Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.
Happy Monday!
Forever too soon
I’ve been wondering a lot about why security is getting hit so hard in this…um…whatever this is. I feel like I’ve seen more CISOs get laid off in the last few months than I’ve ever seen. And startups are seriously struggling to sell into companies.
I think it has a lot to do with orgs spending way too much on new tools in the boom times, often at the expense of doing the basics better, and then they realize a year or two later that they haven’t actually used them. So it’s a constant push-pull of install-and-rip.
Let me know if you’re seeing something similar, or if you see a bigger cause.
And have a great week!
In this episode:
🤔 Thoughts on the Eliezer vs. Hotz AI Safety Debate
🎥 Musk's FSD and Privacy Demo
🔒 Duolingo Data Breach
💥 MOVEit Mass Hack
🔎 Putin Critics' Fate
🚨 Leaseweb Security Breach
🔬 Lazarus's New Malware
🚁 Cardboard Drones in Combat
🕵️ Taiwan Espionage Alert
🔐 CloudNordic Ransomware Attack
📱 Kroll's SIM Swap
👾 GPT-4's API Misuses
🔭 Tool & Article Discovery
➡️ The Recommendation of the Week
🗣️ The Aphorism of the Week
MY WORK
ATHI — An AI Threat Modeling Framework
My thoughts on a clear, conversational framework for discussing AI threats, using a structure called ATHI (Actor, Technique, Harm, Impact. READ IT
🎙️ Listen to the Newsletter++
If you’re not getting the podcast yet, please subscribe. It’s a way to listen to the newsletter instead of reading it when you’re driving, working out, etc. ADD UL TO YOUR CLIENT
SECURITY NEWS
Musk's FSD and Privacy Demo
Elon Musk's livestreamed demo of Tesla's Full Self-Driving (FSD) beta software had a few hiccups, including a near miss at a red light and a casual doxxing of Mark Zuckerberg. He basically showed exactly where he lives to everyone on stream. Unbelievable. THEVERGE
Duolingo Data Breach
Scraped data of 2.6 million Duolingo users has been leaked on a hacking forum, making it possible for threat actors to conduct targeted phishing attacks. The data, which includes both public and non-public information, was scraped using an exposed API that Duolingo has yet to secure. BLEEPINGCOMPUTER
MOVEit Mass Hack
The mass-exploitation of MOVEit Transfer software has become the largest hack of 2023, with over 1,000 known victims and 60 million impacted individuals. The attack, attributed to the Clop ransomware gang, began in May when a zero-day vulnerability was disclosed in MOVEit Transfer, a service used by thousands of organizations to transfer large amounts of often-sensitive data. TECHCRUNCH
Sponsor
CNAPP for Dummies
The guide to mastering CNAPP - the hot new category in cloud-native security that's taking the industry by storm!
You’ll learn:
The fundamentals of cloud-native security
Powerful tactics to strengthen security measures
Best practices for getting started
Techniques to shift security up the pipeline (and ahead of threats)
10 strategies for maximizing the potential of your CNAPP
Putin Critics' Fate
In an absolute shock to everyone, Yevgeny Prigozhin, the guy who used to be Putin’s personal chef, and who staged an offensive against him (sort of), has met an untimely death. CNN
Leaseweb Security Breach
Leaseweb, a major cloud and hosting provider, is busy fixing "critical" systems after a recent security breach. The company, which serves over 20,000 customers worldwide and operates more than 80,000 servers, noticed "unusual" activity in its infrastructure leading to downtime for some cloud customers. BLEEPINGCOMPUTER
Lazarus's New Malware
North Korea's notorious Lazarus hacking group is using a new malware strain, QuiteRAT, to target healthcare entities and internet infrastructure in the US and Europe. THERECORD
Cardboard Drones in Combat
Ukraine is now using cardboard drones, courtesy of Australian company SYPAQ. These low-cost Corvo drones, initially designed for light transport, are now performing reconnaissance missions after feedback from Ukrainian soldiers. AIR&COSMOS
Taiwan Espionage Alert
Microsoft has warned about a new espionage operation, dubbed Flax Typhoon, linked to China's government that's been targeting Taiwanese organizations since mid-2021. The group's main targets are government agencies, education, critical manufacturing, and IT organizations in Taiwan, but victims have also been spotted across Southeast Asia, North America, and Africa. THERECORD
CloudNordic Ransomware Attack
CloudNordic, a large Danish cloud provider, has been hit hard by a ransomware attack, leaving all customer data lost and the company paralyzed. The attack occurred on August 18, wiping out both company and customer websites and email systems, with even the backups being trashed. THEREGISTER
Sponsor
Building a SaaS business? It’s time to automate compliance.
