

Unsupervised Learning is a Security, AI, and Meaning-focused podcast
that looks at how best to thrive as humans in a post-AI world. It combines
original ideas, analysis, and mental models to bring not just the news, but
why it matters and how to respond.
Hey there!
Heading into a busy week. Working on a super exciting new product under
the TELOS banner—the first of our products built using the SPQA
architecture, and I’m absolutely pumped for it. I’m also working on a
bunch of talks for Vegas and other places.
Also, felt like this newsletter was juicier than usual, hope you like it!
In this episode:
📚 The Real Internet of Things: A Look into the Future of Technology
🔒 Pentera’s Unique Approach to Automated Security Validation
🌐 AI and the Reduction of the Creativity Friction Coefficient
🔐 LockBit vs. TSMC: A Tale of Ransomware and Supply Chain Dependencies
☁️ The US’s Move to Block Chinese Cloud Usage: A National Security Matter
🔥 Fortinet Fallout: A Critical Bug in FortiGate Firewalls
🇨🇳 New Chinese APT Tradecraft: Volt Typhoon’s Stealthy Approach
🔍 Google’s Privacy Policy Update: Feeding the AI
🌞 Solar Hacking: The Exposure of Renewable Energy Units
📋 And more…
MY WORK
I wrote a book in 2016 about the future of technology, called
The Real Internet of Things. To be honest I didn’t like it that much at the time; I just wanted to get
the ideas out there and locked in time.
Well, now the ideas are starting to happen!
I can now happily recommend that you pick up a copy. If you like any of my
content, and you’ve been following what’s happening with AI,
I think you’ll really enjoy the book. Not just for the stuff that’s already happened,
but for the stuff that’s coming next that’s already in the book!
I wish I could say go to your local Barnes & Noble, but they only have
bookstores in London these days, and it’s currently Kindle and Paperback
only anyway. Oh, and if any members want a signed copy let me know in Member
Chat.
I’m finally sharing my book from 2016, because it’s just now sounding
realistic.
AI and the World’s Most Important Economic Metric
Introducing the concept of a Creativity Friction Coefficient, and how
AI will help reduce it.
Pentera Sponsored Interview
I had a great conversation recently with Aviv Cohen, CMO of Pentera.
They do something like automated pen-testing and attack surface management,
but they have a different take on it and call it Automated Security
Validation. It was a great conversation about the whole space, the problem
they’re addressing, and how they approach it differently. Worth a listen if
you’re adjacent to that space in any way.
SECURITY NEWS
LockBit vs. TSMC
The now-famous LockBit ransomware group has hit TSMC, one of the
world’s leading chipmakers, demanding a $70 million ransom after breaching
security at Kinmax, TSMC’s hardware supplier.
— LockBit was able to access server configurations and settings of TSMC
through a compromised test environment at Kinmax.
— LockBit threatened to go public with the data if the ransom isn’t paid.
— Despite the breach, TSMC maintains that its operations have not been
impacted, and crucially, no customer information has been compromised.
The tangled web of supply chain dependencies continues to produce for
attackers. I honestly can’t wait until AI is good enough to take an
inventory of a company’s environment, find all the vendors and dependencies,
and build a Business Resilience Risk report based on that. Threat scenarios,
backup plans, etc. Honestly it’s not the AI that’s the problem, but finding
the right artifacts to feed the AI to show it the whole picture.
The US to Block Chinese Cloud Usage
The Biden administration reportedly looks to restrict Chinese
firms’ access to US cloud-computing services, which could significantly
exacerbate tensions between the two economic giants.
– If adopted, the rule would mandate US cloud-service providers like Amazon
and Microsoft to obtain government permission before offering cloud services
using advanced AI chips to Chinese clients.
– The proposed cloud restrictions are viewed as a way to address a
significant loophole—Chinese AI companies potentially bypassing existing
export control rules by leveraging cloud services.
– The $53 billion Chips Act aims to curtail US reliance on foreign-made
semiconductors, particularly those used by the Pentagon, making this a
crucial national security matter.
I’m nervous about escalating tensions but I’m happy the Biden administration
is playing hawkish on China in general. I feel like the US has just had
enough of their blatant attempts to hack and steal everything, and I just
wish more of the world had the vision or the freedom to take a similar
stance.
Fortinet Fallout
A new bug has left roughly 70% of FortiGate Firewalls vulnerable, propelling
alarm within cybersecurity circles, especially given how widely these
products are used by government organizations.
