Your #SSN DOB credit cards were leaked. Go do a credit freeze at all 3 agencies (FTC): https://goo.gl/RXZAVL

Equifax Says Cyberattack May Have Hit 143 Million Customers (Bloomberg)

That’s 60% of all US adults, or pretty much everyone with a credit card. There is a big file floating around somewhere that has enough info on you for anyone to take out a bunch of money in your name and dump that debt on you. You can prevent that by putting a credit freeze on your personal info, which you can lift when you need to apply for credit yourself – here is an FTC link on how to do all three.

The most maddening thing about this leak is that – unlike Ashley Madison – this time you cannot opt out of this shit or “just stop doing it”. If you are a functioning human in the USA, you are pretty much forced to store your most sensitive financial and personal info with these scumbags, and then they go on and leak all of it. I hope they get sued to death for being a bunch of incompetent de facto extortionists.

Of course, it’s another issue altogether that what used to be called impersonation and a bank’s failure to verify its borrower is now referred to by the idiotic oxymoron “identity theft”, and somehow it became not the bank’s problem but yours.

In case you wondered why Travis #Kalanick got kicked out from #Uber

Quote 1, June 9, 2016:

I say we are going to IPO as late as humanly possible. It’ll be one day before my employees and significant others come to my office with pitchforks and torches. We will IPO the day before that. Do you get it?

Quote 2, August 30th, 2017:

In response to a question about going public, Khosrowshahi said it would probably happen in 18 to 36 months, according to two people who listened to the meeting. “It’s my opinion that the company should go public,” he said.

Of course it’s your opinion, that’s why you just got hired!

Looks like the IPO will happen shortly after the VCs came to TK’s office with pitchforks. Everything else was just clowning and smear campaigning by Benchmark to depose him. Everyone who jumped on board the righteous moralizing Uber-bashing train should be really ashamed now. HR incidents happen at any company, and everyone involved in them must be prosecuted to the full extent of the law. That doesn’t excuse a ridiculous anti-PR attack that almost took down the entire company. And even now it’s not clear if Uber will fully recover.

Level 5 #SelfDrivingCars by 2021, by 2030 gas cars drop near zero?

We’ll see… I’ll just leave this here : ) Will check back in a couple of years to see if gas and personal cars have gone the way of Kodak and the typewriter by then. Might be a bit upsetting for the Uber-bashing crowd out there, too. Some really interesting forecasts here and here:

  • Self-driving cars will launch around 2021
  • A private ride will be priced at 16¢ per mile, falling to 10¢ over time.
  • A shared ride will be priced at 5¢ per mile, falling to 3¢ over time.
  • By 2022, oil use will have peaked
  • By 2023, used car prices will crash as people give up their vehicles. New car sales for individuals will drop to nearly zero.
  • By 2030, gasoline use for cars will have dropped to near zero, and total crude oil use will have dropped by 30% compared to today.


Vegas hacker party schedule #defcon #blackhat #bsides

Just a couple of pointers, nothing major here. A pretty comprehensive-looking party schedule (in addition to the official page). Filling up crazy fast.

One event I don’t see there, though, is the DEF CON Shoot, Wed 26 18:00 and Thu 27 9:00.

Part of why I love being in this field – I’m not really aware of any other global community with annual weeklong bashes in Vegas.

Your semi-definitive guide to #blackhat #bsideslv and #defcon 2017 – Vegas hacking!


(my last year’s DEFCON badge – it winks at you with those terminator LED’s!)

Here is my subjective take on the Vegas hacker’s Disneyland that’s happening at the end of July 2017. Please keep in mind that this year I’m trying to make it useful for web site/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.

As for the parties… that’s for the follow-up post : )

High-level

BlackHat at Mandalay is more practical and by far the most expensive; it consists of three parts:

  1. 2-day trainings – ~$3k apiece
  2. Several days of hour-long briefings/talks – ~$2.5k includes all, and
  3. Expo floor which is free with either 1 or 2

Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.

BSidesLV is much more mellow: it’s under $100 and more informal; people basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.

DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons and CTFs, and is basically a Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747’s to implanting circuitry into your hands, and there are also tons of fun contests and a geek marketplace. It’s just super-fun, though probably less useful for safeguarding a web service.

BlackHat Briefings – Totally Subjective Shortlist

Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):

Cracking The Lens: Targeting HTTP’s Hidden Attack-surface

Don’t Trust The Dom: Bypassing XSS Mitigations Via Script Gadgets

Web Cache Deception Attack

A New Era Of SSRF – Exploiting URL Parser In Trending Programming Languages!

Friday The 13th: JSON Attacks

Practical Tips For Defending Web Applications In The Age Of Devops – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process

Splunking Dark Tools – A Pentesters Guide To Pwnage Visualization

The Epocholypse 2038: What’s In Store For The Next 20 Years

Ichthyology: Phishing As A Science (walk through a series of real-world attacks conducted against a Bay Area tech company)

BlackHat (Web Security) Trainings

These are very useful; they typically take 2 days but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. Still, these are the ones that I found very interesting for web security:

Engineering/app-level security training:

Whiteboard Hacking aka Hands-on Threat Modeling

Abilities Inc – Metasploit Mastery

Applied Data Science for Security Professionals

Visual Analytics – Delivering Actionable Security Intelligence

The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, focuses too much on the obsolete and made-up simple attacks, could really benefit from a 2017-overhaul. But hey, maybe it will be brand new this year.

Talks I expect to be very useful for DevOps

Cloud Security Hands On (CCSK-Plus)

Advanced Cloud Security and Applied SecDevOps


And that’s it for now – see you there!! After all, it’s Vegas – good times all around!

#wtf @microsoft? #rant

TLDR: the whole process of buying consumer Windows is surprisingly user-hostile for a company that is supposed to move quickly to survive.

Splurged on a Windows 10 Home license (sooo 90’s….) for my family. Normally, I would not inflict Windows upon myself or people around me, but my family is stubborn. Now trying to simply download. the. thing. and I get this:

(screenshot of the Microsoft Windows 10 download page)

Wtf is “Creators Update”??? What is “Windows 10 N” and how is it different from “Windows 10”? What is all this crap? Oh, it’s a special edition for sale in Switzerland that has media player removed, that’s great! But what moron decided to drop these acronyms on a person simply trying to download Home edition, no explanation provided? Too little space on that page for a couple of explainer sentences? Which one should I pick for the ensuing 35-minute download and not screw up? (answer: “Windows 10 Creators Update Windows 10”)

Of course, there is no mention anywhere of how big the actual download is, including in Amazon’s product description (answer: 3-4GB depending on the architecture, so throw away that 2GB thumb drive you were planning on using) – and I bought this on Amazon, distrusting the MS purchase experience in advance, and was still forwarded to the MS website. Who cares if I have to run to the store to buy a bigger thumb drive? Stupid details, this petty consumer nonsense is beneath Microsoft. I thought Nadella turned that place around… or something…

Real concerns about #robo-advisors and #Betterment

Quick summary from reading up on tons of links and discussions on Betterment, Wealthfront, WiseBanyan, etc.

TLDR: real concerns:

  1. You can actually do it better yourself if you put in enough time: both rebalancing and tax loss harvesting (the latter actually only kicks in when there are losses)
  2. Betterment just jacked up their fees, and there is no telling whether they will do it again at any point in the future, which leads us to the third point that is more general for all robo-advisors:
  3. An argument can be made that the whole robo-advisor business model is unsustainable, especially with low initially advertised fees that are the key competitive edge over an ocean of other funds, choice quotes:
    • Charles Schwab is already undercutting both companies with no fees (0.00%), and despite what Betterment will tell you, it’s a great deal.
    • 25 basis points is not a business model, it’s a temporary growth tactic.

Even shorter TLDR: it’s worth paying them if you really want to automatically rebalance and diversify across a range of funds and ETFs for a still-low fee, and hope they can make their model work out. If you are not particularly bent on having, e.g. a slice of bonds and overseas equities, then VTI/VOO/what have you is the way to go.

(Of course, in the context of the present day, this assumes you are either not of the opinion that we are in an equities bubble, or that it’s not a concern for your portfolio choice.)