Skip to content

Elon's Doxxing FSD, ATHI AI Threat Modeling Framework, Cardboard Drones, and GPT Enterprise…

August 28, 2023   |   Read Online


Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Happy Monday!

Forever too soon

I’ve been wondering a lot about why security is getting hit so hard in this…um…whatever this is. I feel like I’ve seen more CISOs get laid off in the last few months than I’ve ever seen. And startups are seriously struggling to sell into companies.

I think it has a lot to do with orgs spending way too much on new tools in the boom times, often at the expense of doing the basics better, and then they realize a year or two later that they haven’t actually used them. So it’s a constant push-pull of install-and-rip.

Let me know if you’re seeing something similar, or if you see a bigger cause.

And have a great week!

In this episode:

🤔 Thoughts on the Eliezer vs. Hotz AI Safety Debate
🎥 Musk's FSD and Privacy Demo
🔒 Duolingo Data Breach
💥 MOVEit Mass Hack
🔎 Putin Critics' Fate
🚨 Leaseweb Security Breach
🔬 Lazarus's New Malware
🚁 Cardboard Drones in Combat
🕵️ Taiwan Espionage Alert
🔐 CloudNordic Ransomware Attack
📱 Kroll's SIM Swap
👾 GPT-4's API Misuses
🔭 Tool & Article Discovery
➡️ The Recommendation of the Week
🗣️ The Aphorism of the Week

MY WORK

Thoughts on the Eliezer vs. Hotz AI Safety Debate
How I think the debate went, and what I think these discussions are missing. READ IT

What Happens to Content When Top-tier Production Quality is Commoditized?
Some thoughts on the insane power of look & feel when we interpret content. Spawned by August’s UL Book of the Month. READ IT

ATHI — An AI Threat Modeling Framework
My thoughts on a clear, conversational framework for discussing AI threats, using a structure called ATHI (Actor, Technique, Harm, Impact. READ IT

🎙️ Listen to the Newsletter++
If you’re not getting the podcast yet, please subscribe. It’s a way to listen to the newsletter instead of reading it when you’re driving, working out, etc. ADD UL TO YOUR CLIENT

📡 Connect via RSS
RSS is not dead. You can follow all UL content with via the following RSS feed. ADD TO YOUR RSS READER

SECURITY NEWS

Musk's FSD and Privacy Demo
Elon Musk's livestreamed demo of Tesla's Full Self-Driving (FSD) beta software had a few hiccups, including a near miss at a red light and a casual doxxing of Mark Zuckerberg. He basically showed exactly where he lives to everyone on stream. Unbelievable. THEVERGE

Duolingo Data Breach
Scraped data of 2.6 million Duolingo users has been leaked on a hacking forum, making it possible for threat actors to conduct targeted phishing attacks. The data, which includes both public and non-public information, was scraped using an exposed API that Duolingo has yet to secure. BLEEPINGCOMPUTER

MOVEit Mass Hack
The mass-exploitation of MOVEit Transfer software has become the largest hack of 2023, with over 1,000 known victims and 60 million impacted individuals. The attack, attributed to the Clop ransomware gang, began in May when a zero-day vulnerability was disclosed in MOVEit Transfer, a service used by thousands of organizations to transfer large amounts of often-sensitive data. TECHCRUNCH


Sponsor

CNAPP for Dummies

The guide to mastering CNAPP - the hot new category in cloud-native security that's taking the industry by storm!

Wiz partnered with Wiley to create the Cloud Native Application Protection Platform (CNAPP) for Dummies eBook. This free 48-page PDF includes everything you need to know to secure the changing landscape of cloud-native applications and protect your cloud environment today.

You’ll learn:

  • The fundamentals of cloud-native security
  • Powerful tactics to strengthen security measures
  • Best practices for getting started
  • Techniques to shift security up the pipeline (and ahead of threats)
  • 10 strategies for maximizing the potential of your CNAPP

Get your free guide here.

