Tavis Ormandy is stirring up dust on Twitter again over his cavalier approach to announcing bugs. He announces them live on Twitter, naming the company, the product, and the class of issue, but without giving exact details. The latest example was a set of bugs in LastPass, which were fixed quickly. Link
Google says over half of Android devices haven't received a security update in the past year. How is this not a bigger story? Link
ERPScan released a PoC for an SAP GUI remote code execution vulnerability that was patched last week. Link
Microsoft has disabled docs.com search functionality after many complaints that it was disclosing sensitive files. Link
Flaws in Nest security cameras let an attacker stop them from recording footage by attacking them over Bluetooth. Link
The Senate is attacking internet privacy through the FCC. They're looking to make it far easier for internet providers to capture data about customers without their knowledge. Link
Laptops, tablets, and other large electronics are now banned from flights destined for the United States if they are coming from 10 airports in 8 mostly Middle Eastern and North African countries. Link
14,766 Let's Encrypt certificates issued to PayPal phishing sites. Sounds like they have some quality control issues over there. Guess I'll be staying with DigiCert when I renew. Link
There's a nasty SQLi bug in Moodle, the open-source, PHP-based learning management system used by tens of thousands of institutions, including Stanford and Oxford. Patch if you have it anywhere. Link
WhatsApp is refusing to hand over the messages from the London attacker's phone. Link
Google has reported a 32% increase in the number of hacked sites in 2016 vs. 2015. Link
New York announced 1,300 data breaches in 2016, which was a 60% increase over 2015. I still think most movement in these types of numbers is caused by knowledge of breaches and not breaches themselves. Link
Steve Morgan, CEO of Cybersecurity Ventures, says the venture capital funding for security companies back in 2013-2015 has run out, and that we're about to see significant consolidation in 2017 and 2018. Link
Technology news
IBM is forcing work-from-home employees to go into the office. This seems to be the current trend in big, corporate America. The same thing is happening at HP/E. Then in a few years they'll realize how dumb it was and switch back, for a while. Link
Uber has suspended its self-driving cars after a crash involving one in Arizona. Link
Twitter is considering a paid subscription tier, possibly at around $20/month. Take my money. Whatever you need to do to stay alive is fine by me. Link
Apple has purchased Workflow, a tool for automating tasks on iOS. Link
Scientists have developed a new wireless technology that can do 43 Gbit/s at 2.5 meters, roughly 100x the speed of current wireless. Link
Samsung has released a new SSD that's so fast it can be used as RAM. It's made for datacenter use, and the 375GB model goes for $1,520. Link
Google is killing off Talk and merging it into Hangouts. Link
Human news
58% of high-performance employees say they need more quiet work spaces. Link
Richard Branson has offered Stephen Hawking a ride into space on Virgin Galactic. He said yes. It costs $250K for normal people to make the trip, and over 700 people have already signed up. Link
PwC says 38% of U.S. jobs are in danger of being replaced by AI and robots within 15 years. These numbers sound about right to me. Link
PwC says people with jobs in education, health care, and social work are least likely to be replaced. But that's a mixed message since those jobs are also not going to pay very much. Link
Some companies are starting to say that product purchases are down because people are buying experiences instead of "stuff". Link
Atheists and the super-religious fear death the least, and those in the middle fear it the most. Link
An interesting article in the NYT about what non-cognitive factors go into life success, e.g., family income, self-control, industriousness, grit, resilience, future-orientation, impulse control, etc. Link
People who are afraid of robots and technology are far more afraid of losing their jobs to them. Link
Someone put the Tiananmen Square "Tank Man" image in the Bitcoin blockchain, just to troll China. Link
The suicide rate in rural America has increased over 40% in 16 years. Link
10,000 gaming projects have been successfully funded on Kickstarter. Link
Someone found a Pythagorean theorem proof in a 2,100-year-old Chinese book. Link
The drought in California has been massively relieved by all the snowfall this year. Link
Ideas
The Age of the Influencer. How we're all going to have to prepare for a post corporate employment world where we have to do our own marketing. Link
Game Design is About to Become a Critical Career. Why designing games will be such an important and automation-resistant career for the next 20 years. Link
Treasury Secretary Steve Mnuchin says he's not worried at all about the effects of AI on the economy. He says AI is not even on his radar screen because it's 50-100 years away. I wonder what he thinks of the PwC report that puts the number at 38% of jobs within 15 years. Link
"I go to war that my son may be a politician, that his son may be a merchant, that his son may be an artist." ~ Ben Pieratt. I love this quote because it captures a slow, ideal transition from practical and ugly to abstract and beautiful. I see the sciences in a similar way, but less dramatically so. I think a mature civilization would perhaps be 90% arts and 10% sciences.
Here's my take on vulnerability disclosure. There are two types of risk at play: risk from not giving enough information to the defense, and risk of giving too much information to the offense. The idea is to manage both values to keep the overall risk as low as possible. That being said, I don't see any situation where simultaneous announcement to a proactive vendor, and to the public, serves the goal of maximum risk reduction. The exact amount of head start depends on the situation, but if the vendor is listening they should be given some measure of time to prepare before telling the public.
I got in a short Twitter debate with Tavis Ormandy about whether you should give blanket recommendations to use password managers or not. He said no, because some of them are really bad. I say yes, because the people we're giving the advice to are using basically one password for everything, and that risk is much worse. The guy is a demigod when it comes to finding bugs---no question---but I'm not sure he's understanding the magnitude of the password reuse problem for 95% of the population.
Discovery
A fantastic article describing AWS IAM policies in simple terms. Link
A fascinating article about the NGA (National Geospatial-Intelligence Agency), which is best described as being to imagery what the NSA is to intercepted communications. They're supposedly capturing 1 million terabytes of data per day. Link
A new type of malware has been found that works on both Windows and macOS. Link
Neil Gaiman makes a forceful argument for society placing a focus on reading, especially for children. Link
How to explain to a layperson why you should never interrupt a developer. Link
A map of Australia showing its climates in terms of other countries. Link
YETI --- An Open Source Threat Intelligence Platform. Link
IVRE --- A Network Recon Framework that uses ZMap, Bro, Argus, nfdump, and p0f. Link
RFTransceiver --- An IoT testing extension for the Metasploit Hardware Bridge API that lets you detect wireless activity outside the 802.11 ranges. Link
Notes
I spoke at HouSecCon last week with Jason Haddix on our Game Security Framework. The session was received well and the recording will be available soon. You can get the slides here. Link
InfoSecurity Magazine posted my video interview with them on the topic of IoT Security. Link