UL NO. 400: What Hiring Managers Want, CVE Farming, Hunt Forward Operations, and AI vs. B2B Services
Discover how AI is set to revolutionize the B2B services economy and the implications for GDP. Plus, unravel the paradox of the cyber job market, explore the urgent need for a content source authentication system, and delve into the controversial practice of CVE farming.
Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.
Hey there,
No big intro this week. Let’s just jump into it!
MY WORK
🎙️ Subscribe to the Podcast
I’ve moved podcast ads to the front of the podcast so that you’ll no longer be interrupted once the content starts! ADD UL TO YOUR CLIENT
📡 Connect via RSS
RSS is lyfe. ADD UL TO YOUR RSS READER
SECURITY NEWS
Cyber Job Shortage Confusion
Ben Rothke has an interesting post explaining the discrepancy between so many people looking for cyber jobs while there are also so many openings. He argues that there are tons of newbies, generalists, middle-managers, and CISO-types—but nowhere near enough people to actually do the technical work. In other words, developers who know the deepest levels of product and application security and have the dev skills to push code to production. There are more specific skill sets than just development that this applies to, like third-party assessments, threat modeling, pentesting, etc., but I think the analysis is spot on. TL;DR: We have a surplus of cyber-adjacent people looking for jobs, but hiring managers are struggling to find people who can do the actual technical work. BROTHKE | MY ESSAY ON WHAT HIRING MANAGERS WANT
We Need a Content Source Authentication System
We’re seriously about to need a content authentication system. This demo that just came out from HeyGen shows another language being overlaid on top of an existing video. Except the mouth matches the translation, so it looks like they actually speak the language. This is the type of problem that happens slowly until it hits us all at once, i.e., not knowing what content came from the actual creator vs. what was faked. I give more analysis here. TWITTER
CVE Farming
Software supply chain security researcher Dan Lorenc has highlighted an issue where people are gaming the CVE submission system by submitting multiple old and highly-rated issues to get a reputation boost by having their own CVE. MALWAREBYTES
Vulnerabilities:
Apple's Zero-Day Flaws
There have been multiple Apple zero-day patches recently, with the most recent one being Predator spyware related. When you see an Apple urgent patch, it’s a good idea to update, especially if you’re someone likely to be targeted. THEHACKERNEWS | OODALOOP | GOOGLE
GitLab's Critical Flaw
GitLab has patched a critical vulnerability that allowed attackers to run pipelines as another user. CVSS score: 9.6. SECURITYWEEK
Fortinet's Security Patches
Fortinet has rolled out patches for high-severity XSS vulnerabilities affecting multiple versions of FortiOS and FortiProxy. SECURITYWEEK
Juniper Vulnerability
Around 12,000 Juniper SRX firewalls and EX switches are open to a fileless remote code execution flaw that doesn't require authentication. BLEEPINGCOMPUTER
Nagios XI Vulnerabilities
Nagios XI has been hit with multiple security flaws that could lead to privilege escalation and information disclosure. THEHACKERNEWS
Malicious npm Packages
Cybersecurity researchers have found a new batch of malicious npm packages that are designed to steal Kubernetes configurations and SSH keys from compromised machines. THEHACKERNEWS
Sponsor
Cloud Visibility?
Cloud-first security teams are leading the pack in adopting Cloud Native Application Protection Platforms (CNAPP). This CNAPP Buyer’s Guide contains everything you need to know to make sure you’re adapting to the evolving threatscape and staying ahead of attackers, including:
- What exactly is CNAPP
- Why Gartner predicts that 80% of teams will move to CNAPP by 2026
- How leading security orgs are consolidating their security stack (CSPM, CWPP, CIEM, CDR)
- Bonus: An RFP template with a scorecard to assess potential solutions
Get the complete breakdown in the CNAPP Buyer’s Guide.
UK's Cyber Operations
The UK's Strategic Command is now conducting 'hunt forward' operations, which are defensive activities where military cyber experts deploy to a foreign nation to detect malicious activity on the host nation's networks. I like the initiative here. Seems aggressive but necessary. THERECORD
Microsoft's Data Leak
Microsoft's AI research team accidentally exposed 38 terabytes of private data, including a backup of two employees' workstations, while publishing open-source training data on GitHub. The leak included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. People wonder how AI is going to affect security, and I think one of the biggest ways is having tons of AI agents monitoring for and preventing mistakes: publishing errors, config mistakes, too many permissions, etc. Imagine having a team of hundreds of people working 24/7, who never get tired, making sure you never make these mistakes. That’s one huge thing AI will end up being for the blue side. WIZ
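The kind of "never gets tired" check the paragraph is talking about can start much simpler than an AI agent. Below is an added example, not Microsoft's tooling or anything from the Wiz write-up: a hypothetical pre-publish gate that scans every file in a release bundle for credential-shaped content (PEM private key blocks, hard-coded passwords, bearer tokens, credentials embedded in URLs, and long high-entropy strings) and refuses to publish if anything trips. The file set, paths and secret values are constructed for the demo; the rule names and thresholds are my own choices.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Hypothetical pre-publish gate (added example, not any vendor's tooling):
# scan every file destined for a public repository and block the release if it
# contains credential-shaped content. Rules are simple on purpose so a reviewer
# can understand exactly why a file was flagged.


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


# Each rule: (name, compiled regex). Patterns are generic, not tied to any vendor.
RULES = [
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}")),
    ("url_with_credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]

# Long, high-entropy tokens catch opaque API keys the named rules do not know about.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; a line may trip several rules."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, line_no, name))
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_token"))
                break  # one entropy finding per line is enough
    return findings


def publish_allowed(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Gate: the bundle may be published only if no file produced a finding."""
    all_findings: list[Finding] = []
    for path, text in files.items():
        all_findings.extend(scan_text(path, text))
    return (not all_findings, all_findings)


# Constructed sample release bundle: a clean README, a dataset manifest, and a stray
# workstation backup directory that should never have been in the bundle at all.
SAMPLE_FILES = {
    "README.md": "# Dataset\nImages are CC-BY. Contact the team for questions.\n",
    "manifest.json": '{"files": 1200, "format": "png", "license": "CC-BY"}\n',
    "backup/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA\n"  # constructed, not a real key
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "backup/notes.txt": (
        "db password=Sup3rS3cret!\n"  # constructed placeholder credential
        "export API_TOKEN=q7Zp2vXk9LmN4rTy8WbC1dFg5HjK0sAe\n"  # constructed token
    ),
}

if __name__ == "__main__":
    ok, findings = publish_allowed(SAMPLE_FILES)
    print("publish allowed:", ok)
    for f in findings:
        print(f"  {f.path}:{f.line_no} {f.rule}")
```

Run on the sample bundle, the gate refuses to publish and points at the two backup files, while the README and manifest pass untouched. The entropy rule is the noisy one in practice (base64 blobs in legitimate data trip it), so a real deployment would pair it with an allow-list of known-benign paths rather than lowering the threshold.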
OpenAI's Red Teaming
OpenAI is launching the OpenAI Red Teaming Network, a group of contracted experts to help make their AI models more robust. TECHCRUNCH | OPENAI
Clorox's Cyberattack Impact
This is a rare case where a cyber incident directly impacts the bottom line. Clorox is still recovering from a cyberattack that happened a month ago, and it's going to hit its earnings because it had to switch to manual ordering and processing during the attack. THEHILL
Sponsor
Revolutionize Your Security Program with Vanta’s Top-Tier Compliance Automation
💸 Save not just time, but up to a whopping 85% of costs!
⌛ Join Vanta's global network of 5,000+ customers who have slashed over 300 hours of manual work for SOC 2, ISO 27001, HIPAA, GDPR, and more.
🕸️ Vanta's 200+ integrations let you effortlessly monitor and secure your essential business tools. From hot-ticket frameworks to third-party risk management and security questionnaires, we offer a one-stop solution for SaaS businesses to manage risk and demonstrate security in real-time.
Exclusive for the Unsupervised Learning community: Claim your $1000 discount at Vanta.com/Unsupervised. Act now, secure your business, and save big!
T-Mobile's Data Leaks
WTAF is going on at T-Mobile? They’ve been having a rough year, with customers reporting seeing other people's sensitive information when they log into their accounts. And this is one of many incidents so far this year. Are we just over-reporting on T-Mobile right now, or is it really this bad? OODALOOP
Snatch Ransomware Alert
FBI and CISA have issued a joint warning about "Snatch", a ransomware-as-a-service operation that's been active since 2018. The malware forces Windows systems to reboot into Safe Mode, encrypting files undetected by antivirus tools, and has recently targeted IT, defense, and food and agriculture sectors. OODALOOP
APT36's YouTube Clones
The APT36 hacking group, also known as 'Transparent Tribe,' is using Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), 'CapraRAT.' This malware can harvest data, record audio and video, and access sensitive communication information. BLEEPINGCOMPUTER
Chinese Linux Backdoor
Chinese hackers have come up with a new Linux backdoor, dubbed SprySOCKS, which is a spin-off from a Windows backdoor named Trochilus. The malware, linked to the Chinese government, has capabilities like collecting system info, controlling compromised systems, and creating a proxy for data transfer. ARSTECHNICA
TECHNOLOGY NEWS
ChatGPT Gets Voice and Vision
OpenAI's ChatGPT has been upgraded with vision and auditory capabilities, significantly enhancing its ability to assist users in their daily tasks.
- You can talk to ChatGPT and have it respond in a natural voice
- You can upload an image and ask questions about it
- The features are rolling out slowly to the user base, as with most of their new shiny stuff OPENAI
Cisco Acquires Splunk
Cisco bought Splunk for $28 billion. The joke is that Splunk took a while to react because when they saw the payment they just figured Cisco was renewing their license. My take on this is that it’s an AI play to go where the enterprise data is. And logs are one of those places. SPLUNK | SECURITYWEEK
GitHub's Passwordless Logins
GitHub has rolled out passkeys for all users, allowing for passwordless logins and better protection against phishing. Thank God. Passkeys everywhere, please. Especially for finance-related apps. BLEEPINGCOMPUTER
DALL-E 3 Unveiled, Kind Of
OpenAI has teased DALL-E 3, a new version of its AI image creator that can be controlled using ChatGPT. The system is way better at doing exactly what you tell it, but it doesn’t look as good as Midjourney. Weird that they did a launch without actually giving people access, though. AXIOS
Microsoft's Copilot Everywhere
Microsoft is putting Copilot AI in everything, basically. Deep into the new Windows OS, the core apps, and on the new Surface devices. Yusuf Mehdi, consumer chief marketing officer, describes Copilot as "a handshake between you and technology — available when you need it and out of the way when you don’t." I’m not a Windows guy, but I’m super happy to see this. THEVERGE
AI's Impact on Kindle
Amazon had to throttle how many new books one can publish on Kindle because of GenAI. People were posting many per day, most of which were very low quality. HACKERNEWS
AI Girlfriends Rise
Ads for AI girlfriends are popping up everywhere, with Replika alone being downloaded over 20 million times. I tried a couple from an article last week and they were super cringe. Also GPT-3 cringe, which “she” was happy to tell me. One of the services was a straight-up porn avatar/chatbot. FREYAINDIA
Nursing Robot Expansion
Diligent's nursing robot, Moxi, is getting a big boost with a $25 million funding round aimed at tripling its reach. Electric cars don’t have anything on robots. AI and personal/everyday robots are going to shape our tech future the most in the next 20 years I think. TECHCRUNCH
HUMAN NEWS
Iran's Hijab Bill
Iran's parliament has a new bill that could land women in jail for up to 10 years for "inappropriate" attire, and it’s also the anniversary of the government crackdown against women not wearing the Hijab. Meanwhile, the UK is erecting a Hijab statue talking about how awesome they are. To be clear, I think women should obviously be able to wear whatever they want in free countries. What trips me out is how religion can make something a symbol of freedom and oppression simultaneously. OODALOOP
Germany's Economic Decline
Germany is now the world's worst-performing major developed economy. The decline is largely due to the loss of cheap natural gas from Russia following its invasion of Ukraine, which has severely impacted Germany's energy-intensive industries. APNEWS
Single-Parent Households
The U.S. has the highest rate of children living in single-parent households in the world, with almost a quarter of U.S. children under 18 living with one parent and no other adults. This is more than three times the global average of 7%. PEWRESEARCH
Religious Identification Declines
Americans are increasingly identifying as spiritual rather than religious, according to a recent Gallup poll. The survey found that 47% of Americans identify as religious, down from 54% in 1999, while 33% identify as spiritual but not religious, and 18% say they are neither, up from 9% in 1999. GALLUP
Alcohol's Heart Risks
The World Heart Federation's recent policy brief debunks the myth that alcohol, including red wine, is heart-healthy, linking it to several heart-related risks. I learned this from Huberman, and have removed all alcohol from my house. I no longer drink unless I’m out with friends and it’s a special occasion. Or at conferences. Turns out it’s just poison at any dosage, so I’m done with it as a regular thing. HEALTH.HARVARD
Airlines Turned Banks
Airlines have become more like financial institutions, creating points out of nothing and selling them for real money to banks with co-branded credit cards. THEATLANTIC
Charging for Returns
H&M, following other brands like Zara and Uniqlo, has started charging for returns in the UK, which might be a bummer for your wallet but could be a win for the environment. But I suspect the reason is that it discourages returns and improves the bottom line. Imagine if Amazon did this. THEVERGE
COVID Vaccine Uptake
According to Politico and Morning Consult polling, 57% of registered voters said they would "probably" or "definitely" get the vaccine, nearly triple the uptake of last year's updated vaccine. ARSTECHNICA
IDEAS & ANALYSIS
Who Wins AI? Open or Closed Source?
I think open-source AI has a high chance of ending up with tons of market share for a simple reason. AI only needs to be “good enough” for most tasks. There’s a bar for perfect that isn’t actually perfect at all. So open source AI models don’t have to beat GPT-N, they just have to exceed that bar. Also, look at macOS vs. Linux. What’s more popular with high-end consumers? iOS and macOS. But only for their personal devices. What’s running the consoles and the machines all around us all day? The millions of electronic systems and machines embedded all over the planet. Linux. I think open source AI might be the same. Mostly open for most things, and then closed for the premium use cases. SUBSTACK
NOTES
Strong UL book club this week. Great discussion of the current book and surrounding issues, and we picked the next book as well. Can’t wait for everyone to read this one!
DISCOVERY
⚒️ Sling Shot R3con — A new open-source tool that simplifies the initial phase of bug bounty and penetration testing by automating tasks like subdomain discovery, DNS resolution, port scanning, and website crawling. The tool, written in Bash and powered by Project Discovery tools, is designed to save time and increase efficiency for developers and security enthusiasts. MEDIUM
⚒️ Tracker-Radar — A dataset of the most common third-party domains on the web with information about their behavior, classification, and ownership. TWITTER
⚒️ Go Exploit — A Go-based framework designed to help developers create portable and consistent exploits. GITHUB
⚒️ FFUF v2.1.0 — A new release of the popular web fuzzer, FFUF, is out now. | by joohoi | GITHUB
Bypassing SSL Pinning in TikTok TWITTER
WSL 2.0: Now with Windows Snapping for GUI Apps GITHUB
Six Weeks to a New Brain BBC
Vim + LLMs REZ0
MBA grads are buying entire companies through a phenomenon called "entrepreneurship through acquisition" (ETA). MORNINGBREW
The SATs are changing next year to a new format that will de-emphasize speed. NYTIMES
Building Knowledge Graphs with Langchain and Matplotlib DATADRIVENINVESTOR
Marriage as a Poverty Solution THEATLANTIC
Orwell's Complete Works HACKERNEWS
Project Gutenberg has just turned thousands of its titles into audiobooks using synthetic speech. TECHCRUNCH
Exploiting Okta for Penetration Testing REDDIT
There's a whole branch of math that's all about knots. YOUTUBE
Training Smaller AI Models to Outperform Giants GOOGLE
Social Media's Impact on Teen Girls NYTIMES
RECOMMENDATION OF THE WEEK
Re-evaluate your task list with the retrospective view of December 31st, 2023.
What have you done this year?
What did you set out to do?
Where are you on that list?
Look at your current daily/weekly plans this week and reframe them based on this
If your goals haven’t changed, and you’ve not accomplished them yet, are the things you’re doing this week and next that high of a priority?
Zoom out. Look at your goals and your progress. Re-evaluate.
APHORISM OF THE WEEK
We first make our habits, then our habits make us.