Download Now


Putin Critics' Fate
In an absolute shock to everyone, Yevgeny Prigozhin, the guy who used to be Putin’s personal chef, and who staged an offensive against him (sort of), has met an untimely death. CNN

Leaseweb Security Breach
Leaseweb, a major cloud and hosting provider, is busy fixing "critical" systems after a recent security breach. The company, which serves over 20,000 customers worldwide and operates more than 80,000 servers, noticed "unusual" activity in its infrastructure leading to downtime for some cloud customers. BLEEPINGCOMPUTER

Lazarus's New Malware
North Korea's notorious Lazarus hacking group is using a new malware strain, QuiteRAT, to target healthcare entities and internet infrastructure in the US and Europe. THERECORD

Cardboard Drones in Combat
Ukraine is now using cardboard drones, courtesy of Australian company SYPAQ. These low-cost Corvo drones, initially designed for light transport, are now performing reconnaissance missions after feedback from Ukrainian soldiers. AIR&COSMOS

Taiwan Espionage Alert
Microsoft has warned about a new espionage operation, dubbed Flax Typhoon, linked to China's government that's been targeting Taiwanese organizations since mid-2021. The group's main targets are government agencies, education, critical manufacturing, and IT organizations in Taiwan, but victims have also been spotted across Southeast Asia, North America, and Africa. THERECORD

CloudNordic Ransomware Attack
CloudNordic, a large Danish cloud provider, has been hit hard by a ransomware attack, leaving all customer data lost and the company paralyzed. The attack occurred on August 18, wiping out both company and customer websites and email systems, with even the backups being trashed. THEREGISTER


Sponsor

Building a SaaS business? It’s time to automate compliance.

Achieving compliance can unlock major growth for your company and build a foundation of trust.

Vanta automates up to 90% of compliance for SOC 2, ISO 27001, HIPAA, and more, getting you audit-ready in weeks and saving you up to 85% of costs.

And Vanta scales with your business, helping you enter new markets, land bigger deals, and earn customer loyalty.

Get $1000 off Vanta at

👉vanta.com/unsupervised👈

Learn More


Kroll's SIM Swap
Kroll, a risk and financial advisory solutions provider, disclosed that one of its employees was a victim of a sophisticated SIM swapping attack. The incident, which occurred on August 19, 2023, allowed the attacker to gain access to files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis. THEHACKERNEWS

GPT-4's API Misuses
Turns out, GPT-4, the large language model, is generating code with a lot of API misuses. A recent study shows that 62% of the code generated by GPT-4 contains API misuses, which could lead to severe problems like resource leaks and program crashes. ARXIV

Personal Data for Sale
Hackers are using a tool on Telegram to access and sell personal data, including addresses, phone numbers, and driver's license details, for as little as $15 in Bitcoin. The tool taps into credit header data from credit bureaus like Experian, Equifax, and TransUnion, which is then sold to debt collectors, insurance companies, and law enforcement. 404MEDIA

Whiffy Recon Malware
A new malware strain called Whiffy Recon is causing a stir, as it triangulates the location of infected devices every minute by scanning nearby Wi-Fi access points. The malware, delivered via SmokeLoader, has been offered for sale to Russian-based threat actors since 2014. THEHACKERNEWS

AI Military Race
The U.S. and China are very close in a global race to integrate artificial intelligence into their militaries, with a focus on autonomous weapons and AI tools for target identification. A recent study found that about a third of all known contracts in both countries were for intelligent and autonomous vehicles, the largest share in both nations. OODALOOP

Ubuntu's Snap Push
Canonical is doubling down on its snap packaging format, planning to block .deb versions of apps in Ubuntu's app store if a snap version is available. This move is part of Canonical's broader plan to release a snap-based immutable version of Ubuntu next year. WEBPRONEWS

AI Surveillance
AI is now being used to analyze data from license plate scanners, identifying "suspicious" vehicle behavior. In Westchester County, the ALPR system was scanning over 16 million license plates a week, across 480 cameras, taking notes on vehicles’ make, model, and color. SCHNEIER

