
Your semi-definitive guide to #blackhat #bsideslv and #defcon 2017 – Vegas hacking!

(photo: my last year’s DEFCON badge – it winks at you with those terminator LEDs!)

Here is my subjective take on Vegas hacker’s Disneyland that’s happening end of July 2017. Please keep in mind that this year I’m trying to make it useful for web site/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.

As for the parties… that’s for the follow-up post : )

High-level

BlackHat at Mandalay is more practical and by far the most expensive, it consists of three parts:

  1. 2-day trainings – ~$3k a piece
  2. Several days of hour-long briefings/talks – ~$2.5k includes all, and
  3. Expo floor which is free with either 1 or 2

Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.

BSidesLV is much more mellow: it’s under $100 and more informal; people basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.

DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons and CTFs, and is just like the Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747s to implanting circuitry into your hands, and also have tons of fun contests and a geek marketplace. It’s just super-fun, though probably less useful for safeguarding a web service.

BlackHat Briefings – Totally Subjective Shortlist

Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):

Cracking The Lens: Targeting HTTP’s Hidden Attack-surface

Don’t Trust The Dom: Bypassing XSS Mitigations Via Script Gadgets

Web Cache Deception Attack

A New Era Of SSRF – Exploiting URL Parser In Trending Programming Languages!

Friday The 13th: JSON Attacks

Practical Tips For Defending Web Applications In The Age Of Devops – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process

Splunking Dark Tools – A Pentesters Guide To Pwnage Visualization

The Epocholypse 2038: What’s In Store For The Next 20 Years

Ichthyology: Phishing As A Science (walk through a series of real-world attacks conducted against a Bay Area tech company)

BlackHat (Web Security) Trainings

These are very useful; they typically take 2 days, but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. Still, these are the ones that I found very interesting for web security:

Engineering/app-level security training:

Whiteboard Hacking aka Hands-on Threat Modeling

Abilities Inc – Metasploit Mastery

Applied Data Science for Security Professionals

Visual Analytics – Delivering Actionable Security Intelligence

The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, focuses too much on the obsolete and made-up simple attacks, could really benefit from a 2017-overhaul. But hey, maybe it will be brand new this year.

Talks I expect to be very useful for DevOps

Cloud Security Hands On (CCSK-Plus)

Advanced Cloud Security and Applied SecDevOps


And that’s it for now – see you there!! After all, it’s Vegas – good times all around!

#wtf @microsoft? #rant

TLDR: the whole process of buying consumer Windows is surprisingly user-hostile for a company that is supposed to move quickly to survive.

Splurged on a Windows 10 Home license (sooo 90’s….) for my family. Normally, I would not inflict Windows upon myself or people around me, but my family is stubborn. Now trying to simply download. the. thing. and I get this:

(screenshot of the Microsoft download page)

Wtf is “Creators Update”??? What is “Windows 10 N” and how is it different from “Windows 10”? What is all this crap? Oh, it’s a special edition for sale in Switzerland that has media player removed, that’s great! But what moron decided to drop these acronyms on a person simply trying to download Home edition, no explanation provided? Too little space on that page for a couple of explainer sentences? Which one should I pick for the ensuing 35-minute download and not screw up? (answer: “Windows 10 Creators Update Windows 10”)

Of course, there is no mention of how big the actual download is anywhere, including Amazon’s product description (answer: 3-4GB depending on the architecture, so throw away that 2GB thumb drive you were planning on using) – and I bought this on Amazon, distrusting the MS purchase experience in advance, and was still forwarded to the MS website. Who cares if I have to run to the store to buy a bigger thumb drive? Stupid details, this petty consumer nonsense is beneath Microsoft. I thought Nadella turned that place around… or something…

Real concerns about #robo-advisors and #Betterment

Quick summary from reading up on tons of links and discussions on Betterment, Wealthfront, WiseBanyan, etc.

TLDR: real concerns:

  1. You can actually do it better yourself if you put in enough time: both rebalancing and tax loss harvesting (the latter actually only kicks in when there are losses)
  2. Betterment just jacked up their fees, and there is no telling whether they will do it again at any point in the future, which leads us to the third point that is more general for all robo-advisors:
  3. An argument can be made that the whole robo-advisor business model is unsustainable, especially with low initially advertised fees that are the key competitive edge over an ocean of other funds, choice quotes:
    • Charles Schwab is already undercutting both companies with no fees (0.00%), and despite what Betterment will tell you, it’s a great deal.

