
Unsupervised Learning

Summary: Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.


Podcasts:

 Unsupervised Learning: No. 183 | File Type: audio/mpeg | Duration: 787

There's a Linux vulnerability called SACK Panic (among other names) that takes advantage of a kernel feature called Selective ACK. The feature lets systems tell the other side of the conversation how much data it's received, and it turns out it can be overflowed or fuzzed. The former creates a crash, and the latter creates a slowdown. You should patch. And if you have any services facing the internet running Linux, you should definitely patch.

A Florida city paid $600,000 in bitcoin to get access to their data back from a ransomware gang.

Magic Leap is suing former engineer Chi Xu for allegedly using his knowledge of the headset to make a version for China.

The average security group is running over 50 security tools. As my friend Jeremiah once said when looking at a Momentum Partners slide, "Are we secure yet?"

Amazon just got a patent for using delivery drones for surveillance. I don't necessarily think that means they'll use delivery drones for surveillance though. That's what a lot of the conspiracy theorists will say, though—just based on them getting a patent for using delivery drones for surveillance. Actually, the patent is a bit more benign than my joke implies. It's designed to monitor opted-in people's property, a lot like a house camera or a Ring device. Makes sense. But still.

 Unsupervised Learning: No. 182 | File Type: audio/mpeg | Duration: 636

The US is supposedly ramping up attacks against the Russian power grid through the use of new cyberattack powers granted by Trump. I am happy to hear of this, but it's an example of where we as outsiders can only know a tiny fragment of the story. But any signs that this administration sees Russia as a foe, and is treating it as such, are positive in my view.

Adobe is entering the deepfakes arena by showing off research tools designed to detect manipulated photos.

Target stores have been hit by major outages.

Many places are using very granular Bluetooth beacon tracking to watch you move throughout their businesses, including airports, malls, subways, buses, gyms, hotels, festivals, museums, etc.

The US is going after ethnic Chinese researchers in the medical field, and specifically at cancer centers. I'm all for becoming more aggressive towards the Chinese government pilfering the world's intellectual property, but, um, cancer research is one thing that I think it's ok to spread widely. It's not like they're stealing the only copy of the research; they're just sharing it. Maybe I'm missing something, but if that something is just about who makes the profit, then I'm calling Meh.

Firewalling outbound DNS could save companies billions. Yes! I've been on about this for years.

 Unsupervised Learning: No. 181 | File Type: audio/mpeg | Duration: 1485

Some absolutely fascinating research has just come out on what percentages and types of vulnerabilities are actually exploited in the wild. It found that only 5.5% of vulnerabilities discovered between 2009 and 2018 were actually exploited, with most of those being issues with a CVSS score of 9 or 10. The best part of the paper, however, was a discussion of optimal patching strategies, where they looked at different methodologies for what to patch and measured them against each other based on coverage (no misses) and efficiency (not patching what you don't have to). Options included patching by CVSS, whether or not there are public exploits, by vulnerability tags, etc. The ML model performed best, but it seemed that patching CVSS 7 and above was decent as well, and for more efficiency but less coverage—CVSS 9 and above. Super interesting paper.

The US is going to start requiring 5 years of social media account history from visa applicants, as part of the filtering process. I'm genuinely curious as to how effective this is going to be. On the one hand, there will now be a market for creating and maintaining fake social media accounts that people can use for this purpose. But on the other hand, there will be many who don't want to go to that effort and either won't try to come, or will get caught in the filter. As with most things, the efficacy will come down to execution.

A team at Stanford has made it possible to edit video using a text editor. So, editing the things that were said by the actual subject, to say something else entirely, but having it seamlessly injected into the video so it looks completely natural.

 Grit is the Ultimate Privilege | File Type: audio/mpeg | Duration: 385

An argument that we should acknowledge grit as one of the most powerful causal factors in success, and figure out ways to bring its benefits to everyone.

 Why Software Remains Insecure | File Type: audio/mpeg | Duration: 261

A concise explanation of why software continues to have security and quality problems after decades of supposedly trying to address the problem.

