Unsupervised Learning is a Security, AI, and Meaning-focused podcast
that looks at how best to thrive as humans in a post-AI world. It combines
original ideas, analysis, and mental models to bring not just the news, but
why it matters and how to respond.
Greetings,
So this is the first episode on the new Beehiiv platform. Super excited
to be consolidating platforms from like 6 to 1 or 2. Can’t tell you how
good it feels to reduce the cruft built up over two decades into a
clean, modern solution. I’ve lots more to say about the transition and
why I’m breaking my own rule of unifying on a new platform, so expect
that post soon.
In the meantime, I’m looking forward to being able to spend less time
on administration and operations and more time on thinking, writing, and
building.
Let’s kick some butt this week!
In this episode:
🔥 Human Immortality Using LLMs
🤖 Generative AI Reshaping Enterprises
🔒 Verizon DBIR 2023 Analysis
🪳 Chrome Zero-Day Patched
💰 Lazarus Atomic Wallet Link
🚀 Tame Your Compliance Beast
🪳 MOVEit Vulnerability Exploitation
📰 North Korean Hackers Impersonate Journalists
📱 Apple ID-sharing
🌐 Apple Vision Announced
🔑 Password Crackdown Success
📈 AI-Driven Stock Surge
📱 iOS17 Features Summary
🔐 Apple Passkey Sharing
MY WORK
🔥 Human Immortality Using LLMs
My new essay on why using LLMs to back ourselves up is closer and
more realistic than most might think. Discusses human identity variance,
indeterminism in human preferences, change over time, and more.
MORE
How Generative AI Will Reshape the Enterprise
I went on Security Weekly last week with Adrian Sanabria and crew to
talk about how AI will impact the enterprise. It was a solid conversation
that covered a lot of ground.
MORE
SECURITY NEWS
Verizon DBIR 2023 Analysis
Every year I do an analysis of the DBIR report and provide a summary and
analysis. Here are this year’s key points and analysis.
Takeaways:
Social engineering attacks are up, with Business Email Compromise and
ransomware leading the charge.
Most breaches involve human error and external actors, and the primary
motives are still financial.
Business Email Compromise (BEC) attacks have almost doubled and
represent more than 50% of incidents in the Social Engineering pattern.
74% of all breaches involve human error; 83% involve external actors.
Financial motives underlie 95% of breaches.
Ransomware is present in 24% of reported breaches and remains a
significant threat.
Log4j vulnerability, while initially concerning, was less prominent in
breaches than anticipated but still requires attention.
Stolen credentials, phishing, and exploitation of vulnerabilities are
the top attack methods for gaining access to organizational systems.
More than 32% of all Log4j scanning activities occurred within 30 days
of its release.
Despite the heightened focus on Log4j, exploitation of vulnerabilities
remained relatively stable in incidents and saw a decrease in their
presence in breaches.
Banks and exchanges have become prime targets for cybercriminals, with a
fourfold increase in cryptocurrency-based attacks compared to previous
years.
Organizations of all sizes and industries remain vulnerable to
ransomware. Ransomware is present in 62% of incidents involving
organized crime actors and 59% of financially motivated incidents.
Analysis:
I found it interesting that human error was so high on the list. Not so
much surprising, but interesting.
It makes sense that BEC is so dominant since that’s where the money is,
and it’s also notable that only 5% of breaches are
non-financially-oriented. Meaning most of the movie-plot stuff is a tiny
percentage of attacks compared to good-ol’-fashioned money.
Ransomware still dominates the scene, which makes sense because of how
mature it’s become as a business. I knew we were in trouble when we
started seeing a specialized economy of entry, pivoting, exfil, and
customer service.
I still can’t shake the idea of ransomware being like natural burns in
forests. They suck a lot, but maybe they harden us against even worse
events.
🪳 Chrome Zero-Day Patched
Google has fixed a zero-day vulnerability in Chrome, marking the
third such exploit addressed this year. The company has not released details
about the exploit, which is unusual, but urges users to update their
browsers.
