Unsupervised Learning: No. 92

This is episode No. 92 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…





This week’s topics: Equifax, Hutchins got Krebs’d, Russia used Facebook, Energy hacking, Anti-protester AI, High-pitched Assistant hacking, tech news, human news, ideas, discovery, recommendations, aphorism, and more…





Infosec news 





Equifax has been hacked using a long-existing but newly discovered Apache Struts deserialization vulnerability. It’s one of the worst breaches in history because of the combination of the size (143 million accounts) and the sensitivity of the data (SSNs, Credit Card Numbers, DOBs, Names, Addresses, etc.). There’s a lot of emotion in the infosec community around this breach, with a lot of people claiming that attacking Equifax is victim shaming, while others say that WE are the victims, not the negligent company that lost the data. I’m reminded of what someone said about the difference between people who have access to top secret information and those who don’t. Basically, if you don’t have information and you’re fiercely “debating” morality and facts with people who do, you will look like an idiot no matter how smart you are. My advice is to defend yourself and those you care about (more in the recommendations section) and withhold your opinions until more information is revealed. There’s likely to be a lot of motion in the facts within the next month or so, and until then most vocal responses are likely to either be obvious or wrong. Link



Brian Krebs decided to look into Marcus Hutchins’ past, and revealed that he was in fact a prolific malware author for a good part of his digital life. Many are confused about whether he’s a good guy or a bad guy, and the situation reminds me a lot of Snowden in this way. As I write about here, it’s a false dichotomy. He used to be a malware author, but appears to have largely stopped a while ago, and then he did a great thing for the internet recently. These facts don’t oppose each other; they co-exist as truths in a complex reality. People are multiple people, and my guess (based on knowing very little) is that he’s probably a good-hearted guy who likes hacking, making money, and has been transitioning into a more mature and responsible guy over the last several years. His past simply caught up with him because of the positive exposure from stopping the worm recently. We shouldn’t immediately jump to saying someone is good because they did something good, or bad because they did something bad. You have to take the person as a whole, and only someone who knows you very well can do that. Link



Facebook has revealed that Russia spent $100K on 3,000 ads over two years—ending in May of 2017—to seed social conflict in the U.S. on topics like immigration, race, and equal rights. Virtually everyone I know who is both in information security and has any military / intelligence background agrees that Russia has been doing this sort of tampering with the U.S. for a very long time. As I wrote about here, too many pure infosec people take skepticism so far as to render themselves useless. Their response to the idea that Putin might be trying to sow dissent in the U.S.? “Attribution is hard.” Yeah, well, evidently common sense is harder. Link



It appears that some (likely) Russian hacking groups are gaining deeper and deeper access to some U.S. power companies using techniques similar to those used against Ukraine. Symantec analysts are saying that the access in some places includes the ability to actually disable the flow of electricity to parts of the U.S. population. Link



A strong writeup on an interesting hashing bug in the MasterCard Internet Gateway Service, along with a keen observation that companies should pay far more for critical bugs in payment systems. Link



Chinese researchers have found a way to interact with Siri and Alexa at frequencies that humans can’t hear. I love the concept here of hitting an attack surface (a voice interface) right in front of us without our knowledge, but it’s important to note that you should only be able to access commands that are already allowed. So it’s not a matter of too much access, it’s a matter of unknown access. Link



Researchers have developed an AI that can identify protesters effectively even when they’re wearing a disguise. Link



Patching: Apache Struts





Technology news 





Atlassian has launched a Slack competitor called Stride. Seems to me like deep integration with Atlassian’s other products will be a major feature, but I most hope they solve the disjointed Slack authentication problem where you have to manually add all your accounts on every new endpoint. Link



A new AI can tell with 91% accuracy whether someone self-identifies as gay or straight after looking at just a few pictures of them. Link



Lyft is releasing self-driving cars into the Bay Area. Link





Human news 





The NFL is basically walking dead, not because of political protest or pampered pros, but because parents aren’t letting their kids play anymore because of concussions and brain damage. So it’s just a matter of time before the water runs out of the hose. Link



Scotland is looking seriously at Basic Income. Link



Cannabis use in the U.S. is falling among teenagers while it’s rising with adults. Link



Blizzard is opening the U.S.’s first e-sports arena in Burbank, CA for hosting live events. It’s said to be around 50,000 square feet with seating, sound studios, control rooms, and player lounges. Link



Bacteria use brainlike bursts of electricity to communicate with each other. Link





Ideas 





Authentication Types and Their Impact on Forced Device Access Link



I Finally Found a Book Summarization Service Link



Facebook’s Unexpected Usefulness as a Product Discovery Service Link





Discovery 





The New York Times did a tremendous piece of analysis on where Amazon should base its new headquarters. Spoiler: They came up with Denver, but you should really see how they got there. Link



A project around things Every Programmer Should Know Link



A philosopher argues that we don’t actually want equality, but rather fairness. Link



A collection of adversarial example resources for attacking AI systems. Link



Managing secrets with Git. Link



The incredible growth of Python. Link



Pharos — A static binary analysis tool. Link



LiMEaide — Remotely dump RAM off a Linux system. Link





Notes 





I’m working with my buddy Jason to re-work the SecLists project. The primary thing we’re doing is creating SecList-branded recommended lists that sit in the root of each section. So rather than just giving you dozens of various lists, we’re going to do the work of curating and consolidating the best lists into a combined few that start with “SecLists”. All the others will still be available in a subfolder, but the idea is that you should be able to take one of the curated lists and quickly get the best results. Link



I wanted to say thanks to everyone who’s subscribed so far on the new support page. A number of people have already opted for support at the mentorship levels of $50 and $100, and I’ve already started working with them to help launch or further their infosec careers. It’s really rewarding to help people out in this way, and I look forward to doing more of it. Link





Recommendations

 



There is a good chance that you might have been affected by the Equifax breach, and even if you weren’t it’s probably time you took these steps anyway.



Ensure your mobile phone carrier has a good (not easily guessable) pin on your account so that someone can’t call and change your primary password reset mechanism (phone/text).



Monitor your credit constantly using Credit Karma or one of a number of other services.



If you know or suspect you might be at extreme risk for whatever reason, and you understand the tradeoffs, consider freezing your credit.



If you believe your credit or identity has been compromised, use identitytheft.gov to start fixing it.



Use extended fraud alerts to monitor your credit going forward.





Aphorism



“Everything in moderation—including moderation.” ~ Harvey Steiman



















Thanks for listening. I’ll see you next week.





I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.




Published on September 10, 2017 20:27

Daniel Miessler