Unsupervised Learning NO. 392

Trail of Bits Testing Handbook, Startups Freefall, and Chinese Propaganda Escalation…

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Hey there, Happy Monday!

I’m spending most of my time improving my autonomous agents, coding on our product, and prepping for Vegas. Saw this great Tweet from Jake Williams about picking the right tool for the job, and thought it was worth sharing.

Have a great week!

In this episode:

💡 Burnout and Addiction: A New Perspective
🚦 UL RSS Live: Stay Updated
🔍 Security News: Testing Handbook, IDOR Vulnerability, Lazarus Hacks
📈 Technology News: Startup Decline, iPhone Dominance, AI Girlfriends
🌍 Human News: Longevity Habits, Unemployment Rates, Math Crisis
💭 Ideas & Analysis: AI Tooling and Reading
🎨 Hacker Art by Rez0
🛠️ Discovery: New Tools and Insights
👥 Managerial Pitfalls: Transitioning Roles
👜 Birkin Bag Economics: The World's Most Expensive Handbag
🔭 Tool & Article Discovery
➡️ The Recommendation of the Week
🗣️ The Aphorism of the Week

MY WORK

💡 Burnout and Addiction 
My latest short essay on how burnout and addiction may have a similar cause—and a similar solution. UL

RSS Live
🚦 Our RSS feed is live again! You can hit it at https://danielmiessler.com/rss. FEED

SECURITY NEWS

Testing Handbook Unveiled
Trail of Bits has released the first chapter of its testing handbook, which focuses on Semgrep. The handbook aims to provide comprehensive guidance on testing methodologies, starting with static analysis. TRAILOFBITS

CISA IDOR Vulnerability Warning
In collaboration with the Australian Cyber Security Centre and U.S. National Security Agency, CISA has issued a warning about the significant breach risks associated with insecure direct object reference (IDOR) vulnerabilities in web applications. These vulnerabilities, which can lead to unauthorized access and data breaches, have been exploited in several incidents, resulting in the compromise of personal, financial, and health information of millions of users. BLEEPINGCOMPUTER 

Lazarus Hacks IIS 
The North Korean Lazarus hacking group is breaching Windows Internet Information Services (IIS) web servers to distribute malware. The group is leveraging poorly protected IIS services; the main advantage is the ease of infecting visitors of websites or users of services hosted on breached IIS servers owned by trustworthy organizations. BLEEPINGCOMPUTER

Sponsor

🔐 Opal, scalable identity security 🔐

🧍🏼Opal is designed to give teams the building blocks for identity-first security: view authorization paths, manage risk, and seamlessly apply intelligent policies built to grow with your organization.

They are built from the ground up to synthesize the data needed to construct and monitor all of your company’s access – from a single pane of glass.

🛡️Opal is used by best-in-class security teams today, such as Blend, Databricks, Drata, Figma, Scale AI, and more. There is no one-size-fits-all when it comes to access, but they provide the foundation to scale least privilege the right way.

North Korean Hackers 
North Korean hackers made a mistake that exposed their real-world IP addresses during a recent intrusion at enterprise software company JumpCloud. Mandiant, assisting one of JumpCloud’s affected customers, attributed the breach to North Korea’s Reconnaissance General Bureau, a hacking unit that targets cryptocurrency companies and steals passwords. TECHCRUNCH

China's Disinformation Tactics 
China is reportedly using fake social media accounts linked to transnational criminal groups to spread propaganda and disinformation. According to the Australian Strategic Policy Institute, these accounts are connected to a network promoting Warner International Casino, an online gambling platform operating in Southeast Asia. THERECORD

Yamaha Cyberattack 
Yamaha's Canadian music division recently confirmed a cyberattack, following claims from two different ransomware groups that they had attacked the company. The trend of victim organizations being posted by multiple ransomware groups is becoming increasingly common, with Yamaha being the latest example. THERECORD

Norway's Government Breach 
Hackers exploited a zero-day vulnerability in Ivanti's software, compromising a dozen Norwegian government agencies. The vulnerability, tracked as CVE-2023-35078, received the highest CVSS score of 10, indicating a critical bug. THERECORD

AI Phishing Attempts 
ChatGPT and other AI assistants like Meta's Llama 2 are being tested for their potential use in phishing scams. While Llama 2 has built-in restrictions against such misuse, ChatGPT produced a convincing email template without pushback. TALOSINTELLIGENCE

