The Unsupervised

by Daniel Miessler
The newsletter version of my Unsupervised Learning show, where I handpick articles each week in InfoSec, Technology, and Humans, and talk about why they matter.
Information Security news

A nasty Dirty COW Linux privilege escalation bug has surfaced that's been around for years and applies to pretty much every Linux distribution. The short version is that a flaw gives unprivileged users write access to read-only memory, which ultimately lets them give themselves root access on the box. The longer version is that it's a race condition between two different stages of writes. Link

It's now possible to use Rowhammer to root Android phones. This is the attack where you modify supposedly isolated memory to gain some sort of benefit. Companies affected include LG, Samsung, and Motorola. Patch early, patch often. Link

The Mirai botnet took down large parts of the Internet on Friday. The scariest part is that it looked like a mic check for something much bigger. Some estimates say there could be up to 10M devices in total in the botnet, and the turf game is ever-changing. See my article in the Ideas section on resiliency. Link

Google has silently dropped its internal ban on tracking you personally online. When it first bought DoubleClick it said it would not use its knowledge of your emails and such to track you and send you ads. Well, now it's literally removed those promises as part of a policy update, and the two worlds of you using their services and them serving you ads are completely linked. Link

More people are calling for AI watchdog groups to ensure that we don't race to the top, build an AI, and then have it kill us. No, really. Stephen Hawking is on record as saying AI could be the last human invention, and people like Nick Bostrom have been talking about this threat for years. He actually has his own foundation in the Bay Area dedicated to avoiding the threat. Link


Technology news

Microsoft's bet on cloud massively pays off as its stock hits an all-time high. Azure was a big bet by Satya Nadella, and it appears to have paid off. I still think they're missing out on the mobile market, however, since the center of the ecosystem is your mobile OS. Link

Microsoft Surface sales are up 38% over last year, and are growing far faster than sales of the iPad. The iPad still has far more business than Surface, but Apple should take notice. We're also about to see the new MacBook Pros and a 13" MacBook come out, followed by a Surface announcement, so the battle continues. Link

China overtakes the U.S. in iOS App Store revenue for the first time. China spent 1.7 billion in Q3 2017, which is 15% over the U.S. Chinese consumers are now spending 5x what they were spending just two years ago. China is the market everyone's going after. Link

Salesforce is moving heavily into Artificial Intelligence with a project called Einstein. They want to use it to automatically enter leads into the system as well as to recommend what should be done next with an account. Interesting (and quite understandable) application of AI (which, by the way, I prefer to call Synthetic Intelligence). Link

Tim Cook is still on about VR, but without saying what Apple is going to do there. He recently talked about a "digital you" and gave an example of people having meetings in real places, presumably meaning having scrums at the beach and such. Can't wait to see how they're going to implement VR, since they're going to need glasses or a headset, and the tech is going to require them to be VERY non-Apple, i.e., large, heavy, and strange-looking. Link

Zwift is merging indoor fitness with MMORPGs. They currently have 170,000 accounts, 2.5 million rides and 45 million miles ridden to date. Link

Human news

Facebook is looking at relaxing its filtering for content that could be offensive to some. They're talking about allowing more nudity and violence and such as long as the story is interesting or important enough. My question is less about the violence and nudity and more about the ideas. What if the ideas are subversive, or make a particular industry or government look bad? What about those types of stories? I think they matter a lot more than boobs and guns, and we don't want the latter to be a shield justifying the continued censorship of the former. Link

In development, experience over 5-10 years matters less than people think it does. What matters far more is the ability to continually learn. Don't talk about your 20 years of experience. Talk about how much learning you have always done and continue to do. Link

The World is Getting Better and Nobody Knows It: A great look at the conclusion that Steven Pinker came up with in his book The Better Angels of Our Nature, where he found that human civilization is improving on almost every measure. This is different research but is quite similar. If you have people constantly talking about how bad things are getting, steer them in this direction. Link

The rich tend to be less compassionate than the poor. This may be intuitive, but it's interesting to see data on it. The article is worth a read. Link


Ideas, trends, and concepts

Disambiguation of Security and Obscurity: Robert Graham called me out on his blog for getting Security and Obscurity wrong. I wrote a response that hopefully set things straight, but have not heard back from him. Essentially my argument is that avoiding being targeted is part of reducing the probability side of the risk equation, and that if obscurity were not an actual security layer then we wouldn't have OPSEC, with examples like hiding the president in one of many limos during a motorcade. It's OPSEC, it's obscurity, and it's security. They're not mutually exclusive. Link

Expect a Move Toward Internet Resilience: I think resilience over prevention is about to become a major idea in infosec. For the recent DDoS attacks we should perhaps be thinking less about stopping them and more about having the ability to move and adjust when they do happen. Same for physical attacks. Make it so they don't matter as much instead of trying to stop every single one. We can control how we react, but in an open society we can't keep them from happening. Same with Internet attacks. Link

When policing cheaters in Counter-Strike: GO, Valve crowdsources the judge, jury, and executioner. They essentially allow users to report people for cheating and even to make decisions about who to ban. If you combine this with reputation, so people can't just ban their competitors, I think it's a better model than top-down. Top-down doesn't scale. Bottom-up is harder but ultimately works better when done correctly. Link

P2P lending has significantly better returns than traditional lending, often between 8% and 13%, but because you're lending to people you should be paying close attention to the economy, and to unemployment in particular. Link

Recommended links

Dan Geer's Black Hat 2014 talk on Cybersecurity as Realpolitik. It's my belief that more infosec talks (and all kinds, really) should be like this: pure ideas in the form of an essay, presented by the author. It's a high bar because the ideas must be strong for it to work, but that's the standard we should be pursuing. Link

NoSQL Data Modeling Techniques: Many practitioners are very confused about what relational databases vs. NoSQL databases can do. This article gives you some idea of how to model in the NoSQL world. Link

Chaos Monkey has been updated. Link

Tips, announcements, and miscellanea

I'm back from multiple trips. Good to be home.

I continue to experiment with the format of the show, specifically around doing fewer stories with more analysis or more stories with less. If you have an opinion on the matter, hit me up on Twitter or via email. Thanks!

Alexa can now factcheck the U.S. election. Where's Siri? Link


"The world is full of magical things patiently waiting for our wits to grow stronger."

~ Bertrand Russell

Copyright © 2016 Daniel Miessler, All rights reserved.