The Unsupervised

by Daniel Miessler
My weekly show where I handpick the best stories and ideas in infosec, technology, and humanity, and talk about why they matter.

Information Security news  

Britain has passed what people are calling "the most extreme surveillance law ever passed in a democracy". First introduced by Theresa May in 2012 and only now passed, the bill requires every Internet provider to log every customer's top-level browsing history, in real time, and store it for up to a year. The law also allows intelligence agencies to hack into citizens' computers and devices. There is supposedly some protection for journalists and medical professionals, but it doesn't seem robust. Link

PoisonTap is a new project by Samy Kamkar that uses a Raspberry Pi Zero plugged into an unattended computer to massively backdoor the system---capturing insecure HTTP traffic, installing a backdoor that can be accessed remotely, and a few other nasty tricks---and the backdoor keeps working even after the device is removed. Locking the screen is not enough, because the USB and network stacks keep running while the machine is locked. If you're in a place where your laptop won't be stolen when you go to the restroom, but you're still worried about physical access to it, the best defense when you walk away is 1) have your entire filesystem encrypted, and 2) put your computer into encrypted deep sleep or hibernation rather than just locking it. That stops the browser from running (and making requests) while you're away. It's a fantastic attack, and shows again that Samy is awesome and that physical access remains incredibly dangerous. Link

The U.S. Army has been testing a Raytheon high-power microwave system called the "Phaser", which can take out an army of drones (or anything else with circuits) with a single shot. That includes phones, tablets, even cars. It's basically a super high-powered microwave blast that fries circuitry before surge protection has a chance to react. It also has a radar system that tracks airborne targets to aim the blast. I wrote a while back about needing to be able to defend against, say, swarms of tiny drones, and this appears to be one of the military's answers. Link

NIST has released Special Publication 800-160, Systems Security Engineering, which is being described as a new IoT security guideline. Its main focus is addressing security throughout the systems engineering process rather than after the fact. NIST fellow Ron Ross called it the most important document he's worked on in 20 years at NIST. Link

Two researchers at Shanghai Jiao Tong University have posted a paper to arXiv (the preprint server hosted by Cornell) that uses supervised learning to predict whether a person is likely to be a criminal based on a still image of their face alone. They used 1,856 faces, claimed to control for race, gender, age, and facial expression, and about half of the subjects were convicted criminals. One of the most interesting findings seems to be that non-criminal faces are more similar to each other than criminal faces are. I find the research to be simultaneously intriguing and alarming. The use and abuse cases here are both legion. Link

A Chinese company called Shanghai ADUPS Technology shipped firmware, found by Kryptowire on cheap Android phones (notably BLU devices) sold on Amazon and through Best Buy, that was sending users' text messages and call records to its servers in China. My recommendation is to purchase technology from companies where 1) you trust the company you're buying from, and 2) that company has some significant measure of control over what they're ultimately selling you. For phones that means Apple and Google Pixel to me. Link

If you have two Apple devices connected with the same iCloud account, call history information like who you called, what calls were missed, call durations, etc., is stored in iCloud and can be retrieved by Apple and law enforcement. It's well understood that this happens with other data like contacts and calendar, but there could be some surprise about it applying to call data. To me it isn't surprising---anything that you're keeping synced is ultimately going to be stored. The only question I have is how that data is going to be protected and who is allowed to see it and under what circumstances. Link

SSL Labs is changing its grading for 2017, essentially making it harder to get top scores: offering 3DES will lower your score, you need Forward Secrecy to get an A, authenticated encryption (AEAD) suites will rank higher than CBC suites, cipher-suite scoring is changing, and SHA-1 is deprecated. Look out for the changes. Link
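As an added example (not code from this newsletter or from SSL Labs), here is a small Python audit that classifies the cipher suites a server offers against the criteria listed above: forward secrecy, AEAD over CBC, no 3DES, and no SHA-1 certificate signature. The letter tiers in `audit()` are my own simplification that only mirrors the ordering of those criteria, not SSL Labs' published scoring algorithm, and the two suite lists are constructed, not captured from a real server.

```python
"""Classify TLS cipher suites against the 2017-style criteria:
forward secrecy, AEAD over CBC, no 3DES, no SHA-1 certificate signature.

Added illustration only. The letter tiers in audit() are an invented
simplification that mirrors the ordering of the criteria; they are not
SSL Labs' actual scoring algorithm.
"""
from dataclasses import dataclass

# Key-exchange tokens that provide forward secrecy in IANA suite names.
FS_KEX = ("ECDHE", "DHE")
# Substrings that identify AEAD ciphers (AES-GCM, AES-CCM, ChaCha20-Poly1305).
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


@dataclass(frozen=True)
class SuiteReport:
    name: str
    tls13: bool
    forward_secrecy: bool
    aead: bool
    cbc: bool
    triple_des: bool


def classify_suite(name: str) -> SuiteReport:
    """Classify one IANA-style suite name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    n = name.strip().upper()
    # TLS 1.3 suite names (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange
    # part; the protocol itself guarantees forward secrecy and AEAD-only ciphers.
    tls13 = "_WITH_" not in n
    kex = "" if tls13 else n.split("_WITH_", 1)[0] + "_"   # e.g. "TLS_ECDHE_RSA_"
    forward_secrecy = tls13 or any(f"_{k}_" in kex for k in FS_KEX)
    return SuiteReport(
        name=name.strip(),
        tls13=tls13,
        forward_secrecy=forward_secrecy,
        aead=any(m in n for m in AEAD_MARKERS),
        cbc="_CBC_" in n,
        triple_des="3DES" in n,
    )


def audit(suites, cert_signature="sha256WithRSAEncryption"):
    """Return (grade, issues) for the offered suites plus the leaf certificate's
    signature algorithm (OpenSSL-style name). Grades are illustrative tiers."""
    reports = [classify_suite(s) for s in suites]
    issues = []
    sha1_cert = cert_signature.lower().startswith("sha1")
    triple_des = [r.name for r in reports if r.triple_des]
    no_fs = [r.name for r in reports if not r.forward_secrecy]
    cbc = [r.name for r in reports if r.cbc]

    if sha1_cert:
        issues.append(f"leaf certificate signed with {cert_signature} (SHA-1 is deprecated)")
    if triple_des:
        issues.append("3DES suites offered: " + ", ".join(triple_des))
    if no_fs:
        issues.append("suites without forward secrecy: " + ", ".join(no_fs))
    if cbc:
        issues.append("CBC (non-AEAD) suites offered: " + ", ".join(cbc))

    # Illustrative ordering only: worst finding decides the tier.
    if sha1_cert:
        grade = "F"
    elif triple_des:
        grade = "C"
    elif no_fs:
        grade = "B"
    elif cbc:
        grade = "A"
    else:
        grade = "A+"
    return grade, issues


# Constructed sample configurations (not captured from any real server).
WEAK_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",            # 3DES, CBC, static RSA (no FS)
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # CBC, static RSA (no FS)
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # the only good suite in the list
]
HARDENED_SUITES = [
    "TLS_AES_256_GCM_SHA384",                       # TLS 1.3
    "TLS_CHACHA20_POLY1305_SHA256",                 # TLS 1.3
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",      # TLS 1.2, FS + AEAD
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # TLS 1.2, FS + AEAD
]

if __name__ == "__main__":
    for label, suites, sig in (("weak", WEAK_SUITES, "sha1WithRSAEncryption"),
                               ("hardened", HARDENED_SUITES, "ecdsa-with-SHA256")):
        grade, issues = audit(suites, sig)
        print(f"{label}: {grade}")
        for issue in issues:
            print("  -", issue)
```

Feed it the suite list from `openssl s_client` or a scanner of your choice (converted to IANA names) and the weak configuration lands in the bottom tiers on every one of the criteria above, while the hardened list, which offers only ECDHE or TLS 1.3 key exchange with AEAD ciphers, produces no findings.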

Technology news

Future iPhones could be made in America as Apple has asked Foxconn to consider U.S. manufacturing. The cost difference would be staggering, and that's likely to kill it outright, but it's a fascinating idea. Link

Airbnb is expanding its services to include "experiences", which basically means events or outings. So it's opening up from purely rentals to anything you can do while you're traveling: much more of an overall travel play than just where you're staying. Some of this could be pure expansion, and some could be a pivot because of the friction they're facing in the rental space. Link

Apple's delayed AirPods MAY be shipping towards the end of November or beginning of December, just in time for holiday shopping. They've received far more attention than almost anyone anticipated. Not me though---I think they (and similar offerings that come after them) are going to significantly upgrade mobile computing by taking the friction and annoyance out of both speaking and listening while mobile. Link

Human news

CRISPR gene editing has been tested in a human for the first time. A Chinese team has injected a patient with cells whose genes were edited with the technique. CRISPR is a tool for precisely editing genes; in this case cells were taken from the patient, edited, and then put back in order to fix a problem, here an aggressive form of lung cancer. But the idea is for it to be able to fix many things in the future: find a flaw, edit the actual genes to fix or address it, and then inject the fixed version. It's the biggest thing in biotech right now. Link

A cloud-managed service lets you teach robots how to perform manual tasks. So you could automate the 3D printing of items, the pushing of buttons, etc. The only thing I can think about is how many jobs this type of tech can make obsolete. Link

Harvard researchers discover promising new brain network that looks to be tied to human consciousness. Link

The largest oil deposit ever assessed in America was just discovered in Texas. Link

Gallup's 8 interesting takeaways from the election. Link

Ideas, trends, and statistics

Solving other people's problems is easier than solving our own, according to new research. This seems to reduce to the idea that more abstract thinking enhances creativity. A few recommendations: think about loose couplings of people in your business who can quickly exchange ideas, rather than a few static employees in a rigid structure; use your peers; swap problems with someone; and disassociate yourself however you can when you've been too close to a problem for too long. Link

I think we should expect ISPs to start blocking far more inbound connections to consumer IP ranges on their networks. They're already allowed to do that in the contracts, but I think we should expect them to start enforcing these provisions due to the dangers caused by IoT devices. They'll also likely start proactively scanning for listeners and checking to see if they're vulnerable. This won't defend against outbound 'meet in the middle' connectivity where the IoT device meets in the cloud to be managed by a mobile application, for example. But doing this will help a little bit, and the overall solution is likely to be 1,000 tiny adjustments rather than 10 big ones. Link

A VR engineer discusses how he experiences sadness after leaving VR following long sessions. First it's a physical unease caused by objects being different, and then there's an unhappiness associated with not being able to interact with the world in the way he could before. These are examples of new problem types that we'll have to learn how to handle as we start exposing our brains to new inputs. Link

Recommended Links

Probably the best Cognitive Biases collection I've ever seen. Link

Book Summary: Influence: The Psychology of Persuasion. An unbelievable book about the main ways that humans can be manipulated. This is an extremely well-done summary of the book. Link

Unbelievable image sharpening technology by Google called RAISR. It uses machine learning to fill in detail in fuzzy images. The results are remarkable. Link

How to Decrypt TLS Traffic Using Wireshark. Link

A collection of free, video-based Computer Science courses. Link

Announcements, tips, and miscellanea

I'll be doing a Bugcrowd webinar with Jeremiah Grossman and Richard Rushing on 5 Critical Security Issues for 2017. You can sign up here. Link

In this episode I tried to be more concise, have less rambling, fewer throat-clearings, umms and ahhs, etc. Let me know what you thought of this vs. the more open, free, and meandering format. I appreciate the input as I continue to explore my optimum setting for the show.

“Men are born ignorant, not stupid. They are made stupid by education.”

~ Bertrand Russell
Subscribe and listen to the companion podcast.
Copyright © 2016 Daniel Miessler, All rights reserved.