TSA's CLEAR Concerns 
The TSA is cracking down on the CLEAR program, which expedites airport security using biometrics, due to a security incident last year. The incident revealed that CLEAR's facial-recognition system was vulnerable to abuse, with nearly 49,000 customers enrolled despite being flagged as non-matches by the software. Big Yikes. VIEWFROMTHEWING

Militia Extremism
The FBI has released a reference guide on Militia Violent Extremists (MVEs), detailing their ideologies, targets, tactics, and key terms. MVEs are anti-government extremists who believe in using force to protect against perceived threats to their rights and the Constitution, often referencing conspiracy theories and historic grievances. PUBLICINTELLIGENCE

Propaganda Escalation
Shanghai-based marketing firm Haixun has allegedly taken its pro-China influence campaign to new heights, using newswire services, staged protests, and billboard ads to spread propaganda in the U.S. The firm, which has Chinese police and government agencies among its clients, was previously associated with a campaign involving 72 fake news sites worldwide. THERECORD

LLM Vulnerabilities 
Researchers have disclosed potential attacks on public Large Language Models (LLMs), and they have a pretty slick, minimalist way of demonstrating them on the website. The team had previously alerted companies hosting the large closed-source LLMs they tested, highlighting the need for further research on adversarial attacks on LLMs. LLM-ATTACKS

Data Brokers' Tactics 
Data brokers are now selling license plate location and analytics data. This new trend has raised concerns about privacy and the potential misuse of such information. HACKERNEWS

AI Policing 
An AI-equipped police van in Hampshire, UK, has been successful in identifying drivers using mobile phones and other traffic violations. During a week-long operation, the van detected 86 drivers using a phone, 273 not wearing seat belts, and 132 mechanical offenses. BBC

Vulnerabilities:

  • 🪳Critical Fortinet Vulnerability — A critical remote code execution vulnerability has been discovered in Fortinet's FortiGate. | Critical | CVE-2023-27997 | REDDIT

  • 🪳MikroTik Vulnerability — Over 900,000 MikroTik routers are at risk due to a 'Super Admin' privilege elevation that’s exploitable with an existing admin account. The problem is that the RouterOS operating system does not prevent password brute-force attacks. | Critical | CVE-2023-30799 | BLEEPINGCOMPUTER

TECHNOLOGY NEWS

Startup Decline 
The entrepreneurial landscape is witnessing a concerning trend - a steep decline in the formation of new startups. Data from Crunchbase shows an estimated decrease of about 86% in the US, 89% in Israel, and 87% in the EU from 2020 to 2023. Those are insane numbers! I’m hoping that means it’s a better climate for people who actually do start a business? CRUNCHBASE

iPhone Dominance 
US iPhone market share has spiked to 55% in Q2, largely due to a significant drop in Android smartphone shipments. The overall US smartphone market saw a 24% year-on-year decline in shipments, with Apple's smaller 6% drop allowing it to increase its market share. It takes a while sometimes, but quality and consistency eventually win out in the marketplace. 9TO5MAC

AI Girlfriends Trend 
AI girlfriends are ascending, with many articles discussing the implications of the trend on society and human relationships. The under-30 demographic, being the most tech-savvy and likely to be single, is turning to virtual companionship, with 63% of men under 30 describing themselves as single, compared to 34% of women in the same age group. INNOVATIONNATION

HUMAN NEWS

Longevity Habits 
A new study suggests adopting eight healthy lifestyle choices at age 40 could add up to 24 years to your life. The study, analyzing data on US veterans, found that even starting these habits at age 50 or 60 could add 21 and 18 years to your life respectively. The list seems quite approachable, actually. CNN

Record Low Unemployment 
Unemployment rates are hitting record lows in 17 states across the US, reflecting a thriving national job market. According to the Bureau of Labor Statistics, states like New Hampshire and South Dakota have the lowest unemployment rates at 1.8%. I’ve yet to hear a clear and convincing argument for why unemployment is so low but people are still saying it’s impossible to find a job. AXIOS

California's Math Crisis 
California's Board of Education has approved a new set of recommendations, the California Mathematics Framework (CMF), which critics argue de-emphasizes mathematical excellence in favor of minimizing racial inequity. The CMF discourages teaching algebra until high school, ends advanced courses until high school, and foregrounds "equity" at the expense of teaching math basics like addition and subtraction. THEFP