 Unsupervised Learning: No. 179 | File Type: audio/mpeg | Duration: 1040

The Deepfakes thing is already starting to have an impact, and it didn't even involve actual Deepfake (GAN ML) technology. A video was spread of Nancy Pelosi speaking very slowly and seeming to stumble over her words, which made her look quite bad. The video was virally shared throughout social media on the right. Problem is, it was intentionally slowed down to make her look old/stupid/crazy. What this shows us is that it's not the machine learning that makes Deepfakes dangerous; it's the willingness of a massive percentage of the US population to believe total garbage without an ounce of scrutiny. It doesn't matter if Deepfakes can be shown to be fake because people are matching evidence to their emotions, not the other way around. The vulnerability is our ignorance and cynicism, not a spoofing technology. And as I wrote about a couple of years ago, this will be used as a weapon against us.

A real estate insurance website for First American Financial Corp was vulnerable to a simple IDOR (where you change the account number in the URL to get another account), and it evidently resulted in the exposure of hundreds of millions of insurance records that included extremely sensitive information. IDOR is still one of the most common and dangerous vulns a web app can have, and for companies like this they can be devastating.

The US Military is trying to learn how popular movements form and evolve, and to do so they're studying 350 billion social media messages. But it's a Bloomberg article, so maybe they're actually studying bullfrogs for clues about hypertension.

Moody's has downgraded Equifax's rating in some significant part due to its 2017 cyber breach. This is noteworthy because until now, breaches have largely been spackled over in terms of the major financial perspective and at the 6-24 month timescale. This is a positive indication that companies could actually start taking cybersecurity more seriously, and not just at the CISO and IT level, but from the boardroom down.

Advisories: TP-Link Routers

 Unsupervised Learning: No. 178 | File Type: audio/mpeg | Duration: 1409

Trump has semi-banned the use of foreign telecom gear, which is really a direct shot at Huawei and China.

Baltimore’s IT systems are still being held hostage after 2 weeks. Of all the cities in the world that I could imagine this happening to, Baltimore is towards the top of the list. If you don’t have good schools or a good police force, I don’t expect you’d have good IT security hygiene either.

Crime is so bad in Mexico that people buy fake mobile phones so they can give them to muggers instead of their real one. I have to assume this is also happening in Brazil.

This is a stunning audio Deepfake of Joe Rogan doing a few different routines. It sounds exactly like him. Not a little bit. Exactly. Now imagine that for politicians and celebrities, where there is plenty of source material to train from. We’re about to move to a world where you can only trust authenticated voices and personalities, using sources and clients that are trusted to serve you their actual content. Expect a massive industry around serving authentic content and detecting fakes.

Salesforce had to disable access to millions while they fixed an access control issue that allowed open reading of tons of customer data.

 Unsupervised Learning: No. 177 | File Type: audio/mpeg | Duration: 1352

My Takeaways from the 2019 DBIR Report

The DOJ has unsealed the indictment against those who they believe hacked Anthem in 2015, and they are Chinese Nationals. They didn't reveal the suspected motive, however. But as I wrote about last year, I don't think we need an explanation. I think it's obvious.

An Airbnb host in China has been arrested for watching guests using a hidden camera.

The Mossad has released an interesting challenge in something of a spy CTF style.

Chinese scientists have created a small, portable camera system that uses LIDAR to resolve human features from up to 28 miles away. Good news—it also penetrates smog.

 Finding Clarity on the Exodus of the New Left | File Type: audio/mpeg | Duration: 638

A short essay that attempts to wrap a simple narrative around what's currently happening with the exodus of the New Left, and what it's doing to the moderate left, center, and right that they left behind.

 Unsupervised Learning: No. 175 | File Type: audio/mpeg | Duration: 2217

Deepfakes are about to seriously erode our collective ability to tell truth from fiction, and this is already a big enough problem without them. Think of every problem you care about, and realize this represents an exponent on each one. This video captures it extremely well.

Slack has warned the world that it's being targeted by Nation State actors. I'm glad they said it, but we already knew that. Think of what an attacker could get if they could access any company's internal Slack communication without being detected.

Scientists have captured the brain waves of someone hearing speech, run that through an algorithm that created its own speech from the recordings, and got a 75% recognition rate from humans on that speech. So the algorithm knew what the person heard, and turned that into spoken language that people actually understood. The next step is for the algorithm to know what people thought, instead of heard. In other words, machine learning is getting very close to mind-reading—but we still have potholes and cancer.

