Unsupervised Learning is a Security, AI, and Meaning-focused podcast
that looks at how best to thrive as humans in a post-AI world. It combines
original ideas, analysis, and mental models to bring not just the news, but
why it matters and how to respond.
Hey there,
No big intro this week. Let’s just jump into it!
MY WORK
AI Will Likely Crush the B2B Services Economy
Some back-of-napkin analysis of how much AI could impact B2B services and
overall GDP.
danielmiessler.com/p/ai-will-likely-crush-b2b-services-economy
🎙️ Subscribe to the Podcast
I’ve moved podcast ads to the front of the podcast so that you’ll no longer
be interrupted once the content starts!
📡 Connect via RSS
RSS is lyfe.
SECURITY NEWS
Cyber Job Shortage Confusion
Ben Rothke has an interesting post explaining the discrepancy between so
many people looking for cyber jobs while there are also so many openings. He
argues that there are tons of newbies, generalists, middle-managers, and
CISO-types—but nowhere near enough people to actually do the technical work.
In other words, developers who know the deepest levels of product and
application security and have the dev skills to push code to production.
There are more specific skill sets than just development that this applies
to, like third-party assessments, threat modeling, pentesting, etc., but I
think the analysis is spot on. TL;DR: We have a surplus of cyber-adjacent
people looking for jobs, but hiring managers are struggling to find people
who can do the actual technical work.
BROTHKE | MY ESSAY ON WHAT HIRING MANAGERS WANT
We Need a Content Source Authentication System
We’re seriously about to need a content authentication system. This demo
that just came out from HeyGen shows another language being overlaid on top
of an existing video, except the mouth matches the translation, so it looks
like they actually speak the language. This is the type of problem that
happens slowly until it hits us all at once, i.e., not knowing what content
came from the actual creator vs. what was faked. I give more analysis here.
TWITTER
CVE Farming
Software supply chain security researcher Dan Lorenc has highlighted an
issue where people are gaming the CVE submission system by submitting
multiple old and highly-rated issues to get a reputation boost by having
their own CVE.
MALWAREBYTES
Vulnerabilities:
- Apple’s Zero-Day Flaws
There have been multiple Apple zero-day patches recently, with the most
recent one being Predator spyware related. When you see an Apple urgent
patch, it’s a good idea to update, especially if you’re someone likely to
be targeted.
THEHACKERNEWS | OODALOOP | GOOGLE
- GitLab’s Critical Flaw
GitLab has patched a critical vulnerability that allowed attackers to run
pipelines as another user. Severity score: 9.6.
SECURITYWEEK
- Fortinet’s Security Patches
Fortinet has rolled out patches for high-severity XSS vulnerabilities
affecting multiple versions of FortiOS and FortiProxy.
SECURITYWEEK
- Juniper Vulnerability
Around 12,000 Juniper SRX firewalls and EX switches are exposed to an
unauthenticated, fileless remote code execution flaw.
BLEEPINGCOMPUTER
- Nagios XI Vulnerabilities
Nagios XI has been hit with multiple security flaws that could lead to
privilege escalation and information disclosure.
THEHACKERNEWS
- Malicious npm Packages
Cybersecurity researchers have found a new batch of malicious npm packages
designed to steal Kubernetes configurations and SSH keys from compromised
machines.
THEHACKERNEWS
Sponsor
Cloud Visibility?
Cloud-first security teams are leading the pack in adopting Cloud Native
Application Protection Platforms (CNAPP). This CNAPP Buyer’s Guide contains everything you need to know to make sure you’re adapting to the evolving threatscape and staying ahead of attackers, including:
- What exactly is CNAPP
- Why Gartner predicts that 80% of teams will move to CNAPP by 2026
- How leading security orgs are consolidating their security stack (CSPM, CWPP, CIEM, CDR)
- Bonus: An RFP template with a scorecard to assess potential solutions
Get the complete breakdown in the CNAPP Buyer’s Guide.
👉wiz.io/lp/cnapp-buyers-guide👈
UK’s Cyber Operations
The UK’s Strategic Command is now conducting ‘hunt forward’ operations,
which are defensive activities where military cyber experts deploy to a
foreign nation to detect malicious activity on the host nation’s networks.
I like the initiative here. Seems aggressive but necessary.
THERECORD
Microsoft’s Data Leak
Microsoft’s AI research team accidentally exposed 38 terabytes
of private data, including a backup of two employees’ workstations, while
publishing open-source training data on GitHub. The leak included secrets,
private keys, passwords, and over 30,000 internal Microsoft Teams messages.
People wonder how AI is going to affect security, and I think one of the
biggest ways is having tons of AI agents monitoring for and preventing
mistakes. Things like publishing errors, config mistakes, too many
permissions, etc. Imagine having a team of hundreds of people working 24/7
who never get tired, making sure you never make these mistakes. That’s one
huge thing AI will end up being for the blue side.
WIZ
OpenAI’s Red Teaming
OpenAI is launching the OpenAI Red Teaming Network, a group of
contracted experts to help make their AI models more robust.