Vanta automates up to 90% of compliance for SOC 2, ISO 27001, HIPAA, and more, getting you audit-ready in weeks and saving you up to 85% of costs.
And Vanta scales with your business, helping you enter new markets, land bigger deals, and earn customer loyalty.
Get $1000 off Vanta at
Kroll's SIM Swap
Kroll, a risk and financial advisory solutions provider, disclosed that one of its employees was a victim of a sophisticated SIM swapping attack. The incident, which occurred on August 19, 2023, allowed the attacker to gain access to files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis. THEHACKERNEWS
GPT-4's API Misuses Turns out, GPT-4, the large language model, is generating code with a lot of API misuses. A recent study shows that 62% of the code generated by GPT-4 contains API misuses, which could lead to severe problems like resource leaks and program crashes. ARXIV
Personal Data for Sale
Hackers are using a tool on Telegram to access and sell personal data, including addresses, phone numbers, and driver's license details, for as little as $15 in Bitcoin. The tool taps into credit header data from credit bureaus like Experian, Equifax, and TransUnion, which is then sold to debt collectors, insurance companies, and law enforcement. 404MEDIA
Whiffy Recon Malware
A new malware strain called Whiffy Recon is causing a stir, as it triangulates the location of infected devices every minute by scanning nearby Wi-Fi access points. The malware, delivered via SmokeLoader, has been offered for sale to Russian-based threat actors since 2014. THEHACKERNEWS
AI Military Race
The U.S. and China are very close in a global race to integrate artificial intelligence into their militaries, with a focus on autonomous weapons and AI tools for target identification. A recent study found that about a third of all known contracts in both countries were for intelligent and autonomous vehicles, the largest share in both nations. OODALOOP
Ubuntu's Snap Push
Canonical is doubling down on its snap packaging format, planning to block .deb versions of apps in Ubuntu's app store if a snap version is available. This move is part of Canonical's broader plan to release a snap-based immutable version of Ubuntu next year. WEBPRONEWS
AI Surveillance
AI is now being used to analyze data from license plate scanners, identifying "suspicious" vehicle behavior. In Westchester County, the ALPR system was scanning over 16 million license plates a week, across 480 cameras, taking notes on vehicles’ make, model, and color. SCHNEIER
Lazarus Group's New Tactics
The North Korean state-sponsored Lazarus Group is switching up its game, increasingly using open-source tools and frameworks in the initial access phase of their attacks. In a recent campaign, they exploited a ManageEngine ServiceDesk flaw to deploy QuiteRAT, a remote access trojan with similar capabilities to MagicRAT, but with increased code complexity. DECIPHER
Space Espionage Alert
The U.S. space industry is getting hit with more cyberattacks from foreign intelligence entities, according to the Office of the Director of National Intelligence. This isn't just about global competition, it's also a matter of national and economic security. OODALOOP
Space Force Activation
Related to that, the US Space Force has activated a new unit, the 75th Intelligence, Surveillance and Reconnaissance Squadron, dedicated to targeting adversary satellites. The unit, part of Space Delta 7, will analyze potential targets, track them, and participate in 'target engagement', which could involve disrupting or destroying adversary satellites. OODALOOP
Vulnerabilities:
Chrome Security Update
Google's latest Chrome 116 security update tackles five memory safety vulnerabilities, including four high-severity ones. The most severe, a use-after-free bug in Vulkan, earned the reporter a $10,000 bug bounty reward. SECURITYWEEK
NPM Package Malware
A fake email validation NPM package has been found to contain Command and Control (C2) and sophisticated data exfiltration capabilities. The malicious package was discovered by the user /u/braincaviar on Reddit's r/netsec forum. PHYLUM
WinRAR Vulnerability
WinRAR, the world's most popular compression tool, has a high severity vulnerability that allows code execution when a RAR file is opened. The flaw, identified as CVE-2023-40477, has a CVSS severity rating of 7.8 and has been fixed in the latest version, WinRAR 6.23. THEREGISTER
Barracuda Patch Failure
The FBI has warned that patches for a recent Barracuda Email Security Gateway vulnerability have failed, urging organizations to remove all affected appliances immediately. SECURITYWEEK
TECHNOLOGY NEWS
ChatGPT Goes Enterprise
