Daniel Miessler's Blog, page 127
April 1, 2017
OPSEC vs. Unsubscribe Phishing Attacks
Woke up in attack mode today.
Consider the common tone of many social media posts complaining about various brands.
I’ve met elementary school kids with more tech knowledge than the average Best Buy store manager.
or…
Anyone know a better bank than Bank of America? I’ve had enough of their mistreatment of customers.
In both of these cases, when made public, the target (yes, let’s call them that) has done something fascinating.
Companies commonly send emails right after in-store or online interactions, so by telling us about the bad experience they’ve just had, they’ve not just told us what businesses they have relationships with—they’ve told us that they would not be surprised at all to receive some sort of email from them.
Oops. OSINT fails are labyrinths of potential negative outcomes.
Phishing tool concept
So how about a phishing tool that parses a target’s social media feeds looking for experiences with any brand, and provides a top 3 list of recent and negative interactions.
Then you build your phishing template for that brand, because they’ll be expecting it.
Then, when they receive it, they immediately find and click the unsubscribe button, and that’s where you’ve placed the malware.
Profit.
Public persona hacking tool concept
Or, better yet, how about an OSINT tool called Adaptash0n that takes any username as an input and provides the following outputs by scrubbing dozens of social media feeds:
Any services that they use (a basic username check on a couple of hundred services)
Any service they complain about (a combination of mention, with an indicator of recent experience, with a negative sentiment)
So the tool basically tells you what type of phishing emails the target is likely to click on, or which services you can go after belonging to them that they might not have maintained good password security for.
Did you remember to change your password for all 113 services you have accounts on, where the password is something well known now from HIBP breaches?
Yeah, didn’t think so.
So basically a personalized targeting tool that gives you suggestions for the best way to hack any particular person with a social media presence.
Summary
When people talk about where they’ve had bad experiences they’re primed to receive an email from that company because it’s common practice for companies to send emails right after you interact with them.
If the experience was negative, they’ll still be pissed at the company, and the email will make them even more angry, which means they’re likely to find and click the unsubscribe button immediately. And that’s where you put the malware.
You can extend this to a full targeting tool that learns all about a given target in an automated way and gives you surface area to attack.
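A defender-side check for the unsubscribe trick described above, added here as an example and not code from the post: the program parses a raw message, pulls the URLs out of the List-Unsubscribe header and every anchor in the HTML body, and flags any unsubscribe link whose host is not under the From domain. The sample message, its domains and IDs are constructed for this example, and registrableDomain is a deliberate two-label simplification.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the List-Unsubscribe header stays on the sender's
// domain, but the visible "Unsubscribe" anchor in the body does not.
// All domains and IDs here are made up for the example.
const sampleMessage = `From: "Example Retail" <survey@mail.example-retail.com>
To: customer@example.net
Subject: How was your visit today?
List-Unsubscribe: <https://news.example-retail.com/u/12345>
Content-Type: text/html

<html><body>
<p>Tell us about your visit.</p>
<p><a href="https://survey.example-retail.com/s/abc">Take the survey</a></p>
<p><a href="https://example-retail-updates.co/unsub?u=12345">Unsubscribe</a></p>
</body></html>
`

// Finding records one link and whether its host is under the sender's domain.
type Finding struct {
	Source        string // "List-Unsubscribe" or "body"
	Text          string // anchor text; empty for header URLs
	URL           string
	MatchesSender bool
}

var (
	anchorRe  = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	bracketRe = regexp.MustCompile(`<([^>]+)>`)
)

// registrableDomain keeps the last two labels of a host. Simplification for
// the example: real code should consult the public suffix list, otherwise a
// host under "example.co.uk" collapses to "co.uk".
func registrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// hostOf returns the host of an http(s) URL; mailto: and malformed URLs yield
// "" and are therefore never treated as sender-owned.
func hostOf(rawURL string) string {
	u, err := url.Parse(strings.TrimSpace(rawURL))
	if err != nil {
		return ""
	}
	return u.Hostname()
}

// AnalyzeMessage parses a raw RFC 5322 message and compares the
// List-Unsubscribe URLs and every body anchor against the From domain.
func AnalyzeMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	sender := registrableDomain(from.Address[strings.LastIndex(from.Address, "@")+1:])
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	add := func(source, text, link string) {
		host := hostOf(link)
		findings = append(findings, Finding{Source: source, Text: text, URL: link,
			MatchesSender: host != "" && registrableDomain(host) == sender})
	}
	for _, m := range bracketRe.FindAllStringSubmatch(msg.Header.Get("List-Unsubscribe"), -1) {
		add("List-Unsubscribe", "", m[1])
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		add("body", strings.TrimSpace(m[2]), m[1])
	}
	return findings, nil
}

// SuspiciousUnsubscribeLinks returns unsubscribe links (by header or anchor
// text) whose host is not under the sender's domain.
func SuspiciousUnsubscribeLinks(raw string) ([]string, error) {
	findings, err := AnalyzeMessage(raw)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, f := range findings {
		unsub := f.Source == "List-Unsubscribe" || strings.Contains(strings.ToLower(f.Text), "unsubscribe")
		if unsub && !f.MatchesSender {
			out = append(out, f.URL)
		}
	}
	return out, nil
}

func main() {
	bad, err := SuspiciousUnsubscribeLinks(sampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsubscribe links leaving the sender's domain:", bad)
}
```

Run as is, it reports the one body link that leaves the sender's domain while the header URL and the survey link pass. The check only covers the link-to-sender mismatch; a forged From domain is the job of SPF, DKIM and DMARC, so this belongs beside sender authentication in a mail filter, not in place of it.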
Now for breakfast and coffee.
__
I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
March 30, 2017
The Bottom Turtle of Cloud Secret Management
One of the best talks I saw at Enigma 2017 was this one by Ian Haken (@ianhaken) of Netflix about establishing a trust scaffolding within the cloud.
When building complex IT infrastructure you always have to create, retrieve, and store secrets, and when you’re doing this quickly, at scale, like we do in modern cloud environments, you have to start wondering where the trust chain begins.
Ian does a great job of explaining this in his talk, using the metaphor of turtles standing on turtles. Eventually you realize it’s turtles all the way down, and it gets a bit hopeless.
A solution
Ian explains that the solution to the problem comes from AWS itself.
In order to grant secrets to something or someone, you have to first confirm their identity. There are many ways to do this, but none of them really scale well in ephemerally paced cloud environments. But AWS has an API where an instance can ask who it is and what it’s meant to do.
AWS then returns a signed document attesting to the identity of that instance, and the instance can then send that document to the service that grants secrets, whether that’s some microservice, HSM, or whatever.
Summary
Secret management is hard.
Traditional ways of solving the problem tend to be impractical in ephemeral and large scale cloud environments.
The stack of turtles ultimately comes down to identity validation at the lowest level.
AWS is able to validate the identity of any instance in a programmable and verifiable way.
You can use that capability to bootstrap the pulling of keys from a secret service.
BONUS: You can even bootstrap additional secret service instances using the same method.
I think this talk by Ian should be a lot more popular than it is. There are thousands of companies out there struggling with this same issue and that aren’t aware of a provider-based solution to the turtle problem.
If you know anyone grappling with secret management in the cloud, make sure they’re aware of this talk.
Notes
As Ian noted, the solution here is not specific to AWS; it can be any similar service that has the infrastructure to guarantee the identity and characteristics of a given instance.
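An added example of the bootstrap described above, written for this page rather than taken from Ian’s talk or from AWS: a provider that signs instance identity documents, and a secret service that verifies each document against the provider’s public key before releasing anything. The document fields, the account and image IDs, the key type (ECDSA P-256), and the freshness and one-shot checks are this example’s assumptions, not the AWS format or API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IdentityDocument models the claims a provider attests about an instance.
// The field names echo the AWS instance identity document, but this is a
// simplified model written for this example, not the AWS format.
type IdentityDocument struct {
	AccountID   string    `json:"accountId"`
	InstanceID  string    `json:"instanceId"`
	ImageID     string    `json:"imageId"`
	Region      string    `json:"region"`
	PendingTime time.Time `json:"pendingTime"` // launch time, used for freshness
}

// Provider stands in for the cloud's metadata service: it alone holds the
// signing key, so only it can produce a document that verifies.
type Provider struct{ key *ecdsa.PrivateKey }

func NewProvider() (*Provider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{key: key}, nil
}

func (p *Provider) PublicKey() *ecdsa.PublicKey { return &p.key.PublicKey }

// Issue returns the serialized document plus its signature, which is what an
// instance would hand to the secret service.
func (p *Provider) Issue(doc IdentityDocument) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(doc); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	return payload, sig, err
}

var (
	ErrBadSignature = errors.New("document not signed by the provider")
	ErrStale        = errors.New("document older than the bootstrap window")
	ErrNoPolicy     = errors.New("no policy entry for this account/image")
	ErrReplay       = errors.New("instance has already bootstrapped")
)

// SecretService trusts only the provider's public key. The policy maps
// "accountId/imageId" to the secret such instances may receive.
type SecretService struct {
	providerKey *ecdsa.PublicKey
	policy      map[string]string
	window      time.Duration   // how long after launch bootstrap is allowed
	seen        map[string]bool // instance IDs that already bootstrapped
}

func NewSecretService(pub *ecdsa.PublicKey, policy map[string]string, window time.Duration) *SecretService {
	return &SecretService{providerKey: pub, policy: policy, window: window, seen: map[string]bool{}}
}

// Release verifies the signature before trusting a single byte of the
// document, then applies the freshness, policy and one-shot checks.
func (s *SecretService) Release(payload, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(s.providerKey, digest[:], sig) {
		return "", ErrBadSignature
	}
	var doc IdentityDocument
	if err := json.Unmarshal(payload, &doc); err != nil {
		return "", err
	}
	if now.Sub(doc.PendingTime) > s.window {
		return "", ErrStale
	}
	secret, ok := s.policy[doc.AccountID+"/"+doc.ImageID]
	if !ok {
		return "", ErrNoPolicy
	}
	if s.seen[doc.InstanceID] {
		return "", ErrReplay
	}
	s.seen[doc.InstanceID] = true
	return secret, nil
}

func main() {
	provider, err := NewProvider()
	if err != nil {
		panic(err)
	}
	// Placeholder IDs and secret, constructed for the example.
	svc := NewSecretService(provider.PublicKey(),
		map[string]string{"123456789012/ami-example": "db-password-PLACEHOLDER"}, 5*time.Minute)
	launch := time.Now().UTC()
	payload, sig, _ := provider.Issue(IdentityDocument{AccountID: "123456789012",
		InstanceID: "i-0001", ImageID: "ami-example", Region: "us-west-2", PendingTime: launch})
	secret, err := svc.Release(payload, sig, launch.Add(time.Minute))
	fmt.Println("first bootstrap:", secret, err)
	_, err = svc.Release(payload, sig, launch.Add(time.Minute))
	fmt.Println("replayed document:", err)
}
```

The ordering inside Release is the point: nothing in the document is trusted until the signature verifies against the provider’s key, and the policy lookup keys on attested fields (account, image) rather than anything the instance could choose for itself. The bootstrap window and the one-bootstrap-per-instance rule are design choices that limit what a captured document is worth; the bonus case from the summary, bootstrapping another secret service instance, is just one more policy entry.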
March 29, 2017
No, the IRA Isn’t Just Like ISIS
On March 22nd, 2017 a man drove his car into pedestrians on the Westminster Bridge in London, and then attacked a police officer inside New Palace Yard. He killed three people and injured more than 50. The perpetrator had converted to Islam during one of his periods in jail, and the attack had much of the classic structure of an ISIS approach—which encourages individuals or small groups to do whatever they can to harm the west.
It seems likely to me that it was ISIS-inspired, but perhaps it wasn’t. Either way, the image above was passed around on social media. It’s quite well done, and definitely produced a smile from me, but the underlying idea is misguided.
The message is that the IRA and ISIS are basically the same, and that when the IRA was blowing things up all throughout England, nobody was targeting young Irish people the way we’re targeting Muslims today. And since they weren’t, there’s clearly a bias based on race.
This is dumb for two main reasons:
Image from Victor Patterson.
Britain absolutely targeted Irish men during the time that the IRA was active. They actively sought out where young Irish groups were meeting, tried to figure out their connections, their ties to radical ideas, harassed them, searched them, etc.
There is an actual fundamental difference between the IRA and ISIS: the IRA wanted independence from Britain in a tiny part of the world, whereas ISIS wants actual world domination.
The ideology danger test
Here’s a great way to tell how dangerous an ideology is: imagine a world where this particular group gets exactly what it wants.
For the IRA, they wanted Ireland to be left alone. They’d be Catholic, England would be Protestant, they’d mind their own business, and life would go on for everyone. The problem—in their minds—was that England was in their city, in their politics, in their churches, and it had to be opposed. It doesn’t justify what they did, but it’s a pretty classic story of struggling for independence from an external force.
ISIS wants to subjugate the entire planet Earth under Sharia Law.
ISIS makes no secret of its ultimate ambition: A global caliphate secured through a global war. To that end it speaks of “remaining and expanding” its existing hold over much of Iraq and Syria. It aims to replace existing, man-made borders, to overcome what it sees as the Shiite “crescent” that has emerged across the Middle East, to take its war — Islam’s war — to Europe and America, and ultimately to lead Muslims toward an apocalyptic battle against the “disbelievers.”
So, a global battle against the disbelievers in order to subjugate the world under Sharia Law. That’s literally what ISIS is working towards. Quite a bit different from the Irish wanting the English out of one particular part of their country, right?
One wants independence from an oppressing external force, and the other wants world domination that institutionalizes slavery, rape, and dozens of other ancient and horrific practices.
Summary
The image above is cute and funny, but it doesn’t represent reality.
Irish men were absolutely targeted by British soldiers and police during the IRA’s time. When over 95% of your attackers have very specific things in common, not applying additional scrutiny to that group constitutes incompetence.
It’s ridiculous to compare the IRA with ISIS because the IRA just wanted to be left alone in a small part of Ireland, whereas ISIS wants to dominate 7 billion people under Sharia Law.
Don’t accept narratives just because they’re pleasing to your (and my) liberal worldview. Take the time to think about what’s being said.
Notes
Just to be clear, banning Muslims en masse from anything is not a solution here, and I fully oppose the Trump administration’s handling of that issue. But applying some measure of additional scrutiny to people who are likely to have these types of views is not racism, it’s common sense—just as it was for young Irish guys while the IRA was active. We have to understand the difference between intelligent adjustment of scrutiny based on who’s attacking us, vs. overt racism. One is smart and logical, the other is ugly and bad.
March 26, 2017
Unsupervised Learning: No. 71
This week’s topics: Half of Android devices haven’t been patched in over a year, Tavisclosure, NEST camera flaws, senate vs. privacy, electronics ban, bad Let’s Encrypt certs, Moodle SQLi, infosec venture capital drying up, IBM employees heading into the office, Twitter going paid model, Google killing Talk, Quiet spaces, Age of the influencer, AI vs. jobs, tools, aphorisms, and more…
This is Episode No. 71 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here.
The podcast and newsletter usually go out on Sundays, so you can catch up on everything early Monday morning.
I hope you enjoy it.
March 25, 2017
The Rise of the Individual Influencer
I think we’re entering a new era of human creativity and productivity—one that is focused around individual influencers and the value that they bring to the world by themselves. This transition is being driven by several factors:
Companies shedding their workforces due to advancements in AI, automation, and robotics, leaving people to come up with alternative ways to make money.
Mass adoption of mobile technologies that allow anyone to consume anyone else’s content.
The rise of streaming platforms that allow individuals to project their personalities and skillsets into the world.
The commoditization of production and creativity tools that allow smaller organizations and even individuals to produce high quality content.
The realization by business people that—because of the other factors above—value creation increasingly comes from the content creator, and not with the middlemen that stand between them and the consumer.
The combination of these forces is pushing people to platforms like YouTube and Twitch to broadcast themselves, grow an audience, and monetize their following. There are already a couple hundred thousand people doing this, with the top percentages doing the work full-time and making a significant living from it.
The future of work
As I wrote about here back in 2014 and talked about in my book, the Future of Work is everyone being an Uber driver—except for every skill they have.
We’ll all run an application called Work, and within this system you’ll have all your skills, your work history, your certifications in each skill, the ratings you’ve received for previous jobs you’ve done, recommendations from people you’ve worked with in the past, etc.
Think LinkedIn + FICO + the Uber app, except for any job type. People are often able to do many different jobs, with varying degrees of skill, and those will be reflected in the system. People will be listed as a paralegal, a catsitter, an EMT, a Krav Maga instructor, a personal organizer, a public speaking coach, writer, a Good Listener, a plumber, a bassist, a poet, an editor, a bouncer, etc.
And everyone—both people who need jobs done, and those who are available and qualified to do those jobs—will be running the Work app. Incoming jobs will simply flow into you based on your qualifications, your work history and ratings, your preferences, your location, and your availability.
Imagine incoming offers of various kinds being displayed Tinder style—first on a mobile phone like today, but they’ll soon be read to you by your digital assistant, or shown to you in AR. Either way, you’re simply accepting or rejecting various gigs based on your own criteria.
A job creator will say to their digital assistant:
Find me someone to edit this article I just wrote.
And in 15 seconds they’ll return with 3 bids for you to choose from, which were handpicked from among 1,112 good options, which were picked from 234,981 options available. 10 seconds later you’ve made your selection, and within 15 minutes someone highly qualified is working on the job.
With fewer and fewer people working exclusively for one company doing one thing, this will become the Future of how work is done throughout the world.
The role of the influencer
Being an influencer in this new economy will be a massive advantage. It’ll still be possible to have a successful career (if you can call it that) without marketing oneself because the Work platform will make your skills and ratings visible to people who need them, but it won’t be nearly as effective as being an influencer as well.
Most importantly, influencers will become known for doing what they do. That might be professional gaming, it might be music, art, comedy, blacksmithing, executive protection, martial arts, short stories—whatever. There are already many (and will soon be infinitely more) ways to broadcast oneself as an influencer.
You don’t have to sing or even be social necessarily. Some people just draw, or paint, or do whatever they do with their fans watching, and rarely say much at all. Others have very little content and simply are their crazy selves. Both approaches can and will attract followings, as long as there is some core value being transferred.
Ultimately what this means is higher ratings in your actual skills, and the ability to receive targeted jobs within the Work model. So instead of telling your digital personal assistant that you need a personal class on a certain drawing style, you instead say:
Sign me up for a one week class with TheSketcher.
TheSketcher then raises her prices and is soon making incredible money doing a few high-paid gigs per year. This will still be possible without being an influencer, but it will be harder and take more time.
A new platform model
IMAGE 1. — Removal of the middleman.
Another major change I see coming to the concept of influencing is in the way platforms work. Right now platforms such as YouTube and Twitch are very much middlemen. They’re quite analogous to the record companies, Hollywood, and other organizations that serve as gatekeepers between content creators and audiences. You must use them in order to reach your fans, and if you don’t you cannot be heard.
But that is changing, too.
In the entertainment world we’re seeing the lines blur between content creator, distributor, network, and whatever other categories used to exist. They seem to be collapsing into two main entities: content creators, and the audience.
Distributors and other support entities are now having to justify their existence, which is a change I absolutely welcome.
So what I think we’re about to see is a completely different kind of platform—an agnostic one that provides mostly bandwidth and sets of enablement tools for content creators and influencers.
So instead of an influencer being forced to live on YouTube, or Twitch, or Beam, or wherever—where they don’t have a direct tie to their audience, they aren’t able to easily reach out to that audience directly, and where the platform benefits most from monetization—I think we’re going to see agnostic broadcast platforms that allow audiences to connect to the influencer directly.
The difference is subtle, but transformative.
Rather than platforms being a middleman making all the money and controlling influencer audiences, the platform will just be the broadcast medium for the influencer themselves, and any services that want to benefit from the influencer’s reach will have to market themselves to the influencer.
They won’t be in the middle.
So the bandwidth platform still gets paid, but the conversation switches from this:
OLD PLATFORM-CENTRIC MODEL: You’re lucky I let you live on my platform and give you access to our unbelievable audience. You will pay me this amount or I will kick you off. You will abide by all of our rules, or I will kick you off. And you’ll like it.
to this…
NEW INFLUENCER-CENTRIC MODEL: I’ve selected your bandwidth platform from among one of many, and I agree to give you 4% of my profits. While I’m small I won’t cost you much, and when I get big you’ll make a lot off of me, which I’m happy to give due to your great service.
And it’ll be the same with sponsors, advertisers, free gifts, promotions, and the dozens of new services and monetization models that will emerge to serve the influencer and benefit from their reach.
Prepare yourself
Not everyone needs to try to become some internet celebrity in order to prepare for what’s coming. The best thing you can do is start asking yourself the following questions.
How would you summarize yourself?
What are the top skills that you would like to be known for?
What are your interests?
What are you passionate about?
What could you just talk for hours about if someone would listen?
What are you trying to achieve in life?
What do you find interesting in the world?
What are your favorite books?
Your favorite movies?
And for all of these questions…why?
The answers to these questions are you, and they constitute what you project onto the world.
Summary
Knowing what you’re about and what you can offer to others is going to become essential in the new economy. In the past we had companies marketing themselves, with the employees doing the work that they found.
When people are forced to work for themselves, that marketing falls on the individual.
It’s time to get yourself and those you care about ready for what’s coming.
March 24, 2017
On Islam it’s Extreme vs. Extreme
Canada is trying to make it illegal to criticize Islam by labeling all such criticisms as “Islamophobia”.
That’s dumb.
The hard right in the U.S. and Europe wants to do the exact opposite and label all Muslims as terrorists.
That’s dumb too.
So now the forgotten center of these two countries gets to watch the fringe extremes battle back and forth as if they represent the people.
They don’t, but they might as well, because the center is non-existent or silent.
Nothing good can come from two idiotic extremes battling each other and convincing the people that their narratives are the only options. We need a logical third option that shows the flaws in both.
Let me try:
Where Islam opposes humanist ideals it should be criticized and countered.
Where Islam embraces humanist ideals it should be respected.
This applies to any other religion or ideology as well.
See? It’s not hard.
March 21, 2017
Game Design is About to Become a Critical Career
Game Design—defined not just as the visual elements in a game, but the underlying structure, incentives, value systems, and other mechanics—is about to become an extremely important job in our society.
In the past the title was associated with the visual aspects of video games, such as the art, the interfaces, etc., and video games have long been a major source of entertainment, but we’re about to see a fundamental shift in the importance of games.
Because real life is becoming less attractive to the masses due to automation taking jobs, Game Designers will suddenly take on the monumental responsibility of providing humans with meaning.
As more and more people are fired from jobs, fail to get jobs after high school and college, gaming (which I’ll say includes all types of non-reality-based technologies) will become the main way people seek and attain any sense of meaning in their lives.
They’ll do work there. They’ll provide value there. They’ll receive positive reinforcement there. They’ll maintain social bonds there. It’ll be reality remade in a form that AI improves rather than replaces (unlike the real world).
And it will be up to the designers to create and tweak the underlying mechanics for these new realities.
How difficult is it to do things?
What is the penalty for “dying” in the game?
How do you incentivize different things you want to happen?
How do you balance grinding and suffering with rewards and advancement?
These are God questions, and they’re about to be re-explored and answered by a special set of geeks.
The job will be quite cross-discipline, at least at the high levels, because you need to understand not just aesthetics, UI, UX, etc., but also the fundamentals of human psychology. Solid backgrounds for these positions will include evolutionary psychology, psychology, game theory, anthropology, design, etc. It’s a spectacular mashup of talents.
So if you’re wondering what a really solid career choice is, going 10 or 20 years into the future, think about the underlying mechanisms that will need to be in place to support and enthrall billions of people who are not useful to analog society due to AI/automation/robotics.
That is the world that’s about to become most people’s primary reality, and it still needs to be built.
Notes
It’s true that AI will eventually get so good that it can do a lot of this design itself, but for a long while the extremely cross-discipline nature of this type of creativity will still require humans.
Image from Adobe.
__
I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
March 19, 2017
Unsupervised Learning: No. 70
This week’s topics: Russians at it again, Microsoft and Adobe updates, PoS breaches, US-CERT throws TLS shade, epilepsy tweet stalking, Tesla’s billion, lip-reading AI, autonomous BMWs, Fiber Lasers, taxing robots, Green Zones and Red Zones, AI disruption of healthcare, discovery, recommendations, and aphorisms, and more…
This is Episode No. 70 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.
Infosec news
Two Russian FSB members and two Russian hackers collaborated to execute the Yahoo! breach in 2014. This isn't the 2013 Yahoo! hack of a billion accounts. Or the other one. This is the 2013 one. Link
Adobe and Microsoft both pushed out significant patches last week, with Adobe fixing a bunch of Flash issues and Microsoft dropping 18 update bundles. Link
1 million decrypted Gmail and Yahoo! passwords are available for purchase. Link
Brian Krebs is reporting another PoS breach, this time for a restaurant chain called Select Restaurants. His analysis is that the hospitality and restaurant industries are massively owned, and that this is especially true for smaller chains that don't have direct relationships with the banks whose cards are being run through their PoS systems. Link
In a regular yearly tradition at CanSecWest in Vancouver, vulnerabilities were found in Safari, MacOS, Microsoft Edge, Adobe, Firefox, etc., and someone also escaped a VM. Link
US-CERT has thrown some shade at HTTPS interception appliances and services like Cloudflare by saying they have a negative effect on secure communications. Link
33 million US employees have had their data leaked. The data was discovered by Dun & Bradstreet, and is available in Have I Been Pwned. Link
GitHub awarded an $18,000 bounty to a researcher who found an RCE issue in GitHub Enterprise. Link
Ubiquiti has a critical command injection vulnerability in more than 40 of its products' admin interfaces. Researchers reported the issue(s) to the vendor through its HackerOne bounty program, but went public with it after receiving an unsatisfactory response from the vendor. Link
A Secret Service laptop, security lapel pins, and radio were stolen from a Secret Service vehicle in New York City. Some of the items have supposedly been recovered, but it's not clear which. The incident is yet another entry in the book of recent embarrassments for the group. Link
Sound waves have been used to confuse common accelerometers. Link
A new version of the Shamoon malware, called StoneDrill, has been found on a European petroleum company's systems. Shamoon was popularized back in 2012 for wiping disks at Saudi Aramco, and the new version does that even better and adds lots of more advanced functionality. Link
38 Android devices were found infected with malware pre-installed in the supply chain. Link
WhatsApp and Telegram have flaws that can lead to account compromise. The issue is improper parsing of malicious images in the web version of the application. Link
A man has been arrested for cyberstalking after sending a flashing tweet to a journalist who has epilepsy. Link
Trump has put $1.5 billion in the new budget for cybersecurity and critical infrastructure. Link
Technology news
Tesla is raising over $1 billion to offset the risk of the Model 3 bet. Link
Uber president Jeff Jones has quit amid turmoil at the company. Link
Oxford scientists, in cooperation with Google's Deep Mind division, say they've created an AI that can lip-read better than humans. Link
Microsoft is putting ads all throughout Windows 10, including in the explorer window. Link
BMW is shooting for a level 5 autonomous car by 2021. Link
Netflix is dropping their five star ratings for a thumbs up or thumbs down. Basically, nobody ever uses 2-4 stars; it's always 5 or 1. Link
Tesla's massive batteries are being used to power everything from breweries to small islands. Link
The U.S. Army gets the first 60kW Beam Combined Fiber Laser Weapon. I'm excited and scared at the same time. Mostly excited though. Link
WePay now supports ApplePay and Android Pay. Link
Intel has purchased MobileEye for $15.3 billion. Their technology does computer vision for autonomous driving. Link
Everyone is spinning up for 5G. "Nothing will be mobile because everything will be mobile." Link
Sony is working on mobile-to-mobile wireless charging technology. Link
Nintendo is doubling production of its wildly popular Switch console. Link
Microsoft's Slack rival, Teams, is now open to all Office 365 users. Link
Human news
Numerous and sustained studies of "learning styles" have failed to find scientific support for the concept. Link
Police got a judge to petition Google for an entire city's searches for a given phrase, in order to help solve a fraud case. Link
Tim Cook says globalization is in general great for the world. After reading Naked Economics by Charles Wheelan, I too agree. Link
Bill Gates wants to tax robots. Link
Ideas
Failure, and How to Help People Avoid It Link
Green Zone, Red Zone Link
AI is about to massively change healthcare. Basically, you give more and more of your data, and the system tells you when you're sick, and exactly what to do to optimize outcomes. And it'll do this way better than human doctors. It'll basically be using the power of the entire human dataset each time it looks at you. Link
Discovery
The 6 levels (0-5) of autonomous car autonomy. Link
A list of the crazy cool projects that DARPA is currently working on. Link
Principles of Covert Action. Link
Five myths about obesity in America. Link
Analysis of docker image vulnerabilities. Link
Glitch — A collaborative community for building applications, bots, or webpages. Link
Notes
Brian Roemmele, a prominent technologist focused on the voice-first revolution, tweeted out my book last week and generated a solid amount of interest. If you haven't read the book, or you've read it but not reviewed it, please take the time! Link
I'm speaking at HouSecCon this week with Jason Haddix on our Game Security Framework. The session will be recorded and we'll share it when it becomes available. Link
I've finished Sapiens and have started on Homo Deus. And, yes, Homo Deus is about humans becoming gods, like I said originally. Deus is Latin for god. Someone sent me a correction, which turned out to be wrong. Derp on my part. Link
I really wish Apple Watch had a round form factor instead of square. I get that the iPhone is rectangular, and that this is the shape of all their widgets, but high-end watch faces are mostly round. I'd give anything for an Apple Watch face that looked like a NOMOS TANGOMAT DATUM. The bad news for the watch industry is that I'm basically just going to wait for smartwatches to reach this level of craftsmanship. I can't see myself going back. Link
The OSINT primer is still coming along. Being onsite with customers, along with other projects, has extended the timeline a bit. But it's coming.
I'm working to get some new wordlists (payloads and usernames/passwords) incorporated into SecLists. I've reached out to the creators of the various GitHub projects and they were happy to be incorporated. Will integrate as time allows.
Recommendations
When you patronize hotels and restaurants (especially the smaller ones), expect the chance of POS malware to be far higher. Use a credit card rather than a debit card, and maybe don't use your favorite one. Consider designating a throw-away card that you use for higher-risk transactions, and that you don't mind having replaced frequently.
Aphorism
"People don't seem to realize that their opinion of the world is also a confession of character." ~ Ralph Waldo Emerson
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.
Failure and How to Help People Avoid It
One fundamental difference between the left and right is their approach to handling failure.
I was raised in the San Francisco Bay Area, and what I’ve been taught my whole life is that people fail for reasons that are not their own fault, and so we need to help them. That’s liberal canon.
Later in life I learned there was another school of thought that said people make choices all throughout their lives, and that some make good ones and some make bad ones. And if you make the bad ones then you deserve what you get. If you don’t like your condition, change it. Go out there and work hard for what you want.
Most people seem to fall into one of these two camps, and it’s my current belief that the less educated you are the more you lean towards one side or the other.
So if you’re an uneducated liberal in the Bay Area, you likely think that all poor people are actively trying to better themselves at all times, making all the right choices, but are just being held back by the oppressive “system”.
And if you’re an uneducated conservative in…wherever, you likely think that poor people (not of your exact color and religion) are simply lazy. They could be successful if they simply tried. And because they don’t try, they deserve to be poor, suffer, etc., and we shouldn’t be wasting our resources trying to help them.
It seems obvious to me that both of these extremes should be discarded as mythical. The truth is somewhere in the middle of this spectrum.
What I find most interesting is policy questions around how to improve outcomes. I don’t just want to say that both extremes are faulty, and that the answer is somewhere in the middle. I want practical advice for how to deal with individual, real-world situations.
The role of failure
What I’ve come to realize in the last decade or so is the extraordinary motivational power of failure. It’s been the dominant force in both survival and reproduction for millions of years, and in some fundamental sense it’s a very positive thing.
It’s positive because it inspires positive action to improve one’s situation. It pushes you to pursue a better job, a bigger house for your family, more vacations, a more comfortable retirement, whatever.
The question is: what is considered failure? In the past this was very clearly defined by the surrounding community of “normal society”. If you didn’t have a job, you were a failure. If you had nothing to offer the world, you were a failure. If you couldn’t take care of yourself, you were a failure. If you couldn’t take care of your family, you were a failure.
And everyone would let you know this in various ways. The look of pity or concealed condescension when face to face, the whispers behind your back, etc. That’s how you knew you had failed, and it inspired change.
What many cultural narratives have done, however, is remove the shame of failure. They’ve taken the sting from it and made it an acceptable state. Don’t have a job? That’s fine. Don’t have anything to offer? That’s fine. Don’t give back to society in any meaningful way? That’s fine. They spend time with those who share their lack of ambition, they avoid mainstream “success” types who make them feel like…well, failures.
The problem with liberal culture seems to be accepting millions, or tens of millions, of these people into society by providing them a constant stream of benefits that allows them to survive. They then have enough to technically not die, to reproduce, and to transfer a similar philosophy of success and failure to their children.
And so it continues.
The anatomy of failure
So that section might have sounded like it came straight out of a Paul Ryan playbook. It didn’t. It’s just true. Stay with me.
There is another group of poor people who have completely different philosophical DNA. They work constantly—from one job to the next—for horrible pay, atrocious hours, and end up spending far too little time with their kids. And their kids are the main reason they’re working two or three jobs in the first place.
They were told as children that you’re nothing if you’re not providing for your family, and that you’re nothing if you’re not working. And they absolutely look down upon lazy people who don’t provide or give back. But they weren’t told to go to college. They weren’t told how important education is. And they weren’t told that soda, pasta, and other carbohydrates are not the basis of a healthy diet.
So they end up working their butts off every day of their lives, in multiple soul-crushing and low-paying jobs, just to give their kids a chance in the world. But because they don’t understand that world, they end up giving their kids obesity, diabetes, and virtually zero chance of anything other than the exact life they have. So by age 18 those kids are themselves raising a bunch of kids of their own, working 2-3 jobs, feeding them the absolute worst foods, and stressing manual labor over education.
The cycle continues.
Assessing a given individual or group
Over the last decade I’ve come to believe that the desire for bettering oneself is either there naturally, or it’s not. But I’ve also learned that people have very different ideas of acceptable results.
So to me the fundamental questions are:
What is an acceptable level of life attainment in terms of job type, income, education, etc.?
How passionately will they strive to achieve that level of attainment, and how bad will they feel about themselves if they’re unable to?
Importantly, if you set the bar at “barely surviving” in the first question, then the second question doesn’t matter much in terms of modern society, because it’s easy to achieve.
And if you set the first question bar too low, i.e., at having a manual labor job, or two, or three, and raising a large family so your parents can have grandkids, and giving them all the brand name snacks from the store, and passing along your manual labor work ethic, then you’re in bad shape there as well.
It is good, however, that on the second question, most people who are part of that philosophy will basically kill themselves to ensure they can provide for their kids. Two jobs. Three jobs. Four jobs. 7 days a week. Both parents working. No problem. You do what you have to do.
It truly is admirable, until you think about the fact that this form of suffering is just being perpetuated to the next generation. And this has become dramatically more pronounced over the last twenty years, and it’s about to get far worse because of AI/automation/robots, as I talk about here.
What we need to ask ourselves is this:
What level of the first question should be an acceptable bottom, under which we initiate the timeless weapon of looking down on people? And how much should the answer to the second question matter?
I think a lot, but I’m just thinking through this.
Appropriate action
So assuming we have some answers to that question, what should society do to fix itself?
Here are some things that don’t work:
Telling people who have low standards, and no willingness to strive for anything, that it’s ok because they’re disadvantaged in some way. That’s not good because it shuts down their impetus to strive. It gives them an out.
Telling people who are actually striving and facing obstacles that there isn’t real resistance in the world, in different forms, for different groups. Things are harder for women. They are harder for people of color. Acknowledging this and working to improve it does not have to directly lead to excuses for not striving, and it shouldn’t.
Taking an entire benefit-dependent group of people who forgot how to strive years or decades ago, and suddenly forcing them off of those benefits. This will lead to massive hardship and crime. There has to be some sort of transition.
Two options?
I see two major paths for helping both groups of people: those who have stopped striving altogether, and those who are striving mightily but building lives of hardship for both themselves and their kids.
Do nothing, and cut off the benefits. Build more jails; you’ll need them. This will basically destroy the groups who have stopped striving. They’ll move to streets, take to crime as a means of getting by, and mostly end up in jail. Some, though, will have their survival mechanism kick in, and they’ll enter the workforce doing menial jobs that the robots can’t do yet.
Have very honest conversations with both groups (especially the hard workers striving for the wrong things) that what they’re doing is harming their children’s chances to live a good life. Find ways to convey to them that having no education in the world that’s coming is a sentence of suffering, near-slavery, and/or jail. And that not eating healthy will lead directly to obesity, diabetes, and heart disease.
In short, we have to tell those who don’t understand the world that they are doing this to their kids, and that it’s not ok.
But hold on. That’s the opposite of liberal. Liberals love to say nothing, avert their eyes, mumble something about “not judging”, and then go and buy a latte somewhere.
Well, fuck that. I’m tired of liberal policies that hurt more than they help.
If you care about your fellow humans, it’s time to speak truth. Giving your kids a manual labor work ethic and diabetes is not being a good parent, even if you’re a great person trying your best. The world has become too dangerous and unforgiving to allow us to give this a pass any longer.
Many conservatives say, “Fuck ’em, if they’re too stupid to demand that their kids eat right and get a solid education then they deserve to suffer. Let them die, but I’m not paying for it.”
Most liberals say, “Well, they just have a different perspective! You don’t live their lives. You don’t know their struggles, or their culture, or their world view. You can’t judge. And you’re a horrible person for having the audacity to try to “fix” them.”
I say fuck you to both of them.
I will not abandon my fellow humans who work their asses off to do the right thing for their families. They’re your family. And they’re my family. All tens of millions of them. So yes, it’s my business. It’s everyone’s business.
And I also won’t sit by quietly and let them poison and sabotage themselves, generation after generation, walking their kids right into the waiting woodchipper of this new economy. It’s fucking inhuman to say nothing. To do nothing. To not try to help them.
And why? Why do you say nothing? Because you respect their choices? Fuck that. Fuck you. You don’t respect shit.
You say nothing because you’re a coward who fears the judgement by the liberal mob. And to avoid scrutiny, to avoid labeling, to avoid unpleasant conversations, you’ll remain silent and let millions be devoured by lions right in front of us.
Order your latte. Get your car washed. Enjoy the Alpha life. And refuse to say anything. You are the problem, not the solution, and I declare you the enemy.
Well-off conservatives have this wrong because they don’t realize the goodness and heart of millions of hard-working and struggling people. They assume that if you’re not succeeding it’s because you don’t deserve to, and it’s cold, callous, and wrong.
Well-off liberals have it wrong because they’re unwilling to help their brothers and sisters by passionately coaching them to avoid a painful lifecycle that provided a livable life thirty years ago, but no longer. They know the truth, but they won’t share it because it might be “uncomfortable”.
Both sides are lost, and it pains me.
There is only one hope of raising a family without unbelievable struggle in the world that’s approaching, and that’s to have a solid education and agile mentality that allows you to adapt to situations. Manual labor doesn’t get you there. Hard work doesn’t get you there. Taking handouts doesn’t get you there.
You have to fight, and you have to have the right information to prepare you. Rich people share this knowledge with each other all the time, in the country clubs and private schools across the country.
Whether you’re conservative or liberal, if you have this information, and you’ve used it to propel your loved ones into the top 10%, but you refuse to offer this knowledge to those who are struggling, then you deserve the worst shame of all.
Speak truth. Help each other. And fuck anyone who shouts you down.
Notes
There are other groups of poor people who actually understand the importance of education, get a decent one, have a strong work ethic, and work their whole lives without making it out of the rat race. There are many different reasons for this, but often they’re simply not sharp enough to grasp underlying concepts, adapt to changing situations, don’t have the required social fluency to create relationships, or some combination thereof. And some tiny group have all the right components but also have rotten luck.
Image from Tiny Buddha.