Unsupervised Learning: No. 67

This week's topics: CloudBleed, SHA-1, White House Leaks, Planets, Satellites, Drones vs. Eagles, InfoSec Jobs, ExFil, IQ and Creativity in a Post-work World, Weaponized Narrative, Security Tools, Tons of Great Links, and more…





This is Episode No. 67 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.



The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.





The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.





Infosec news





Tavis Ormandy of Project Zero discovered a major flaw in Cloudflare this week, which is being called CloudBleed. The best way to describe it is that Cloudflare's servers were leaking memory into responses, so content belonging to one protected site was randomly injected into the pages served for other websites hosted on Cloudflare. So they were protecting OkCupid, for example, and if you were visiting any site hosted by Cloudflare you might get random data from OkCupid injected into the page you got back. Project Zero and Cloudflare worked to fix the issue quickly. Link



A large number of Google users reported being mysteriously logged out of their accounts last Thursday, which was concerning timing given the situation with the Cloudflare vulnerability. Google said, however, that it was a maintenance issue on their side, and was unrelated to the Cloudflare bug. Link



Google researchers have demonstrated the first practical collision attack on SHA-1 by creating two different PDF files that produce the same SHA-1 hash. Contrary to what much of the media is saying, this is not an extremely practical or realistic attack vector right now. It took Google two years of work to produce this, so it's pretty unlikely to be used against you. It should, however, slightly speed up your migration to a stronger option. Link



Havyn is IBM Watson, but for information security analysis. People would think it was less awesome if they realized that IBM Watson has already replaced a decent number of information security related jobs. In the short term, though, it'll free security analysts up to do other things. Link



Sean Spicer has inspected his aides' mobile phones for apps like Signal and Confide to make sure they weren't communicating with reporters. He then ordered them not to talk about the fact that he was checking for leaks, which was then leaked. Link



With its 88 new satellites, Planet is about to become the world's largest space surveillance company. Link



Terrorists are building drones, and France is using trained eagles to counter them. Link



Over half of infosec job openings take 3-6 months to fill, and less than 1/4 of applicants are qualified for the jobs they apply for. Link



A new covert data exfiltration technique has been demonstrated: malware blinks a light on a computer, and the blinking is monitored and decoded by a drone. Link



Netflix released a fascinating new tool called Stethoscope, which is a user-focused security recommendations system for employees. Link





Technology news





Nokia appears to be trying anything, and has relaunched its used-to-be-popular 3310 phone. I have to admit it does look somewhat attractive, but I don't see a legacy form factor device like this selling well until we have separate displays and digital assistants, i.e., until the device isn't the center of the world. Link



Waymo is suing Uber, saying an employee stole around 14,000 files from them and took them to Uber. The content in the files allegedly led to innovations that have produced around half a billion dollars in revenue. Link



Facebook has open sourced Prophet, a data science forecasting tool for Python and R. Link



Google is about to start adding a "fact checked" tag to certain stories in their results. Link



Android Nougat was released in August of 2016 but fewer than 1% of devices are running it. Link



Linode is evidently losing customers massively as a result of their repeated DDoS outages. I'm about to be another one who's leaving. Probably heading to AWS. Link



Tesla is looking to sell cars complete with insurance and maintenance. Link





Human news





Bruce Lee used to write letters to himself about authenticity and personal development, and they've been released for the first time. Link



NASA found 7 Earth-like planets, just 40 light years away. Link



Kim Jong-Nam was killed by the VX nerve agent, rubbed on his face by a woman at the airport. The entire story is beyond-fiction spy stuff. Link



Fantastic hand-drawn infographics by Wendy Macnaughton. Link



Travel Press is reporting a massive drop in tourism to the U.S. Link





Ideas





IQ and Creativity in a Post-work World Link



Weaponized Narrative is the New Battlespace Link



Companies Exist to Service Customers, Not to Employ People Link



You Should Have Two Different Kinds of Hiring Interview Link





Discovery





Troy Hunt's analysis of the Cloudbleed bug. Link



20 security startups worth paying attention to this year. Link



Analyzing botnets with Suricata and Machine Learning. Link



A list of sites affected by CloudBleed. Link



If you haven't read about GDPR (the European data privacy law) you should look into it. The short summary is that it gives European citizens back control of their own personal data, and protects that data from being exported and misused without their knowledge. It includes fines for companies who fail to protect the data of EU citizens of up to 4% of worldwide turnover. Link



Evaluator — An open source tool for strategic information security risk assessment. Link



A fantastic piece on the history of Trump, Putin, and a potential new Cold War. Link



MacOS WiFi Cleaner — A tool by Rob Fuller to remove open wireless hotspots from MacOS. Link



Amazon has launched a new blog dedicated to AI. Link



PayloadsAllTheThings — A list of appsec related attack payloads, coming soon to SecLists as well! Link



Google's API design guide. Link



pURL — An API testing tool written in Python. Link



The ICS/SCADA Top 10 List Link





Notes





If I could do any university program today I'd do the Philosophy, Politics, and Economics degree from Oxford. Link



Still working through Hamilton, and my next book will either be The Federalist Papers or Sapiens.



I'll be going to London in the middle of June, so if you're going to be there we should get together.



I'm thinking about doing a live Twitch stream of something I'm calling Office Hours, where people can hit me up on Twitter, YouTube, Facebook, whatever, and ask me anything on the topic of infosec. I'll probably do my first session on my Information Security Career guide, and anyone can ask for more detail on any section, etc. If you're interested let me know on Twitter or via email. Link





Recommendations





Read history. I have learned so much about myself by reading the Hamilton biography. I've seen flaws in Hamilton and Jefferson that I could easily see myself making, and their experience might be able to help me in my own life. Reading does this for you. It lets you live multiple lives. No matter how much you're reading, you can probably benefit by reading more.





Aphorism





"Never confuse movement with action." ~ Ernest Hemingway





Thank you for listening, and if you enjoy the show please share it with a friend or on social media.





I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