OpenAI just launched ChatGPT Enterprise, a business-focused version of their AI chatbot app, offering enhanced privacy, data analysis, and customization options. The new version is powered by GPT-4 and offers priority access to the AI model, delivering faster performance and a larger context window. TECHCRUNCH
Waymo's Robotaxis in SF
NY Times got a chance to ride in Waymo's autonomous taxis in San Francisco, and they found the ride to be smooth and safe, albeit a bit slower than a human driver. I honestly can’t wait until AI is driving more cars. Humans are far more dangerous. I just worry about the job loss. NYTIMES
Decentralized Identity
Decentralized Identity (DID) is an emerging technology that aims to give individuals control over their own digital identities, but it's not quite ready for prime time. The technology, which uses cryptographic keys to verify identity, is gaining interest from governments and cryptocurrency projects, but it still faces significant challenges, including the need for widespread government support and concerns about accessibility and exclusion. CENDYNE
Code Llama Unveiled
Facebook has launched Code Llama, a large language model (LLM) that uses text prompts to generate and discuss code, aiming to make developers' workflows faster and more efficient. The model, which supports popular programming languages like Python, C++, Java, and more, is available in three sizes (7B, 13B, and 34B parameters) to cater to different serving and latency requirements. FACEBOOK
Parallels Desktop 19 Update
Parallels Desktop 19 is out with some cool updates including macOS Sonoma integration, a design refresh, and a new Password-less Sign-in with Touch ID. The update also includes enhanced compatibility with macOS, a re-engineered Shared Printing functionality, and improved display and resolution refresh when resizing screens. I wonder if it plays Diablo IV. 9TO5MAC
AI Art Copyright Denied
AI-generated art can't be copyrighted, says a U.S. district court judge. The decision came after scientist Stephen Thaler tried to copyright a piece of art created by his AI tool, the "Creativity Machine". THEHILL | OODALOOP
Neo4j's Vector Update
Neo4j, the graph database vendor, has introduced vector search capabilities to its database, enhancing its ability to understand relationships across data and content. This addition is aimed at improving search, enabling generative AI, and supporting large language models. VENTUREBEAT
AI Trained on King
Stephen King's books have been used to train AI, sparking a debate about machine creativity. King argues that while AI can mimic style, it lacks the genuine creative moments that come from human sentience, but concedes that this may change if AI achieves sentience. THEATLANTIC
Late-stage Venture Decline
If you're a startup founder looking to raise a venture round this year, brace yourself for a lower valuation than you might have seen in 2021 or 2022. According to new data from CB Insights, there's been a sharp decline in valuations across nearly all startup stages globally. TECHCRUNCH
CodeLlama Beats GPT-4
Phind's fine-tuned CodeLlama-34B and CodeLlama-34B-Python models have outperformed GPT-4 on HumanEval, scoring 67.6% and 69.5% pass@1 respectively. These models were trained on a proprietary dataset of ~80k high-quality programming problems and solutions, over two epochs, totaling ~160k examples. PHIND
AI Wildfire Detection
California's Department of Forestry and Fire Protection is using AI to detect wildfires before they get out of hand. The system, which has been in operation for two months, has already identified 77 fires before any 911 calls were made, allowing for rapid response and containment. LATIMES
Human Content Badge
The "Not By AI" badges are designed to encourage human content creation and help users identify human-generated content, amidst predictions that 90% of online content could be AI-generated by 2025. The badges can be used by content creators and businesses that estimate at least 90% of their content is human-created. NOTBYAI
X Challenges LinkedIn
LinkedIn's reign as the go-to job hunting platform might be over, as X (formerly Twitter) rolls out its new job posting feature. The feature, currently in beta, allows verified organizations to integrate job postings directly into their X profile. BGR
HUMAN NEWS
Zoom's Office Return
Zoom CEO Eric Yuan is sending some employees back to the office, saying that Zoom doesn't allow for as much trust-building or innovation as in-person work. Yikes. Understandable, but not a great story to tell. BUSINESSINSIDER
Living Paycheck to Paycheck
The typical American worker is struggling to make ends meet, with essential expenses such as rent, mortgage, food, and health costs accounting for over 85% of the median take-home pay. The median monthly rent in the U.S. was $2,029 as of June, which already accounts for about 61% of the median take-home pay. METAFILTER
AI Reskilling Crisis
