Here's the new MITRE 2019 25 Most Dangerous Software Errors. Memory corruption bugs are huge right now. More

There's a ton of recent DDoS activity that's leveraging IoT devices for UDP amplification attacks. Specifically, the WS-Discovery service (WSD) is being used because the response to request ratio is so large (from 43% to 15,000%). More

There's a lot of chatter out there about Snowden due to his new book coming out, the NSA suing to keep him from making money off of it, him saying he'd like to come home, and him reiterating that he was just trying to do the right thing. Oh, and him saying he's never cooperated with the Russians. This whole situation makes me cautious of anyone with a singular and strong opinion about this, including myself. In 2016 I wrote a short piece about my opinion, and I am pretty much still in the same place with it. In short, if you think he's a hero you're probably wrong, and if you think he's a traitor you're probably wrong. He seems to be some combination of these two things, and from day to day, article to article, and book to book, I simply can't tell how much of which. Book

IARPA (CIA Research) is working on technology that can identify people at long range using stationary and drone-based cameras. The plan is to combine multiple factors, like faces, movement, etc. to get better results, and they need to do that while dealing with negative environmental effects like haze, rain, etc. Awesome and scary. More

A private company specializing in reposession of cars built a license plate scanning technology, and it now has a database of over 9 billion plates. And they sell access to the database to private investigators. As it turns out, this type of system isn't that hard to make. More

So the thing with the Coalfire pentesters that were arrested pentesting a courthouse is a total mess. The state courts released some records, and it appears that there was clearly authorization for a physical pentest, but there's confusion on whether or not certain floors where they were found were out of scope. The contractually forbidden floors might have been in a completely different building than they were found in. So this is really all coming down to the exact agreement made by the two groups. The lesson here—which I'm sure most pentest companies are now working on—is that you need to have your paperwork, agreements, and communication completely in order when the target is sensitive. More

When we kicked out those Russian diplomats in 2016, it was because they were running an aggressive counter-intelligence operation in the US targeting FBI communications. They were disrupting the FBIs ability to track Russian spies on US soil. More

Attackers continue to go after IT and Security services providers to gain access to their customers. More

The startup (Checkr) that runs background checks on Uber and Lyft drivers is now worth 2.2 billion. More

Advisories: Chrome, VMware

Breaches/Exposures: 24 million medical records exposed through public-facing medical image systems, Every Ecuadorian Compromised, 15,000 private webcams exposed

Companies: HP has purchased Bromium, Stripe is now worth $35 billion, HackerOne has raised a $36 million dollar Series D, Ping Identity has IPO'd at $15/share


IBM has a new 53-qbit quantum computer available to hack on in the cloud. Google says it has a 72-qbit version, but it's only available internally. More

Google temporarily published a paper (which was then removed) showing that a quantum computer they have calculated something in 3 minutes that would have taken Summit (IBM's current #1 supercomputer in the world) over 10,000 years. More

Twitter is rolling out the ability to hide specific replies (to your own tweets) from other users. So if someone is particularly trollish or hateful, you can stop their trash from being seen by others. More

There are evidently 200 million robocalls per day. Which is a lot. Anecdotally, mine have decreased significantly by using my carrier's security app and the RoboCaller app together. I get very few now. More


China's economy continues to slow, with its industrial output falling to a near 18-year low. More

The NEA did a study a while back and evidently 23% of Americans are "light" readers, which means finishing 1-5 books per year,  10% are "moderate" readers, which is 6-11 books, and 13 % were "frequent" with 12-49 books, and 5% were "avid" with 50 or more books read per year. More

Colt is ending production of AR-15s due to a lack of demand. I thought they were going to say they did it for moral reasons, but alas, no. They did it because they weren't selling well due to the rise in public shootings. More

London has around 420,000 CCTV cameras, which is higher per-capita but lower than total numbers than Beijing. But people in the UK are starting to ask questions about how many is enough, and what the tradeoffs are. More


My Favorite Security Podcasts, and How They're Different From Each Other More

Reaction Videos Show the Best of Humanity More

The future of LinkedIn, in my opinion, is to power the soon-to-be-ubiquitous Work app, which will have ratings on everyone's skills, experience, and how they interact with others. This move into testing by them gets them closer to that. More

