Unsupervised Learning is a Security, AI, and Meaning-focused podcast
that looks at how best to thrive as humans in a post-AI world. It combines
original ideas, analysis, and mental models to bring not just the news, but
why it matters and how to respond.
Hey there!
I hope you’re having a good start to the week.
This week I need your help. I need you to help convince me I don’t need
an espresso machine. I have enough hobbies. And this one is expensive and
takes a lot of counter space. Please help deliver me from evil.
Also, I made some tweaks to the show this week; let me know what you
think!

MY WORK
The Great Bifurcation
We’re explosively separating into the Thriving 10% vs. the Suffering 90%,
and it’s possible to be part of the 10% just by copying them.
READ IT
Topics, Insights, and Resources from the Neri Oxman and Lex Fridman
Podcast
Simply one of the best conversations I’ve ever heard. Unspeakably
beautiful and inspiring.
READ IT
SECURITY NEWS
This Microsoft/Storm situation is a great example of stacked real-world
failures. The actor used a Microsoft account consumer key to access
enterprise email. That key had been inadvertently included in a crash dump
due to a race condition, and the dump was later moved to a debugging
environment, where it was compromised. Or as they say in the offsec space,
lows and mediums can become criticals with the right
situation/patience/timing.
MSRC
China’s state-affiliated hackers are getting better at using AI to create
content meant to go viral on U.S. and other democracies’ social networks,
according to Microsoft researchers. The campaign focuses on divisive topics
and has successfully engaged audiences in at least 40 languages, reaching
over 103 million people.
OODALOOP
Hackers are spamming iPhones with pop-ups using a Flipper Zero. They can
basically keep prompting you to connect to a Bluetooth device, which stops
you from being able to use the device.
TECHCRUNCH
Chinese-speaking cybercriminals are running a large-scale smishing campaign
in the U.S., using compromised Apple iCloud accounts to send iMessages and
conduct identity theft and financial fraud. The group, known as Smishing
Triad, offers ready-to-use smishing kits via Telegram for $200 a month,
impersonating popular postal and delivery services in multiple countries.
THEHACKERNEWS
Vulnerabilities:
- Apple recently released updates to fix two zero-day vulnerabilities that
  might have been actively exploited by attackers. These bugs, identified
  as CVE-2023-41064 and CVE-2023-41061, affected the Image I/O framework
  and the Wallet function respectively.
  THERECORD
- Zavio IP cameras have been hit with multiple critical vulnerabilities,
  including 34 RCEs and 7 pre-auth BoFs. (Critical; CVE-2023-3959,
  CVE-2023-4249)
  REDDIT
- Cisco has released fixes for multiple security flaws, including a
  critical bug in the BroadWorks platform that could allow an attacker to
  take control of an affected system. The most severe issue,
  CVE-2023-20238, has a maximum CVSS severity rating of 10.0 and could
  allow an unauthenticated, remote attacker to forge credentials and
  access an affected system.
  THEHACKERNEWS
The Pentagon is planning to build a massive network of AI-powered tech,
drones, and autonomous systems in the next two years to counter threats from
China. The project, which is expected to cost hundreds of millions of
dollars, aims to develop thousands of air-, land-, and sea-based AI systems
that are “small, smart, cheap.” Go read Kill Decision by Daniel Suarez if you
haven’t yet. This shit is happening in real-time.
THEVERGE
Cars are officially the worst product category for privacy, according to a
review by Mozilla. The review highlighted that cars collect a significant
amount of personal data, often without clear user consent or control.
MOZILLA
Meta disrupted two major covert influence operations from China and Russia,
blocking thousands of accounts across its platform. The Chinese network,
linked to individuals associated with Chinese law enforcement, posted
content about China, criticism of the U.S., and Western foreign policies,
while the Russian operation mimicked mainstream news outlets to post fake
articles weakening support for Ukraine. I’d love to see a list of these
campaigns somewhere. Wouldn’t it be cool to see all the various propaganda
that we’re being exposed to, and the themes they’re trying to push?
THEHACKERNEWS
North Korean state hackers have targeted security researchers with at least
one undisclosed zero-day exploit. This campaign is similar to one exposed in
January 2021, where the same actors used social media platforms to initiate
contact with their targets.
BLEEPINGCOMPUTER
Swatting (where someone calls a SWAT team to raid your house) is becoming an
issue beyond just the gaming world.
THERECORD
MITRE and CISA have launched an open-source tool that simulates attacks on
operational technology (OT). The tool, an extension for the Caldera
platform, was developed to help identify and patch vulnerabilities in
critical infrastructure systems like transportation, water, and electricity
facilities.