Lazarus Group's New Tactics
The North Korean state-sponsored Lazarus Group is switching up its game, increasingly using open-source tools and frameworks in the initial access phase of their attacks. In a recent campaign, they exploited a ManageEngine ServiceDesk flaw to deploy QuiteRAT, a remote access trojan with similar capabilities to MagicRAT, but with increased code complexity. DECIPHER

Space Espionage Alert
The U.S. space industry is getting hit with more cyberattacks from foreign intelligence entities, according to the Office of the Director of National Intelligence. This isn't just about global competition, it's also a matter of national and economic security. OODALOOP

Space Force Activation
Related to that, the US Space Force has activated a new unit, the 75th Intelligence, Surveillance and Reconnaissance Squadron, dedicated to targeting adversary satellites. The unit, part of Space Delta 7, will analyze potential targets, track them, and participate in 'target engagement', which could involve disrupting or destroying adversary satellites. OODALOOP


Vulnerabilities:

  • Chrome Security Update
    Google's latest Chrome 116 security update tackles five memory safety vulnerabilities, including four high-severity ones. The most severe, a use-after-free bug in Vulkan, earned the reporter a $10,000 bug bounty reward. SECURITYWEEK
  • NPM Package Malware
    A fake email validation NPM package has been found to contain Command and Control (C2) and sophisticated data exfiltration capabilities. The malicious package was discovered by the user /u/braincaviar on Reddit's r/netsec forum. PHYLUM
  • WinRAR Vulnerability
    WinRAR, the world's most popular compression tool, has a high severity vulnerability that allows code execution when a RAR file is opened. The flaw, identified as CVE-2023-40477, has a CVSS severity rating of 7.8 and has been fixed in the latest version, WinRAR 6.23. THEREGISTER
  • Barracuda Patch Failure
    The FBI has warned that patches for a recent Barracuda Email Security Gateway vulnerability have failed, urging organizations to remove all affected appliances immediately. SECURITYWEEK

TECHNOLOGY NEWS

ChatGPT Goes Enterprise
OpenAI just launched ChatGPT Enterprise, a business-focused version of their AI chatbot app, offering enhanced privacy, data analysis, and customization options. The new version is powered by GPT-4 and offers priority access to the AI model, delivering faster performance and a larger context window. TECHCRUNCH

Waymo's Robotaxis in SF
NY Times got a chance to ride in Waymo's autonomous taxis in San Francisco, and they found the ride to be smooth and safe, albeit a bit slower than a human driver. I honestly can’t wait until AI is driving more cars. Humans are far more dangerous. I just worry about the job loss. NYTIMES

Decentralized Identity
Decentralized Identity (DID) is an emerging technology that aims to give individuals control over their own digital identities, but it's not quite ready for prime time. The technology, which uses cryptographic keys to verify identity, is gaining interest from governments and cryptocurrency projects, but it still faces significant challenges, including the need for widespread government support and concerns about accessibility and exclusion. CENDYNE

Code Llama Unveiled
Facebook has launched Code Llama, a large language model (LLM) that uses text prompts to generate and discuss code, aiming to make developers' workflows faster and more efficient. The model, which supports popular programming languages like Python, C++, Java, and more, is available in three sizes (7B, 13B, and 34B parameters) to cater to different serving and latency requirements. FACEBOOK

Parallels Desktop 19 Update
Parallels Desktop 19 is out with some cool updates including macOS Sonoma integration, a design refresh, and a new Password-less Sign-in with Touch ID. The update also includes enhanced compatibility with macOS, a re-engineered Shared Printing functionality, and improved display and resolution refresh when resizing screens. I wonder if it plays Diablo IV. 9TO5MAC

AI Art Copyright Denied
AI-generated art can't be copyrighted, says a U.S. district court judge. The decision came after scientist Stephen Thaler tried to copyright a piece of art created by his AI tool, the "Creativity Machine". THEHILL | OODALOOP

Neo4j's Vector Update
Neo4j, the graph database vendor, has introduced vector search capabilities to its database, enhancing its ability to understand relationships across data and content. This addition is aimed at improving search, enabling generative AI, and supporting large language models. VENTUREBEAT

