Daniel Miessler's Blog, page 116

September 13, 2017

What If Attackers Pivot from Ransom to Extortion?



This is one of those ideas that I debate a bit before posting. Either 1) it’s seriously evil and I shouldn’t give anyone the idea, or 2) anyone wicked enough to do it will have already thought about it and/or is already doing it. I’m posting it here because I’m convinced it’s #2.



So the idea is that attackers could pivot from getting users to pay to unlock their files to getting companies to pay not to expose their weak security to the public.



So instead of saying the following to consumers and SMBs:




Hey, I know you need these files, and if you don’t pay me you’ll never get to access them again…




They instead say this to well-known companies that can lose millions of dollars if they make the news:




Hey, you have a reputation of safeguarding customer data, but here’s a ton of evidence that you’re not very good at it (screenshot). Pay us $5,000 or we will tell the following journalists (list) how easy it was to steal this data from your company.




I think a lot of companies would pay that. And even if the journalist angle didn’t work they could just announce it on Twitter and post the content on Pastebin.



Having good backups fixes the ransom problem because you don’t care that they can delete it. But disclosing that they could get to the data in the first place—that’s different. Backups don’t help you there.



Think about all the security vendors out there—all the companies whose business models are based on people trusting them. What would they lose by being embarrassed in this way? What would they lose in lost customers and revenue?



A lot more than they’d pay for the first ransom, probably. And it’d at least give them some time to formulate a PR response.



Like I said, this is probably already happening, and it just might get more popular.



Remember that defenses can be good against one attack (backups against ransom) while being weak against another (extortion vs. loss of trust).



Prepare for both.


__


I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.




Published on September 13, 2017 01:36

My Thoughts on the iPhone X Announcement



Apple released its iPhone X (ten, not ex) today. I’m a complete Apple acolyte but can’t help but notice that all the main features (edge-to-edge display, wireless charging, and facial authentication) have already been out for months or years from other vendors.



I get that most of those vendors do those things poorly, and Apple will finally do them well, but that feels to me like evolution instead of revolution. And the truly new stuff they released (the new camera effects, the hardware improvements, etc.), while industry-crushing once again, seems similarly incremental.



Of course it’ll still probably be the most popular high-end phone in the world because it’ll likely execute so well on all these things, and I’ll absolutely be camping for one like I have for the last 9 years. But to truly have been a 10-year anniversary device it seems they should have done something nobody’s done before, and I just didn’t see that.



Perhaps it’s just too hard to do that in today’s market. You can only have so many iPhone-level leaps, and it’s pretty unrealistic to think they (or anyone else) could have timed the next one to an arbitrary anniversary date.



Other things of note:




The number of leaks this time around was insane. It really seems like they could do better there.
The Watch announcement was pretty exciting as well. I’m all about the space grey ceramic, and I hope this release gives us the true futuristic communication device we’ve been wanting all along.
The part that sticks out at the top of the screen is a spear in my side. It’s unbelievably unattractive, and belongs on an Android phone. I get how hard it is, I get that it was probably impossible. Still. It hurts me.
I’m super excited about all the camera upgrades. Can’t wait for this to be my new daily shooter.
The AppleTV looked fantastic as well. I invested in an OLED TV so I’ll definitely be trying to do as much as possible on 4K, and I hope that the final season of GoT will be 4K as well.


All in all, extremely happy with the release. Would have loved to have seen new AirPods, but also happy to have that be more of an event on its own when they get upgraded.






Published on September 13, 2017 00:45

September 10, 2017

Unsupervised Learning: No. 92

This is episode No. 92 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…





This week’s topics: Equifax, Hutchins got Krebs’d, Russia used Facebook, Energy hacking, Anti-protester AI, High-pitched Assistant hacking, tech news, human news, ideas, discovery, recommendations, aphorism, and more…





Read below for this episode’s show notes & newsletter, and get previous editions



















Infosec news 





Equifax has been hacked using a long-existing but newly discovered Apache Struts deserialization vulnerability. It’s one of the worst breaches in history because of the combination of the size (143 million accounts) and the sensitivity of the data (SSNs, Credit Card Numbers, DOBs, Names, Addresses, etc.). There’s a lot of emotion in the infosec community around this breach, with a lot of people claiming that attacking Equifax is victim shaming, while others say that WE are the victims, not the negligent company that lost the data. I’m reminded of what someone said about the difference between people who have access to top secret information and those who don’t. Basically, if you don’t have information and you’re fiercely “debating” morality and facts with people who do, you will look like an idiot no matter how smart you are. My advice is to defend yourself and those you care about (more in the recommendations section) and withhold your opinions until more information is revealed. There’s likely to be a lot of motion in the facts within the next month or so, and until then most vocal responses are likely to either be obvious or wrong. Link