OODALOOP
The National Security Agency (NSA) has wrapped up a strategic study on how
to use artificial intelligence (AI) and machine learning (ML) for its
missions. The study, led by Gen. Paul Nakasone, explores the potential use
of generative AI and ML in various missions and their impact on NSA workers.
DEFENSEONE
The IRS is using artificial intelligence to catch tax evasion, focusing on
big players like hedge funds, private equity groups, and real estate
investors. Once this gets going they are going to find so much more income
this way.
NYTIMES
TECHNOLOGY NEWS
MBA students competed against ChatGPT to come up with the most innovative
ideas. The results weren’t even close. People who don’t believe AI has
creativity need to really introspect on what that means if it can win
competitions like these. It’s very much like the
No True Scotsman fallacy, where any challenge that humans lose
“doesn’t test the real thing”.
WSJ
Huawei’s new smartphone, powered by an advanced Chinese-made chip, has
raised interest and policy questions globally. The chip is more advanced
than any previously produced in China, challenging Biden’s trade policy
aimed at blocking China from acquiring cutting-edge computer chips.
POLITICO
Horace Dediu’s piece at Asymco reveals that an iPhone customer is
economically 7.4 times more valuable than an Android customer, a significant
increase from the 4x rule he had a decade ago. Sounds cool, but this just
means iPhone people click more and buy more.
ASYMCO
China’s central government officials have been told to ditch their iPhones
at work, as part of a bigger plan to limit foreign influence. Apple, and the
US in general, better hope this doesn’t turn into a nationwide ban. Seems
unlikely, but the prospect is terrifying.
TECHCRUNCH | 9TO5MAC
Grindr just lost nearly half its staff due to a strict return-to-office rule
implemented over two days. Half. Half said no thanks. But like I said
before, that might have been the number they were looking for.
BLOOMBERG
Apple is supposedly dropping millions daily on artificial intelligence,
working on multiple AI models across several teams. Put it in Siri or it
didn’t happen. By Tuesday if possible. Thanks.
THEVERGE
Occidental Petroleum is investing billions in technology to extract carbon
dioxide from the atmosphere, a move that’s both hopeful and controversial.
The American oil company plans to store some of the captured carbon
underground, but also use some to extract more oil, causing a divide among
climate advocates.
NPR
HUMAN NEWS
Morocco is reeling from a devastating earthquake that has claimed over 2,100
lives and left thousands more critically injured. The quake’s epicenter was in
the rural Atlas Mountains, making rescue efforts challenging due to damaged
roads and remote communities.
NBCNEWS
Silicon Valley’s wealthy are increasingly turning to full-body MRIs as a
preventive health measure, despite no official medical body sanctioning
the practice. $2,500? I’m doing it.
WASHINGTONPOST
Goldman Sachs has revised the odds of a US recession next year, dropping it
to a mere 15%. This comes as a positive outlook amidst the economic
uncertainties.
FOXBUSINESS
Gen Z is increasingly opting out of college, with four million fewer
teenagers enrolling in 2022 than in 2012. I wonder how much of this has to
do with ChatGPT. Like why learn stuff anymore? Not saying that’s valid,
but it could be a factor?
BUSINESSINSIDER
Semaglutide, marketed as Ozempic and Wegovy, is showing promise beyond just
diabetes control and weight loss. New research indicates it also has
cardiovascular benefits, potentially improving life quality for overweight
heart patients. In a trial involving over 500 patients, those receiving
weekly semaglutide injections for a year saw reduced symptoms and improved
physical abilities.
WIRED
Despite the increasing popularity of therapy in the US, suicide rates have
risen by about 30% since 2000, and almost a third of US adults now report
symptoms of either depression or anxiety. That’s around three times as many
as in 2019. But we don’t know how much worse (or better) it’d be if we
weren’t doing the therapy. Like is the therapy just uncovering what was
underreported before? Or is this net new?
TIME
Childless not by choice, men like Robert Nurden experience a deep sense of
grief and isolation, often heightened on occasions like Father’s Day.
Research by Dr. Robin Hadley reveals that 25% of men over 42 do not have
children, and half of those who wanted to be fathers describe significant
grief and societal isolation.
THEGUARDIAN
New York City’s Local Law 18 has effectively made the city’s roughly 38,500
Airbnb listings illegal, limiting short-term rentals to situations where the
host is present and there are no more than two guests.
REASON
NOTES
A new friend of mine, Hrishi Olickel, put out this prompting guide, and it’s
not like the others. Absolute best I’ve seen since November when everything
went silly.
