Unsupervised Learning NO. 389


Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Heading into a busy week. Working on a super exciting new product under the TELOS banner—the first of our products built using the SPQA architecture, and I’m absolutely pumped for it. I’m also working on a bunch of talks for Vegas and other places.

Also, felt like this newsletter was juicier than usual, hope you like it!

📚 The Real Internet of Things: A Look into the Future of Technology
🔒 Pentera’s Unique Approach to Automated Security Validation
🌐 AI and the Reduction of the Creativity Friction Coefficient
🔐 LockBit vs. TSMC: A Tale of Ransomware and Supply Chain Dependencies
☁️ The US’s Move to Block Chinese Cloud Usage: A National Security Matter
🔥 Fortinet Fallout: A Critical Bug in FortiGate Firewalls
🇨🇳 New Chinese APT Tradecraft: Volt Typhoon’s Stealthy Approach
🔍 Google’s Privacy Policy Update: Feeding the AI
🌞 Solar Hacking: The Exposure of Renewable Energy Units
📋 And more…

I wrote a book in 2016 about the future of technology, called The Real Internet of Things. To be honest I didn’t like it that much at the time; I just wanted to get the ideas out there and locked in time. Well, now the ideas are starting to happen!

I can now happily recommend that you pick up a copy. If you like any of my content, and you’ve been following what’s happening with AI, I think you’ll really enjoy the book. Not just for the stuff that’s already happened, but for the stuff that’s coming next that’s already in the book!

I wish I could say go to your local Barnes & Noble, but they only have bookstores in London these days, and it’s currently Kindle and Paperback only anyway. Oh, and if any members want a signed copy let me know in Member Chat.

I’m finally sharing my book from 2016, because it’s just now sounding realistic.

Pentera Sponsored Interview
I had a great conversation recently with Aviv Cohen, CMO of Pentera. They do something like automated pen-testing and attack surface management, but they have a different take on it and call it Automated Security Validation. It was a great conversation about the whole space, the problem they’re addressing, and how they approach it differently. Worth a listen if you’re adjacent to that space in any way. LISTEN | PENTERA.IO

LockBit vs. TSMC
The now-famous LockBit ransomware group has hit TSMC, one of the world’s leading chipmakers, demanding a $70 million ransom after breaching security at Kinmax, TSMC’s hardware supplier.

— LockBit was able to access server configurations and settings of TSMC through a compromised test environment at Kinmax.

— LockBit threatened to go public with the data if the ransom isn’t paid.

— Despite the breach, TSMC maintains that its operations have not been impacted, and crucially, no customer information has been compromised.

The tangled web of supply chain dependencies continues to produce for attackers. I honestly can’t wait until AI is good enough to take an inventory of a company’s environment, find all the vendors and dependencies, and build a Business Resilience Risk report based on that. Threat scenarios, backup plans, etc. Honestly it’s not the AI that’s the problem, but finding the right artifacts to feed the AI to show it the whole picture. MORE

The US to Block Chinese Cloud Usage 
The Biden administration is reportedly looking to restrict Chinese firms’ access to US cloud-computing services, which could significantly exacerbate tensions between the two economic giants.

– If adopted, the rule would require US cloud-service providers like Amazon and Microsoft to obtain government permission before offering cloud services that run on advanced AI chips to Chinese clients.

– The proposed cloud restrictions are viewed as a way to address a significant loophole—Chinese AI companies potentially bypassing existing export control rules by leveraging cloud services.

– The $53 billion Chips Act aims to curtail US reliance on foreign-made semiconductors, particularly those used by the Pentagon, making this a crucial national security matter.

I’m nervous about escalating tensions but I’m happy the Biden administration is playing hawkish on China in general. I feel like the US has just had enough of their blatant attempts to hack and steal everything, and I just wish more of the world had the vision or the freedom to take a similar stance. MORE

Fortinet Fallout
A new bug has left roughly 70% of FortiGate firewalls vulnerable, raising alarm within cybersecurity circles, especially given how widely these products are used by government organizations.

— The bug, tracked as CVE-2023-27997, has a “critical” severity score of 9.8 out of 10.

— An exploit developed by security firm Bishop Fox has reignited concerns, as this could lead to data breaches, ransomware attacks, and other serious consequences.

— Experts urge immediate patching, since many unpatched instances are running outdated versions, some of which have reached end-of-life years ago. MORE
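The practical question for anyone running FortiGate is whether a given box is on a fixed build. Below is an added example (not from the newsletter or from Fortinet) that parses the version line from `get system status` output and compares it against the minimum fixed FortiOS release for each branch. The fixed-version table is my recollection of Fortinet’s advisory FG-IR-23-097 for CVE-2023-27997; treat it as an assumption and verify it against the current advisory before acting on the result. The sample status lines and build numbers are constructed for the example.

```python
"""Classify FortiOS builds as patched / vulnerable for CVE-2023-27997.

Added example, not Fortinet's code. The FIXED_VERSIONS table is taken from
memory of advisory FG-IR-23-097 and must be verified against the live
advisory; branches missing from the table (e.g. 5.x) are end-of-life and
never received a fix.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# branch (major, minor) -> first fixed release on that branch (ASSUMED, verify)
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (7, 4): (7, 4, 0),
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 14),
    (6, 0): (6, 0, 17),
}
NEWEST_KNOWN_BRANCH = max(FIXED_VERSIONS)

# Matches the "vX.Y.Z" token in the Version line of `get system status`,
# e.g. "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)".
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_line: str) -> Optional[Version]:
    """Return (major, minor, patch) from a status line, or None if absent."""
    m = VERSION_RE.search(status_line)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(status_line: str) -> str:
    """One of: 'patched', 'vulnerable', 'end-of-life', 'unknown'."""
    v = parse_version(status_line)
    if v is None:
        return "unknown"
    branch = (v[0], v[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Newer than any branch in the table: shipped after the fix.
        # Older: never fixed, the only remediation is to upgrade branches.
        return "patched" if branch > NEWEST_KNOWN_BRANCH else "end-of-life"
    return "patched" if v >= fixed else "vulnerable"


# Constructed sample output lines (device names and build numbers invented)
SAMPLE_STATUS_LINES = [
    "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)",
    "Version: FortiGate-60F v7.2.5,build1517,230605 (GA)",
    "Version: FortiGate-200E v5.6.14,build1727,211012 (GA)",
    "Version: FortiGate-60F v7.4.0,build2360,230509 (GA)",
]

if __name__ == "__main__":
    for line in SAMPLE_STATUS_LINES:
        print(f"{assess(line):12s} {line}")
```

Because the flaw sits in the SSL-VPN daemon, a device reporting `vulnerable` but with SSL-VPN disabled is not reachable through this bug; the version check is still the thing to act on, since the fix is an upgrade either way.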

Google Moving to Scrape for AI
Google is updating its privacy policy, and it’s all about feeding the AI. Publicly available content – think blogs, photos, music – will now be used to train Google’s in-house AI models. While this isn’t necessarily new, it’s the scope that’s been widened – Translate, Bard, Cloud AI are all on the list. MORE

💡Illuminate Your Path to Cloud Security Mastery

1️⃣ The Triad of Modern Security

2️⃣ A 4-Stage Security Roadmap

3️⃣ KPI Templates from Leading Hyper-Scaling Enterprises

🛡️Navigate the evolving threat landscape with confidence. Claim your FREE copy today! 🚀

New Chinese APT Tradecraft
Chinese cyber-espionage group Volt Typhoon, tracked by CrowdStrike as Vanguard Panda, has been active since mid-2020, using previously undocumented tradecraft to maintain remote access to critical infrastructure targets. Vanguard Panda employs initial exploits and custom web shells for persistent access, and living-off-the-land techniques for lateral movement. The group shows a strong emphasis on operational security, using an extensive set of open-source tools against a limited number of victims. MORE

S3 Takeovers
In a new twist on subdomain takeovers, attackers have found a way to poison NPM packages by hijacking the S3 bucket serving the necessary binaries and replacing them with malicious ones. This reminds me of old C code vulnerabilities where you have big trouble if you delete things and don’t clean up afterwards. Same with domain takeovers. It’s also like deprovisioning employees. Interesting parallels for all these. Basically any time something gets removed you have to execute a meticulous cleanup plan. MORE 
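The cleanup problem above has a concrete form for npm consumers: a package whose install step pulls a prebuilt binary from an S3 URL is only as safe as the bucket name. Below is an added example (not from the newsletter or from any npm tooling) that pulls every S3 bucket name out of a package.json, covering both virtual-hosted (`bucket.s3[.region].amazonaws.com`) and path-style (`s3[.region].amazonaws.com/bucket`) URLs, and a small classifier for the response an S3 probe returns: a 404 carrying `NoSuchBucket` means the name is unowned and can be registered by anyone. The package.json, bucket names and responses are constructed for the example; the actual HTTP probe is left to the reader since it needs network access.

```python
"""Find S3 buckets an npm package's install depends on, and classify probe
results. Added example; the package.json below is constructed, not a real
package, and bucket names are invented.
"""
import json
import re
from typing import Any, Iterable, List, Set

# virtual-hosted style: https://<bucket>.s3.amazonaws.com or
# https://<bucket>.s3.<region>.amazonaws.com / s3-<region>
VHOST_RE = re.compile(
    r"https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I
)
# path style: https://s3.amazonaws.com/<bucket>/... or
# https://s3.<region>.amazonaws.com/<bucket>/...
PATH_RE = re.compile(
    r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)", re.I
)

# Constructed package.json in the node-pre-gyp style (binary.host points at
# the bucket that serves prebuilt binaries at install time).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-native-addon",
    "version": "1.2.3",
    "scripts": {"install": "node-pre-gyp install --fallback-to-build"},
    "binary": {
        "module_name": "addon",
        "host": "https://example-native-addon-binaries.s3.us-west-2.amazonaws.com",
        "remote_path": "./{module_name}/v{version}/",
    },
    "homepage": "https://s3.amazonaws.com/example-docs-bucket/index.html",
})


def iter_strings(node: Any) -> Iterable[str]:
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def s3_buckets(package_json: str) -> List[str]:
    """Return the sorted, de-duplicated set of S3 bucket names referenced."""
    found: Set[str] = set()
    for text in iter_strings(json.loads(package_json)):
        for rx in (VHOST_RE, PATH_RE):
            for m in rx.finditer(text):
                found.add(m.group(1).lower())
    return sorted(found)


def classify_bucket(status: int, body: str) -> str:
    """Interpret an unauthenticated GET on https://<bucket>.s3.amazonaws.com/.

    S3 answers NoSuchBucket when the name is unowned (takeover candidate),
    NoSuchKey when the bucket exists but the object does not, and 403 when
    the bucket exists but is private.
    """
    if status == 404 and "NoSuchBucket" in body:
        return "unclaimed"
    if status == 404:
        return "exists-missing-key"
    if status in (200, 403):
        return "exists"
    return "unknown"


if __name__ == "__main__":
    for bucket in s3_buckets(SAMPLE_PACKAGE_JSON):
        print("depends on bucket:", bucket)
```

Run this over the package.json of every dependency that declares a `binary.host` or an install script, then probe each bucket; an `unclaimed` result on a bucket a live package still fetches from is exactly the hole described above, and the fix is to re-register the name (or move the binaries) before someone else does.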

Solar Hacking
Cyble’s threat analysts have found that 134,634 PV utility products, used for remote monitoring and management of renewable energy units, are exposed on the internet, showing that we’re not learning anything and don’t deserve nice things.

– The systems came from vendors including Solar-Log, Danfoss Solar Web Server, and SMA Sunny Webbox. MORE

OpenAI Releases GPT-4 API Access
API access is now available for all paying customers, and OpenAI has also opened access to the Code Interpreter plugin, which is an absolute marvel. You can upload complete spreadsheets, raw datasets, and ask it to find patterns in the data. Not just find the patterns, but it can make you visualizations of them. Great release week for OpenAI. MORE 

Canada Goes Hard on Tech Immigration
Canada has launched its first-ever Tech Talent Strategy, aiming to attract and retain top tech talent to stimulate the nation’s high-growth industries and drive technological advancement. The strategy introduces an open work permit stream that lets H-1B specialty occupation visa holders in the US apply for a Canadian work permit. I love the hustle! MORE

GPT-4 Diss
George Hotz and some others are claiming that GPT-4 wasn’t some major breakthrough model, but rather multiple smaller models rigged up to work together. My response? Sure. And consciousness is just some “brain activity leading to subjective experience.” Like Dennett said, consciousness is just a “bag of tricks”, but he doesn’t make the mistake of concluding that it’s therefore uninteresting. Yes, OpenAI uses a series of hacks to get their results. So what. Put me in line for the next set of hacks. MORE

Fewer People Quitting
As the Federal Reserve continues to increase interest rates and the U.S. labor market cools, fewer Americans are voluntarily leaving their jobs – a trend that’s inching closer to pre-pandemic levels. The number of voluntary job departures, or quits, has declined from 4.5 million in November 2021 to 4 million in May 2023. MORE

Aspartame WHO Warning
The World Health Organization’s cancer research arm is set to declare aspartame, a widely used artificial sweetener, as “possibly carcinogenic to humans”, following a safety review, causing potential upheaval in the food and beverage industry worldwide. We’ve seen this movie many times before; the question will be what new research showed that the previous, very large studies did not find. MORE

Gen-Z Finances
Gen Z, facing societal and economic uncertainty, is reshaping its financial habits, prioritizing quality of life and personal growth over traditional financial markers of success. This seems healthy compared to unbridled materialism, but I worry that it could also limit their success overall and thus limit their ability to have those experiences. MORE

Smart People Biases, and What to Do About Them
I’ve been struck recently by the number of logical flaws I’ve seen in people I greatly admire. Like pundits and such. And this has led me to think a couple of things: 1) traumas (and other things) can compromise intellectual integrity, and 2) you have to follow a lot of people’s work and come up with your own triangulation that suits your lifestyle, and 3) the person you follow the most might be right about 37 out of 42 topics, but those other 5 could be seriously consequential to you if you don’t realize they’re wrong there. Example: Andreessen goes on Lex’s podcast and is brilliant for the whole first part of the show. But then when he starts talking about AI risk he loses his mind. Why? He’s an AI investor. And he hates regulation. The worst possible thing that could happen to him is everyone panicking about AI risk and shutting down investments. So what do you know? He is right about 39 things out of 42, but one he’s wrong about is AI risk. Same with Peter Zeihan. He’s all pro-West and thinks China is done. He has great points, but I hear religion in his voice, and it’s scary. So how will I know when he’s overextended? My only solution so far has been to collect even more, and even more diverse, opinions. And triangulate and monitor.

Thoughts on Wegovy/Ozempic
You might have heard about some new diabetic / weight loss drugs that work via weekly injections. I’m taking Wegovy. It’s pretty awesome. I’ve already lost like 7 pounds and I’m not even close to full dose yet. But I wanted to raise a yellow flag of warning on something, in case you’re taking it or are thinking about doing so. It raises your resting heart rate. Not by a little. I used to sleep at like 49 to 52 beats per minute. I’m now at 61 bpm. I mention this because Scott Galloway had a doctor on his show a few weeks ago and he mentioned the heartrate thing, and he added a comment. “I’ve never seen anything that raises your heart rate by that much that ended up being a good thing.”, or something like that. I’m still taking it knowing this because my risk calculation is that being this heavy is a known and higher risk. But I just wanted to offer that to anyone who it benefits.

Security is Alchemy
Quick thought I’ll turn into a full essay later. The biggest reason security is such a messed up field, and such a fun field, is that it’s still Alchemy vs. Chemistry. Accounting is chemistry. Civil Engineering is chemistry. What makes them so? They understand the inputs and outputs and how they relate to each other. We don’t have that yet in security. What we have is a bunch of wizards running around casting spells, mixing elixirs, drinking potions, and then when something bad happens we blame the evil wizards, or a bad potion. It’s pretty damn exciting, which is why I love it. But it shouldn’t be exciting, and it won’t be once we understand the inputs and outputs better. This’ll probably surprise you, but I think AI will help. The insurance companies are going to use SPQA to map everything, track controls, track outcomes, and make the connections. AI will move security from alchemy to chemistry.

I’ve got a really cool new strength training technique. It’s basically one giant set for an exercise. You take 50 lb. dumbbells, for example, and you do as many as you can. Then you immediately pick up the 40s and do as many as you can. Then 30’s. Then 20’s. Then 10s. Or you can skip and do like 40’s and then 20’s and then 10s. The point is you want one long set with no rest in-between that takes you to COMPLETE failure. I hate wasting time in the gym so I can do this on a few muscle groups and be out of there in 15-20 mins! Arms are currently sore to the touch, and it’s glorious.

I don’t have CarPlay right now because I have a Tesla, but I definitely miss it. And now I miss it more because they’re about to add SharePlay, which is a seamless way for passengers to run the sound system. A timeless problem finally solved. Oh, and I’ve actually never done SharePlay with anyone. Anyone in the community up to watch a movie together? We should do an event for it.

⚙️CVSS 4.0 Calculator — A view of the new calculator for Version 4.0 of CVSS. MORE 

⚙️DNSAnalyzer — Find DNS vulnerabilities from within Burp. MORE 

⚙️Carbon — Create and share beautiful images of your source code. MORE

Advanced macOS Command-line Tools MORE 

The Reef Knot is evidently the best, and most mathematically sound, way to tie your shoes. According to this article anyway. Strangely enough I was looking for something like this. MORE 

Why I switched from NeoVim to VSCode. MORE

Why engineers should focus on writing. MORE

How to 1.5x your salary through negotiation. MORE

RECOMMENDATION OF THE WEEK

  1. Think about the smart people whose work you follow

  2. Ask yourself how you’d know if they were wrong about a particular topic

  3. Do you have a secondary or tertiary source to counter that person in your narrative-forming?

  4. Make sure you have enough quality sources coming in that you can use them to check each other

The art of being wise is the art of knowing what to overlook.

William James