Brian Krebs decided to look into Marcus Hutchins’ past, and revealed that he was in fact a prolific malware author for a good part of his digital life. Many are confused about whether he’s a good guy or a bad guy, and the situation reminds me a lot of Snowden in this way. As I write about here, it’s a false dichotomy. He used to be a malware author, but appears to have largely stopped a while ago, and then he did a great thing for the internet recently. These facts don’t oppose each other; they co-exist as truths in a complex reality. People are multiple people, and my guess (based on knowing very little) is that he’s probably a good-hearted guy who likes hacking, making money, and has been transitioning into a more mature and responsible guy over the last several years. His past simply caught up with him because of the positive exposure from stopping the worm recently. We shouldn’t immediately jump to saying someone is good because they did something good, or bad because they did something bad. You have to take the person as a whole, and only someone who knows you very well can do that. Link



Facebook has revealed that Russia spent $100K on 3,000 ads over two years—ending in May of 2017—to seed social conflict in the U.S. on topics like immigration, race, and equal rights. Virtually everyone I know who is both in information security and has any military / intelligence background agrees that Russia has been doing this sort of tampering with the U.S. for a very long time. As I wrote about here, too many pure infosec people take skepticism so far as to render themselves useless. Their response to the idea that Putin might be trying to sow dissent in the U.S.? “Attribution is hard.” Yeah, well, evidently common sense is harder. Link



It appears that some (likely) Russian hacking groups are gaining deeper and deeper access to some U.S. power companies, using techniques similar to those used against Ukraine. Symantec analysts say that in some places the access includes the ability to actually disable the flow of electricity to parts of the U.S. population. Link



A strong writeup on an interesting hashing bug in the MasterCard Internet Gateway Service, along with a keen observation that companies should pay far more for critical bugs in payment systems. Link



Chinese researchers have found a way to interact with Siri and Alexa at frequencies that humans can’t hear. I love the concept here of hitting an attack surface (a voice interface) right in front of us without our knowledge, but it’s important to note that you should only be able to access commands that are already allowed. So it’s not a matter of too much access, it’s a matter of unknown access. Link



Researchers have developed an AI that can identify protesters effectively even when they’re wearing a disguise. Link



Patching: Apache Struts





Technology news 





Atlassian has launched a Slack competitor called Stride. Seems to me like deep integration with Atlassian’s other products will be a major feature, but I most hope they solve the disjointed Slack authentication problem where you have to manually add all your accounts on every new endpoint. Link



A new AI can tell with 91% accuracy whether someone self-identifies as gay or straight after looking at just a few pictures of them. Link



Lyft is releasing self-driving cars into the Bay Area. Link





Human news 





The NFL is basically walking dead, not because of political protest or pampered pros, but because parents aren’t letting their kids play anymore because of concussions and brain damage. So it’s just a matter of time before the water runs out of the hose. Link



Scotland is looking seriously at Basic Income. Link



Cannabis use in the U.S. is falling among teenagers while it’s rising with adults. Link



Blizzard is opening the U.S.’s first e-sports arena in Burbank, CA for hosting live events. It’s said to be around 50,000 square feet with seating, sound studios, control rooms, and player lounges. Link



Bacteria use brainlike bursts of electricity to communicate with each other. Link





Ideas 





Authentication Types and Their Impact on Forced Device Access Link



I Finally Found a Book Summarization Service Link



Facebook’s Unexpected Usefulness as a Product Discovery Service Link





Discovery 





The New York Times did a tremendous piece of analysis on where Amazon should base its new headquarters. Spoiler: They came up with Denver, but you should really see how they got there. Link



A project around things Every Programmer Should Know Link



A philosopher argues that we don’t actually want equality, but rather fairness. Link