TECHCRUNCH | OPENAI
Clorox’s Cyberattack Impact
This is a rare case where a cyber incident directly impacts the bottom
line. Clorox is still recovering from a cyberattack that happened a month
ago, and it’s going to hit its earnings because it had to switch to manual
ordering and processing during the attack.
THEHILL
Sponsor
Revolutionize Your Security Program with Vanta’s Top-Tier Compliance
Automation
💸 Save not just time, but up to a whopping 85% of costs!
⌛ Join Vanta’s global network of 5,000+ customers who have slashed over 300 hours of manual work for SOC 2, ISO 27001, HIPAA, GDPR, and more.
🕸️ Vanta’s 200+ integrations let you effortlessly monitor and secure your essential business tools. From hot-ticket frameworks to third-party risk management and security
questionnaires, we offer a one-stop solution for SaaS businesses to manage risk and demonstrate security in real-time.
Exclusive for the Unsupervised Learning community: Claim your $1000
discount at Vanta.com/Unsupervised. Act now, secure your business, and save big!
T-Mobile’s Data Leaks
WTAF is going on at T-Mobile? They’ve been having a rough year,
with customers reporting seeing other people’s sensitive information when
they log into their accounts. And this is one of many incidents so far this
year. Are we just over-reporting on T-Mobile right now, or is it really this
bad?
OODALOOP
Snatch Ransomware Alert
FBI and CISA have issued a joint warning about “Snatch”, a
ransomware-as-a-service operation that’s been active since 2018. The malware
forces Windows systems to reboot into Safe Mode, encrypting files undetected
by antivirus tools, and has recently targeted IT, defense, and food and
agriculture sectors.
OODALOOP
APT36’s YouTube Clones
The APT36 hacking group, also known as ‘Transparent Tribe,’ is
using Android apps that mimic YouTube to infect devices with their signature
remote access trojan (RAT), ‘CapraRAT.’ This malware can harvest data,
record audio and video, and access sensitive communication information.
BLEEPINGCOMPUTER
Chinese Linux Backdoor
Chinese hackers have come up with a new Linux backdoor, dubbed
SprySOCKS, which is a spin-off from a Windows backdoor named Trochilus. The
malware, linked to the Chinese government, has capabilities like collecting
system info, controlling compromised systems, and creating a proxy for data
transfer.
ARSTECHNICA
TECHNOLOGY NEWS
ChatGPT Gets Voice and Vision
OpenAI’s ChatGPT has been upgraded with vision and auditory capabilities,
significantly enhancing its ability to assist users in their daily tasks.
– You can talk to ChatGPT and have it respond in a natural voice
– You can upload an image and ask questions about it
– The features are rolling out slowly to the user base, as with most of
their new shiny stuff
OPENAI
Cisco Acquires Splunk
Cisco bought Splunk for $28 billion. The joke is that Splunk took a while
to react because when they saw the payment they just figured Cisco was
renewing their license. My take on this is that it’s an AI play to go where
the enterprise data is. And logs are one of those places.
SPLUNK | SECURITYWEEK
GitHub’s Passwordless Logins
GitHub has rolled out passkeys for all users, allowing for
passwordless logins and better protection against phishing. Thank God.
Passkeys everywhere, please. Especially for finance-related apps.
BLEEPINGCOMPUTER
DALL-E 3 Unveiled, Kind Of
OpenAI has teased DALL-E 3, a new version of its AI image creator
that can be controlled using ChatGPT. The system is way better at doing
exactly what you tell it, but it doesn’t look as good as Midjourney. Weird
that they did a launch without actually giving people access, though.
AXIOS
Microsoft’s Copilot Everywhere
Microsoft is putting Copilot AI in everything, basically. Deep
into the new Windows OS, the core apps, and on the new Surface devices.
Yusuf Mehdi, consumer chief marketing officer, describes Copilot as “a
handshake between you and technology — available when you need it and out of
the way when you don’t.” I’m not a Windows guy, but I’m super happy to see
this.
THEVERGE
AI’s Impact on Kindle
Amazon had to throttle how many new books one can publish on
Kindle because of GenAI. People were posting many per day, most of which
were very low quality.
HACKERNEWS
AI Girlfriends Rise
Ads for AI girlfriends are popping up everywhere, with Replika
alone being downloaded over 20 million times. I tried a couple from an
article last week and they were super cringe. Also GPT-3 cringe, which “she”
was happy to tell me. One of the services was a straight-up porn
avatar/chatbot.
FREYAINDIA
Nursing Robot Expansion
Diligent’s nursing robot, Moxi, is getting a big boost with a
$25 million funding round aimed at tripling its reach. Electric cars don’t
have anything on robots. AI and personal/everyday robots are going to shape
our tech future the most in the next 20 years I think.
TECHCRUNCH
HUMAN NEWS
Iran’s Hijab Bill
Iran’s parliament has a new bill that could land women in jail
for up to 10 years for “inappropriate” attire, and it’s also the anniversary
of the government crackdown against women not wearing the Hijab. Meanwhile,
the UK is
erecting a Hijab statue
talking about how awesome they are. To be clear, I think women should
obviously be able to wear whatever they want in free countries. What trips
me out is how religion can make something a symbol of freedom and oppression
simultaneously.
