Unsupervised Learning: No. 101

For the best reading experience, I recommend you view this content natively at: Unsupervised Learning: No. 101.



This is episode No. 101 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30-minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…





This week’s topics: Verizon’s DBIR Report, sleeping fingerprints, IoT legislation, S3 security tools, AI tricks scammers, SEALs kill Green Beret, tech news, human news, ideas, discovery, recommendations, aphorism, and more…














Read below for this episode’s show notes & newsletter, and get previous editions









Security news





Verizon has released the 10th edition of its Data Breach Investigations Report. As usual, the report was quite good. They highlighted that 75% of attacks were by outsiders, 81% of attacks involved stolen or weak passwords, and 66% of malware was installed via email attachment, showing that phishing continues to dominate as an attack technique. 73% of breaches were financially motivated, and 21% were espionage. That seemed high to me, which was interesting. Cyber-espionage was the top issue for manufacturing, which makes me concerned for the health of the supply chain. My key takeaway is that I'd love to see a report on the reasons we continue to fail. How can we have such massive security teams and massive budgets but remain so broken? I have my own ideas, but would love to see this studied specifically. Read my summary here.



A woman flying with her sleeping husband unlocked his phone with his fingerprint and discovered that he was cheating on her. She pummeled him so badly that they had to land to take her off the plane. It's an interesting story because it highlights the different threat models against authentication systems. As I wrote about here, mobile authentication systems are strong in some areas and weak in others. The way you pick one is to determine what threats you most care about and then pick the authentication system that best protects against those threats. FaceID, for example, would not have opened if he had the “require attention” feature turned on, because it would have required that his eyes were open and that he was looking at the phone. A password, on the other hand, she might not have known, but it can easily be shoulder-surfed. It's all about what you're protecting against.



There's a new IoT Security bill being proposed by two Republicans and two Democrats, called the Internet of Things CyberSecurity Improvement Act of 2017. It seems somewhat promising in that it requires products to be without vulnerabilities, to have a secure update mechanism, to use secure communication, to not use hardcoded credentials, to patch within a realistic timeframe, and to have a disclosure mechanism for vulnerabilities. This matches many other similar proposals. The question is whether it can get enough backing, with enough simplicity, to actually make progress.



Google says that attackers steal around 250,000 valid Google usernames and passwords per week.



Amazon has released five new security tools for S3 buckets: default encryption, permission checks, cross-region ACL overwrites, cross-region replication with KMS, and detailed inventory reporting.

 

This AI bot pretends it's a human to make spammers waste time. This AI bot is a hero. To enlist this bot in your own scam battles, you can forward a scam to me@rescam.org.



It appears that two members of SEAL Team 6 might have killed a Green Beret over some illegal cash. The Special Operations community is in turmoil about the whole thing.





Technology news





Uber's flying car project, Elevate, appears to be closer than we thought. It's like a very small plane that appears to be able to take off vertically. Even if it's feasible though, I'm not sure how affordable (and therefore practical) it will be.



IBM is making its 20-qubit (emulated) computer available as a cloud service, and it just announced it's working on a 50-qubit version.



The creators of Pokemon Go are releasing a new AR game in 2018 based on Harry Potter. I'm in for at least a couple of weeks.



Snap is in major trouble, as one would expect when Facebook copies your entire business. If they were honest, their pitch should have been, “Give me billions of dollars to do what Facebook will copy in a matter of weeks or months.” Because that's exactly what happened. And anyone familiar with the space saw the future happen in slow motion. We can only hope it'll be a lesson for next time.





Human news 





The fallout continues for famous and powerful people being accused of sexual harassment and assault. I think we're less than halfway done with this cycle, as there are probably massive new examples being prepped right now that are taking a long time to get ready due to the power of the accused.



This Japanese company hires actors to play various social roles for you, such as spouse, friend, father, etc. The CEO was hired to pretend he was a 12-year-old girl's father so she wouldn't be bullied at school, and he says they never told her it wasn't true. So now he basically has a daughter.



One of China's top technologists says AI is coming for white-collar work before blue-collar work.



Mosaic is a new type of media experience by Michael Soderberg—like a choose your own adventure movie, but in an app. It's coming to HBO soon as well.



There's going to be another Star Wars trilogy, and a TV series.



Jeff Bezos, Bill Gates, and Warren Buffett (three people) are richer than the bottom half of the United States (160 million people).





Ideas





Moving Application Authentication to the Operating System. Why can't our OS authenticate to apps for us?



Maybe the Best Application for Blockchain is Democracy. And more specifically, voting. At least until quantum computing destroys it.



Amara's Law states that we tend to overestimate the impact of technology in the short term, and then underestimate it in the long term. Two great examples of this happening right now are machine learning and self-driving cars.



Tesla's head of AI says that programmers of the future will basically be feeding data into neural networks, as part of what he calls Software 2.0.



The Data Availability Heuristic makes it difficult to judge how well something is going, e.g., a startup.



Resilience is a major component of maintaining happiness, and I would argue security as well. It's not about controlling what happens to you. It's about controlling your reaction to what happens to you.





Discovery

 



Published on November 12, 2017 23:44


Daniel Miessler's Blog

Daniel Miessler