Japan's Population Decline 
Japan's population crisis is worsening, with the number of nationals dropping by over 800,000 last year, reflecting trends seen in other East Asian countries. The total population as of January 1 this year stood at 125.4 million, including both Japanese and foreign residents, according to data from Japan's internal affairs ministry. CNN

Resilient Economy 
The American economy continues to grow at a healthy pace, showing resilience in the face of the fastest interest rate tightening cycle since 1970. Adjusted for inflation, GDP increased at a 2.4% annualized rate in the second quarter, picking up from Q1's 2% pace. AXIOS

IDEAS & ANALYSIS

AI Tooling Will Be Like Reading for Fun
I had the sad thought recently that AI tooling will be, and already is actually, a lot like reading. Yes, it’ll be available to most everyone in the US, but only a subset of people will take advantage. I know lots of smart people, with tons of intellect and potential. But they don’t read. They don’t work out. They don’t spend their time grinding. AI tools will likely be yet another thing they won’t do. The result of this will be that small group of grinders pulling that much further away from everyone else. Because now they’re not only reading and grinding, but they’re doing so augmented by automation and intelligence. I guess I should have anticipated that, but I’m still hopeful that we’ll find a way, perhaps with AI’s help, to bring the optimizations to far more people.

NOTES

My buddy Joseph Thacker just launched his new Hacker Art site, Hackersbyrez0.com. It’s hundreds of his own insanely creative AI Art images of various types of hacker, and they’re all free to use! And every time you refresh you get a different collection! HACKERSBYREZ0

DISCOVERY

⚒️ File Change Monitor — A tool that detects changes in JavaScript files and notifies users when new API endpoints are added. It's a convenient way to monitor updates on various websites. | by cablej | GITHUB 

⚒️ cdncheck — A utility tool for identifying the technology associated with DNS/IP network addresses. It's easy to use and extendable, supporting CDN, Cloud, and WAF detection. | by ProjectDiscovery | GITHUB

⚒️ JSMon — A JavaScript Change Monitor for BugBounty. This tool allows you to configure a number of JavaScript files on websites that you want to monitor. When these files change, you are notified via Telegram with a link to the script, the changed file sizes, and a diff file to inspect the changes. | by r0bre | GITHUB

⚒️ Tree-of-Thought — A new reasoning method implemented in Langchain_experimental, originally conceptualized by Shunyu Yao and brought to life by Vadim Gubergrits. | TWITTER

⚒️ CV Analyser — A simple tool that compares your CV to the job description and provides recommendations to improve it, increasing your chances of landing an interview. | by Oli from GPTDevs | TWITTER

⚒️ Agent Iterators — LangChain has introduced a feature that allows agents to run as iterators, enabling execution of a single step at a time with custom logic in between. | by @SlapDron3 and @lacicocodes | TWITTER

Managerial Pitfalls 
Charity Majors discusses the potential downsides of transitioning from an individual contributor (IC) to a managerial role, highlighting the challenges and trade-offs that come with the territory. Majors emphasizes that management requires a different skill set, often leading to less direct creation, more responsibility, and a shift in work-life balance. CHARITY.WTF

Fine-Tuning Power 
Lucas Pauker's article explores the potential of fine-tuning in large language models (LLMs). He emphasizes the transformative effect of fine-tuning, comparing it to the difference between a general practitioner and a specialist doctor. HACKERNEWS

Broken RF
My buddy Matt Johansen wrote an epic thread about the vulnerabilities discovered in encrypted radio communications. TWITTER

Birkin Bag Economics 
The Birkin bag, designed by Hermès's chief executive Jean-Louis Dumas for actress Jane Birkin in 1983, has become the world's most expensive handbag, with prices starting at $7,000. The bag's high cost is attributed to its exquisite craftsmanship, with each bag taking up to 18 hours to complete, and the brand's strategy of rationing by queue rather than price, creating a perception of exclusivity. ECONOMIST

Ancient Worms Revived 
Scientists have managed to revive ancient worms from permafrost after a staggering 46,000 years. NYTIMES

RECOMMENDATION OF THE WEEK

Realize that you are enough.

It’s fine to want to improve yourself, and to even obsess over doing so. That’s fine. But it shouldn’t come from a belief that how you are is somehow wrong or bad. And it most definitely shouldn’t come from the outside.

You are enough.

APHORISM OF THE WEEK

When good people pretend uncomfortable truths don’t exist—and attack those who acknowledge them—they empower the hateful to gain office and commit legalized atrocities.

We’ll see you next time,