    • 25 basis points is not a business model, it’s a temporary growth tactic.

Even shorter TLDR: it’s worth paying them if you really want to automatically rebalance and diversify across a range of funds and ETFs for a still-low fee, and hope they can make their model work out. If you are not particularly bent on having, e.g. a slice of bonds and overseas equities, then VTI/VOO/what have you is the way to go.

(Of course, in the context of present day, this assumes you are either not of the opinion that we are in an equities bubble, or it’s not a concern for your portfolio choice)

A healthy bit of #conspiracy theorizing for 2017

Why doesn’t anyone see the obvious? Many years of near-zero interest rate and dumping cheap money into the system produced mediocre economic growth combined with a huge debt and equity bubble (though surprisingly little inflation).

The rate will have to go up to realistic levels at some point, and with it will evaporate the equity bubble, mortgage affordability and the housing market – with debt servicing (consumer, corporate and government) draining all other parts of the economy.

Wouldn’t it be nice if we had a temporary figurehead with historic unfavorable rating to use as a scapegoat to do some bloodletting in this system?

Oh, wait…

Does #SharingEconomy work? Can you make money renting out cars on Turo?

TLDR: Of course not : ) To grow your income, it’s better to invest in your individual strengths (e.g., improving coding skills) and spend less time playing other people’s games.

My overall take on sharing services (Airbnb – can never figure out how to cap this word! Uber, Turo, etc): they are temporary exploits of outdated technology and regulation, and people who rely on these services for income too much will not be happy in the long term. There are lots of posts out there tearing up both Airbnb and Uber. I personally don’t believe they are doomed, just do not consider either one as a stable long-term income option. But today let’s take a look at another poster child of the sharing wave of the future: Turo, formerly known as Relay Rides.

Casually browsing the Interwebs you might notice some numbers getting thrown around that may give you an impression that it’s an easy way to get an additional income stream. But after a quick round of research things become significantly less rosy. Let’s do some quick math – first, the fun part:

Revenue

Let’s say we start on the pragmatic side and offer up a boring but practical car for $40/day. After Turo’s cut of 15% (actually 25% with extra protection features, but let’s say we are too cheap) and a pretty optimistic utilization rate of 70% (which means pretty much a non-stop stream of customers to be serviced), we settle at a healthy $714 of revenue per month.

Expenses

For simplicity, let’s consider a new or a lightly used leased car. It is actually a violation of your lease contract to rent it out on Turo, but it is technically doable and does not affect our calculations too much if we choose to buy instead.

If we take a pretty average lease of a Corolla or an Elantra, it will set us back by about $1500 in down payment+tax+registration plus a monthly payment of about $100, let’s say for 36 months. Let’s also assume that we magically get enough miles to go with it (basis for this assumption: even though you may need up to 3k miles/month for heavy utilization, you can find takeover leases that may actually fit that need for a short period of time, or again, price out a purchase, which will not be very different). That will give us $141.67/mo if we spread out all those expenses over the lease period.

Next, operational expenses. A typical heavy-utilization rental takes about three days. This means we rent out 7 times a month. If we decide to do an express wash every time, and a more thorough wash once a month, that’s $65/month in cleaning. Let’s also set aside about $70 a month for arranging the pickups and resolving any logistical problems (e.g., if someone runs late, or an occasional TaskRabbit for a delivery if you are out of town). Let’s also set aside $100/month for repairs – even if there is a warranty, you can and will get into out-of-pocket situations, and about a grand a year does not seem unreasonable. Finally, we need to add the car to the personal insurance to be able to drive it between the rentals, e.g. to the shop. Let’s throw in about $20/mo for some kind of a super-minimalistic plan (which technically we could skip, but that would be uncool).

All in all this gives us $396.67 in monthly expenses.

Bottom Line

These numbers leave us with about $317.33 in taxable income per car. Which, for a purely theoretical exercise, falls pretty close to what this guy is proudly reporting from the field, considering he got his Chevy Cruze almost for free.