— The bug, tracked as CVE-2023-27997, has a “critical” severity score of 9.8
out of 10.
— An exploit developed by security firm Bishop Fox has reignited concerns,
as this could lead to data breaches, ransomware attacks, and other serious
consequences.
— Experts urge immediate patching, since many unpatched instances are
running outdated versions, some of which reached end-of-life years ago.
Google Moving to Scrape for AI
Google is updating its privacy policy, and it’s all about feeding the
AI. Publicly available content – think blogs, photos, music – will now be
used to train Google’s in-house AI models. While this isn’t necessarily new,
it’s the scope that’s been widened – Translate, Bard, Cloud AI are all on
the list.
New Chinese APT Tradecraft
Chinese cyber-espionage group Volt Typhoon, tracked by CrowdStrike as
Vanguard Panda, has been active since mid-2020, using uncharted tradecraft
to maintain remote access to critical infrastructure targets. Vanguard Panda
employs initial exploits and custom web shells for persistent access, and
living-off-the-land techniques for lateral movement. The group shows a
strong emphasis on operational security, using an extensive set of
open-source tools against a limited number of victims.
S3 Takeovers
In a new twist on subdomain takeovers, attackers have found a way to
poison NPM packages by hijacking the S3 bucket serving the necessary
binaries and replacing them with malicious ones. This reminds me of old C
code vulnerabilities where you have big trouble if you delete things and
don’t clean up afterwards. Same with domain takeovers. It’s also like
deprovisioning employees. Interesting parallels for all these. Basically any
time something gets removed you have to execute a meticulous cleanup plan.
Solar Hacking
Cyble’s threat analysts have found that 134,634 PV utility products,
used for remote monitoring and management of renewable energy units, are
exposed on the internet, showing that we’re not learning anything and don’t
deserve nice things.
– The systems came from vendors including Solar-Log, Danfoss Solar Web
Server, and SMA Sunny Webbox
TECHNOLOGY NEWS
GPT-4 Releases GPT-4 API Access
API access is now available for all paying customers, and OpenAI has
also opened access to the Code Interpreter plugin, which is an absolute marvel.
You can upload complete spreadsheets,
raw datasets, and ask it to find patterns in the data. Not just find the
patterns, but it can make you visualizations of them. Great release week for
OpenAI.
Canada Goes Hard on Tech Immigration
Canada has launched its first-ever Tech Talent Strategy aiming to
draw and keep top tech talent to stimulate the nation’s high-growth
industries and drive technological advancements. The strategy introduces an
open work permit stream for H-1B specialty occupation visa holders in the US
to apply for a Canadian work permit. I love the hustle!
GPT-4 Diss
George Hotz and some others are claiming that GPT-4 wasn’t some major
breakthrough model, but rather multiple smaller models rigged up to work
together. My response? Sure. And consciousness is just some “brain activity
leading to subjective experience.” Like Dennett said, consciousness is just
a “bag of tricks”, but he doesn’t make the mistake of concluding that it’s
therefore uninteresting. Yes, OpenAI uses a series of hacks to get their
results. So what. Put me in line for the next set of hacks.
HUMAN NEWS
Fewer People Quitting
As the Federal Reserve continues to increase interest rates and the
U.S. labor market cools, fewer Americans are voluntarily leaving their jobs
– a trend that’s inching closer to pre-pandemic levels. The rate of
voluntary job departures, or quits rate, has seen a decline from 4.5 million
in November 2021 to 4 million in May 2023.
Aspartame WHO Warning
The World Health Organization’s cancer research arm is set to declare
aspartame, a widely used artificial sweetener, as “possibly carcinogenic to
humans”, following a safety review, causing potential upheaval in the food
and beverage industry worldwide. We’ve seen this movie many times before;
the question will be what new research showed that the previous, very large
studies did not find.
Gen-Z Finances
The Gen Z generation, facing societal and economic uncertainties, are
reshaping their financial habits, prioritizing quality of life and personal
growth over traditional financial markers of success. This seems healthy
compared to unbridled materialism, but I worry that they could also limit
their success overall and thus limit their ability to have those
experiences.