A collection of adversarial example resources for attacking AI systems. Link



Managing secrets with Git. Link



The incredible growth of Python. Link



Pharos — A static binary analysis tool. Link



LiMEaide — Remotely dump RAM off a Linux system. Link





Notes 





I’m working with my buddy Jason to re-work the SecLists project. The primary thing we’re doing is creating SecList-branded recommended lists that sit in the root of each section. So rather than just giving you dozens of various lists, we’re going to do the work of curating and consolidating the best lists into a combined few that start with “SecLists”. All the others will still be available in a subfolder, but the idea is that you should be able to take one of the curated lists and quickly get the best results. Link



I wanted to say thanks to everyone who’s subscribed so far on the new support page. A number of people have already opted for support at the mentorship levels of $50 and $100, and I’ve already started working with them to help launch or further their infosec careers. It’s really rewarding to help people out in this way, and I look forward to doing more of it. Link





Recommendations

 



There is a good chance that you might have been affected by the Equifax breach, and even if you weren’t it’s probably time you took these steps anyway.



Ensure your mobile phone carrier has a good (not easily guessable) pin on your account so that someone can’t call and change your primary password reset mechanism (phone/text).



Monitor your credit constantly using Credit Karma or one of a number of other services.



If you know or suspect you might be at extreme risk for whatever reason, and you understand the tradeoffs, consider freezing your credit.



If you believe your credit or identity has been compromised, use identitytheft.gov to start fixing it.



Use extended fraud alerts to monitor your credit going forward.





Aphorism



“Everything in moderation—including moderation.” ~ Harvey Steiman

















Thanks for listening. I’ll see you next week.









Published on September 10, 2017 20:27

September 9, 2017

EDM Types



I’ve been going to EDC for a number of years now, and every year I tell myself I’m going to make myself a quick guide to the main EDM types.



Not an exhaustive guide, because those are arguably so detailed as to be unhelpful. Just a quick list with a quick description.



Genres


Ambient: Atmospheric and background.
Drum and Bass: Lots of breakbeats and bass.
Hardcore: Faster than most, pronounced and distorted kicks, often aggressive themes.
Hardstyle: Almost as fast as hardcore, kicks are almost as hard as hardcore, and lots of storytelling.
House: Slow and repetitive 4/4 beats, drum machines, off-beat hi-hat, and synthesized bass lines.
Techno: A bit slower, repetitive 4/4 beats, often with fictional or futuristic themes.
Trance: Also slower, repeating melodic phrases, and tension building that ends in one or two drops.


Notes


I got many of these descriptions from their respective Wikipedia articles as well as other guides. I certainly don’t have the three decades of experience required to make them myself.





Published on September 09, 2017 01:26

I Finally Found a Book Summarization Service



For like the last 10 years I’ve been looking for a solid book summarization service.



I occasionally see one and get excited about it, but upon inspection they usually turn out to have like eleven books, or the summaries are crap, or the interface is unusable.



Well I think I might have just found an actual solution, and from Facebook no less, and it’s called Blinkist (referral link included).





I can’t believe I actually found it on Facebook. As I mention here I have actually found tons of good stuff via ads on Facebook, and I get virtually no other value from the service.



Anyway.





I saw an ad earlier tonight for book summaries, and I’m like, “Go on…”



Turns out it’s a small outfit out of Berlin, and they produce not only book summaries, but audio versions of them. And they have lots of titles. Too good to be true, except not.



Some of the features I like so far:




Lots of books
Good summaries and good writing
A combination of text and audio
A solid iOS app
The ability to speed up the audio
Integration with Kindle, so you can send a “Blink” to your Kindle device
Good tracking of what you’ve completed
A solid UI / UX


I can’t even describe how happy I am to have found this. I’m going to read like 12 books this weekend.



If you’re interested (as you should be), here’s my referral code. Not sure what I get if you use it, but I know it doesn’t affect you at all.



So excite!



I hope you enjoy it as well, and if you have any comments let’s talk about it on Twitter, Facebook, or email. Would love to hear if you like it as much as I do.






Published on September 09, 2017 00:29

September 8, 2017

Facebook’s Unexpected Usefulness

I don’t use Facebook much in my personal life, but I do have a page for me as a business or brand or whatever.



Over the last couple of years I’ve started to notice the high quality of ads on Facebook in the rare times that I do go on. So much so that I’ve actually bought several things that I saw on there first.





I just did that again tonight and found Blinkist, a service that evidently gives you quick summaries of the best nonfiction books out there. It’s something I’ve been seeking for years.



