I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I've found in the last week to around 50,000 people. It'll save you tons of time.
STANDARD EDITION | UPGRADE TO THE WEEKLY MEMBER EDITION | October 16, 2017
This is episode No. 97 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…
This week’s topics: Major WPA2 Flaw, Subaru hack, Vulnerable Container Ships, F-35 Data Stolen, Accenture S3 Buckets, tech news, human news, ideas, discovery, recommendations, aphorism, and more…
WPA2 has a serious flaw, named KRACK (Key Reinstallation Attack), and the full paper is being released alongside the disclosure. The problem is in the 4-way handshake: an attacker within radio range replays a handshake message so the client reinstalls a key it is already using, which resets the packet number and causes the encryption keystream to be reused. The upshot is that an attacker can decrypt your wireless traffic even though you’re using WPA2 (and on some clients inject into it), so expect this to be a favorite vulnerability for a long time. It’s a flaw in the standard rather than in one product, so everything is affected, but the fix is a software patch rather than a new password or new hardware, and TLS still helps significantly. Link
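The reason a reinstalled key is fatal is easy to show in code. The following is an added example, not code from the newsletter or from the KRACK paper: WPA2-CCMP derives each frame’s keystream from the session key plus a per-frame packet number (PN) that must never repeat under one key, and a reinstallation resets that PN. The keystream here is HMAC-SHA256 in counter mode, a standard-library stand-in for AES-CCM, and the key and the two frames are constructed; the consequence of nonce reuse is the same for both ciphers.

```python
import hashlib
import hmac

# Added example (not from the newsletter or the KRACK paper). The keystream is a
# stand-in for AES-CCM: what matters is that the same key and the same packet
# number always produce the same bytes.

SESSION_KEY = b"constructed-pairwise-key-not-a-real-ptk"  # constructed, not a real PTK
FRAME_A = b"GET /index.html HTTP/1.1\r\n"  # plaintext an attacker can guess
FRAME_B = b"user=alice&password=hunter2"   # plaintext the attacker wants


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Deterministic keystream: same key + same PN -> same bytes."""
    out = bytearray()
    block = 0
    while len(out) < length:
        ctr = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, packet_number, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share a keystream, c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor(xor(c1, c2), known_p1)


def demo_key_reinstallation() -> dict:
    # Honest client: first frame after the handshake goes out with PN = 1.
    c_a = encrypt_frame(SESSION_KEY, 1, FRAME_A)
    # After the forced reinstallation the PN restarts at 1: keystream reuse.
    c_b_reused = encrypt_frame(SESSION_KEY, 1, FRAME_B)
    # Healthy client: the PN keeps counting, so the keystream is fresh.
    c_b_fresh = encrypt_frame(SESSION_KEY, 2, FRAME_B)
    n = min(len(FRAME_A), len(FRAME_B))
    return {
        "target": FRAME_B[:n],
        "recovered_after_reinstall": recover_with_known_plaintext(c_a, c_b_reused, FRAME_A),
        "recovered_without_reinstall": recover_with_known_plaintext(c_a, c_b_fresh, FRAME_A),
    }


if __name__ == "__main__":
    r = demo_key_reinstallation()
    print("reused keystream ->", r["recovered_after_reinstall"])
    print("fresh keystream  ->", r["recovered_without_reinstall"])
```

The guessable frame does the work: HTTP request lines, DNS queries and TLS record headers give an attacker plenty of known plaintext, which is why the advice to keep TLS everywhere still holds even when the Wi-Fi layer has failed.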
A vulnerability in Subaru key fobs lets an attacker unlock vehicles and lock out the owner, because the rolling codes are predictable: each code is the previous one incremented rather than an unpredictable value, so anyone who captures one code can compute the next. The researcher, Tom Wimmenhove, also showed how to build the attack device from around $25 in parts. Link
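To see why a predictable code is the whole problem, here is an added example (not code from the newsletter or from Wimmenhove’s write-up) with a toy fob and receiver under two schemes: a bare sequential counter, the weakness described above, and a keyed MAC over the counter, which is what a rolling-code scheme is supposed to provide. The fob secret and the 16-code resync window are assumptions; the attacker model is someone who sniffs one legitimate unlock and tries to forge the next.

```python
import hashlib
import hmac

# Added example, not from the newsletter or Wimmenhove's research.
# Both fob and car share FOB_SECRET (constructed) and a counter; the receiver
# accepts any code in a forward window of counters and then resyncs to it.

FOB_SECRET = b"constructed-per-fob-secret"  # constructed; shared by fob and car


def sequential_code(counter: int) -> bytes:
    """Weak: the code *is* the counter, so one sniffed code predicts the rest."""
    return counter.to_bytes(4, "big")


def keyed_code(counter: int) -> bytes:
    """Keyed: the code is a MAC of the counter; unpredictable without the secret."""
    return hmac.new(FOB_SECRET, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, code_fn):
        self.code_fn = code_fn
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return self.code_fn(self.counter)


class Receiver:
    """Accepts a code matching any counter in a forward window, then resyncs."""

    def __init__(self, code_fn, window: int = 16):
        self.code_fn = code_fn
        self.last = 0
        self.window = window

    def try_unlock(self, code: bytes) -> bool:
        for ctr in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(self.code_fn(ctr), code):
                self.last = ctr  # codes at or below this counter are now rejected
                return True
        return False


def attacker_next_code(sniffed: bytes) -> bytes:
    """Attacker's guess: treat the sniffed code as a counter and add one."""
    nxt = (int.from_bytes(sniffed, "big") + 1) & 0xFFFFFFFF
    return nxt.to_bytes(4, "big")


def run(code_fn) -> dict:
    """One owner unlock (sniffed), one forged unlock, then the owner's next press."""
    fob, car = Fob(code_fn), Receiver(code_fn)
    sniffed = fob.press()
    if not car.try_unlock(sniffed):
        raise RuntimeError("legitimate unlock failed")
    attacker_in = car.try_unlock(attacker_next_code(sniffed))
    owner_in = car.try_unlock(fob.press())
    return {"attacker_unlocked": attacker_in, "owner_still_works": owner_in}


if __name__ == "__main__":
    print("sequential:", run(sequential_code))
    print("keyed:     ", run(keyed_code))
```

With the sequential scheme the forged code not only opens the car but advances the receiver’s counter past the owner’s fob, so the owner’s next press is rejected; that is the lockout the item mentions. With the keyed scheme the attacker’s guess is just a random 4-byte value, and the owner’s fob keeps working.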
Container ships are basically floating ICS systems connected to the internet, and one researcher found a number of their satellite communication terminals exposed on Shodan, often with default or weak credentials. Link
Australia’s Department of Defence has confirmed that a small Australian defense contractor was hacked, and that the attackers stole sensitive (though, per the department, unclassified) data on the F-35 and other programs. They evidently popped a public-facing server and used shared credentials to move laterally once inside. The tool used was the China Chopper web shell, which has been used by Chinese groups in the past. Link
Accenture got caught with their S3 buckets down, and disclosed a bunch of sensitive keys, credentials, and customer data, including up to 40,000 plaintext passwords that might belong to Accenture customers. At this point these stories produce a nervous laughing/weeping. We know exactly what the problem is, but people still aren’t checking whether they have it, and the check is short: list your buckets and look for ACL grants to AllUsers or AuthenticatedUsers, and for bucket policies that allow a wildcard principal. Link
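Here is that check as an added example; it is not Accenture’s or the discovering researchers’ tooling. It evaluates the two ways a bucket becomes world-readable, an ACL grant to one of the global groups or a policy statement allowing a wildcard principal, over the JSON shapes that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return (the latter wraps the policy in a string). The sample ACL, policy, VPC endpoint id and account id are constructed.

```python
import json

# Added example; not Accenture's or UpGuard's tooling. Offline evaluation of
# bucket ACL and bucket policy JSON for public exposure.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample inputs; 123456789012 is AWS's documentation placeholder id.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
        {"Sid": "TeamOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value) -> list:
    """IAM policy fields may be a scalar, a single object, or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def acl_public_grants(acl: dict) -> list:
    """(group, permission) for every grant to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            hits.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_statements(policy_json: str) -> list:
    """(Sid, actions, conditional) for every Allow to a wildcard principal.

    A statement carrying a Condition is reported but flagged: a condition such
    as aws:SourceVpce can make an apparent wildcard private, so it needs a
    human look rather than an automatic verdict.
    """
    policy = json.loads(policy_json)
    hits = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        hits.append((st.get("Sid", "<no Sid>"), _as_list(st.get("Action")), "Condition" in st))
    return hits


def bucket_is_public(acl: dict, policy_json: str) -> bool:
    """True on any public ACL grant or any unconditional wildcard Allow."""
    if acl_public_grants(acl):
        return True
    return any(not conditional for _, _, conditional in policy_public_statements(policy_json))


if __name__ == "__main__":
    print("ACL grants:", acl_public_grants(SAMPLE_ACL))
    print("policy statements:", policy_public_statements(SAMPLE_POLICY))
    print("public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Run it against each bucket’s real ACL and policy and treat any hit as a finding; object-level ACLs can also expose individual keys, so the bucket-level check is necessary but not sufficient.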
Hyatt Hotels has had its second breach in 2 years. They said their cybersecurity team discovered signs of unauthorized access to payment information at certain Hyatt-managed locations. I’d tell you to change your credit cards, but it really wouldn’t matter. This is the new normal. Link
Google is nerfing its Home Minis: the touch-sensitive top was registering phantom touches on some units, which put them in an “always listen” mode that recorded and uploaded audio continuously, and a reviewer figured it out and went public about it. Google’s response was a firmware update that disables the top touch control entirely. I can’t imagine Amazon or Apple making this mistake, but I could imagine it from Facebook and Google. This is why I won’t be deploying any of their home assistant technology anytime soon. Link
Forrester had a data breach on its website allowing attackers to steal the content it provides to its customers. The PR release was quite nimble. Link
Lockheed Martin, Boeing, Raytheon, and Northrop Grumman all lack HTTPS on their main websites. Ridiculous. Link
Patching: October Windows Security Updates, Windows DNS Client, WPA2, Flash
The MICrONS project, run through Baylor, CMU, Harvard, and Princeton with IARPA funding, is looking to spend $100 million to reverse engineer the brain once and for all. Link
Alibaba is doubling its R&D spend to $5 billion, but that’s less than a third of what Amazon is spending. Fear Amazon. I don’t care if you make toilet paper or airplanes—be afraid of anyone spending more than $15 billion on R&D who’s willing to fail and is shipping products. Link
Bitcoin has topped $5,700. Link
A Silicon Valley startup is working on a chatbot-based approach to depression. Patients text the bot feelings like, “Nobody remembers me on my birthday,” and the bot responds with pertinent descriptions of the feelings they’re experiencing. The entire methodology is based on the idea that it’s not what happens to us but how we react to it that matters. Link
A 50-100 foot asteroid just flew by within around 27,000 miles of Antarctica. How hard would an asteroid that size hit if it landed on Earth? Around 30 Hiroshimas. Link
61% of California inmates released from prison are back within 3 years. If an inmate does any sort of educational program while inside, the chance of recidivism drops by 43%, and if they do any college work it drops by 51%. Also, people given probation are less likely to re-offend than those sent to prison. Link
Tokyo is the safest city in the world, followed by Singapore, Osaka, Toronto, and Melbourne. Link
The newest M1 Abrams tank model is equipped with “smart rounds” that can be programmed on the fly for four different functions: piercing armor, penetrating a wall, anti-air, or shrapnel. Link
American households are massively changing, with increasing numbers of unmarried and non-family households. Link
Russia is Trying to Destroy America, and Here’s How They’ll Do It Link
My 3 Essential Podcasts Link
It’s Time to Let Go of Our Data Link
Tesla seems to be in danger of getting passed by traditional car makers. There is common wisdom in the valley that says it’s not always the first company to a space that ends up winning. It’s often someone who sees it, gets hungry, and then releases something better or at scale. And that is precisely what could happen if Tesla can’t move fast enough in producing what it’s promised.
Injecting bad options can help people make better decisions. It’s an interesting idea. I was listening to a Sam Harris podcast recently and he had a guy on who is working on a bot system that shows up in conversations and injects noise into them, and what they’ve found is that the noise can improve the exchange between the actual humans. Link
How Israel Caught Russian Hackers Scouring the World for U.S. Secrets Link
Firmware Analysis for IoT Devices Link
The 2017 Best of Information is Beautiful Data Visualizations Candidates Link
You Should Learn Regex Link
Someone’s Favorite Books to Sell After 20 Years of Owning a Bookstore Link
A Visualization of the Time it Takes to Crack a Password Using Different Character Types Link
The Dangers of CSV Injection Link
How the CIA Recruits Academics Using Fake Conferences Link
The Missing Career Path for the Technical Expert Link
Technical Interview Performance by Editor/OS/Language Link
RobotsDisallowed — I have upgraded my RobotsDisallowed project that helps you find juicy content during web assessments. I not only re-ran the Alexa 100K to create updated lists, but also rewrote and re-organized the code quite a bit. Link
I have almost completed my new site design, and it’s now live. If you’re into design at all, or just want to give feedback, I’d really appreciate it. The big focus was on having the content be the center of attention, so I removed the sidebar and put the content right in the center. I also focused heavily on typography. Here’s a short post about me comparing an early version of it to Medium. Anyway, I’d love to hear your thoughts on it. Link
I spent a week in Maui, and it was splendid. Got to hang with my friend Jeremiah and spent around 10 hours in the ocean. It’s so rejuvenating to spend time in the water and the sun.
I spent some time last week reading Bertrand Russell’s The Conquest of Happiness, and I’ll be finishing it and doing a summary for it soon. Some of the quotes are simply fantastic, and they’re even more so given the fact that he wrote the book in 1930. It’s hilarious to hear him talking about the difficulty of attaining happiness in “modern life” back before, well, before most everything. Link
I also updated my support page and am now using a different membership service. The payment processing is still handled through Stripe (which I love) but the whole process is just more seamless. There are now just two plans: Membership for $10/month or $100/year, and Mentorship for $100/month or $1000/year. There’s also the option to give one-time amounts, and I’m today announcing discounts for the Mentorship support level for women or military. If you’re a woman looking to get into infosec (or advance in it), or you’re active or former military, I’m going to offer my Mentorship level at a 20% discount. Email me at email@example.com for a discount code! Link
You should be listening to these 3 podcasts Link
Get ready to patch the wireless clients and access points at work and at home, and to help your loved ones do the same. KRACK is a flaw in the 4-way handshake itself, so changing the Wi-Fi password or buying new hardware does nothing; the fix is a software update, mostly to client devices (and to access points that use 802.11r fast roaming). With phones, laptops, and IoT devices that may never get an update in the mix, this one will take months to roll out.
This is a set of personal computer security recommendations that you can distribute to loved ones. It isn’t perfect, but it’s quite good. Link
“Two people can never go to each other’s funerals.”
You can also sign up below to receive this newsletter—which is the podcast’s show notes—every week as an email, and click here to get previous editions.
And if you enjoy this content, please consider supporting the site, the podcast, and/or the newsletter below.
Thanks for listening. I’ll see you next week.