MORE
Lazarus Atomic Wallet Link
North Korean hacking group Lazarus has been linked to the recent
Atomic Wallet hack, resulting in the theft of over $35 million in crypto.
Blockchain experts at Elliptic traced the stolen funds and attributed the
attack to Lazarus with a high level of confidence.
MORE
Sponsor
🚀 Tame Your Compliance Beast! 🚀
🔒 Drata’s got your back with automated evidence collection and 24/7 risk
monitoring for 14+ frameworks, including SOC 2, ISO 27001, GDPR, and HIPAA.
Say goodbye to manual mess and hello to streamlined compliance! 📈
🌟 Join industry leaders like Notion and Lemonade who trust Drata to
supercharge their compliance programs. 🏆
👉 Don’t miss out! Book a demo NOW and unlock the secret to effortless
compliance. 🗝️
http://drata.com/partner/unsupervisedlearning
🪳 MOVEit Vulnerability Active Exploitation
The critical vulnerability in MOVEit Transfer (CVE-2023-34362) has
been exploited by ransomware groups like cl0p and other threat actors,
leading to remote code execution. Researchers found that the bug, initially
thought to be a SQL injection vulnerability, could allow unauthenticated
adversaries to deploy ransomware or perform other malicious actions.
Software maker Progress has released patched versions to address the issue,
but organizations yet to upgrade should disable all HTTP and HTTPS traffic
to mitigate risks.
MORE
🪳 Fortigate RCE Flaw Patched
Fortinet released firmware updates addressing a critical
pre-authentication remote code execution vulnerability in SSL VPN devices,
urging admins to apply the security updates immediately.
MORE
North Korean Hackers Impersonate Journalists
North Korean government-backed hackers have been impersonating
journalists to gather strategic intelligence from academics and think tanks.
SentinelLabs researchers linked the social engineering campaign to the North
Korean advanced persistent threat group Kimsuky. The group targeted
subscribers of NK News, an American website providing analysis about North
Korea, using spoofed Google Docs links and weaponized Microsoft Office
documents to capture victims’ credentials and exfiltrate information.
MORE
Chinese AirDrop Legislation
The Chinese government plans to further restrict AirDrop usage
despite Apple’s changes, fearing its potential for spreading anti-government
materials. The Cyberspace Administration of China issued a draft proposal
targeting Bluetooth-enabled file-sharing features, which could force Apple
to ensure users set their iPhone name to their real name.
MORE
AI Spots Undeclared Pools
French tax officials used AI to discover 20,000 undeclared swimming
pools, resulting in €10m in additional tax revenue. The AI system, developed
by Google and Capgemini, identified pools in aerial images and
cross-referenced them with land registry databases. The successful trial
will now be extended nationwide. This is another example of the
transparency added by AI I talked about in a previous essay.
MORE
Fake Hug Political Ad
We’ve all anticipated deepfakes being used in politics, but now we
have a direct and solid example. DeSantis’ team ran a political ad with a
picture of Trump embracing and seemingly kissing Fauci. The picture is fake.
MORE
Apple Working on ID-sharing
Apple’s working on ways to share your ID securely via iPhone
and Watch. Arizona already accepts it for the driver’s licence, but they’re
working on business integrations as well. This has always been a dream of
mine for situations like doctors’ offices. Imagine tapping instead of
filling out 13 forms of redundant and sensitive crap. Digital information
exchange is precisely the type of problem that only Apple seems to have the
organization and oomph to push through with states and companies. Can’t
wait.
MORE
TECHNOLOGY NEWS
Apple Vision Announced
Apple announced the Apple Vision and the general consensus seems to be
that it’s much better than people anticipated. But that price, tho.