So I’m left with the strange realization that my best use for Facebook is to find products I want to see—from ads.



In other words, it’s a service where the main value proposition (networking) is extremely worthless to me, and the supposed downside (ads) actually performs curated product discovery that I find useful.



It’s a strange world.






Published on September 08, 2017 22:41

Authentication Types and Their Impact on Forced Device Access



We’re hearing a lot about what Apple is doing with the new iPhone, specifically around facial authentication replacing TouchID.



I think there is some cool stuff around this, particularly how it seems that there are a lot more authentication data points with a facial scan than with a fingerprint scan.



But there’s one thing that I find interesting about the switch: forced unlock—especially by law enforcement.



Since the explosion of smartphones there’s always been a risk of law enforcement forcing you to give access to that device, potentially to learn of something malicious you’ve done.



It started with passwords. They could compel you to give yours up—or not—based on the law. That one’s pretty clear: either they scare you into giving up a secret that’s in your head, or they confiscate the phone and attack the password mechanism (enter the San Bernardino situation).



Then there was Touch ID. Touch ID is interesting because it’s more secure in a lot of ways, but at the same time it opens a different avenue for police to compel access. In many jurisdictions it’s a different type of law that determines whether they can force you to divulge a password vs. forcing you to supply your finger. Apple has gone so far as to build a Cop Mode feature into iOS 11 that allows you to disable TouchID if you think you’re going to deal with law enforcement.



And now we’re entering the world of facial and iris based authentication. This is another model entirely. Now you don’t have to get a secret out of somebody’s head, and you don’t even have to get their physical body to touch something. All you have to do to unlock the device is hold it up to their face.



It’s a weird mix of more and less secure, and in ways that people are going to have to understand better.



Passwords are easier to guess than brute-forcing TouchID. Facial scanning probably has way more data points than fingerprints. But it’s also getting easier and easier to force someone to authenticate using those methods.



TouchID works if the person is unconscious. And it’ll be interesting to see how easy it is to authenticate someone’s face while they’re asleep (or worse) as well.



The whole evolution of personal device authentication is a great example of the necessity of threat modeling to understand how effective various controls are.



Notes


Here’s an example of how not to do it.





Published on September 08, 2017 22:32

September 4, 2017

Unsupervised Learning: No. 91

This is episode No. 91 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…





This week’s topics: 465K pacemaker patches, Instagram leak, DJI bounty, marketing departments messing up security news, false dichotomy in complex issues, IRS social media mining, death of Sun, more fake Wells Fargo accounts, human echolocation, facial gestures as interface, discovery, recommendations, aphorism, and more…





Read below for this episode’s show notes & newsletter, and get previous editions



















Infosec news 





465,000 patients are being told to visit their doctor and get their Abbott/St. Jude pacemakers patched. As is the case with so many of these types of vulnerabilities, a local attacker can potentially use RF to disrupt or change the operation of the device, which for a pacemaker means potentially causing harm or death. Link



Instagram leaked a bunch of emails and phone numbers through an API vulnerability. The attackers collected data on a number of high profile types, but are also selling a larger dataset of non-verified users. I think API security is going to be a much bigger topic in 2018. So many companies think their attack surface is the website, and that 2FA solves everything, but API access is done via tokens and secrets—a.k.a. username and password. API security is at least a couple of years behind other types of web security. Link



An ingenious way of attacking someone on Twitter: take your swarm of spam accounts and follow someone you don’t like. Twitter will see it as a sign that the victim did something shady to gain followers, and they’ll ban their account. Link



AT&T U-verse modems appear to have some serious problems. Not sure why this isn’t bigger news. Link



DJI, the Chinese drone maker, has launched an internal bug bounty program. They’re offering between $100 and $30K for issues, based on severity. Link



New York has started implementing its new laws around cybersecurity for financial institutions. They’re requiring financial institutions of a certain size to have a risk program, follow a policy, have incident response, have a qualified CISO, have trained security people, limit their access privileges, and provide 72-hour notice for certain types of events. It looks to me like massive progress. Link



A professor at WSU’s college of business believes the IRS is mining people’s social media data to decide who to audit, and she’s produced a 55-page paper that makes her case. I think there’s a good and a bad way to do this. If they’re digging into personal things and looking for gotchas, that’s one thing, but if they’re using automation to validate things that would otherwise be manual then I say bring on the efficiency. The legitimacy is in the details. Link



