Author Archives: fancymollusk

Programmers wiped out by robots

There are 3.5 million truck drivers in the US. They will all be gradually replaced by robots in the next few years, and then we will have a massive bloodbath caused by 3.5 million (no offense) low-skilled, unemployed people hunting for food.

From their perspective, this may look unrealistic – heavy driving seems like a really taxing and complex activity: it demands lots of attention, it has many special cases, and it often requires reading social cues from other humans that only humans can understand. Yet the switch to robots (and the ensuing social cataclysm) looks inevitable within a few short years.

In my line of work, I’ve long been puzzled by a similar issue. Why, in the field of computer science and engineering, which is ultimately governed by the physics of circuits and switches and by the math and formal logic that stem from them, does so much of the routine daily work of programming those soulless machines involve human judgement, uncertainty, doubt, debates and flame wars over “patterns”, and (for any other engineering line of work) straight-up insane rates of errors, crashes and bugs?

I mean, it’s hard to imagine a modern-built physical bridge that just crashes “because bugs”. Or take air travel: in the US, 0.2 deaths per 10 billion passenger-miles for the first decade of this century. For the whole second decade – 0 deaths (almost).

Modern planes are heavily computerized; is that software written by some different breed of humans than, say, web software? Because my online banking from Citi goes down every week, and it’s a freaking banking service with the same use cases since the 14th century, repeated many times daily by 7,000 banks in the US, nowhere near as complicated as the software that automatically and near-flawlessly flies and lands the jets in this country.

But wait: the higher the stakes in regular software, the bigger the reliance on human judgement seems to be. “Our web service is facing unique performance challenges and only team XYZ has enough experience to scale it to that level.” Mind you, human programmers still haven’t sorted out whether something as long-used as OOP is even a viable concept – some say that it is an unmaintainable disaster, a non-starter, while others have been building stable systems with it for decades. With stubborn opinions so polarized and mutually exclusive in a field that is, again, governed by the laws of physics, it seems very wrong that so much of programming and design is still performed manually by fickle, biased mortals.

I don’t see any replacement yet. But maybe I’m just a truck driver.

The end of #lendingclub’s most lucrative note grades

The return on my portfolio with LendingClub – my choice was mostly low-grade notes – steadily dropped all the way down to 5.88% over the last year and a half, until we finally ran into this:

As of 11/7/2017, F & G grade Notes are not available for purchase by investors.

because LendingClub

noticed an increase in prepayment and delinquency rate in F and G grade Notes

Seems like the 20+% APY party has come to an end, even without any major event or recession in sight yet. My guess would be that with a spike in demand, LendingClub had to loosen up some criteria and let in a bunch of borrowers they wouldn’t and shouldn’t have otherwise, so now all of us are paying the price. It might still get much worse when the economy starts to tank.

Your #SSN DOB credit cards were leaked. Go do a credit freeze at all 3 agencies (FTC): https://goo.gl/RXZAVL

Equifax Says Cyberattack May Have Hit 143 Million Customers (Bloomberg)

That’s 60% of all US adults, or pretty much everyone with a credit card. There is a big file floating around somewhere that has enough info on you for anyone to take out a bunch of money in your name and dump that debt on you. You can prevent that by putting a credit freeze on your personal info, which you can lift when you need to apply for credit yourself – here is an FTC link on how to do it at all three agencies.

The most maddening thing about this leak is that – unlike Ashley Madison – this time you cannot opt out of this shit or “just stop doing it”. If you are a functioning human in the USA, you are pretty much forced to store your most sensitive financial and personal info with these scumbags, and then they go on and leak all of it. I hope they get sued to death for being a bunch of incompetent de facto extortionists.

Of course, it’s another issue altogether that what used to be called impersonation, and a bank’s failure to verify its borrower, is now referred to by the idiotic oxymoron “identity theft”, and somehow it became not the bank’s problem but yours.

In case you wondered why Travis #Kalanick got kicked out from #Uber

Quote 1, June 9, 2016:

I say we are going to IPO as late as humanly possible. It’ll be one day before my employees and significant others come to my office with pitchforks and torches. We will IPO the day before that. Do you get it?

