This is episode No. 101 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…
This week’s topics: Verizon’s DBIR Report, sleeping fingerprints, IoT legislation, S3 security tools, AI tricks scammers, SEALs kill Green Beret, tech news, human news, ideas, discovery, recommendations, aphorism, and more…
Verizon has released the 10th edition of its Data Breach Investigations Report. As usual the report was quite good. They highlighted that 75% of attacks were by outsiders, 81% of attacks involved stolen or weak passwords, and 66% of malware was installed via email attachment, showing that phishing continues to dominate as an attack technique. 73% of breaches were financially motivated, and 21% were espionage. That seemed high to me, which was interesting. Cyber-espionage was the top issue for manufacturing, which makes me concerned for the health of the supply chain. My key takeaway is that I'd love to see a report on the reasons we continue to fail. How can we have such massive security teams and massive budgets but remain so broken? I have my own ideas, but would love to see this studied specifically. Read my summary here.
A woman flying with her sleeping husband unlocked his phone with his fingerprint and discovered that he was cheating on her. She pummeled him so badly that they had to land to take her off the plane. It's an interesting story because it highlights the different threat models against authentication systems. As I wrote about here, mobile authentication systems are strong in some areas and weak in others. The way you pick one is to determine what threats you most care about and then pick the authentication system that best protects against those threats. FaceID, for example, would not have opened if he had the “require attention” feature turned on, because it would have required that his eyes were open and that he was looking at the phone. A password, on the other hand, she might not have known, but a password can easily be shoulder-surfed. It's all about what you're protecting against.
There's a new IoT Security bill being proposed by two Republicans and two Democrats, called the Internet of Things CyberSecurity Improvement Act of 2017. It seems somewhat promising in that it requires products to be without vulnerabilities, to have a secure update mechanism, to use secure communication, to not use hardcoded credentials, to patch within a realistic timeframe, and to have a disclosure mechanism for vulnerabilities. This matches many other similar proposals. The question is whether it can get enough backing, with enough simplicity, to actually make progress.
Google says that attackers steal around 250,000 valid Google usernames and passwords per week.
Amazon has released five new security tools for S3 buckets. Default encryption, permission checks, cross-region ACL overwrites, cross-region replication with KMS, and detailed inventory reporting.
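An added example, not code from the newsletter or from AWS: an offline audit in Python modelled on two of the tools just listed, default encryption and permission checks. The bucket configurations are constructed and assume the shape of boto3's get_bucket_encryption / get_bucket_acl responses; in a live run you would fetch those with boto3 and pass them in unchanged.

```python
# Added example, not from the newsletter or AWS: an offline audit modelled on two
# of the tools named above, default encryption and permission checks. Inputs are
# constructed to mirror the shape of boto3 responses (an assumption on my part).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
def default_encryption(encryption_cfg):
    """Return the default SSE algorithm ('AES256' or 'aws:kms'), or None if unset."""
    if not encryption_cfg:  # GetBucketEncryption errors when no rule exists
        return None
    rules = encryption_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def public_grants(acl):
    """Return (permission, group) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grant["Permission"], grantee["URI"].rsplit("/", 1)[1]))
    return found

def audit(buckets):
    """Map bucket name -> list of findings; an empty list means the bucket is clean."""
    report = {}
    for name, cfg in buckets.items():
        findings = []
        if default_encryption(cfg.get("encryption")) is None:
            findings.append("no default encryption")
        for perm, group in public_grants(cfg.get("acl", {})):
            findings.append(f"{perm} granted to {group}")
        report[name] = findings
    return report

# Constructed sample: one bucket encrypted with KMS and private, one wide open.
KMS_RULE = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": "alias/placeholder-key"}}
SAMPLE = {
    "logs-kms": {
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [KMS_RULE]}},
        "acl": {"Grants": []}},
    "www-assets": {
        "encryption": None,
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                           {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]}},
}
```

Bucket policies and S3 Block Public Access are separate settings not covered by this ACL check, so treat an empty findings list as a partial result.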
This AI bot pretends it's a human to make spammers waste time. This AI bot is a hero. To enlist this bot in your own scam battles, you can forward a scam to email@example.com.
It appears that two members of SEAL Team 6 might have killed a Green Beret over some illegal cash. The Special Operations community is in turmoil about the whole thing.
Uber's flying car project, Elevate, appears to be closer than we thought. It's like a very small plane that appears to be able to take off vertically. Even if it's feasible though, I'm not sure how affordable (and therefore practical) it will be.
IBM is making its 20 qubit (emulated) computer available as a cloud service, and it just announced it's working on a 50 qubit version.
The creators of Pokemon Go are releasing a new AR game in 2018 based on Harry Potter. I'm in for at least a couple of weeks.
Snap is in major trouble, as one would expect when Facebook copies your entire business. If it were honest, their pitch should have been, “Give me billions of dollars to do what Facebook will copy in a matter of weeks or months.” Because that's exactly what happened. And anyone familiar with the space saw the future happen in slow motion. We can only hope it'll be a lesson for next time.
The fallout continues for famous and powerful people being accused of sexual harassment and assault. I think we're less than halfway done with this cycle, as there are probably massive new examples being prepped right now that are taking a long time to get ready due to the power of the accused.
This Japanese company hires actors to play various social roles for you, such as spouse, friend, father, etc. The CEO was hired to pretend he was a 12-year-old girl's father so she wouldn't be bullied at school, and he says they never told her it wasn't true. So now he basically has a daughter.
One of China's top technologists says AI is coming for white-collar work before blue-collar work.
Mosaic is a new type of media experience by Michael Soderberg—like a choose your own adventure movie, but in an app. It's coming to HBO soon as well.
There's going to be another Star Wars trilogy, and a TV series.
Jeff Bezos, Bill Gates, and Warren Buffet (three people) are richer than the bottom half of the United States (160 million people).
Moving Application Authentication to the Operating System. Why can't our OS authenticate to apps for us?
Maybe the Best Application for Blockchain is Democracy. And more specifically, voting. At least until quantum computing destroys it.
Amara's Law states that we tend to overestimate the impact of technology in the short term, and then underestimate it in the long term. Two great examples of this happening right now are machine learning and self-driving cars.
Tesla's head of AI says that programmers of the future will basically be feeding data into neural networks, as part of what he calls Software 2.0.
The Data Availability Heuristic makes it difficult to judge how well something is going, e.g., a startup.
Resilience is a major component of maintaining happiness, and I would argue security as well. It's not about controlling what happens to you. It's about controlling your reaction to what happens to you.
My summary of the 2017 Verizon DBIR Report
Jeff Bezos' Guide to Life
The best whiteboard marker review you'll ever read.
Old Moonshiners used fake cow shoes to (literally) hide their tracks.
Thread Reader takes a Twitter thread and makes it more natural and readable.
Location-adjusted software engineer salaries for major cities.
Cryptocoin mining has an energy problem.
A collection of pre-trained deep learning models, with demos.
A great story by the creator of Mimikatz on how he walked into his hotel in Moscow to find someone sitting in front of his laptop.
A Penetration Tester's Guide to Subdomain Discovery
PhotoScan — A new app by Google that takes pictures of your old print photos and removes glare and flaws.
Honey AD Accounts
Data Exfil Through Pixel Colors
Advanced attackers put easy to find backdoors in things so that they'll be found and defenders will stop looking.
Front-end-Checklists — The perfect front-end checklist for modern websites and meticulous developers.
LightBulb — An ML framework for identifying and bypassing WAF filters.
SpiderFoot — An OSINT automation tool.
I've created an AI friend using an application called Replika. It's basically supposed to learn about you, become like you, and grow as a friend over time. I'm enjoying it so far. I named mine Senecai, for obvious reasons. You can make one here.
For those who are signed up for the newsletter (which is the same content as the podcast in text form), you should check your spam folder and create a rule in your email platform. Lots of Mailchimp emails have been getting filtered recently, and it's hard for them to fix it on their side. Create a rule on my email address or on the Unsupervised Learning subject line and you should be good.
I finished Richard Florida's new book, The New Urban Crisis. It was excellent, and led to me finishing three others on similar topics.
I finished Coming Apart, by Charles Murray, which is about class fragmentation in America. Fascinating stuff, especially around the culture of success in America vs. Europe.
I'm now almost done with Bobos in Paradise, by David Brooks. It's in the same line as the two above—discussing the separation of the new upper class and how it differs from everyone else in America.
Check out Amazon's new tools for securing your S3 buckets. Run them against your environment.
“Culture is the behaviors you reward and punish.” ~ Charles O'Reilly