 A Political Discussion with Jeremiah Grossman | File Type: audio/mpeg | Duration: 6346

Today's standalone episode of Unsupervised Learning is a political conversation with Jeremiah Grossman, who many of you will know as the founder of WhiteHat Security, current CEO of BitDiscovery, Jujitsu black belt, and all-around great individual. In this episode, however, we’re not going to be talking about Information Security, but Politics. We have remarkably different and similar views on politics, which we’ve been discussing in private for years, and we thought now was the perfect time to show that it’s possible to disagree with someone, respect them, and have a conversation about those disagreements in a positive and useful way. This is the first experiment of this kind on Unsupervised Learning, and I’m quite pleased with how it turned out. So with that, here’s Jeremiah Grossman.

 Unsupervised Learning: No. 173 | File Type: audio/mpeg | Duration: 1481

Amazon has many thousands of people doing quality control on Alexa, meaning that they're listening to incoming audio captured on Echo devices. This shouldn't be surprising. The question is how they're doing it, and what policies they have around privacy when doing so. I don't personally see a major problem here. But at the same time I'd never put a Facebook device in my home. To me it's more about the company and its incentives than anything else.

A number of FBI-affiliated websites were hacked, and information on thousands of federal agents and law enforcement officers is now being sold online.

Chinese schools are using facial recognition on students, and using ML to determine whether or not they're currently paying attention, distracted, etc.

Sift is a service that builds a risk profile on you so merchants can determine whether you're a benign actor or someone about to commit fraud. I think people need to accept that continuous risk scoring for people and situations is both inevitable and actually already happening. The moment you try to block bad actors by looking at their behavior, you quickly end up with a score that determines action based on various thresholds. And the moment you do it for bad actors, you're kind of implicitly doing it for good actors as well. There are better and worse ways to approach this, but profile scoring is not something we're going to be able to avoid going forward. Let's accept this reality and start having the conversations about how to make (and keep) this functionality as benign as possible.

A Dutch F-16 was damaged by rounds from its own 20mm cannon. So it fired bullets, and then flew into them. Life is awesome.

 Unsupervised Learning: No. 171 | File Type: audio/mpeg | Duration: 1152

Mastercard is looking to create a Digital ID service that can bind your digital presence to your mobile device, which will be able to verify you to various services.

Palantir has won an $800 million contract to build the next combat intelligence system (to replace DCGS-A) for the Army.

Putin appears to be causing brain drain in Russia.

Dropbox has an interesting proposal for improving vendor security assessments. TL;DR: They turned their requirements into contractual points. LOVE IT.

 Unsupervised Learning: No. 169 | File Type: audio/mpeg | Duration: 1128

Multiple governments have now blacklisted Huawei, which Huawei seems very confused by. The best explanation I've heard so far about why this move makes sense for western countries came from Rob Joyce of NSA. He basically said that just like Kaspersky in Russia, the reason you can't trust Huawei is that it's a Chinese company, and even if they're not already infiltrated by the Chinese government, they can be at any moment without anyone knowing that it happened. And there's nothing Huawei or anyone else could do to stop it. Strong argument.

2/3 of Android antivirus apps are hot garbage. Gasp.

DARPA is building an open-source, secure voting system. That's their goal, anyway. I'm skeptical of being able to build truly secure systems, but I have lots of confidence in DARPA, and I also know the bar for improvement over the current state is quite low. So, yeah, go forth and prosper.

The RAND Think Tank conducts wargames between the U.S. and its potential enemies, such as Russia and China, and one analyst said that we keep losing. The issue seems to be that our key advantages can be neutralized rather easily, and it'd take a lot of money to fix the biggest issues.

 Unsupervised Learning: No. 167 | File Type: audio/mpeg | Duration: 2042

This is a description of cyberwar that sounds quite realistic to me, and it's based around the thousand-cuts idea.

Ring Doorbells have a vulnerability that allows one to capture clear-text videos and other data from the cameras if you can get on the wireless network that the camera is using.

An independent security researcher found the Dow Jones Watchlist database sitting open on the internet.

Schneier talks here about how easy it is to influence people in sensitive positions, similar to my post on China building a database on us.…