Quote 2, August 30th, 2017:

In response to a question about going public, Khosrowshahi said it would probably happen in 18 to 36 months, according to two people who listened to the meeting. “It’s my opinion that the company should go public,” he said.

Of course it’s your opinion, that’s why you just got hired!

Looks like the IPO will happen shortly after the VCs came to TK’s office with pitchforks. Everything else was just clowning and smear campaigning by Benchmark to depose him. Everyone who jumped on board the righteous moralizing Uber-bashing train should be really ashamed now. HR incidents happen at any company; everyone involved in them must be prosecuted to the full extent of the law. That doesn’t excuse a ridiculous anti-PR attack that almost took down the entire company. And even now it’s not clear if Uber will fully recover.

Level 5 #SelfDrivingCars by 2021, by 2030 gas cars drop near zero?

We’ll see… I’ll just leave this here : ) Will check back in a couple of years to see if gas and personal cars have gone the way of Kodak and the typewriter by then. Might be a bit upsetting for the Uber-bashing crowd out there, too. Some really interesting forecasts here and here:

  • Self-driving cars will launch around 2021.
  • A private ride will be priced at 16¢ per mile, falling to 10¢ over time.
  • A shared ride will be priced at 5¢ per mile, falling to 3¢ over time.
  • By 2022, oil use will have peaked.
  • By 2023, used car prices will crash as people give up their vehicles. New car sales for individuals will drop to nearly zero.
  • By 2030, gasoline use for cars will have dropped to near zero, and total crude oil use will have dropped by 30% compared to today.


Vegas hacker party schedule #defcon #blackhat #bsides

Just a couple of pointers, nothing major here. A pretty comprehensive-looking party schedule (in addition to the official page). Filling up crazy fast.

One event I don’t see there, though, is the DEF CON Shoot, Wed 26 at 18:00 and Thu 27 at 9:00.

Part of why I love being in this field – I’m not really aware of any other global community with annual weeklong bashes in Vegas.

Your semi-definitive guide to #blackhat #bsideslv and #defcon 2017 – Vegas hacking!


(my last year’s DEFCON badge – it winks at you with those terminator LED’s!)

Here is my subjective take on the Vegas hackers’ Disneyland that’s happening at the end of July 2017. Please keep in mind that this year I’m trying to make it useful for web site/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.

As for the parties… that’s for the follow-up post : )

High-level

BlackHat at Mandalay is more practical and by far the most expensive; it consists of three parts:

  1. 2-day trainings – ~$3k apiece
  2. Several days of hour-long briefings/talks – ~$2.5k includes all of them, and
  3. Expo floor, which is free with either 1 or 2

Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.

BSidesLV is much more mellow: it’s under $100 and more informal, and people basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.

DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons and CTFs, and it’s basically a Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747s to implanting circuitry into your hands, and there are also tons of fun contests and a geek marketplace. It’s just super fun, though probably less useful for safeguarding a web service.

BlackHat Briefings – Totally Subjective Shortlist

Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):

  • Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface
  • Don’t Trust the DOM: Bypassing XSS Mitigations via Script Gadgets
  • Web Cache Deception Attack
  • A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages!
  • Friday the 13th: JSON Attacks
  • Practical Tips for Defending Web Applications in the Age of DevOps – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process
  • Splunking Dark Tools – A Pentester’s Guide to Pwnage Visualization
  • The Epocholypse 2038: What’s in Store for the Next 20 Years
  • Ichthyology: Phishing as a Science (walk through a series of real-world attacks conducted against a Bay Area tech company)

BlackHat (Web Security) Trainings

These are very useful; they typically take 2 days but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. Still, these are the ones that I found very interesting for web security:

Engineering/app-level security training:

  • Whiteboard Hacking aka Hands-on Threat Modeling
  • Abilities Inc – Metasploit Mastery
  • Applied Data Science for Security Professionals
  • Visual Analytics – Delivering Actionable Security Intelligence
  • The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, focuses too much on the obsolete and made-up simple attacks, could really benefit from a 2017 overhaul. But hey, maybe it will be brand new this year.

Talks I expect to be very useful for DevOps

  • Cloud Security Hands On (CCSK-Plus)
  • Advanced Cloud Security and Applied SecDevOps


And that’s it for now – see you there!! After all, it’s Vegas – good times all around!