OLICKEL
My friend Caleb Sima created a presentation on how he protects his and his
family’s safety and privacy. He outlines his two-phase approach of
“Lockdown” and “Disappearing”, and discusses the importance of privacy in
security, the creation of various personas, and the use of services like
Privacy.com, Private Mailbox, VOIP Service, and Fastmail.
SIMA
A UL member tested GPT-3.5, Claude 2, and GPT-4 to see which AI model is
best at threat modeling. GPT-4 came out on top, proving less sensitive to
changes in prompts and capable of building robust threat modeling automation
with the right assumptions.
XVNWP
Just finished reading Darkness at Noon, and am now reading Man’s Search for
Meaning and The Gulag Archipelago. I think Man’s Search for Meaning is going
to be one of my favorite books of all time. The intro basically sets up my
exact approach to meaning and stoicism and the like.
IDEAS & ANALYSIS
AI = Augmentation Infrastructure

Terminal background ftw
AI is doing a lot for me. I’m building a product using it. I think about it
a lot. And I think it’ll massively impact our future. But the most practical
thing it’s doing for me is augmenting my life. To me it’s
augmentation infrastructure. What you see above is the list of APIs (and
their associated cli commands) that I’ve built to do things since November.
My latest one is the vidcon one, which stands for “video conversation”. It
lets me extract wisdom from transcripts. It’s godlike. The Neri Oxman
conversation summary was created using a version of this. Point is: I don’t
see AI as a standalone tool. I see it as part of my brain that’s not yet
fully integrated. But I’m working on it!
DISCOVERY
⚒️PromptTools Unveiled
Hegel AI has launched PromptTools, a set of free, open-source tools for
testing and experimenting with prompts. The tools can be used to run
experiments in notebooks, turn evaluations into unit tests, and integrate
them into your CI/CD workflow via Github Actions.
PROMPTTOOLS
⚒️CloudRecon Unveiled
CloudRecon is a new suite of tools designed to help red teamers and bug
hunters find ephemeral and development assets in their campaigns. The tool,
written in Go, includes three parts: Scrape, Store, and Retr, each serving
different functions in the process of scanning IP addresses or CIDRs and
inspecting SSL certificates.
GITHUB
⚒️Text Generation Web UI
The Gradio web UI for Large Language Models, developed by oobabooga, aims to
become the go-to tool for text generation, supporting multiple model
backends and offering features like custom chat characters, markdown output
with LaTeX rendering, and an API for websocket streaming. The project, which
received a generous grant from Andreessen Horowitz in August 2023, offers
detailed documentation for users and invites contributions from the
community.
GITHUB
⚒️Flipper Zero Compilation
CyberSecurityUP has compiled a comprehensive list of resources about Flipper
Zero, a Tamagotchi-like device for hackers. This GitHub repository includes
everything from user manuals to hardware specs.
GITHUB
📝LLM Testing
A developer tested over 60 large language models (LLMs) with a set of 20
prompts to gauge their performance in real-world workflows. The results,
stored in a SQLite database, offer insights into each model’s capabilities
in basic reasoning, instruction following, and creativity.
BENCHMARKS
📝Demystifying RCE Vulnerabilities in LLM-Integrated Apps
ARXIV
Cybersecurity Tool Bonanza
Penteston.com is offering a platform that lets you run over 20 top-notch
cybersecurity tools via an API. It’s a one-stop-shop for all your
cybersecurity needs.
HACKERNEWS
AI Tool Mastery
Microsoft is working on a project to teach large language models (LLMs) how
to use digital tools, potentially supercharging AI capabilities. The project
aims to compile millions of APIs, enabling AI to perform tasks ranging from
ordering pizza to solving complex equations.
SCHNEIER
AI Cloning
Delphi, an AI company, has developed a technology that can clone your voice
and mannerisms, making a digital version of you. The technology uses machine
learning algorithms to analyze your voice and facial expressions.
DELPHI
Undetectable AI
Undetectable AI is a new tool that transforms AI-generated content, which
often gets flagged, into high-quality writing that’s indistinguishable from
human work. Their AI solution ensures flawless text that resonates with your
audience, making it a game-changer for content creators.
UNDETECTABLEAI
AI Podcast Search
Mckay Wrigley has developed an AI tool that can semantically search a
podcast in real-time. This innovative technology could revolutionize how we
interact with audio content.
TWITTER
Le Guin’s Wisdom
Ursula Le Guin, the renowned author, had three guiding questions above her
desk: Is it true? Is it necessary or at least useful? Is it compassionate or
at least unharmful? These precepts served as her starting point for writing.