AI platforms like ChatGPT are going to force a whopping 40% of the global workforce to learn new skills in the next three years. According to a study by the IBM Institute for Business Value, this translates to about 1.4 billion people needing to reskill to keep up with AI integration in their workplaces. 40%? That’s massive. And what guarantees that their re-skilled activity is safe? Answer: nothing. OODALOOP
Millennial Midlife Crisis
Millennials are redefining the midlife crisis, with less Corvette money and more introspection. According to the Federal Reserve, the median cash that US consumers aged 35 to 44 have in their bank accounts is $4,710, with a median of $60,000 in their retirement account. MORNINGBREW
Housing Affordability Crisis
US housing affordability has hit its worst point in nearly four decades, making it harder for average Americans to buy homes. The surge in mortgage rates is the main culprit behind this squeeze. BLOOMBERG
Job Switching Price
American workers are now demanding an average of $78,645 to switch jobs, a record high that reflects inflation in the labor market. This figure, which has risen by 22% over the past three years, is driving inflation, with wages recognized as a significant factor. CNBC
COVID Variants Update
New COVID variants EG.5, FL.1.5.1, and BA.2.86 are making waves and you should know about them. These variants are spreading and raising concerns as hospitalizations are on the rise. GOOGLENEWS
KPI Psychosis
Companies are increasingly falling into a state of 'KPI psychosis', where decisions are made solely based on numbers, leading to a disconnect from reality. The author suggests a balance of KPIs and human intuition for optimal decision-making, and continuous reflection on the reliability of KPIs. I’d argue, however, that this is actually just people using the wrong KPIs. ROMATON
Wuhan's Hidden Truth
Doctors in Wuhan, China, knew about the severity of the COVID-19 virus in early 2020, but were ordered to remain silent by Chinese authorities. WASHINGTONPOST
Understanding Narcissism
Narcissism, a condition affecting up to 6% of the U.S. population, is more complex than the grandiose self-absorption it's often associated with. It can manifest in a variety of ways, including self-loathing, social isolation, and even antisocial behavior. 👀 SCIENTIFICAMERICAN
High Times
Americans are increasingly using cannabis and psychedelic drugs, with usage hitting record highs last year. The University of Michigan's annual Monitoring the Future study suggests this trend could be driven by relaxed laws, changing perceptions of hallucinogens, and more people self-medicating for mental health issues. MORNINGBREW
On-Demand Media Surpasses Linear (TV)
On-demand audio content has finally overtaken traditional linear audio in the US, according to Edison Research. As of Q2, 2023, 50.3% of all daily audio time consumed by those aged 13+ is on on-demand platforms, while 49.7% is on linear platforms. EDISONRESEARCH
China's Economic Impact
China's economic troubles might not be as bad for the U.S. as you'd think. In fact, there could be some benefits for American interests. NYTIMES
Utopian City Plan
Silicon Valley elites have been revealed as the buyers of $800M worth of land in northern California, with plans to build a utopian city powered by clean energy. THEGUARDIAN
NOTES
Prompt Injection Primer — Friend and UL Member Rez0 has launched a "Prompt Injection Primer for Engineers" to clear up confusion around the topic. The guide addresses the seriousness of prompt injection, what attackers can do with it, and how to prevent it. I’ve seen a million of these and his is the absolute best on Prompt Injection. TWITTER
IDEAS & ANALYSIS
Young Thinking
I think adopting new things keeps one sharp. I force myself to constantly listen to the latest music. I’m now saying “Siri” instead of “Hey Siri”, because that’s a new thing in the iOS17 beta. And I regularly explore things just because they’re new. Especially cultural trends. I find that many people even in their late 20s have lost a lot of this. They’ve already started saying “that’s just how I do it”, and I see that as a kind of death signal. Of course there are some things that I simply say are a matter of taste, and I choose to do them that way. It’s a style thing. And sometimes the old way of doing things is better than the new. And I still listen to my favorite music from my childhood. But not all the time. I spend probably 60% of my time exposing myself to the world. In new ways. New music. New ideas. New ways of interfacing. My pet theory is that this communicates youth signals to the body and mind. It basically says, “Don’t shut down the systems; we’re still here to win.” I don’t know if this is why I’m still performing at this level (and even improving), but I like to think so. Could also be the meth.
