No. 57 | December 11, 2016
Unsupervised Learning is a weekly show where I look at what's interesting in the world through the lens of infosec, technology, and humans

Listen to the podcast for this issue.

Infosec news


The U.S. government is now actively investigating whether, and to what degree, Russia influenced the election. They are now stating with high confidence that Russia also hacked the RNC (in addition to the DNC) but that they didn't release any data from that hack. This reminds me of what I wrote about the topic, basically asking whether anyone believes that the people who hacked the DNC either tried to hack the Republicans as well and failed, or that they succeeded and couldn't find anything interesting. Both seemed highly unlikely to me. Link

A new ransomware concept called Popcorn Time is doing something diabolical---it's giving the decryption key to victims two different ways: 1) you pay the ransom, or 2) you infect two other people using a referral link. That's some cold shit right there. Reminds me of a Twilight Zone episode where someone was promised happiness at the ominous cost of, "Someone you don't know will die…" Link

CMU CERT is warning people to stop using vulnerable Netgear routers, including the R6400, R7000, and R8000. There are numerous interfaces available that allow for remote execution of commands, CSRF, etc. Netgear has yet to issue fixes. Link

The US Senate voted last week to break Cyber Command away from the NSA and turn it into a full-fledged combat unit. Link

The FBI now has additional hacking powers that allow them to remotely access computers in any jurisdiction, including potentially overseas. This can also be used when a suspect is believed to be using anonymization technologies such as Tor. I'm expecting this to get much worse at the end of January, not better. Link

A few new Linux kernel vulnerabilities have been found which could lead to crashing or execution of code as root. Patch now. Patch often. Link

Jouko Pynnonen, a Finnish security researcher, has found a second stored XSS in Yahoo! Mail, and has received a second 10K bounty to go with it. It's cool that researchers can specialize in one particular thing and then harvest bounties using that skill. This guy is all about some stored XSS. Link

Google has concluded that FIDO U2F keys are a better second factor authentication system than one-time passwords or other previous efforts. Link

A former Expedia employee has been charged with securities fraud for hacking his own executives and using stolen information to make over 300K on the stock market. He's being sentenced in February of 2017 and could face up to 25 years in prison, on top of a 250K fine. Link

It's possible to guess Visa credit card numbers via brute force due to two vulnerabilities in their system: they don't detect invalid payment requests across multiple websites, and there is variation in which parts of the card different sites ask for. Combining the two lets an attacker guess the numbers---including the expiration date and CVV---in seconds. Link

There's a new malware kit called Stegano that hides the malware within the pixels of banner ads in a malvertising campaign. The attackers bought ad time on multiple big sites, served the malicious images combined with some JavaScript, and when the page loads the JavaScript parses the image and turns the hidden code into characters. Link

The NSA is losing talent much faster than they can replenish it. The problem seems to be morale, with most people seeing the government as the bad guy instead of super cool spy people like they used to. More unexpected fallout from Snowden. Link


Technology news


Amazon is opening a proof-of-concept grocery store in Seattle where you just swipe your Amazon app when you walk in, you find the stuff you want, and then just walk out. No line, no checkout, no friction. Link

Apple is about to start publishing AI research papers, which is a break from previous practice. It looks like the primary reason is that they can't attract the best talent if they're unable to talk about the cool stuff they're working on. Link

Github has added Review Requests, which allow you to request certain people to review your pull requests. Link

Amazon has a new service called Amazon Rekognition, which identifies the things in any image you give it using AI. The power of these services is becoming quite impressive, and the fascinating thing is that they only get better the more people use them. Link

Google will hit 100% renewable energy in 2017. Evidently they and a number of other big companies are mostly wind-based, while Apple is mostly solar based. Link

Apple is looking to gain the ability to show you movies through Apple TV that are still in the theater. They're in talks with several studios now. Link

Wordpress 4.7 is out. If you run it, make sure you are updated. Link

Apple just released single-sign-on, which means you can sign in once to your cable provider and then watch anything on any other network by using those stored credentials. This is much needed, and is necessary infrastructure for the upcoming and much anticipated "TV" app. Link


Human news


There's a new movie coming out starring Emma Watson, Tom Hanks, and John Boyega about a tech dystopia where people know too much about you. Seems like so many movies are basically long-form and super-expensive Black Mirror episodes. Link

Taking practice tests has been shown to be a great way to protect against the stresses of actual exams. Basically, if you study normally and then get into the test, you can freeze up and not be able to recall what you know. But if you do a lot of practice tests beforehand you're more likely to perform as if not under stress. Link

