Unsupervised Learning is my weekly curation of the most interesting stories and ideas in infosec, technology, and humans.
No podcast due to RSA week.
Infosec news
Another NSA contractor has been indicted over a massive leak of classified data. Harold Martin is alleged to have stolen data from the NSA over 20 years, but the government isn't saying what he did with it. These stories are far too common for my taste. Link
An Australian researcher found a persistent XSS bug in the Steam gaming platform. Gaming is about to become mainstream, and so is game security. This is why my buddy Jason and I have started the Game Security Framework: to capture and classify the various attack surfaces, vulnerabilities, and negative business outcomes that can occur within video games. Link
Pacemaker data may be used against a man in an arson / insurance fraud case. Expect a lot more of this as we start capturing bio data and sharing it with various entities. Link
Intercontinental Hotels has reported a credit card breach for over a dozen properties. They found malware on POS servers at restaurants and bars between August and December of 2016. Link
Radware has acquired Seculert for machine learning technology. I find the mixing of business intelligence and security analytics fascinating. It's really very similar if you think about it: it's about classification and prediction, which is precisely what machine learning is enhancing. Link
People are losing bitcoin left and right, and one of the techniques is having your mobile phone number hijacked which grants access to many of your systems. If that includes your computer, people can swipe your bitcoin wallet files. Link
U.S.-born NASA scientist with Global Entry detained by Homeland Security and forced to give employer's phone PIN before he could leave. Link
The Grugq has done his first piece analyzing possible cyber operations in the upcoming French elections. He takes you through the various incentive structures around Russia and the various candidates, and why they might support one vs. another. Link
Russian hackers have figured out a way to predict payouts on some slot machines with vulnerable PRNGs. The person in front of the machine sends the backend team some codes, they process them using the knowledge of the broken PRNG, and they then send vibrations to the local person's mobile phone that tell them when to hit the button. A team using the system can evidently make around $250K/week. Link
Australia finally has a mandatory data breach notification. Link
A number of Polish banks have been hacked and are scrambling to find the malware responsible. The worst part is that the infection vector looks to have been the site dedicated to cybersecurity for Polish banks. Link
There's a new type of cash machine attack called "Shimming" that works against cards/banks with poor implementations of chip-based debit and credit cards. The issuer is supposed to check the code on the chip before authorization, but if they don't, then this new piece of MitM hardware can steal the data from the chip and use it to create a functional magnetic stripe version of the card. Link
Arby's recently remedied a breach involving malware on payment card systems at hundreds of restaurants. They called Mandiant. Link
Technology news
Automation is taking out high-end knowledge workers at a faster rate than most people think. Goldman Sachs used to have 600 traders, now they have 2 equity traders left, with the rest being replaced by automated trading software. Link
What software engineers are making around the world right now. Link
Ford is investing $1.3 billion in autonomous vehicle technology from a company called Argo AI. They're an AI and robotics firm focused on what Ford calls a "virtual driver system". Ford says they'll have a fully automated driving solution by 2021. Link
MIT has developed a wearable that can determine the tone of the current conversation. Link
Google researchers have figured out a way to go from blurry pixelated images to usable ones, just like in the movies. Link
Spotify might be in trouble due to the arithmetic of paying for contracts with record companies and publishers. Link
SAP has added AI and integrated analytics into its latest release. AI-powered analytics are becoming a lot like accounting or Excel: sure, you could run a business without it, but it probably wouldn't last long. Link
There's a service called Visa Account Updater that lets merchants learn your new card number even before you get it, if it's linked to a card of yours that they have on file and that just expired. Link
Digital Assistants are about to get really good at conversational question and answer, including follow-up links between previous responses. Link
China has 656 million smartphone users, which is more than double the population of the United States. Link
Apple took 92% of smartphone industry profits in Q4 2016. Link
Uber hires veteran NASA engineer to work on flying vehicles. Link
Apple Pay now supported by 36% of merchants in the United States. Link
Human news
It looks like the gig economy in its current state is more of a stop-gap while people are between jobs, as opposed to a new career like people thought it was going to be. My belief is that this will change as more and more regular jobs disappear, and as the full spectrum of people's skills becomes available through centralized work/hire apps. Link
A factory in Dongguan, China replaced 90% of its human workers with robots, and production rose by 250% while defects dropped by 80%. Start thinking about Basic Income; it's no longer a fringe idea. Link
Speaking of becoming obsolete, there used to be a dog breed called the Turnspit which would run in a wheel to turn meat so it would cook evenly. It went extinct when that job was given to a machine. Link
SIDS has largely been determined to be a matter of babies sleeping in unsafe conditions and dying of suffocation. Link
Merriam-Webster has added over 1,000 new words to their dictionary. Link
It's been a bad few months for statisticians. First Trump wins against all predictions, and then New England comes back when many statisticians gave them a 90-99% chance to lose at one point. Link
Ancestry.com has a new DNA service that uses 770,000 genomes to track your family's immigration story through America. Link
The Met museum has made 375,000 images free to the public. Link
PacketTotal -- Online analysis of pcaps that shows connections, certs, encryption algorithms, etc. I'm sure you know this already, but be careful what you send to random websites. Link
Blue Feed, Red Feed -- See liberal and conservative Facebook side by side. Link
Consume more content by speeding up your audio and video. I listen to a lot of audiobooks at 2-3x. Link
A Whirlwind Tour of Technology Trends in China, by a16z Link
The daily practices of 200 ultra-high performers, collapsed into 15 takeaways. Link
A collection of Chris Valasek and Charlie Miller's car hacking research. Link
Superset -- AirBnB's platform for visual, intuitive, and interactive data exploration. Link
Threat Landscape Dashboard -- A new project by Intel that shows you the top 10 threats and the relationships between them. Link
Cybersecurity Snapshot -- A view of the various players in the cybersecurity space, by Momentum Partners. Link
A team of researchers has released a fascinating paper on the ubiquity and implications of TLS interception. Link
Bill Nye is starting a science show on Netflix in April, called Bill Nye Saves the World. Link
CTF Tools -- Configure a full set of tools to compete in a CTF. Link
Notes
I'll be giving a talk at RSA on Thursday at 1:30pm at Moscone West, Room 2005. The talk is on using Adaptive Testing Methodologies to test medical devices. Link
I'll also be spending a good amount of time during the conference at IOActive's IOAsis, which is right down the street from Moscone. It's like a sanctuary away from the show floor where you can come talk about security, get a massage, etc. Stop by and say hello. Link
I was quoted in a Register article about gaming security. Link
I was quoted in a ZDNet article about medical device security. Link
I was quoted in a TechTarget article about IoT security. Link
I've finished Lexicon, and I can virtually guarantee that anyone who likes this newsletter will love this book. It's in my top 5 fiction books for sure. Link
I just started reading Hamilton's Biography, Alexander Hamilton. Link
Recommendations
When you're at RSA this week, ask vendors a simple question: "How should I change my behavior on Monday based on the information you're providing me with your product?" If they don't have a good answer, thank them for their time.
Aphorism
"People don't seem to realize that their opinion of the world is also a confessor of character." ~ Ralph Waldo Emerson
Get my new book on the predictable way in which timeless human drives will manifest through technology, The Real Internet of Things.