DISCOVERY
⚒️ Ipfuscator — A blazing-fast, thread-safe tool that generates alternative IP(v4) address representations swiftly and without memory allocations. It's written in Go and it's straightforward to use. | by dwisiswant0 | GITHUB
⚒️ Google/Fuzzing — A comprehensive resource for fuzzing, including tutorials, examples, discussions, and research proposals. Perfect for anyone looking to dive into the world of fuzzing. | by Henryrneh | GITHUB
⚒️ Fuzzing Templates — A community-curated list of fuzzing templates for the nuclei engine, designed to discover previously unknown security vulnerabilities. | by Ehsan Dehghan | GITHUB
⚒️ n8n.io — A powerful workflow automation tool that can streamline your work processes and increase productivity. | by sacrosanct | HACKERNEWS
⚒️ BASH Stack — A web framework that uses Bash, Awk, Sed, and HTMX, with file-based routing and scripts executed on HTTP requests. It's designed to work well with htmx, which is included by default. GITHUB
⚒️ AWS Chat Plugin — A nifty plugin that lets you chat with your AWS infrastructure directly from your terminal. It's like having a direct line to your cloud setup. | by Simon Willison | TWITTER
⚒️ Multi Vector Retriever — A tool that stores multiple embedding vectors per document, generated from smaller chunks, summaries, hypothetical questions, or manually specified text snippets. | by Harrison Chase | TWITTER
Scrum is a Cancer
Santiago, a software developer with 25 years of experience, calls Scrum a "cancer" that renders software teams useless. TWITTER
I Met a Book — Here's a heartwarming piece about the transformative power of books and reading. The author shares a personal story of how a single book changed their life. NATIONALREVIEW
AI Security Implications As General AI and Large Language Models (LLMs) become more integrated into business, understanding their security implications is key. This seminar provides a business-friendly overview of these technologies, focusing on practical security risks and strategies to manage them. YOUTUBE
GPT-4's API Misuses — Turns out, GPT-4, the large language model, is generating code with a lot of API misuses. A recent study shows that 62% of the code generated by GPT-4 contains API misuses, which could lead to severe problems like resource leaks and program crashes. ARXIV
Blogging Strategy — Henrik Karlsson challenges the common advice of frequent publishing for bloggers, arguing that investing more time in fewer, high-quality posts yields better results. HENRIKKARLSSON
Meta's Code Llama — Meta has launched Code Llama, a tool that generates and debugs code, built on its Llama 2 large language model. The tool, which comes in three sizes, scored 53.7 percent on the code benchmark HumanEval and can accurately write code based on a text description. THEVERGE
Writing Sins — Hamilton College has outlined seven common writing mistakes, including misuse of passive voice, improper punctuation in compound sentences, and wordiness. HAMILTON
Excel for Threat Hunting Reddit user m_edmondson has shared a newsletter on how to use Excel for threat hunting in your data. REDDIT
JavaScript De-Minification — LLMs (Latent Language Models) can be used to reverse JavaScript variable name minification, making the code easier to read and understand. The technique was shared by Reddit user jehna1 on the netsec subreddit. THEJUNKLAND
AI Security Implications — This seminar gives a business-friendly overview of General AI and Large Language Models (LLMs), focusing on their practical security implications and risks. It highlights the risk of uncontrolled disclosure of Personally Identifiable Information (PII) using an LLM and explores various LLM deployment scenarios. YOUTUBE
Learning GNU Awk This guide provides a comprehensive introduction to GNU Awk, a programming language primarily used for text processing and data extraction. GITHUB
Web Scraping Hypocrisy — Big companies like Meta and Microsoft are known for their aggressive stance against web scraping on their own properties, while they freely scrape data from others. ERICGOLDMAN
DJ Duo's Cybersecurity Venture The Chainsmokers, known for their music, are also tech investors with a growing interest in cybersecurity startups. Their venture firm, Mantis VC, recently participated in a $4 million seed funding round for iVerify, a mobile security app. WIRED
X's Verification Upgrade — X (formerly Twitter) is stepping up its verification game by requiring users to submit a selfie and a government-issued ID, thanks to Israeli software AU10TIX. JPOST
Time Well Spent — Rez0's blog post offers a framework for evaluating the value of activities, aiming to help readers spend their time more wisely. The framework categorizes activities based on who you're with and what you're doing, ranking them from most to least valuable. REZ0
Sketchbook Chronicles — Matt Kirkland shares his 23-year journey of keeping sketchbooks, highlighting their role as a tool for thinking, planning, and remembering. ATTAINABLEFELICITY
North Korean Sci-Fi — North Korean science fiction is a fascinating genre, often featuring their scientists and technologists as the heroes saving the world. ARSTECHNICA
Number Naming Nonsense — Ever wondered why 11 and 12 aren't called oneteen and twoteen? It's all about our language's old Germanic roots, where "eleven" means "one left" and "twelve" means "two left" after ten. REDDIT
RECOMMENDATION OF THE WEEK
I just finished this new book, Outlive, by Dr. Peter Attia. I’ve been recommending it to everyone I care about, and that includes you.
It’s not just a bunch of health advice; it’s also a completely different way of thinking about fitness overall, within the context of what you want to accomplish in life. Cannot recommend it enough.
APHORISM OF THE WEEK
❝
Children see magic because they look for it.
Christopher Moore