IDEAS & ANALYSIS
Smart People Biases, and What to Do About Them
I’ve been struck recently by the number of logical flaws I’ve seen in people
I greatly admire. Like pundits and such. And this has led me to think a
couple of things: 1) traumas (and other things) can compromise intellectual
integrity, and 2) you have to follow a lot of people’s work and come up with
your own triangulation that suits your lifestyle, and 3) the person you
follow the most might be right about 37 out of 42 topics, but those other 5
could be seriously consequential to you if you don’t realize they’re wrong
there. Example: Andreessen goes on Lex’s podcast and is brilliant for the
whole first part of the show. But then when he starts talking about AI risk
he loses his mind. Why? He’s an AI investor. And he hates regulation. The
worst possible thing that could happen to him is everyone panicking about AI
risk and shutting down investments. So what do you know? He is right about
39 things out of 42, but one he’s wrong about is AI risk. Same with Peter
Zeihan. He’s all pro-West and thinks China is done. He has great points, but
I hear religion in his voice, and it’s scary. So how will I know when he’s
overextended? My only solution so far has been to collect even more, and
even more diverse, opinions. And triangulate and monitor.
Thoughts on Wegovy/Ozempic
You might have heard about some new
diabetic / weight loss drugs that work via weekly injections. I’m taking
Wegovy. It’s pretty awesome. I’ve already lost like 7 pounds and I’m not
even close to full dose yet. But I wanted to raise a yellow flag of warning
on something, in case you’re taking it or are thinking about doing so. It
raises your resting heart rate. Not by a little. I used to sleep at like 49
to 52 beats per minute. I’m now at 61 bpm. I mention this because Scott
Galloway had a doctor on his show a few weeks ago and he mentioned the
heart rate thing, and he added a comment: “I’ve never seen anything that
raises your heart rate by that much that ended up being a good thing,” or
something like that. I’m still taking it knowing this because my risk
calculation is that being this heavy is a known and higher risk. But I just
wanted to offer that to anyone who it benefits.
Security is Alchemy
Quick thought I’ll turn into a full
essay later. The biggest reason security is such a messed up field, and
such a fun field, is that it’s still Alchemy vs. Chemistry. Accounting is
chemistry. Civil Engineering is chemistry. What makes them so? They
understand the inputs and outputs and how they relate to each other. We
don’t have that yet in security. What we have is a bunch of wizards running
around casting spells, mixing elixirs, drinking potions, and then when
something bad happens we blame the evil wizards, or a bad potion. It’s
pretty damn exciting, which is why I love it. But it shouldn’t be exciting,
and it won’t be once we understand the inputs and outputs better. This’ll
probably surprise you, but I think AI will help. The insurance companies are
going to use SPQA to map everything, track controls, track outcomes, and
make the connections. AI will move security from alchemy to chemistry.
NOTES
I’ve got a really cool new strength training technique. It’s basically one
giant set for an exercise. You take 50 lb. dumbbells, for example, and you
do as many as you can. Then you immediately pick up the 40s and do as many
as you can. Then 30s. Then 20s. Then 10s. Or you can skip and do like 40s
and then 20s and then 10s. The point is you want one long set with no rest
in-between that takes you to COMPLETE failure. I hate wasting time in the
gym so I can do this on a few muscle groups and be out of there in 15-20
mins! Arms are currently sore to the touch, and it’s glorious.
I don’t have CarPlay right now because I have a Tesla, but I definitely miss
it. And now I miss it more because they’re about to add SharePlay, which is
a seamless way for passengers to run the sound system. A timeless problem
finally solved. Oh, and I’ve actually never done SharePlay with anyone.
Anyone in the community up to watch a movie together? We should do an event
for it.
DISCOVERY
⚙️CVSS 4.0 Calculator — A view of the new calculator for Version 4.0 of
CVSS.
⚙️DNSAnalyzer — Find DNS vulnerabilities from within Burp.
⚙️Carbon — Create and share beautiful images of your source code.
Advanced macOS Command-line Tools
The Reef Knot is evidently the best, and most mathematically sound, way to
tie your shoes. According to this article anyway. Strangely enough I was
looking for something like this.
Why I switched from NeoVim to VSCode.
Why engineers should focus on writing.
How to 1.5x your salary through negotiation.
RECOMMENDATION OF THE WEEK
- Think about the smart people whose work you follow
- Ask yourself how you’d know if they were wrong about a particular topic
- Do you have a secondary or tertiary source to counter that person in your narrative-forming?
- Make sure you have enough quality sources coming in that you can use them to check each other
APHORISM OF THE WEEK
❝
The art of being wise is the art of knowing what to overlook.
William James
0 responses on "Unsupervised Learning NO. 389"