Mea Culpa Game: Analysis of IT Post-mortems

Greatness vs. Imperfection: How Should We Rate Our Leaders?

Governments, Markets, and Media

Companies Exist to Serve Customers, Not Employ People

Discovery

The Car Hacker's Handbook is now available for free.

GoPhish — An open source phishing framework that has just been updated.

A presentation on a car hacking tool called CANToolz.

A collection of red team related resources.

Hackr.io — A search engine for online programming courses and tutorials.

The rise of the Useless Class.

AWS Lambda best practices.

PaddlePaddle — An open and easy-to-use deep learning platform for enterprise and research.

The human body as a transit map.

My company, IOActive, released some new research on vulnerabilities in robots.

Advice Bill Gates would give his 19-year-old self.

Reflect — Design, publish, and share your data. A data visualization platform.

A pretty cool Critical Controls PDF.

An article on creating macros for Burp Suite.

Notes

This newsletter (and podcast) won #4 on a list of 35 security podcasts. It was particularly rewarding since the three that beat us are all super professional, highly produced, have tons of sponsors, etc. Over here it's just you and me, so I'm happy with our #4 spot. Thanks for reading!

I'm in the middle of making a new primer—this time on OSINT! It's going to be a fairly major one, and I'm going through hundreds of resources by hand to pick the best ones. I will hopefully release it within the next week or two.

I'm still reading Hamilton, but I took a break and am reading Sapiens. It's unbelievably good. Next up after that might be Homo Deus, another book by the same author.

I'm going to Stanford this week to speak about Cybersecurity and AI. Super excited about that.

My buddy Ty has me thinking about getting one of these.

Recommendations

If you're a parent, start thinking about what skills in the future are most resistant to AI and machine learning, because that's where you probably want to point them. It's about life skills, too, not just vocation. I'm going to be doing an essay on this soon.

Aphorism

"The problem with humanity is the following: we have Paleolithic emotions, medieval institutions, and godlike technology." ~ E.O. Wilson
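Going back to the DNSMessenger item in the infosec news above: because the malware carries its commands inside DNS TXT answers and never touches disk, the place a defender can still see it is the resolver's query log. The following is an added example (not from Talos or this newsletter) of a detection heuristic over DNS query logs; it assumes a BIND-style query-log line format and uses constructed sample lines with a placeholder domain, and it is a heuristic, not a signature for any specific malware.

```python
import math
import re
from collections import Counter

# Assumed BIND-style query-log format (constructed for this example):
# "client 10.0.0.5#5353: query: <name> IN <type> +"
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parent_domain(name):
    """Last two labels, a rough stand-in for the registrable domain."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def label_is_suspicious(name, min_len=20, min_entropy=3.5):
    """True when the leftmost label is long and high-entropy, i.e. payload-like."""
    first = name.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy

def suspicious_txt_queries(lines, min_hits=3):
    """Map (client, parent_domain) -> count of payload-like TXT queries, keeping
    only pairs seen at least min_hits times: one odd lookup is noise, a stream is beaconing."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, name, qtype = m.groups()
        if qtype.upper() == "TXT" and label_is_suspicious(name):
            hits[(client, parent_domain(name))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

# Constructed sample: one beaconing host plus benign TXT lookups (SPF, DKIM).
SAMPLE_LOG = [
    "client 10.0.0.5#5353: query: 4f3a9c1e7b2d8a6f0c5e1b9d3a7f2c8e.c2-placeholder.example IN TXT +",
    "client 10.0.0.5#5353: query: 9b1d6e2a8c4f0e7a3d5b1c9f2e8a4d6c.c2-placeholder.example IN TXT +",
    "client 10.0.0.5#5353: query: e7c2a9f4d1b8e3c6a0f5d2b7c4e9a1f3.c2-placeholder.example IN TXT +",
    "client 10.0.0.7#40211: query: example.org IN TXT +",
    "client 10.0.0.7#40211: query: selector1._domainkey.example.org IN TXT +",
    "client 10.0.0.9#51002: query: www.example.org IN A +",
]

if __name__ == "__main__":
    for (client, domain), n in suspicious_txt_queries(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} payload-like TXT queries")
```

Legitimate TXT lookups (SPF, DKIM, domain-verification tokens) have short, readable labels, so they fall below both thresholds; tune min_len and min_hits against your own resolver's baseline before alerting on it.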
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.