Unsupervised Learning

Here's the new MITRE 2019 25 Most Dangerous Software Errors. Memory corruption bugs are huge right now. MoreThere's a ton of recent DDoS activity that's leveraging IoT devices for UDP amplification attacks. Specifically, the WS-Discovery service (WSD) is being used because the response to request ratio is so large (from 43% to 15,000%). MoreThere's a lot of chatter out there about Snowden due to his new book coming out, the NSA suing to keep him from making money off of it, him saying he'd like to come home, and him reiterating that he was just trying to do the right thing. Oh, and him saying he's never cooperated with the Russians. This whole situation makes me cautious of anyone with a singular and strong opinion about this, including myself. In 2016 I wrote a short piece about my opinion, and I am pretty much still in the same place with it. In short, if you think he's a hero you're probably wrong, and if you think he's a traitor you're probably wrong. He seems to be some combination of these two things, and from day to day, article to article, and book to book, I simply can't tell how much of which. BookBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Not sure how this isn't bigger news, but Saudi Arabia shut down half its oil production after a number of drones attacked the largest oil processing plant in the world. Yemeni rebels claimed credit, but the US blames Iran. MoreDNS over HTTPS is coming to Chrome as well, so it's not just Firefox. So this is basically where browsers have a preferred DNS server, which works over HTTPS, and ISPs therefore won't be able to see every DNS request that users make. This will be a good thing for reducing the risk of ISPs (and actors with access to their logs) seeing what people are requesting, but it raises questions around filtering, caching networks, and other major components of the status quo. MoreA couple of Coalfire Pentester's got arrested and are still in custody for trying to break into a courthouse that they were actually paid to break into. Evidently, it's not clear whether the physical part was in scope or not. So, no, the get out of jail free card wouldn't have helped. Everyone already knows they were doing it thinking it was ok; the question is next steps. And meanwhile they sit in jail, probably spending all their time mentally working on DEFCON slides. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

AIG says BEC has overtaken ransomware as the primary claim type against their cyber insurance policies in EMEA, accounting for 23% of claims. More PaperThe NSA Cyber Chief wants to share digital threat information early and often. I like the fact that they're opening up a bit, and I think it's only good for everyone (except bad guys). The more they share the higher the bar is for attackers, and the less time they have to use certain TTPs. This is exactly the type of Government-Industry interaction that we need to be doing more of to stay ahead of China. MoreNYU did a report on how social media is likely to be used for misinformation campaigns in 2020. They say Instagram will be a much bigger player this time around, which makes sense given that images are the dominant meme carrier. Article StudyBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Ring has already partnered with over 400 police departments. As you know, I'm torn on this kind of tech. Neighborhood watch can be a good thing, and it can also be a bad thing. Technology tends to magnify both weaknesses and strengths, so it can make neighborhood watch really great, or it can turn it into a nightmare. The problem is that you can easily start on the positive side, build it all the way up, and then in a few legal, policy, and tech changes have it turn into the oppressive form. Some say this is a reason not to do any of this stuff, but I disagree. We know someone is going to do it, so I think the best thing that can be done is to build a benign version and hope it wins in the market. More People are drawing comparisons between China's social credit system (which is actually multiple systems) and the Silicon Valley's various apps that have internal rating systems. They're saying that these ratings will eventually be used to make decisions about things that matter. Sure, but this has existed throughout human history. Word of mouth, blacklists, etc.: these are all ways of extending the reach of good or bad reputation. I think whenever someone points out the downside of a technology, we should ask ourselves whether that dynamic exists already in the real world, and adjust our opinions accordingly. MoreThe Pentagon is worried that China will beat the US in AI if we don't create a stronger link between the government and both academia and industry, which China is good at. We basically need to move faster from edge concepts to practical implementations, but it's damn hard to do this when we have all sorts of legal and ethical constraints that China doesn't have. Our caution and morality are a definite weakness in this case. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Protestors in Hong Kong are physically attacking and destroying facial recognition cameras. MorePalo Alto says 7 out of 10 new domain registrations (NDRs) are either malicious or not safe for work, and they encourage companies to block them. MoreLt. Gen. Fogarty is fighting to change the name of Army Cyber Command to Army Information Warfare Command, and to give the group a much larger scope in its mission. MoreWe continue to see attacks against open source supply chains, in packages like NPM, RubyGems, Webmin, and many others. It's about to become imperative for people to understand—and to be able to validate—the entire chain of trust that a given application sits upon before they use it. There have been many companies in this space in the past, but I expect to see them (and new players) get a lot more attention soon. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

The terms intelligence, information, and data are thrown around pretty loosely in most tech circles, and this inevitably leads to people confusing and/or conflating them. What follows is a simple explanation of how the related terms are different from each other, and how they work together.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

There are some seriously nasty Windows RDP bugs out there. If you have RDP facing the internet, make sure you're patched. And try to get to VPN as soon as possible. MoreA huge survey of firmware security has found virtually no improvement over the last 15 years. People seem surprised by this, but it is exactly what I would have predicted based on my analysis here. Basically, for most people not in the industry, our current state is actually fine. MoreNYPD has over 82K peoples' DNA in a database, and the program has little visibility and oversight. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Ring is developing two-way relationships with hundreds of police departments in the US. This allows Ring users to be alerted to crime in their area via 911 data, and police departments to pull video from participating Ring devices. This is the type of functionality that most people will see and think, “Wow, I'd love to have that!”, which is why it's going to be very successful. But it's also one tiny step away from something terrifying. MoreA number of critical bugs in VxWorks are going to cause issues with infrastructure for years to come. MoreDARPA is building a $10 million dollar, open source voting system with a focus on security. MoreIt looks like China's social credit system might not be a giant monolithic system, but rather a series of siloed experiments. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Marcus Hutchins got off with time-served, and people have feelings. The range basically goes from 'he did nothing wrong', to, 'he should rot in prison'. In my mind this outcome was close to perfect. Remember, he went through two years of hell since being brought up charges, he's still a convicted felon, and he also is largely banned from the US. I think it's good that he admitted guilt, faced consequences, and is being offered a chance to continue giving back to the community. MoreAttorney General Barr said recently that companies should put backdoors in their products that bypass encryption, or else the government will pass laws that require it. This is unspeakably stupid. Without even getting into the philosophy of whether the internet can host a private conversation (which requires a warrant to tap), we can just start with the fact that backdoors present a clear and present danger to security, right now, due to the weaknesses of those who create them. If the NSA can be hacked or somehow lose its sensitive tools and materials, there's no company this cannot happen to. Purposefully installing backdoors therefore equates (effectively) to giving such access to attackers. Unacceptable. MoreEquifax is offering people $125 dollars in reparations for them losing all your data. But to get it, you have to log in and give a bunch of data about yourself. It's hilarious. They made money offering credit protection after the breach, and now they're going to collect updated information on anyone who wants to collect $125. On Twitter I called this a sadder and more permanent form of giving plasma. MoreBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

Unpacking the evolution-granted bliss of prep schools and elite institutions, and why they resonate so much with us.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.