Qadium is a security startup out of San Francisco that basically looks like Shodan with nice handles and a GUI. It’s also not publicly available data, and it lets you focus results on a particular target company. It’s backed by Peter Thiel, the CEO is ex-CIA, and they appear to have around $66 million in funding. Link



Australia is going to start using drones to patrol for sharks near popular beaches. The drones will also have speakers, so if they identify a shark nearby they can tell the people on the beach to get out of the water. Link



The data breach at Yahoo evidently cost them around $350 million in purchase price re-negotiations. That’s a large number, but we should be cautious about thinking this is the new standard for data breach impact. As breaches get more common I expect the overall impact (especially from lost confidence in the brand) to go down, not up. Link



Patching: RubyGems





Technology news 





Oracle has killed Sun. They basically laid everyone off and hoped nobody would notice. Growing up in the Bay Area, this is a bit sad. Fun fact: the other side of the Facebook sign (that used to be the Sun campus) is the original Sun logo. I hope they keep it for at least another 10 years. Thanks Sun, you did a lot for this industry. Link



Microsoft is offering a real-time coding editor that you can use to do remote developer interviews over Skype. Link



A company in Thailand has developed a smart dog vest that streams live video when the dog barks. They’re basically trying to turn stray dogs into a security monitoring force. Link



Tinder became the top grossing app on the App Store for the first time. Link



Salesforce and IBM are already integrated via their AI products, but now they’re doing more integration around data. Link



Wells Fargo has added another 1.4 million fake accounts to their previously discovered 2.1 million number, bringing the total to 3.5 million accounts. They were basically signing people up for accounts without their knowledge to raise their sales numbers. Even worse, they started charging fees to almost 200K of them. Gross. Link





Human news 





Hurricane Harvey destroyed around 40,000 homes and around 1,000,000 cars. The loss of the cars has been estimated at somewhere between $2.7 billion and $4.9 billion. Link



Some blind people are able to use a series of mouth click sounds for echolocation. Link



A massive new Canadian study on carbs and fat in diets has found that too little fat is bad, too many carbs are bad, and ultimately that moderation is best (no duh). They found that the ideal percentage of carbs for a meal is around 50%, with another 35% coming from the various types of fats. I assume the remaining percentage (15%) would be protein. Link



A psychiatrist at Yale did a brilliant study that showed that people’s expectations of how reality will be can actually alter their perception of it. In other words, if you believe you’re about to hear or see something, you can actually experience that thing happening even if it doesn’t. This is super interesting because it explains (to me anyway) how people who believe ridiculous things about the world can then have those beliefs reinforced by their own brains. It further emphasizes that beliefs matter, not only because they predict action, but also because they affect how someone experiences the world. So maybe that person did see a ghost, or maybe they did hear a god talk to them. But that doesn’t mean it happened. What it means is that they thought it was likely and therefore their brain made it happen and they believed it. Link



Silicon Valley is going after teachers with brands, and it’s making some folks uncomfortable. I personally think most people are going to be heading towards branding for the simple reason that the previous reason for not needing one (having an employer where you’re safe) is going away. In short, when your company sees you as a burden that they’d rather get rid of, you better have a brand that can help you stand out against the crowd. Expect more of this in virtually every industry. Link



Women outnumber men (54% of players) on Tencent’s top game Honour of Kings, which is a more social adaptation of League of Legends. In most similar games, females account for only around 35% of players. Link



China is getting extremely serious about cleaning up pollution and moving to renewable energy. They’re kind of changing everything overnight, and I think they’re going to quickly leave the U.S. far behind. One thing I admire about them is their ability to move quickly for a shared goal. Link Link





Ideas 





Marketing Groups are Junking Up the Security News Link



Facial Gestures and Eye Tracking as Computer Inputs Link



My Problem With Buddhism Link



Reading is Life Link



On complex topics, the truth is probably a hybrid of all the positions that are held by different sides. Don’t fall into the temptation to choose just one of them. Link



Companies are moving to a new model: keep the core competency in-house, and outsource everything else. Contractors are not treated well, they don’t get most benefits, and they can’t necessarily depend on work. As I’ve written about many times before, this is precisely what we should expect. Corporations don’t have an obligation to society; they have an obligation to customers and shareholders. They will do what makes those groups happy, and if that means a massive percentage of the country goes without a job, so be it. Don’t be surprised. Expect it. This article comparing the lives of two janitors—one from the 60s and one from today—captures this new reality really well. Link



Is coding becoming the new middle class, blue-collar job? I think this is a fascinating idea, and the analogy gets even more interesting when you consider how automation will remove it as a source of jobs at some point in the future. Link



$337 Out of Pocket to See a Doctor in Las Vegas Link



The term “vet,” as in “that person needs to be vetted,” comes from horse racing: a veterinary doctor had to medically clear horses before they could race.