HACKERNEWS
Automated Newsletters
The author shares his experience of creating a bespoke newsletter service,
using Google App Engine, Falcon, gunicorn, Firestore, SendGrid, and jinja2.
He discusses the challenges faced, including managing deployment secrets,
setting up billing, and dealing with SendGrid’s outage, but also the ease of
not having to worry about administering a database or managing SSL.
AXLEOS
Buffett’s Life Lessons
Jimmy Buffett’s songs, like ‘Margaritaville’, have always been about more
than just good times and margaritas, they’re about life, friendship, and
even death. His lyrics, now archived in the Library of Congress, continue to
inspire and teach us about the human condition.
NYTIMES
Opposites Don’t Attract
Turns out, the old saying “opposites attract” might not be so accurate. A
comprehensive analysis from CU Boulder, involving millions of couples and
over 130 traits, found that partners are more likely to be similar than
different.
COLORADO
Tailscale Partners Mullvad
Tailscale and Mullvad are now buddies, meaning you can use both services
together via the Tailscale app.
MULLVAD
Event Likelihood Scoring
A Redditor has shared a cybersecurity event likelihood scoring model, which
could be a handy tool for risk assessments.
REDDIT
Slack’s AI Evolution
Salesforce-owned Slack is introducing Slack AI, which includes channel
recaps, thread summaries, and search answers, which are designed to help
users quickly catch up on important discussions and find information more
efficiently.
VENTUREBEAT
Myopia Epidemic
Our eyes are getting worse, and it seems screens and lack of outdoor
playtime are to blame. We’re seeing record levels of clinical myopia, also
known as nearsightedness.
WSJ
Risk Calculation Methods
Ever wondered how researchers calculate the risk from a health risk factor?
It’s not as straightforward as you might think. They use different metrics
like risk ratios, odds ratios, and risk differences, each with its own
interpretation and application.
OURWORLDINDATA
Child Gun Deaths Surge
Gun deaths among children in the U.S. reached a new high in 2021, with a
particularly distressing impact on communities of color. The study found
that nearly 50% of children who died by firearms in 2021 were Black, and the
death rate was 11 times higher for Black children compared to white
children.
AXIOS
AI Diplomacy Breakthrough
Meta AI has developed CICERO, an AI system that outperforms 90% of human
players in the game Diplomacy, which requires strategic reasoning and
natural language negotiation.
OODALOOP
Effective SOC Management
Three CISOs share their insights on running an effective Security Operations
Center (SOC) in 2023, emphasizing cost efficiency, automation, clear KPIs,
and robust business continuity plans.
THEHACKERNEWS
AI Adoption Accelerated
McKinsey & Company and Salesforce are joining forces to expedite the
adoption of generative AI in businesses across sales, marketing, commerce,
and service sectors. The collaboration aims to integrate Salesforce’s CRM
software with McKinsey’s AI and data models, offering a seamless end-to-end
experience for customers.
VENTUREBEAT
LLMs Replace Code
The author replaced 50+ lines of code with a single call to a large
language model (LLM) to compare mailing addresses, achieving 100% accuracy
in just a few minutes.
HAIHAI
AI-Generated Magic Cards
A group of friends built Urza’s AI, a website that uses artificial
intelligence to generate playable Magic the Gathering cards. The project
uses a combination of language AI to generate the text of a Magic card and
text-to-image AI to create the card’s image based on the generated text.
COHERE
Espresso Machine Love
The author shares a deep affection for her Breville Barista Express espresso
machine, not just for the coffee it makes, but for the satisfaction of
maintaining it. The machine, priced at $700, is not the cheapest or the most
elegant gadget, but it’s the perfect balance of complexity and
approachability. I’m starting to feel the draw of espresso, and I’m not
happy about it. Must. Stay. Drip.
THEVERGE
Trotsky’s Secret Alliance
CIA documents claim that Leon Trotsky, a key figure in the October
Revolution, was an MI6 agent since 1918.
SOVINFORM
RECOMMENDATION OF THE WEEK
Read Man’s Search for Meaning. It might be one of the most important books to
read for anyone. It shows
how one can find meaning in the worst possible situations, and therefore,
how we might find it in other situations as well.
APHORISM OF THE WEEK
More of a piece of poetry this week.
❝
A wave gently lifted him up. It came from afar and traveled serenely
onward, a shrug of infinity.
The last two sentences of Darkness at Noon
Unsupervised Learning is reader-supported. When you buy through a link on
our site or newsletter, UL may earn an affiliate commission












0 responses on "UL NO. 398: Storm Vuln Stacking, CloudRecon, The S-Tier Guide to AI Whispering, Full-body MRIs…"