UL NO. 398: Storm Vuln Stacking, CloudRecon, The S-Tier Guide to AI Whispering, Full-body MRIs…
2023-09-12 01:17:14 Author: danielmiessler.com

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Hey there!

I hope you’re having a good start to the week.

This week I need your help. I need you to help convince me I don’t need an espresso machine. I have enough hobbies. And this one is expensive and takes a lot of counter space. Please help deliver me from evil.

Also, I made some tweaks to the show this week; let me know what you think!

MY WORK

The Great Bifurcation
We're explosively separating into the Thriving 10% vs. the Suffering 90%, and it’s possible to be part of the 10% just by copying them. READ IT

SECURITY NEWS

This Microsoft/Storm situation is a great example of stacked real-world failures. The actor used a Microsoft account (MSA) consumer signing key to access enterprise email. That key had been inadvertently captured in a crash dump because of a race condition; the dump was later moved into a debugging environment, and that is where the key was compromised. Or as they say in the offsec space, lows and mediums can become criticals with the right situation/patience/timing. MSRC
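The practitioner lesson from that chain is that a crash dump has to be treated as a possible key carrier before it crosses a trust boundary. Below is an added example (not from the original post and not Microsoft's tooling) of a heuristic scanner that looks for the usual shapes of private-key material in a dump: PEM armour, a JSON Web Key that carries a private component, and the opening bytes of a DER-encoded RSA or EC private key. The sample dump is constructed for the example and contains no real keys; the byte patterns are heuristics, so a clean result is not proof of absence.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Finding is one place in a dump that looks like private-key material.
type Finding struct {
	Kind   string // pem, jwk, der-rsa or der-ec
	Offset int    // byte offset in the dump
}

var (
	// PEM-armoured private keys ("RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...).
	pemRe = regexp.MustCompile(`-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----`)
	// A JSON Web Key with a private component: "kty" and "d" inside the same object,
	// in either order. RE2 caps counted repetition at 1000, hence the window.
	jwkKtyFirst = regexp.MustCompile(`"kty"\s*:\s*"(?:RSA|EC|OKP)"[^{}]{0,1000}?"d"\s*:\s*"`)
	jwkDFirst   = regexp.MustCompile(`"d"\s*:\s*"[A-Za-z0-9_-]+"[^{}]{0,1000}?"kty"\s*:\s*"(?:RSA|EC|OKP)"`)
)

// regexHits runs re over data and tags every match with kind.
func regexHits(data []byte, re *regexp.Regexp, kind string) []Finding {
	var out []Finding
	for _, m := range re.FindAllIndex(data, -1) {
		out = append(out, Finding{Kind: kind, Offset: m[0]})
	}
	return out
}

// derHits finds a DER body pattern (needle) immediately preceded by a SEQUENCE
// header made of hdr plus skip unknown length bytes. bytes.Index is used instead
// of regexp because Go regexps are UTF-8 based and cannot match raw bytes >= 0x80.
func derHits(data, needle, hdr []byte, skip int, kind string) []Finding {
	var out []Finding
	lead := len(hdr) + skip
	for start := 0; ; {
		i := bytes.Index(data[start:], needle)
		if i < 0 {
			return out
		}
		pos := start + i
		if pos >= lead && bytes.Equal(data[pos-lead:pos-skip], hdr) {
			out = append(out, Finding{Kind: kind, Offset: pos - lead})
		}
		start = pos + 1
	}
}

// ScanDump returns every suspected private key in data, ordered by offset.
func ScanDump(data []byte) []Finding {
	var f []Finding
	f = append(f, regexHits(data, pemRe, "pem")...)
	f = append(f, regexHits(data, jwkKtyFirst, "jwk")...)
	f = append(f, regexHits(data, jwkDFirst, "jwk")...)
	// RSAPrivateKey: SEQUENCE (long form, 2 length bytes) { INTEGER 0, INTEGER modulus (> 255 bytes) ... }
	f = append(f, derHits(data, []byte{0x02, 0x01, 0x00, 0x02, 0x82}, []byte{0x30, 0x82}, 2, "der-rsa")...)
	// ECPrivateKey (RFC 5915) for P-256: SEQUENCE (short form) { INTEGER 1, OCTET STRING (32) scalar ... }
	f = append(f, derHits(data, []byte{0x02, 0x01, 0x01, 0x04, 0x20}, []byte{0x30}, 1, "der-ec")...)
	sort.Slice(f, func(i, j int) bool { return f[i].Offset < f[j].Offset })
	return f
}

// SampleDump builds a constructed stand-in for a crash dump: binary filler with
// four kinds of key material planted in it. No real keys are involved.
func SampleDump() []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x00, 0xff, 0x41, 0x90}, 64)) // 256 bytes of filler
	b.WriteString("-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAplaceholder\n-----END RSA PRIVATE KEY-----\n")
	b.Write(bytes.Repeat([]byte{0xcc}, 32))
	b.WriteString(`{"kty":"RSA","kid":"sample","n":"AQAB","e":"AQAB","d":"c2VjcmV0"}`)
	b.Write(bytes.Repeat([]byte{0x00}, 16))
	// opening bytes of a DER RSAPrivateKey: SEQUENCE len 0x04a4, INTEGER 0, INTEGER len 0x0101
	b.Write([]byte{0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3})
	b.Write(bytes.Repeat([]byte{0x00}, 16))
	// opening bytes of a DER ECPrivateKey: SEQUENCE len 0x77, INTEGER 1, OCTET STRING len 32
	b.Write([]byte{0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20})
	return b.Bytes()
}

func main() {
	for _, f := range ScanDump(SampleDump()) {
		fmt.Printf("%-8s at offset %d\n", f.Kind, f.Offset)
	}
}
```

A check like this belongs at the point where a dump is copied out of the environment that produced it; a non-empty result should block the copy rather than just log it.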

China's state-affiliated hackers are getting better at using AI to create content meant to go viral on U.S. and other democracies' social networks, according to Microsoft researchers. The campaign focuses on divisive topics and has successfully engaged audiences in at least 40 languages, reaching over 103 million people. OODALOOP 

Hackers are spamming iPhones with pop-ups using a Flipper Zero. The device broadcasts Bluetooth advertisements that look like nearby Apple accessories, so the phone keeps prompting you to connect, which makes it hard to use at all. TECHCRUNCH 

Chinese-speaking cybercriminals are running a large-scale smishing campaign in the U.S., using compromised Apple iCloud accounts to send iMessages and conduct identity theft and financial fraud. The group, known as Smishing Triad, offers ready-to-use smishing kits via Telegram for $200 a month, impersonating popular postal and delivery services in multiple countries. THEHACKERNEWS

Vulnerabilities:

  • Apple released updates to fix two zero-day vulnerabilities that it says may have been actively exploited. The bugs, CVE-2023-41064 in the ImageIO framework and CVE-2023-41061 in Wallet, were patched across iOS, iPadOS and macOS. THERECORD 

  • Zavio IP cameras carry multiple critical vulnerabilities, including 34 remote code execution bugs and 7 pre-authentication buffer overflows. | Critical | CVE-2023-3959, CVE-2023-4249 | REDDIT

  • Cisco has released fixes for multiple security flaws, including a critical bug in the BroadWorks platform that could allow an attacker to take control of an affected system. The most severe issue, CVE-2023-20238, has a maximum CVSS severity rating of 10.0 and could allow an unauthenticated, remote attacker to forge credentials and access an affected system. THEHACKERNEWS

Sponsor

World-Class Email Protection - Simplified

📧 More than 90% of cyberattacks start with email and attacks are growing in volume and sophistication.

🐟From phishing and ransomware to credential theft and zero-day attacks, organizations of all shapes and sizes face a new world of risk.

The Pentagon is planning to build a massive network of AI-powered tech, drones, and autonomous systems in the next two years to counter threats from China. The project, which is expected to cost hundreds of millions of dollars, aims to develop thousands of air-, land-, and sea-based AI systems that are "small, smart, cheap." Go read Kill Decision by Daniel Suarez if you haven’t yet. This shit is happening in real time. THEVERGE 

Cars are officially the worst product category for privacy, according to a review by Mozilla. The review highlighted that cars collect a significant amount of personal data, often without clear user consent or control. MOZILLA

Meta disrupted two major covert influence operations from China and Russia, blocking thousands of accounts across its platforms. The Chinese network, linked to individuals associated with Chinese law enforcement, posted content about China and criticism of the U.S. and Western foreign policy, while the Russian operation mimicked mainstream news outlets to post fake articles weakening support for Ukraine. I’d love to see a list of these campaigns somewhere. Wouldn’t it be cool to see all the various propaganda that we’re being exposed to, and the themes they’re trying to push? THEHACKERNEWS

North Korean state hackers have targeted security researchers with at least one undisclosed zero-day exploit. This campaign is similar to one exposed in January 2021, where the same actors used social media platforms to initiate contact with their targets. BLEEPINGCOMPUTER 

Swatting (where someone makes a hoax emergency call so that a SWAT team raids your house) is becoming an issue beyond just the gaming world. THERECORD 

Sponsor

 Revolutionize Your Security Program with Vanta’s Top-Tier Compliance Automation

💸 Save not just time, but up to a whopping 85% of costs!

Exclusive for the Unsupervised Learning community: Claim your $1000 discount at Vanta.com/Unsupervised. Act now, secure your business, and save big!

MITRE and CISA have launched an open-source tool that simulates attacks on operational technology (OT). The tool, an extension for the Caldera platform, was developed to help identify and patch vulnerabilities in critical infrastructure systems like transportation, water, and electricity facilities. OODALOOP 

The National Security Agency (NSA) has wrapped up a strategic study on how to use artificial intelligence (AI) and machine learning (ML) for its missions. The study, led by Gen. Paul Nakasone, explores the potential use of generative AI and ML in various missions and their impact on NSA workers. DEFENSEONE 

The IRS is using artificial intelligence to catch tax evasion, focusing on big players like hedge funds, private equity groups, and real estate investors. Once this gets going they are going to find so much more income this way. NYTIMES

TECHNOLOGY NEWS

MBA students competed against ChatGPT to come up with the most innovative ideas. The results weren’t even close. People who don’t believe AI has creativity need to really introspect on what that means if it can win competitions like these. It’s very much like the No True Scotsman fallacy, where any challenge that humans lose “doesn’t test the real thing”. WSJ

Huawei's new smartphone, powered by an advanced Chinese-made chip, has raised interest and policy questions globally. The chip is more advanced than any previously produced in China, challenging Biden's trade policy aimed at blocking China from acquiring cutting-edge computer chips. POLITICO 

Horace Dediu's piece at Asymco reveals that an iPhone customer is economically 7.4 times more valuable than an Android customer, a significant increase from the 4x rule he had a decade ago. Sounds cool, but this just means iPhone people click more and buy more. ASYMCO

China's central government officials have been told to ditch their iPhones at work, as part of a bigger plan to limit foreign influence. Apple, and the US in general, better hope this doesn’t turn into a nationwide ban. Seems unlikely, but the prospect is terrifying. TECHCRUNCH | 9TO5MAC 

Grindr just lost nearly half its staff due to a strict return-to-office rule implemented over two days. Half. Half said no thanks. But like I said before, that might have been the number they were looking for. BLOOMBERG

Apple is supposedly dropping millions daily on artificial intelligence, working on multiple AI models across several teams. Put it in Siri or it didn’t happen. By Tuesday if possible. Thanks. THEVERGE 

Occidental Petroleum is investing billions in technology to extract carbon dioxide from the atmosphere, a move that's both hopeful and controversial. The American oil company plans to store some of the captured carbon underground, but also use some to extract more oil, causing a divide among climate advocates. NPR

HUMAN NEWS

Morocco is reeling from a devastating earthquake that has claimed over 2,100 lives and left thousands more critically injured. The quake's epicenter was in the rural Atlas Mountains, making rescue efforts challenging due to damaged roads and remote communities. NBCNEWS 

Silicon Valley's wealthy are increasingly turning to full-body MRIs as a preventive health measure, despite no official medical body sanctioning the practice. $2,500? I’m doing it. WASHINGTONPOST

Goldman Sachs has revised the odds of a US recession next year, dropping it to a mere 15%. This comes as a positive outlook amidst the economic uncertainties. FOXBUSINESS

Gen Z is increasingly opting out of college, with four million fewer teenagers enrolling in 2022 than in 2012. I wonder how much of this has to do with ChatGPT. Like why learn stuff anymore? Not saying that’s valid, but it could be a factor? BUSINESSINSIDER

Semaglutide, marketed as Ozempic and Wegovy, is showing promise beyond just diabetes control and weight loss. New research indicates it also has cardiovascular benefits, potentially improving quality of life for overweight heart patients. In a trial involving over 500 patients, those receiving weekly semaglutide injections for a year saw reduced symptoms and improved physical abilities. WIRED 

Despite the increasing popularity of therapy in the US, suicide rates have risen by about 30% since 2000, and almost a third of US adults now report symptoms of either depression or anxiety. That’s around three times as many as in 2019. But we don’t know how much worse (or better) it’d be if we weren’t doing the therapy. Like is the therapy just uncovering what was underreported before? Or is this net new? TIME 

Childless not by choice, men like Robert Nurden experience a deep sense of grief and isolation, often heightened on occasions like Father's Day. Research by Dr. Robin Hadley reveals that 25% of men over 42 do not have children, and half of those who wanted to be fathers describe significant grief and societal isolation. THEGUARDIAN

New York City's Local Law 18 has effectively made the city's roughly 38,500 Airbnb listings illegal, limiting short-term rentals to situations where the host is present and there are no more than two guests. REASON 

NOTES

A new friend of mine, Hrishi Olickel, put out this prompting guide, and it’s not like the others. Absolute best I’ve seen since November when everything went silly. OLICKEL

My friend Caleb Sima created a presentation on how he protects his and his family's safety and privacy. He outlines his two-phase approach of "Lockdown" and "Disappearing", and discusses the importance of privacy in security, the creation of various personas, and the use of services like Privacy.com, Private Mailbox, VOIP Service, and Fastmail. SIMA 

A UL member tested GPT-3.5, Claude 2, and GPT-4 to see which AI model is best at threat modeling. GPT-4 came out on top: it proved less sensitive to changes in prompts and, with the right assumptions, capable of powering robust threat-modeling automation. XVNWP 

Just finished reading Darkness at Noon, and am now reading Man’s Search for Meaning and The Gulag Archipelago. I think Man’s Search for Meaning is going to be one of my favorite books of all time. The intro basically sets up my exact approach to meaning and stoicism and the like.

IDEAS & ANALYSIS

AI = Augmentation Infrastructure

Terminal background ftw

AI is doing a lot for me. I’m building a product using it. I think about it a lot. And I think it’ll massively impact our future. But the most practical thing it’s doing for me is augmenting my life. To me it’s augmentation infrastructure. What you see above is the list of APIs (and their associated CLI commands) that I’ve built to do things since November. My latest one is the vidcon one, which stands for “video conversation”. It lets me extract wisdom from transcripts. It’s godlike. The Neri Oxman conversation summary was created using a version of this. Point is: I don’t see AI as a standalone tool. I see it as part of my brain that’s not yet fully integrated. But I’m working on it!

DISCOVERY

⚒️PromptTools Unveiled Hegel AI has launched PromptTools, a set of free, open-source tools for testing and experimenting with prompts. The tools can be used to run experiments in notebooks, turn evaluations into unit tests, and integrate them into your CI/CD workflow via GitHub Actions. PROMPTTOOLS 

⚒️CloudRecon Unveiled CloudRecon is a new suite of tools designed to help red teamers and bug hunters find ephemeral and development assets during their campaigns. The tool, written in Go, has three parts: Scrape, Store, and Retr. Together they scan IP addresses or CIDR ranges, pull the SSL/TLS certificate each host presents, and let you search the collected certificate names for hosts that belong to your target. GITHUB 
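The core move in that kind of recon is simple: connect to every address in range, take whatever certificate the server hands back without validating it (self-signed and expired certs are exactly the dev assets you want), and keep the names it carries. Below is an added example in Go, not CloudRecon's own code, that does that one step plus a scope filter keeping only names under your target domains. To run offline it starts a local TLS listener with a constructed certificate; the hostnames and the scope are made up for the example, and a real run would point GrabCert at hosts expanded from a CIDR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// CertNames is what a recon pass keeps from one TLS endpoint.
type CertNames struct {
	Addr     string
	Subject  string
	Issuer   string
	DNSNames []string
	NotAfter time.Time
}

// GrabCert connects to addr, skips chain verification on purpose (recon wants
// the names even from self-signed or expired certs) and returns the leaf's names.
func GrabCert(addr string, timeout time.Duration) (CertNames, error) {
	d := net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(&d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return CertNames{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return CertNames{}, fmt.Errorf("%s: no certificate presented", addr)
	}
	leaf := certs[0]
	return CertNames{
		Addr: addr, Subject: leaf.Subject.CommonName, Issuer: leaf.Issuer.CommonName,
		DNSNames: leaf.DNSNames, NotAfter: leaf.NotAfter,
	}, nil
}

// MatchesScope returns the cert's names that fall under one of the scope domains.
// The match is on label boundaries, so "dev-api.corp.example" is under
// "corp.example" but "notcorp.example" is not. A leading "*." is dropped.
func MatchesScope(c CertNames, scope []string) []string {
	var hits []string
	for _, n := range c.DNSNames {
		n = strings.ToLower(strings.TrimPrefix(n, "*."))
		for _, s := range scope {
			s = strings.ToLower(s)
			if n == s || strings.HasSuffix(n, "."+s) {
				hits = append(hits, n)
				break
			}
		}
	}
	return hits
}

// selfSignedServer starts a loopback TLS listener with a constructed certificate
// carrying the given SANs, so the example needs no network access.
func selfSignedServer(names []string) (net.Listener, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { // finish the handshake, then hang up
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
				c.Close()
			}(c)
		}
	}()
	return ln, nil
}

func main() {
	ln, err := selfSignedServer([]string{"dev-api.corp.example", "*.staging.corp.example", "unrelated.example"})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	info, err := GrabCert(ln.Addr().String(), 3*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s subject=%s issuer=%s sans=%v expires=%s\n",
		info.Addr, info.Subject, info.Issuer, info.DNSNames, info.NotAfter.Format(time.RFC3339))
	fmt.Println("in scope:", MatchesScope(info, []string{"corp.example"}))
}
```

The label-boundary check in MatchesScope matters more than it looks: a plain substring match on "corp.example" would pull in every unrelated tenant on a shared cloud IP that happens to end in those characters.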

⚒️Text Generation Web UI The Gradio web UI for Large Language Models, developed by oobabooga, aims to become the go-to tool for text generation, supporting multiple model backends and offering features like custom chat characters, markdown output with LaTeX rendering, and an API for websocket streaming. The project, which received a generous grant from Andreessen Horowitz in August 2023, offers detailed documentation for users and invites contributions from the community. GITHUB 

⚒️Flipper Zero Compilation CyberSecurityUP has compiled a comprehensive list of resources about Flipper Zero, a Tamagotchi-like device for hackers. This GitHub repository includes everything from user manuals to hardware specs. GITHUB 

📝LLM Testing A developer tested over 60 large language models (LLMs) with a set of 20 prompts to gauge their performance in real-world workflows. The results, stored in a SQLite database, offer insights into each model's capabilities in basic reasoning, instruction following, and creativity. BENCHMARKS 

Cybersecurity Tool Bonanza Penteston.com is offering a platform that lets you run over 20 top-notch cybersecurity tools with API. It's a one-stop-shop for all your cybersecurity needs. HACKERNEWS 

AI Tool Mastery Microsoft is working on a project to teach large language models (LLMs) how to use digital tools, potentially supercharging AI capabilities. The project aims to compile millions of APIs, enabling AI to perform tasks ranging from ordering pizza to solving complex equations. SCHNEIER 

AI Cloning Delphi, an AI company, has developed a technology that can clone your voice and mannerisms, making a digital version of you. The technology uses machine learning algorithms to analyze your voice and facial expressions. DELPHI 

Undetectable AI Undetectable AI is a new tool that transforms AI-generated content, which often gets flagged, into high-quality writing that's indistinguishable from human work. Their AI solution ensures flawless text that resonates with your audience, making it a game-changer for content creators. UNDETECTABLEAI 

AI Podcast Search Mckay Wrigley has developed an AI tool that can semantically search a podcast in real-time. This innovative technology could revolutionize how we interact with audio content. TWITTER 

Le Guin's Wisdom Ursula Le Guin, the renowned author, had three guiding questions above her desk: Is it true? Is it necessary or at least useful? Is it compassionate or at least unharmful? These precepts served as her starting point for writing. HACKERNEWS 

Automated Newsletters The author shares his experience of creating a bespoke newsletter service, using Google App Engine, Falcon, gunicorn, Firestore, SendGrid, and jinja2. He discusses the challenges faced, including managing deployment secrets, setting up billing, and dealing with SendGrid's outage, but also the ease of not having to worry about administering a database or managing SSL. AXLEOS 

Buffett's Life Lessons Jimmy Buffett's songs, like 'Margaritaville', have always been about more than just good times and margaritas, they're about life, friendship, and even death. His lyrics, now archived in the Library of Congress, continue to inspire and teach us about the human condition. NYTIMES 

Opposites Don't Attract Turns out, the old saying "opposites attract" might not be so accurate. A comprehensive analysis from CU Boulder, involving millions of couples and over 130 traits, found that partners are more likely to be similar than different. COLORADO 

Tailscale Partners Mullvad Tailscale and Mullvad are now buddies, meaning you can use both services together via the Tailscale app. MULLVAD 

Event Likelihood Scoring A Redditor has shared a cybersecurity event likelihood scoring model, which could be a handy tool for risk assessments. REDDIT 

Slack's AI Evolution Salesforce-owned Slack is introducing Slack AI, with channel recaps, thread summaries, and search answers designed to help users quickly catch up on important discussions and find information more efficiently. VENTUREBEAT 

Myopia Epidemic Our eyes are getting worse, and it seems screens and lack of outdoor playtime are to blame. We're seeing record levels of clinical myopia, also known as nearsightedness. WSJ 

Risk Calculation Methods Ever wondered how researchers calculate the risk from a health risk factor? It's not as straightforward as you might think. They use different metrics like risk ratios, odds ratios, and risk differences, each with its own interpretation and application. OURWORLDINDATA 

Child Gun Deaths Surge Gun deaths among children in the U.S. reached a new high in 2021, with a particularly distressing impact on communities of color. The study found that nearly 50% of children who died by firearms in 2021 were Black, and the death rate was 11 times higher for Black children compared to white children. AXIOS 

AI Diplomacy Breakthrough Meta AI has developed CICERO, an AI system that outperforms 90% of human players in the game Diplomacy, which requires strategic reasoning and natural language negotiation. OODALOOP 

Effective SOC Management Three CISOs share their insights on running an effective Security Operations Center (SOC) in 2023, emphasizing cost efficiency, automation, clear KPIs, and robust business continuity plans. THEHACKERNEWS 

AI Adoption Accelerated McKinsey & Company and Salesforce are joining forces to expedite the adoption of generative AI in businesses across sales, marketing, commerce, and service sectors. The collaboration aims to integrate Salesforce's CRM software with McKinsey's AI and data models, offering a seamless end-to-end experience for customers. VENTUREBEAT 

LLMs Replace Code The author replaced 50+ lines of code with a single call to a large language model (LLM) to compare mailing addresses, achieving 100% accuracy on his test set in just a few minutes. HAIHAI

AI-Generated Magic Cards A group of friends built Urza's AI, a website that uses artificial intelligence to generate playable Magic the Gathering cards. The project uses a combination of language AI to generate the text of a Magic card and text-to-image AI to create the card's image based on the generated text. COHERE

Espresso Machine Love The author shares a deep affection for her Breville Barista Express espresso machine, not just for the coffee it makes, but for the satisfaction of maintaining it. The machine, priced at $700, is not the cheapest or the most elegant gadget, but it's the perfect balance of complexity and approachability. I’m starting to feel the draw of espresso, and I’m not happy about it. Must. Stay. Drip. THEVERGE 

Trotsky's Secret Alliance CIA documents claim that Leon Trotsky, a key figure in the October Revolution, was an MI6 agent since 1918. SOVINFORM 

RECOMMENDATION OF THE WEEK

Read Man’s Search for Meaning. It might be one of the most important books to read for anyone. It shows how one can find meaning in the worst possible situations, and therefore, how we might find it in other situations as well.

APHORISM OF THE WEEK

More of a piece of poetry this week.

A wave gently lifted him up. It came from afar and traveled serenely onward, a shrug of infinity.

The last two sentences of Darkness at Noon

Unsupervised Learning is reader-supported. When you buy through a link on our site or newsletter, UL may earn an affiliate commission


Source: https://danielmiessler.com/p/398