This is a great article on the benefits of aerobic exercise to brain activity. Running seems to be ideal, but basically getting to a sweat for at least 30 minutes seems to be the key. And people who do it often see even more benefits. Link

There's growing concern around the quality of search results for critical queries, such as, "Did the Holocaust happen?" This search on Google, for example, returns a top result, and most of the results below it, saying it was a hoax and a conspiracy by the Jews. The important question is whether Google and others have a responsibility to control those results and properly educate, or whether they should continue to allow conspiracy / racist types to game the system. As part of the whole "fake news" debate, this type of thing matters a lot in places where there's honestly no good information, and people look to Google to get educated. Link


Ideas


How improving your skills can hinder your ability to execute. Execution and thought are mutually exclusive. Link

My theory for why music makes us happy. Essentially, beats -> pattern -> story -> struggle -> survival/reproduction -> meaning -> hormones -> happiness. Link

Why You Should Act on Inspiration Immediately. Basically, it has a shelf-life, and if you just make a note and come back later you might easily forget why you liked the idea so much. Capture it while you're feeling the rush. Link

Too many "diagnostics" are an unfortunate hybrid of both a measurement and analysis, with the measurement not actually being stored. This means we can't go back afterwards and use better techniques to analyze the data later because all we have is the analysis result. We have to start keeping the measurements. Link

How to Raise an Employee's IQ by 10 Points in 2 Minutes. Short version: give them a major responsibility and tell them that you trust them. Empowerment can turn a C-player into an A-player. Link

Gratitude is the Epicenter of Happiness. How evolution tricks us into being unhappy with our lives, and how to avoid the trap. Link

Many people are giving up on PGP due to usability. It's been out for 30 years and nobody's figured out how to make it approachable. All that promise, and it failed due to narrative, UI, and UX. Link


Discovery


The Outline is a new news site that takes a really unique approach to what it shows you and how it presents it. Quite intriguing, and worth spending 5 minutes playing with. Not sure if I'll use it long-term yet. Link

Dark Patterns are UIs and UXs that are designed to trick users into doing things they wouldn't otherwise do. This site (darkpatterns.org) takes a stand against them through education. Link

Install Suricata on a Linux box in 5 minutes. Link

Vacuuming Image Metadata from the Wayback Machine. Link

Create an IAM User on AWS using Metasploit. Link

Bill Gates' favorite books of 2016. Link

The First 10 Things I Do On a New Mac. Link

Pixabay --- a free search engine for free, high-quality images. Link

Saturn's jetstream is shaped like a hexagon. Breathtaking images. Link

Needle --- an iOS Security Testing Framework. Reminds me a lot of a tool called IDB, and a tool I helped develop at my previous job at HPE. Link

Ben Evans' exceptional 'Mobile is Eating the World'. One of the best presentations on tech trends available anywhere. Link

Cryptomancer RPG --- a tabletop role-playing game made for hackers by hackers. Link


Notes


If you're not using Amazon Smile, I highly recommend it. You start by browsing to smile.amazon.com, and then picking a charity. Then, from now on, when you go to buy things on Amazon, go to smile.amazon.com instead, and Amazon will donate a portion of your purchase to that charity with no extra charge to you. I only wish there were a way to make it default within Amazon's settings.

Recently Finished Reading: Left of Bang. Here's my summary for it. Link

Currently Reading: Naked Statistics

Reading Next: Steal Like an Artist, Sapiens, The Docker Book, Tools of Titans, The Gene

Recent podcasts: a16z on health data, Intelligence Squared on Obama's Foreign Policy, Waking Up with Sam Harris on Exceptional Islam


Recommendations


Go to smile.amazon.com, configure a charity, and change your Amazon bookmark (if you have one) to use smile instead of the regular site.

Consider making a Slack channel for your closest friends. It's probably a way better way to keep up, share jokes, arrange get-togethers, etc., than pretty much anything else out there. I've been using it for this and it's quite effective.

One of the best ways to become very informed on important topics is through the Intelligence Squared podcast. It's Oxford-style debating on key issues, and you always learn a lot about both sides of an issue when you listen to an episode. Every debate ends with a winner. Cannot recommend this enough. Link


Aphorism


"A person who does not read good books has no advantage over someone who cannot read them."
~ Mark Twain

If you like the newsletter, please share it on social media or forward it to a friend!
Copyright © 2016 Daniel Miessler, All rights reserved.