Honestly, I thought it would be a rough first version, kind of like with
the Apple Watch, but I was like 5x more impressed than I thought I would
be. Having had a week to think about it, I think it’s going to do exactly
what it needs to do, which is: 1) establish Apple as the leader in AR/VR,
2) get enough early adopters using it in business and creative industries
to create a few practical applications, and 3) motivate people to take the
space seriously and either use their devices or create alternatives. It
seems to me like they’re on course to hit all three of these. For me the
biggest win was the completely new interface of sight+hands. That was the
bit that took it from just another entry into the space to a
space-defining Apple entry into the space. Similar to iPhone entering the
personal communicator space in 2007. My expectation is that many rich
people will buy one and love it, and that many businesses will create apps
on it that are more useful to them than any other platform, and that these
two combined will propel innovation on the second version. So once again,
similar to Apple Watch, which is now the best-selling watch in the world
by far. I personally will be getting one for sure, and I anticipate using
it for movies and games. I anticipate games being a big part of Apple’s
future now that they’ve made it easy to port Windows games, and I think
Apple Vision will be huge for that (once they’re affordable at v2 and v3).
TOM’S GUIDE REVIEW | THE VERGE REVIEW
Password Crackdown Success
Netflix saw a surge in sign-ups after implementing password-sharing
restrictions in the US, with nearly 100,000 daily sign-ups on May 26 and 27,
according to research firm Antenna. Despite increased cancellations, the
overall ratio of sign-ups to cancels rose by 25.6% compared to the previous
60-day period.
MORE
AI-Driven Stock Surge
I predicted this around February or so, and now it’s coming true. The
release of ChatGPT by OpenAI has sparked a wave of enthusiasm for artificial
intelligence, leading to a boom in tech company valuations. The S&P 500
index has risen by 8% since ChatGPT’s launch, with AI-exposed firms like
Nvidia experiencing significant growth. As I wrote back then, the stock
market is based significantly on optimism and pessimism, and my prediction
was that investors would see all the stuff created by AI and realize there’s
a mountain of potential upside.
MORE
iOS17 Features Summary
Here’s what Apple announced last week for iOS17. I am on the beta and
it’s pretty great already. My personal favorites are the improvements to
Emoji/Stickers on iOS and Namedrop that lets you share contact info by
bringing iPhones close to each other. Looking for more people to test
Messages features with, so hit me up.
FEATURES LIST | LESSER FEATURES
Apple Passkey Sharing
You can now share Passkeys (hardware-tied strong authentication) with
groups, family members, and external providers. So you can store them in
1Password, for example. Really cool that this functionality is going
cross-platform.
MORE
Sponsor
🚀 Unleash the Power of CrowdSec 1.5 – Collaborative Security Reimagined 🚀
🔥 Experience the cutting-edge CrowdSec Engine 1.5, packed with
groundbreaking features to supercharge your security! Empower your SOC teams
with streamlined management, automation, and performance enhancements.
Seamlessly integrate DevSecOps and embrace cloud support for AWS Cloudtrail
and Kubernetes Audit. Unlock the potential of new Premium Blocklists,
providing laser-focused threat intelligence to pinpoint IPs like VPN and Tor
Nodes.
💥 Dive into CrowdSec 1.5!
👉 Take a tour of CrowdSec 1.5!
HUMAN NEWS
Startup Shutdowns
The pace of startup shutdowns, fire sales, and sharp
business-strategy changes is increasing as fresh capital from venture
investors and bank loans becomes scarce and expensive. The venture boom of
2021 is struggling, with many startups running out of money and facing hard
choices. The yearly internal rate of return for venture firms was negative
7% in the third quarter of 2022, the lowest value since 2009.
MORE
IDEAS & ANALYSIS
When to Break Rules vs. Follow Them
A few people might be wondering why I moved to Beehiiv after talking so
much garbage about Medium.
Haven’t I been preaching for years that consolidating on new, hyped
platforms is dangerous? Isn’t this doing exactly that? Yes and yes. Kind of.