AI Trained on King
Stephen King's books have been used to train AI, sparking a debate about machine creativity. King argues that while AI can mimic style, it lacks the genuine creative moments that come from human sentience, but concedes that this may change if AI achieves sentience. THEATLANTIC

Late-stage Venture Decline
If you're a startup founder looking to raise a venture round this year, brace yourself for a lower valuation than you might have seen in 2021 or 2022. According to new data from CB Insights, there's been a sharp decline in valuations across nearly all startup stages globally. TECHCRUNCH

CodeLlama Beats GPT-4
Phind's fine-tuned CodeLlama-34B and CodeLlama-34B-Python models have outperformed GPT-4 on HumanEval, scoring 67.6% and 69.5% pass@1 respectively. These models were trained on a proprietary dataset of ~80k high-quality programming problems and solutions, over two epochs, totaling ~160k examples. PHIND

AI Wildfire Detection
California's Department of Forestry and Fire Protection is using AI to detect wildfires before they get out of hand. The system, which has been in operation for two months, has already identified 77 fires before any 911 calls were made, allowing for rapid response and containment. LATIMES

Human Content Badge
The "Not By AI" badges are designed to encourage human content creation and help users identify human-generated content, amidst predictions that 90% of online content could be AI-generated by 2025. The badges can be used by content creators and businesses that estimate at least 90% of their content is human-created. NOTBYAI

X Challenges LinkedIn
LinkedIn's reign as the go-to job hunting platform might be over, as X (formerly Twitter) rolls out its new job posting feature. The feature, currently in beta, allows verified organizations to integrate job postings directly into their X profile. BGR

HUMAN NEWS

Zoom's Office Return
Zoom CEO Eric Yuan is sending some employees back to the office, saying that Zoom doesn't allow for as much trust-building or innovation as in-person work. Yikes. Understandable, but not a great story to tell. BUSINESSINSIDER

Living Paycheck to Paycheck
The typical American worker is struggling to make ends meet, with essential expenses such as rent, mortgage, food, and health costs accounting for over 85% of the median take-home pay. The median monthly rent in the U.S. was $2,029 as of June, which already accounts for about 61% of the median take-home pay. METAFILTER

AI Reskilling Crisis
AI platforms like ChatGPT are going to force a whopping 40% of the global workforce to learn new skills in the next three years. According to a study by the IBM Institute for Business Value, this translates to about 1.4 billion people needing to reskill to keep up with AI integration in their workplaces. 40%? That’s massive. And what guarantees that their re-skilled activity is safe? Answer: nothing. OODALOOP

Millennial Midlife Crisis
Millennials are redefining the midlife crisis, with less Corvette money and more introspection. According to the Federal Reserve, the median cash that US consumers aged 35 to 44 have in their bank accounts is $4,710, with a median of $60,000 in their retirement account. MORNINGBREW

Housing Affordability Crisis
US housing affordability has hit its worst point in nearly four decades, making it harder for average Americans to buy homes. The surge in mortgage rates is the main culprit behind this squeeze. BLOOMBERG

Job Switching Price
American workers are now demanding an average of $78,645 to switch jobs, a record high that reflects inflation in the labor market. This figure, which has risen by 22% over the past three years, is driving inflation, with wages recognized as a significant factor. CNBC

COVID Variants Update
New COVID variants EG.5, FL.1.5.1, and BA.2.86 are making waves and you should know about them. These variants are spreading and raising concerns as hospitalizations are on the rise. GOOGLENEWS

KPI Psychosis
Companies are increasingly falling into a state of 'KPI psychosis', where decisions are made solely based on numbers, leading to a disconnect from reality. The author suggests a balance of KPIs and human intuition for optimal decision-making, and continuous reflection on the reliability of KPIs. I’d argue, however, that this is actually just people using the wrong KPIs. ROMATON

Wuhan's Hidden Truth
Doctors in Wuhan, China, knew about the severity of the COVID-19 virus in early 2020, but were ordered to remain silent by Chinese authorities. WASHINGTONPOST