OODALOOP
Germany’s Economic Decline
Germany is now the world’s worst-performing major developed
economy. The decline is largely due to the loss of cheap natural gas from
Russia following its invasion of Ukraine, which has severely impacted
Germany’s energy-intensive industries.
APNEWS
Single-Parent Households
The U.S. has the highest rate of children living in
single-parent households in the world, with almost a quarter of U.S.
children under 18 living with one parent and no other adults. This is more
than three times the global average of 7%.
PEWRESEARCH
Religious Identification Declines
Americans are increasingly identifying as spiritual rather than
religious, according to a recent Gallup poll. The survey found that 47% of
Americans identify as religious, down from 54% in 1999, while 33% identify
as spiritual but not religious, and 18% say they are neither, up from 9%
in 1999.
GALLUP
Alcohol’s Heart Risks
The World Heart Federation’s recent policy brief debunks the
myth that alcohol, including red wine, is heart-healthy, linking it to
several heart-related risks. I learned this from Huberman, and have removed
all alcohol from my house. I no longer drink unless I’m out with friends and
it’s a special occasion. Or at conferences. Turns out it’s just poison at
any dosage, so I’m done with it as a regular thing.
HEALTH.HARVARD
Airlines Turned Banks
Airlines have become more like financial institutions, creating
points out of nothing and selling them for real money to banks with
co-branded credit cards.
THEATLANTIC
Charging for Returns
H&M, following other brands like Zara and Uniqlo, has
started charging for returns in the UK, which might be a bummer for your
wallet but could be a win for the environment. But I suspect the reason is
that it discourages returns and improves the bottom line. Imagine if Amazon
did this.
THEVERGE
COVID Vaccine Uptake
According to Politico and Morning Consult polling, 57% of
registered voters said they would “probably” or “definitely” get the
vaccine, nearly triple the uptake of last year’s updated vaccine.
ARSTECHNICA
IDEAS & ANALYSIS
Who Wins AI? Open or Closed Source?
I think open-source AI has a high chance of ending up with tons of
market share for a simple reason. AI only needs to be “good enough” for most
tasks. There’s a bar for perfect that isn’t actually perfect at all. So open
source AI models don’t have to beat GPT-N, they just have to exceed that
bar. Also, look at macOS vs. Linux. What’s more popular with high-end
consumers? iOS and macOS. But only for their personal devices. What’s
running the consoles and the machines all around us all day? The millions of
electronic systems and machines embedded all over the planet. Linux. I think
open source AI might be the same. Mostly open for most things, and then
closed for the premium use cases.
SUBSTACK
NOTES
Strong UL book club this week. Great discussion of the current book and
surrounding issues, and we picked the next book as well. Can’t wait for
everyone to read this one!
DISCOVERY
⚒️ Sling Shot R3con — A new open-source tool that simplifies the initial
phase of bug bounty and penetration testing by automating tasks like
subdomain discovery, DNS resolution, port scanning, and website crawling.
The tool, written in Bash and powered by Project Discovery tools, is
designed to save time and increase efficiency for developers and security
enthusiasts.
MEDIUM
⚒️ Tracker-Radar — A dataset of the most common third-party domains on the
web with information about their behavior, classification, and ownership.
TWITTER
⚒️ Go Exploit — A Go-based framework designed to help developers create
portable and consistent exploits.
GITHUB
⚒️ FFUF v2.1.0 — A new release of the popular web fuzzer, FFUF, is out now.
| by joohoi | GITHUB
Bypassing SSL Pinning in TikTok
TWITTER
WSL 2.0: Now with Windows Snapping for GUI Apps
GITHUB
Six Weeks to a New Brain
BBC
Vim + LLMs
REZ0
MBA grads are buying entire companies through a phenomenon called
“entrepreneurship through acquisition” (ETA).
MORNINGBREW
The SATs are changing next year to a new format that will de-emphasize
speed.
NYTIMES
Building Knowledge Graphs with Langchain and Matplotlib
DATADRIVENINVESTOR
Marriage as a Poverty Solution
THEATLANTIC
Orwell’s Complete Works
HACKERNEWS
Project Gutenberg has just turned thousands of its titles into audiobooks
using synthetic speech.
TECHCRUNCH
Exploiting Okta for Penetration Testing
REDDIT
There’s a whole branch of math that’s all about knots.
YOUTUBE
Training Smaller AI Models to Outperform Giants
GOOGLE
Social Media’s Impact on Teen Girls
NYTIMES
RECOMMENDATION OF THE WEEK
Re-evaluate your task list with the retrospective view of December 31st,
2023.
- What have you done this year?
- What did you set out to do?
- Where are you on that list?
- Look at your current daily/weekly plans this week and reframe them based
on this.
- If your goals haven’t changed, and you’ve not accomplished them yet, are
the things you’re doing this week and next that high of a priority?
Zoom out. Look at your goals and your progress. Re-evaluate.
APHORISM OF THE WEEK
“We first make our habits, then our habits make us.”
John Dryden
UL NO. 400: What Hiring Managers Want, CVE Farming, Hunt Forward Operations, and AI vs. B2B Services