The Unsupervised

by Daniel Miessler
The newsletter companion to my Unsupervised Learning podcast–my weekly collection of handpicked articles in InfoSec and Technology, and why they matter.

Listen to the podcast version of this newsletter on iTunes | SoundCloud | Android

InfoSec and technology news

An Israeli "booter" (DDoS-for-hire) company called vDOS, which launched over 150,000 DDoS attacks and made over $600,000 in the last two years, has been hacked, revealing tens of thousands of paying customers and their targets. Brian Krebs initially broke the story, and his site has been under DDoS attack in the time since. Link

General Motors is recalling four million vehicles worldwide due to a software bug that has been linked to at least one death. The issue can cause the air bags and seat belts to malfunction during a crash. Because the fix cannot yet be delivered via an over-the-air (OTA) update, owners will have to physically bring their vehicles in for the update. Given GM's focus on security, I don't expect this to be the case for long. Link

Nation-states may be building the capability to take down the Internet. Someone keeps probing the companies that run core Internet infrastructure with regular, escalating attacks that start, ramp up, and then stop, which looks like a campaign to learn exactly what it would take to overwhelm them. Probably China or Russia, according to Schneier. Link

Tech companies - including Uber, Dropbox, Twitter, and Docker - have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices. Link

Critical vulnerability in MySQL. Patch as soon as you can. Link

General Colin Powell's personal emails were hacked; they reveal that Clinton hates Obama for beating her, and talk about how sick she was before giving a speech. Link

The head of the National Security Agency, Adm. Michael Rogers, said on Tuesday that he is concerned about the possibility of Russia hacking the U.S. electoral process. Link

The NAND mirroring technique has been confirmed to work for bypassing the passcode on an iPhone 5C: the flash chip is cloned so the passcode-attempt counter can be restored after each batch of guesses, letting a brute-force attack continue past the lockout. Link

Four apps have been removed from the Google Play store for including malware called Overseer, which let its creators track the victim's current location and see who they were emailing and when. Link

A committee of central banks within the Bank for International Settlements (BIS) has set up a task force to oversee the security of banks and establish standards for the financial bodies to follow during cross-border banking, reports Reuters. Link

FBI director James Comey recommends you cover your webcams. Link

HP buys Samsung's printer business. More evidence of a tightened focus: splitting off the enterprise business into HPE, then spinning HPE's software off to Micro Focus, and now buying more printer market share. Link

Amazon is looking to open 100 stores in US malls to push its hardware products. It's a great idea because now people will be able to try out voice-controlled devices like the Echo and Echo Dot. Link

GitHub adds tons of features to combat GitLab: Projects compete with Trello, code reviews allow approval flows which can be made mandatory, a GraphQL API for querying their data, you can now enforce 2FA within organizations, and summarized timelines for your submissions. Link

Xiaomi is known for copying other companies' phones, including Apple's and Samsung's, but the issue exploded when their clones of the Samsung Galaxy Note 7 started catching fire. Link

Bluetooth headphones are already outselling wired alternatives. Link

Onyx Star Trek Communicator walkie-talkies are about to integrate with Alexa. Link

Samsung looking at introducing their own proprietary headphone jack. Link

Apple hires AR people from Oculus and Magic Leap. Link

The sugar industry basically created an entire generation of poor health, and spawned the diabetes epidemic, by paying scientists to redirect blame away from sugar and toward fat. Link

Watch bacteria evolve in just 11 days to overcome antibiotics at 1,000 times the normal dose. Link

Ideas, concepts, and trends

Leaning in on new technologies. To get the full benefit you have to treat them as if they work perfectly. Link

The fear of AI actually means two different things. Link

There's no difference between "Things" and the "Internet of Things". Link

IoT + SSRF Link

Misuse of the terms "out-of-band" and "blind" when naming vulnerabilities. Link

The relationship between meaning, hormones, story, and music. Link

I created a new way of conceptualizing security vulnerabilities called Multi-dimensional Vulnerability Hierarchies that's quite different from OWASP and other approaches. It breaks down common vulnerabilities in multiple ways, based on what you care about, e.g., Impact, Testing Methodology, Classification, Who They're Targeting, etc. I also have some unique ways of sub-classifying vulns in the Methodology section. Definitely check it out if you're a tester. Link

Dueling dystopias – Orwell vs. Huxley. Orwell argued that we would be denied knowledge. Huxley argued we wouldn’t even want it. Huxley is winning. Link

Between two ravines: will automation actually make humans unneeded in the traditional workforce this time, or will what humans do just shift to more creative work like some think? Link

Public bug bounties generate too much noise; they're best used to find good researchers, whom you then invite to a private bounty. Link

My new post on the Disrupt finalist called UnifyID and how it addresses my April 2015 post titled The Future of Authentication. Link

Google or Apple should buy UnifyID, the runner-up in Disrupt SF 2016, to integrate multiple authentication vectors into their mobile platforms. Link

My thoughts on Out-of-band and Blind Vulnerabilities. I think people are using the terms incorrectly. Link

Recommended links

The six Disrupt finalists this year are: Blazing DB (database speed spread across thousands of GPUs), Carbon Health (completely mobile and interactive healthcare), EverlyWell (home medical testing kits), Mobalytics (customized professional gamer training), Sqreen (application security for developers), and UnifyID (synchronizing your ID everywhere). Link

An a16z podcast on how "the way" you say something matters as much as (or more than) "what you say". They analyzed Kickstarter projects and could predict with 90% accuracy which would succeed at attracting money, without even looking at the idea. Link

The Joy of Intelligent Proactive Security, by Netflix. A phenomenal talk on how the Netflix team uses their own in-house tools to manage their security program. Link

New features in iOS 10. Some of the most popular: the widget pane to the left of the main screen, swiping left on the lock screen to get to the camera, using Siri with third-party apps, interacting with notifications on the lock screen, Apple Maps remembering where you parked your car, en-route options during trips, Memories in Photos, lyrics for songs in Music, copy and paste between multiple devices, and voicemail transcripts. Link

Cognitive Bias Cheat Sheet. A fantastic summary of the various ailments. Far more consumable than the Wikipedia entry on the topic. Link

An anti-Snowden (and anti-Snowden movie) perspective from Slate. An interesting take that you might want to read to counter all the fanboyish coverage that we see in most InfoSec pieces. Link

WiFi pentesting with a Pineapple NANO, OS X, and BetterCap. Link

Browse the surface of Mars in super-clear resolution. It's unbelievable how similar it feels to being in a desert on Earth. Link

Marc Andreessen's recommended books. Link


"Real life is, to most men, a long second-best, a perpetual compromise between the ideal and the possible." ~ Bertrand Russell


Copyright © 2016, All rights reserved.