First, there are always exceptions to rules, and those exceptions don’t
negate the rules; in fact they often bring them into focus. In this case I
have been waiting to move platforms for multiple years, with the pressure of
too many platforms, and legacy cruft building up over time. It was like a
Yellowstone supervolcano ready to blow. So I have been waiting for Ghost to
get their stuff together, which they haven’t yet. I was waiting for a new
up-and-comer to replace Ghost. And that just happened to be Beehiiv. Their
pedigree is from an extremely successful similar type of company, they have
a tiny and super efficient team, and they ship product like nobody I’ve ever
seen. So they have lots of markers indicating they are a rare gem. Then
there’s the product, which has a combination of simplicity and functionality
I’ve never seen. They basically became an existential threat for Mailchimp
and ConvertKit and WordPress overnight, which is quite impressive. And
finally, I acknowledge the risk that I have been talking about all this
time. I have easy export options out of the platform and I’ll be ready to
pivot if necessary if they get bought by someone reprehensible in the
future. To me the top priority was getting somewhere that wasn’t where I
was. Namely with 5-6 platforms and lots of duct tape and silly string. We’ve
been successful in that. There are lots of downsides to the move, namely a
million 404s for previous crufty functionality, custom URL breakage, and all
sorts of stuff. But the main goal of being able to quickly create content in
a unified way, using a product from a known team that doesn’t seem bent on
bait and switch, feels really great. I hope you enjoy the new platform as
much as I have so far, and that this continues for both of us. And feel free
to ask more questions in our UL Chat!
NOTES
Super excited to get this episode out on the new platform. The biggest
advantage is that the blog post and the newsletter are the same thing! So no
more delay between one and the other. And the formatting will be perfectly
matched. You can’t know how happy this makes me. Plus, this editor is
infinitely easier to work with than Mailchimp. Oh, and probably 1/10th of
the cost. Now I have more time to get the podcast out on time as well, which
I’m going to be prioritizing from now on! Great times ahead.
My buddy Stök got accepted to speak at Blackhat on Weaponizing Plain Text!
Great job man!
MORE
DISCOVERY
🧱Smol-Developer — Automated program generation using GPT-4. But rather than
just write a function, or a basic app, you can give it complex requirements
and it’ll build all the separate components and stitch them together!
Think GPT-4 + AutoGPT for complete apps. Probably the biggest AI project of
the week.
WEBSITE | GITHUB REPO
🧱Gorilla: An API-powered LLM Model — UC Berkeley and Microsoft researchers
introduced Gorilla, an API-augmented LLaMA-7B model that outperforms GPT-4,
Chat-GPT, and Claude. Gorilla leverages self-instruct fine-tuning and
retrieval techniques to accurately select from a large set of tools
expressed through APIs and documentation, improving LLMs’ knowledge and
reasoning abilities.
MORE | GITHUB REPO | JUPYTER NOTEBOOK
LLMs are good at playing you.
MORE
Get phones out of schools now.
MORE
Quick VPN setup with AWS Lightsail and Wireguard.
MORE
Mental Liquidity
MORE
12 Threat Modeling Methods
MORE
Buy Well, Buy Once
MORE
RECOMMENDATION OF THE WEEK
Ask yourself if you’re ever rude to friends, or to anyone you care about or
value. If the answer is yes, look out for a lesser version of yourself to
offer an excuse. “Oh, it’s only when I’m mad.” “It’s only in a business
context.” “It’s only when they really push me!” Allow me to offer that this
is never ok. Disconnecting is fine. Dialing-back a relationship is fine. But
rudeness to friends is never ok. Directness, hard-talk? Even talk that can
cause pain and offense? Sure. But not rudeness. Not meanness. Not being an
asshole. Don’t let the fact that you’re nice most of the time give you an
excuse to be an asshole sometimes. That’s just weakness. Find a way to
extricate it from your personality, and if you have a friend who does this
maybe share this with them.
APHORISM OF THE WEEK
❝ The creative adult is the child who survived. ❞
Ursula K. Le Guin