Understanding Narcissism
Narcissism, a condition affecting up to 6% of the U.S. population, is more complex than the grandiose self-absorption it's often associated with. It can manifest in a variety of ways, including self-loathing, social isolation, and even antisocial behavior. 👀 SCIENTIFICAMERICAN

High Times
Americans are increasingly using cannabis and psychedelic drugs, with usage hitting record highs last year. The University of Michigan's annual Monitoring the Future study suggests this trend could be driven by relaxed laws, changing perceptions of hallucinogens, and more people self-medicating for mental health issues. MORNINGBREW

On-Demand Media Surpasses Linear (TV)
On-demand audio content has finally overtaken traditional linear audio in the US, according to Edison Research. As of Q2, 2023, 50.3% of all daily audio time consumed by those aged 13+ is on on-demand platforms, while 49.7% is on linear platforms. EDISONRESEARCH

China's Economic Impact
China's economic troubles might not be as bad for the U.S. as you'd think. In fact, there could be some benefits for American interests. NYTIMES

Utopian City Plan
Silicon Valley elites have been revealed as the buyers of $800M worth of land in northern California, with plans to build a utopian city powered by clean energy. THEGUARDIAN


NOTES

Prompt Injection Primer — Friend and UL Member Rez0 has launched a "Prompt Injection Primer for Engineers" to clear up confusion around the topic. The guide addresses the seriousness of prompt injection, what attackers can do with it, and how to prevent it. I’ve seen a million of these and his is the absolute best on Prompt Injection. TWITTER

IDEAS & ANALYSIS

Young Thinking
I think adopting new things keeps one sharp. I force myself to constantly listen to the latest music. I’m now saying “Siri” instead of “Hey Siri”, because that’s a new thing in the iOS17 beta. And I regularly explore things just because they’re new. Especially cultural trends. I find that many people even in their late 20s have lost a lot of this. They’ve already started saying “that’s just how I do it”, and I see that as a kind of death signal. Of course there are some things that I simply say are a matter of taste, and I choose to do them that way. It’s a style thing. And sometimes the old way of doing things is better than the new. And I still listen to my favorite music from my childhood. But not all the time. I spend probably 60% of my time exposing myself to the world. In new ways. New music. New ideas. New ways of interfacing. My pet theory is that this communicates youth signals to the body and mind. It basically says, “Don’t shut down the systems; we’re still here to win.” I don’t know if this is why I’m still performing at this level (and even improving), but I like to think so. Could also be the meth.

DISCOVERY

⚒️ Ipfuscator — A blazing-fast, thread-safe tool that generates alternative IP(v4) address representations swiftly and without memory allocations. It's written in Go and it's straightforward to use. | by dwisiswant0 | GITHUB

⚒️ Google/Fuzzing — A comprehensive resource for fuzzing, including tutorials, examples, discussions, and research proposals. Perfect for anyone looking to dive into the world of fuzzing. | by Henryrneh | GITHUB

⚒️ Fuzzing Templates — A community-curated list of fuzzing templates for the nuclei engine, designed to discover previously unknown security vulnerabilities. | by Ehsan Dehghan | GITHUB

⚒️ n8n.io — A powerful workflow automation tool that can streamline your work processes and increase productivity. | by sacrosanct | HACKERNEWS

⚒️ BASH Stack — A web framework that uses Bash, Awk, Sed, and HTMX, with file-based routing and scripts executed on HTTP requests. It's designed to work well with htmx, which is included by default. GITHUB

⚒️ AWS Chat Plugin — A nifty plugin that lets you chat with your AWS infrastructure directly from your terminal. It's like having a direct line to your cloud setup. | by Simon Willison | TWITTER

⚒️ Multi Vector Retriever — A tool that stores multiple embedding vectors per document, generated from smaller chunks, summaries, hypothetical questions, or manually specified text snippets. | by Harrison Chase | TWITTER

📝 Use of LLMs for Illicit Purposes: Threats, Prevention Measures, and Vulnerabilities — A nice paper providing an overview of existing efforts to identify and mitigate threats and vulnerabilities arising from LLMs. | ARXIV | TWITTER

