No. 71 | March 26, 2017
Unsupervised Learning is my weekly curation of the most interesting stories in infosec, technology, and humans.

Infosec news

Tavis Ormandy is stirring up dust on Twitter again for his cavalier bug announcement behavior. He basically announces bugs live on Twitter, calling out the name of the company, the product, and the type of issue, but without giving exact details. The latest example was with some bugs in LastPass, which got fixed quickly. Link

Google says over half of Android devices haven't received a security update in the past year. How is this not a bigger story? Link

ERPScan released a POC for an SAP GUI remote execution vulnerability that was patched last week. Link

Microsoft has disabled search functionality after many complaints that it was disclosing sensitive files. Link

Flaws in NEST security cameras allow attackers to stop them from recording footage by sending various Bluetooth attacks. Link

The Senate is attacking internet privacy through the FCC. They're looking to make it far easier for internet providers to capture data about customers without their knowledge. Link

Laptops, tablets, and other large electronics are now banned from flights destined for the United States if they are coming from 10 airports in 8 mostly Middle Eastern and North African countries. Link

14,766 Let's Encrypt certificates issued to PayPal phishing sites. Sounds like they have some quality control issues over there. Guess I'll be staying with DigiCert when I renew. Link

There's a nasty SQLi bug in Moodle, which is an open-source PHP-based learning system running at tens of thousands of universities, including Stanford, Oxford, etc. Patch if you have it anywhere. Link

WhatsApp is refusing to hand over the messages from the London attacker's phone. Link

Google has reported a 32% increase in the number of hacked sites in 2016 vs. 2015. Link

New York announced 1,300 data breaches in 2016, which was a 60% increase over 2015. I still think most movement in these types of numbers is caused by knowledge of breaches and not breaches themselves. Link

Steve Morgan, CEO of Cybersecurity Ventures, says the venture capital funding for security companies back in 2013-2015 has run out, and that we're about to see significant consolidation in 2017 and 2018. Link

Technology news

IBM is forcing work-from-home employees to go into the office. This seems to be the current trend in big, corporate America. The same thing is happening at HP/E. Then in a few years they'll realize how dumb it was and switch back, for a while. Link

Uber has suspended its self-driving cars after a crash involving one in Arizona. Link

Twitter is considering a paid subscription tier, possibly at around $20/month. Take my money. Whatever you need to do to stay alive is fine by me. Link

Apple has purchased Workflow, a tool for automating tasks on iOS. Link

Scientists have developed a new wireless technology that can do 43Gbit/second at 2.5 meters, which is 100X the speed of current wireless. Link

Samsung has released a new SSD that's so fast it can be used as RAM. It's made for datacenter use, and the 375GB model goes for $1,520. Link

Google is killing off Talk and merging it into Hangouts. Link

Human news

58% of high-performance employees say they need more quiet work spaces. Link

Richard Branson has offered Stephen Hawking a ride into space on Virgin Galactic. He said yes. It costs $250K for normal people to make the trip, and over 700 people have already signed up. Link

PWC says 38% of U.S. jobs are in danger of being replaced by AI and robots within 15 years. These numbers sound about right to me. Link

PWC says people with jobs in education, health care, and social work are least likely to be replaced. But that's a mixed message since those jobs are also not going to pay very much. Link

Some companies are starting to say that product purchases are down because people are buying experiences instead of "stuff". Link

Atheists and the super-religious fear death the least, and those in the middle fear it the most. Link

An interesting article in the NYT about what non-cognitive factors go into life success, e.g., family income, self-control, industriousness, grit, resilience, future-orientation, impulse control, etc. Link

People who are afraid of robots and technology are far more afraid of losing their jobs to them. Link

Someone put the Tiananmen Square "Tank Man" image in the Bitcoin blockchain, just to troll China. Link

The suicide rate in rural America has increased over 40% in 16 years. Link

10,000 gaming projects have been successfully funded on Kickstarter. Link

Someone found a Pythagorean theorem proof in a 2100 year old Chinese book. Link

The drought in California has been massively relieved by all the snowfall this year. Link


The Age of the Influencer. How we're all going to have to prepare for a post corporate employment world where we have to do our own marketing. Link

Game Design is About to Become a Critical Career. Why designing games will be such an important and automation-resistant career for the next 20 years. Link

The treasury secretary Steve Mnuchin says he's not worried at all about the effects of AI on the economy. He says AI is not even on his radar screen because it's 50-100 years away. I wonder what he thinks of the PWC report that puts the numbers at 38% of jobs within 15 years. Link

"I go to war that my son may be a politician, that his son may be a merchant, that his son may be an artist." ~ Ben Pieratt. I love this quote because it captures a slow, ideal transition from practical and ugly to abstract and beautiful. I see the sciences in a similar way, but less dramatically so. I think a mature civilization would perhaps be 90% arts and 10% sciences.

Here's my take on vulnerability disclosure. There are two types of risk at play: risk from not giving enough information to the defense, and risk of giving too much information to the offense. The idea is to manage both values to keep the overall risk as low as possible. That being said, I don't see any situation where simultaneous announcement to a proactive vendor, and to the public, serves the goal of maximum risk reduction. The exact amount of head start depends on the situation, but if the vendor is listening they should be given some measure of time to prepare before telling the public.

I got in a short Twitter debate with Tavis Ormandy about whether you should give blanket recommendations to use password managers or not. He said no, because some of them are really bad. I say yes, because the people we're giving the advice to are using basically one password for everything, and that risk is much worse. The guy is a demigod when it comes to finding bugs---no question---but I'm not sure he's understanding the magnitude of the password reuse problem for 95% of the population.


A fantastic article describing AWS IAM policies in simple terms. Link

A pentesting tools cheat sheet. Link

A red-teamer's guide to pivoting. Link

A fascinating article about the NGA, which is best described as being to images what the NSA is to voices. They're supposedly capturing 1 million terabytes of data per day. Link

A new type of malware has been found that works on both Windows and MacOS. Link

Neil Gaiman makes a forceful argument for society placing a focus on reading, especially for children. Link

How to explain to a layperson why you should never interrupt a developer. Link

A map of Australia showing its climates in terms of other countries. Link

Running 1,000 containers in Docker Swarm. Link

Apple's official iOS 10 security guide. Link

YETI --- An Open Source Threat Intelligence Platform. Link

IVRE --- A Network Recon Framework that uses zmap, bro, argus, nfdump, and p0f. Link

RFTransceiver --- An IoT testing extension for the Metasploit Hardware Bridge API that lets you detect wireless activity outside 802.11 ranges. Link


I spoke at HouSecCon last week with Jason Haddix on our Game Security Framework. The session was received well and the recording will be available soon. You can get the slides here. Link

InfoSecurity Magazine posted my video interview with them on the topic of IoT Security. Link

I'm still reading Homo Deus. Link

The OSINT primer is still in progress. 


Never trust anyone who is unkind to wait staff. ~ @willrad


"First you learn to read, then you read to learn." 

Get my new book on the predictable way in which timeless human drives will manifest through technology, The Real Internet of Things.
Copyright © 2016 Daniel Miessler, All rights reserved.