To put things in perspective, if you try to scale and operate, say, 5 cars like that, you will be making slightly less than a burger flipper at McDonald’s. For that money, you will have to deal with an average of about 2 customers every day (that includes cleaning the car) and any associated overhead such as people flaking, running late, scratching or staining the car, screwing you over on gas, disputing mileage or just randomly giving you a crappy review. If we tighten the numbers to, say, 90% utilization, or even completely remove the cost of the car itself, or perhaps find a higher-end vehicle combination that might yield closer to $1000 in profit per car (though I doubt that number can be achieved in a stable long-term way), that’s still not really the business I would like to be in.

To consider scaling further and doing this full time, you would have to deal with 15-20 cars which gives us 7 pickups+cleanings every day, including the weekends. At this point, a private parking lot near a major airport and a carwash would come in handy, too.

Basic Income #basicincome

The subject is all the rage in nerd blogs and progressive debates. But it’s a bit ridiculous how quick people are to forget history and get carried away with hype. Basic income (various versions of it, and much more along those lines) has been extensively debated and tried in real life for many years. It has serious pros and cons that mostly still hold, even in the world of (gasp) iPhones and Facebooks. There is a rich body of work and real-life data for anyone who cares to set aside a few dogmas and take an unbiased look around. Yet the most vocal people just pretend like nothing of that kind has ever occurred, and that dumb humanity just never happened to think of trying out the groundbreaking Finnish new ways…

To all the gun lovers out there

In 2008, the U.S. had over 12 thousand firearm-related homicides. All of Japan experienced only 11.

That’s 11 (eleven) incidents, three orders of magnitude less. Japan’s population is a bit under half the size of the US population.

The U.S. has the loosest gun laws and a gun homicide rate 15 times higher than the rest of the developed countries.

Nuff said. I love guns, rented from a licensed vendor at the range.

The LendingClub debacle: what does it mean from a lender’s perspective

Short-term: it means nothing. The sky isn’t falling and my adjusted return rate over 3 years is still 13.77%. And MMM et al are still collecting a sweet chunk of referral change for sending the general interwebs population in that direction.

Long-term: we’ll see. Short of a catastrophic operational disruption (which I don’t think is the case here), I expect things to move along the same way in this established business (ok, so the startup tag on this post looks pretty ridiculous by now, of course). The threat I’m still concerned about is some economic event which may cause people to default much more. But what will take the biggest hit in that case – equities, funds, real estate or peer-to-peer lending – is anyone’s guess.

Battle of the Grids: 10 ReactJS Grids and Tables

Had to whip up a quick UI for a project, and of course one of the key elements that always comes up is the paginatable, lazy, sortable (and maybe even filterable) table, aka the grid. Without further ado, here are the contestants that emerged after some interwebs browsing. Me, I’m making an unoriginal choice to proceed with the most popular one.

component name          gh stars   gh forks   npm april downloads
fixed-data-table        2377       342        53,209
griddle                 1365       241        21,388
react-bootstrap-table   404        164        11,787
reactable               853        134        9,870
reactabular             231        55         2,701
react-data-components   167        60         632
react-table-select      4          1          234
react-infinite-grid     96         19         215
react-grid              0          0          145
react-grid-table        65         18         50

Bonus: here is how to also make fixed-data-table truly lazy and never download all of the bazillion rows into memory when you only need to display about 10.

Market is still ~2x 2010 – do you believe the avg company is 2x richer than in 2010? Bar hyperinflation, it has to correct more

(screenshot)

So I painfully moved to cash, bonds, money market and other assets throughout 2015. It was a very lonely and depressing experience, missing out on all those FBIOX gains (I know, right?). But I kept asking myself: do I really believe that all those S&P 500 big old dudes, the General Electrics, the General Motors, IBMs, and Exxons, make twice as much money as 5 years ago? Hardly. So why all the craze? We don’t have noticeable inflation, at least not in the consumer, non-real-estate space. The S&P 500 is still almost 2x over 2010, give or take, even after the ongoing correction early in the year. There are no fundamental reasons for these companies to jump 2x in their market cap. Meaning, there might have been some other, non-fundamental reasons – perhaps more speculative in nature – and now we still have some way to go…