Scrum is a Cancer
Santiago, a software developer with 25 years of experience, calls Scrum a "cancer" that renders software teams useless. TWITTER

I Met a Book — Here's a heartwarming piece about the transformative power of books and reading. The author shares a personal story of how a single book changed their life. NATIONALREVIEW

AI Security Implications
As General AI and Large Language Models (LLMs) become more integrated into business, understanding their security implications is key. This seminar provides a business-friendly overview of these technologies, focusing on practical security risks and strategies to manage them. YOUTUBE

GPT-4's API Misuses
Turns out, GPT-4, the large language model, is generating code with a lot of API misuses. A recent study shows that 62% of the code generated by GPT-4 contains API misuses, which could lead to severe problems like resource leaks and program crashes. ARXIV

Blogging Strategy
Henrik Karlsson challenges the common advice of frequent publishing for bloggers, arguing that investing more time in fewer, high-quality posts yields better results. HENRIKKARLSSON

Meta's Code Llama
Meta has launched Code Llama, a tool that generates and debugs code, built on its Llama 2 large language model. The tool, which comes in three sizes, scored 53.7 percent on the code benchmark HumanEval and can accurately write code based on a text description. THEVERGE

Writing Sins
Hamilton College has outlined seven common writing mistakes, including misuse of passive voice, improper punctuation in compound sentences, and wordiness. HAMILTON

Excel for Threat Hunting
Reddit user m_edmondson has shared a newsletter on how to use Excel for threat hunting in your data. REDDIT

JavaScript De-Minification
LLMs (Latent Language Models) can be used to reverse JavaScript variable name minification, making the code easier to read and understand. The technique was shared by Reddit user jehna1 on the netsec subreddit. THEJUNKLAND

AI Security Implications
This seminar gives a business-friendly overview of General AI and Large Language Models (LLMs), focusing on their practical security implications and risks. It highlights the risk of uncontrolled disclosure of Personally Identifiable Information (PII) using an LLM and explores various LLM deployment scenarios. YOUTUBE

Learning GNU Awk
This guide provides a comprehensive introduction to GNU Awk, a programming language primarily used for text processing and data extraction. GITHUB

Web Scraping Hypocrisy
Big companies like Meta and Microsoft are known for their aggressive stance against web scraping on their own properties, while they freely scrape data from others. ERICGOLDMAN

DJ Duo's Cybersecurity Venture
The Chainsmokers, known for their music, are also tech investors with a growing interest in cybersecurity startups. Their venture firm, Mantis VC, recently participated in a $4 million seed funding round for iVerify, a mobile security app. WIRED

X's Verification Upgrade
X (formerly Twitter) is stepping up its verification game by requiring users to submit a selfie and a government-issued ID, thanks to Israeli software AU10TIX. JPOST

Time Well Spent
Rez0's blog post offers a framework for evaluating the value of activities, aiming to help readers spend their time more wisely. The framework categorizes activities based on who you're with and what you're doing, ranking them from most to least valuable. REZ0

Sketchbook Chronicles
Matt Kirkland shares his 23-year journey of keeping sketchbooks, highlighting their role as a tool for thinking, planning, and remembering. ATTAINABLEFELICITY

North Korean Sci-Fi
North Korean science fiction is a fascinating genre, often featuring their scientists and technologists as the heroes saving the world. ARSTECHNICA

Number Naming Nonsense
Ever wondered why 11 and 12 aren't called oneteen and twoteen? It's all about our language's old Germanic roots, where "eleven" means "one left" and "twelve" means "two left" after ten. REDDIT


RECOMMENDATION OF THE WEEK

I just finished this new book, Outlive, by Dr. Peter Attia. I’ve been recommending it to everyone I care about, and that includes you.

It’s not just a bunch of health advice; it’s also a completely different way of thinking about fitness overall, within the context of what you want to accomplish in life. Cannot recommend it enough.

Outlive: The Science and Art of Longevity

www.amazon.com/Outlive-Longevity-Peter-Attia-MD/dp/0593236599

APHORISM OF THE WEEK

Children see magic because they look for it.

Christopher Moore