Discovery 





A malware analysis cheat sheet. Link



A Hacker News thread on the books that changed peoples’ minds about how the world works. Link



A curated list of coding music. Link



The Unfortunate Fallout of Campus Postmodernism Link



Some great analysis of a 320M password hash dump. Link



Analysis of the Alexa top 1M from a security standpoint. Link



Someone has built a device that emits various smells when it detects a data leak, like the butane smell we associate with a leak in a gas pipe. Link



An argument that you don’t need that much of a math background to build and get value from ML models, and that you most need data analysis skills instead. Link



Reverse engineering a Google Voice appliance. Link



Damn Vulnerable Docker VM — A VM image that lets you test for Docker vulns in two different difficulty levels. Link



What’s the best real-life plot twist in history? Here’s a pretty good candidate. Link



The updated HTML5 security cheat sheet. Link



ISF — An industrial control system (ICS) exploitation framework, written in Python, that operates like Metasploit. Link



Domain Analyzer — Discovery of DNS, mail, IPs, Nmap scans, SPF info, etc. for a target domain. Link





Notes 





I’m almost done with The Gift of Fear. It’s quite short and quite excellent. Link



I’ve moved off of Patreon for multiple reasons and created a new site that uses Stripe where people can support my work. If you like the site, the podcast, or the newsletter, consider throwing me a monthly bit of support over there. Thanks! Link





Recommendations

 



One of the most important things you can have for your business is a list of every third party that has your data. If you don’t have this list then you are blind to a significant amount of risk, and if you do a lot of business in the cloud then the risk is even greater. Asset management is the core of any successful infosec program.



The Gift of Fear is a super short book about recognizing everyday threats. Read it, and give it to everyone you think might need it. Link





Aphorism





“Comedy is a funny way of being serious.” ~ Peter Ustinov
















You can also sign up below to receive this newsletter—which is the podcast’s show notes—every week as an email, and click here to get previous editions.





And if you enjoy this content, please consider supporting the site, the podcast, and/or the newsletter below.







Thanks for listening. I’ll see you next week.





__


I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.




Published on September 04, 2017 14:04

September 3, 2017

Colophon



This site was started in 1999 at the now closed and migrated dmiessler.com, and initially included writings that I had started from 1996.



It now serves as the umbrella for all of my life projects.



Technology stack


Hosting: AWS, Medium instance
OS: Ubuntu
Web Server: Nginx
Application Server: PHP-FPM
Caching: Nginx in-memory
Reverse Proxy: Cloudflare


Publishing


Content for this site is created in Vim and in the built-in WordPress editor.
Source code is managed with Git.
The site’s fonts are Equity and Concourse, by Matthew Butterick.


Tools


I work at a Renew desk, by Herman Miller.
I sit in an Embody chair by the same manufacturer.
My main computer is a space grey 2017 MacBook Pro with 16GB of memory.
I create my podcast on an ElectroVoice RE27ND.


Software


My podcast is produced with Adobe Audition CC.


Concepts


My podcast and newsletter are called Unsupervised Learning, which is a type of Machine Learning that helps identify patterns in things that might previously have been missed. It also doubles as a statement around learning being best when it’s unstructured and free.

Published on September 03, 2017 19:18

Facial Gestures and Eye Tracking as Computer Inputs



There’s a lot of talk of voice becoming a major computer interface in the coming years. I agree with this, and I talked about it in my book.



But there are some major limitations to voice.




It’s audible (that’s the whole point) so it’s not great for use in extremely quiet places like libraries, or extremely loud places where the system won’t be able to hear you.
Compared to other input methods like pressing a button or making a subtle gesture, voice is slow. It takes time to form a response, and it takes time to vocalize that response.


Apple is supposedly releasing an iPhone that uses facial recognition for its authentication system. It’s evidently using some sort of 3D facial scanning technology that is faster and more accurate than TouchID.