The real privacy barrier is the human mind, and we're already getting good at reading it from the outside, and moving quickly towards tech that does it from the inside. More

America has two different economies, largely separated by the two political parties, and they're quickly diverging. This is very similar to what I've been writing about in my Red vs. Green essays. More

Why some people become lifelong readers. More

The American Brain More


Last week's member episode was quite good. As a reminder, I generally don't repeat content from one newsletter to the next, so just because I loved last week's show doesn't mean it'll end up in this week's. This does two things, 1) it prevents subscribers from having to see repeated content in the free (odd) episodes, and 2) it encourages people to become a member so they won't miss anything. So, yeah, if you don't want to miss every other show, you should become a member. Plus, it helps me keep the sponsor gremlins away. :) Subscribe

Well I finally kicked off the product section properly (see below). I was stuck not knowing what all products to include, and haven't mastered my discovery process, and then it occurred to me to just use the products I already have and love. So that's what these four below are: the stuff I'm actively using all the time. Then from there I'll just cycle them in and out I guess as I find new stuff.

I think I'm going to try again to move to the native podcasting and reading applications on my iPhone. I'd much rather use them than Audible and Overcast.

Thanks to Tim Leonard for all the great stories in the UL Slack Channel. He's becoming a source for the show at this point!


Superhuman is basically my favorite thing right now. It's a high-end email client for desktop and mobile that you actually have to pay for. Think about how good an email client has to be in order to be able to charge for it when every other option is free. Pretty darn good. What I love about it is that it's made to be with the keyboard, not with the mouse (although you can), and it's truly changing the interaction experience with email clients. My favorite example recently is cmd-shift-i to automatically respond to an email intro in an elegant way. I wasn't sure if I was going to like it enough to pay for it, but I just signed up for the annual plan. If you do a lot of email, seriously look into it. Learn More Read My Review

The ŌURA Ring is the only wearable I use besides my watch. My watch does everything I need during the day in terms of life measurement, but I've been annoyed that I didn't have a way to track sleep. I was going to get one of the sheet things, but I held off due to bad reviews. So when I saw a friend wearing one, I thought it was a normal ring and commented on it (it has a very nice Titanium look to it), and he said it was a wearable, and that it did sleep tracking as well! I literally ordered on that night after leaving his house. I've been using it for a couple of months now and I love it. If you want to add sleep tracking to your life tracking game, and do so in a non-obtrusive way that actually looks good, this is the way. Learn More Read My Review

Thinkst Canary Tools is a system that lets you drop realistic-looking services around your network in ways that only bad guys are likely to see and interact with them. And once someone does start playing with them, you now have extremely valuable signal from someone with either mischievous or downright malicious intent. I like using Canaries best in environments where you know you don't have your detect and respond game fully intact, and you need some high-powered deception to help you survive while you build those capabilities. Learn More

GYROSCOPE is my life tracking system. I've been writing for years about an app that could chart everything you're doing in a beautiful way, and while Gyroscope doesn't yet have finances and education and stuff like that, it's absolutely nailing the health aspect. So basically it's one app that pulls all other health feeds from different kinds of apps and hardware, e.g., your smartwatch, your smart scale, various time tracking apps, meditation apps, etc.—into a single interface with seriously beautiful visualizations. I'm a security guy by trade, and I am keenly aware of the tradeoffs with these types of applications, and firmly land on the side of prioritizing the transparency and insights over the (very real) risks of data exposure (I also only use this app to avoid spreading data everywhere). If you have a similar risk model, and you are into seeing everything you're doing in one integrated and attractive interface—you should absolutely try Gyroscope. Learn More 

Curl has some exciting updates, including HTTP/3 and an experimental feature enabling parallel downloads. More

How to ace a data analytics interview. More

A primer on API Security Testing More

Andromeda — Interactive reverse engineering tool for Android applications. More


My Favorite Security Podcasts More

The Four Podcasts I Recommend to Everyone More

Letter.Wiki More


“A friend might well be reckoned the masterpiece of nature.”

~ Ralph Waldo Emerson
If you enjoy the newsletter, you should consider becoming a member so you can get it every week instead of just twice a month! $5/month $50/year
Tweet Tweet
Share Share
Forward Forward