While using this for authentication is interesting, I think the idea of using it as an input system is far more so.



If the tech is good enough, you could control your phone simply by doing the following while looking at it.




Smile (like)
Frown (dislike)
Snarl (dislike)
Blink your eyes while looking at something (select)
Look bored (meh)
Have your pupils dilate (involuntary) (love)
Roll your eyes (bored) (meh)
Tilt your head slightly one way or another (control interface)
Slightly nod (accept)
Slightly shake the head (decline)


Etc.



The key thing is that this wouldn’t be the entire interface. You’re also holding the phone, so you could use your thumbs to do some of this, e.g., swiping side to side with the thumb to go backward and forward.



And you’re also using voice at the same time.



So imagine a system where you’re holding your device.




You say “Show me things about the new AirPods.”
It brings you results instantly.
You look at a result and blink quickly, and that link opens.
You very subtly frown, snarl, shake your head, or thumb swipe backward to go back to your results.


ANY of those. Or all of them.



The insane part is how little you’ll have to contort your face. It’s not like you’ll have to make exaggerated expressions or head motions.



No.



Over a short training period, combined with billions of human input cases that continually teach the machine learning, you’ll soon be using the system extremely naturally. You’ll feel as if you’re just looking at your phone, and your NORMAL reactions to content and interfaces will be enough to send the commands that you wanted to send.



And of course, the system will also be learning your individual preferences for the mixture of these inputs you prefer, i.e., how much emoting, how much voice, how much touch, etc.



The power here, and the potential for misuse, will be unbelievable.



Apps like Facebook that show you content and want to know how much you liked it will make sure you’re incentivized to enable all the “EUIs” (emoting-based user interfaces) on top of the standard touch and voice options.



Why?



Because they’re going to (with your permission of course, which everyone will give) AUTOMATICALLY record likes, dislikes, loves, etc. So when your pupils dilate, or you focus on something for a long period of time, or you tear up at something sweet, the system will capture that response—no matter how subtle it is—and will do something with it.



At the shady level, companies like Facebook will be able to know exactly what makes people angry, sad, willing to purchase, inspired to act, etc., and it will use that data to serve content that gets more reactions.



Users will like it because the system will “just know” what you wanted to do anyway, in the vast majority of cases. It’ll start by prompting you.




Like this content?




Because it read your face and it knew you did.



The reason that it’s going to require some interaction, though, is because you might see someone’s new boyfriend, or their best piece of artwork, and your natural reaction might be:




Ewww…




(with the face that comes with it)



Imagine automatically sending EWWW to all your friends’ content whenever you genuinely felt that way about something they shared.



It would hurt a lot of friendships.



Ditto for “Should I send LUST?” for pictures of your buddy’s new wife or husband.




Hey Karen, I just noticed you had EUIs turned on and you got all hot and bothered looking at my husband in my wedding video I just posted. Consider yourself uninvited to the ski trip this weekend.




Technology giveth, and technology taketh away. In this case it’s giving you better responsiveness and prediction and taking away some relationships that are based on polite social deception. (see: lots)



The power (and danger) of applying cameras and machine learning to the human face is that it can tell a computer not just what we want to tell it, but also what we want that we didn’t know we wanted, and that’s one very significant step towards reading our thoughts.



When the subconscious controls our expressions, and our expressions can be read and interpreted by computers, this type of interface becomes a window to our actual self.



And our actual self is scary. So much of interacting with people and society is built upon not showing the actual self, but instead the self that you’re actively projecting for a purpose. And cameras + ML will cut right through that for all but a few who know how to control it.



And as I wrote about in my Lifecasting piece in 2008, what kind of society will it be when everyone knows that cameras are watching? Especially when those cameras are basically ML algorithms with eyes.



One result will be obvious: more and more people will become good at not emoting, not saying anything controversial, or—in other words—not being themselves.



You go into public and you become stoic. People will probably wear masks to hide the algorithms from reading their expressions as they are presented content on the street, or as they see people around them. They wouldn’t want to be considered rude for the look of disapproval that their face accidentally sent when they saw someone.



Anyway. Sorry to head down the downside path. I’m a security guy, so it happens.



Expect to see this hybrid type of interface sooner rather than later—especially now that we appear to have the beginnings of the tech that can enable it.



(Blink twice if you liked this article.)


Published on September 03, 2017 07:15
