UL NO. 400: What Hiring Managers Want, CVE Farming, Hunt Forward Operations, and AI vs. B2B Services
Discover how AI is set to revolutionize the B2B services economy and the implications for GDP. Plus, unravel the paradox of the cyber job market, explore the urgent need for a content source authentication system, and delve into the controversial practice of CVE farming
Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.
No big intro this week. Let’s just jump into it!
Cyber Job Shortage Confusion
Ben Rothke has an interesting post explaining the discrepancy between so many people looking for cyber jobs while there are also so many openings. He argues that there are tons of newbies, generalists, middle-managers, and CISO-types—but nowhere near enough people to actually do the technical work. In other words, developers that know the deepest levels of product and application security and have the dev skills to push code to production. There are more specific skill sets than just development that this applies to, like third-party assessments, threat modeling, pentesting, etc., but I think the analysis is spot on. TL;DR: We have a surplus of cyber-adjacent people looking for jobs, but hiring managers are struggling to find people who can do the actual technical work. BROTHKE | MY ESSAY ON WHAT HIRING MANAGERS WANT
We Need a Content Source Authentication System
We’re seriously about to need a content authentication system. This demo that just came out from HeyGen shows another language being overlayed on top of an existing video. Except the mouth matches the translation, so it looks like they actually speak the language. This is the type of problem that happens slowly until it hits us all at once, i.e., not knowing what content came from the actual creator vs. what was faked. I give more analysis here. TWITTER
Software Supply Chain security researcher, Dan Lorenc, has highlighted an issue where people are gaming the CVE submission system by submitting multiple old and highly-rated issues to get a reputation boost by having their own CVE. MALWAREBYTES
Apple's Zero-Day Flaws There have been multiple Apple Zero-day patches recently, with the most recent one being Predator Spyware related. When you see an Apple urgent patch, it’s a good idea to update, especially if you’re someone likely to be targeted. THEHACKERNEWS | OODALOOP | GOOGLE
Malicious npm Packages Cybersecurity researchers have found a new batch of malicious npm packages that are designed to steal Kubernetes configurations and SSH keys from compromised machines. THEHACKERNEWS
UK's Cyber Operations
The UK's Strategic Command is now conducting 'hunt forward' operations, which are defensive activities where military cyber experts deploy to a foreign nation to detect malicious activity on the host nation's networks. I like the initiative here. Seems aggressive but necessary. THERECORD
Microsoft's Data Leak
Microsoft's AI research team accidentally exposed 38 terabytes of private data, including a backup of two employees' workstations, while publishing open-source training data on GitHub. The leak included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. People wonder how AI is going to affect security, and I think one of the biggest ways is having tons of AI agents monitoring for and preventing mistakes. Things like: Publishing errors, config mistakes, too many permissions, etc. Imagine having a team of hundreds of people working 24/7 who never get tired to make sure you never make these mistakes. That’s one huge thing AI will end up being for the blue side. WIZ
Clorox's Cyberattack Impact
This is a rare case where a cyber incident directly impacts the bottom line. Clorox is still recovering from a cyberattack that happened a month ago, and it's going to hit its earnings because had to switch to manual ordering and processing during the attack. THEHILL
T-Mobile's Data Leaks
WTAF is going on at T-Mobile? They’ve been having a rough year, with customers reporting seeing other people's sensitive information when they log into their accounts. And this is one of many incidents so far this year. Are we just over-reporting on T-Mobile right now, or is it really this bad? OODALOOP
Snatch Ransomware Alert
FBI and CISA have issued a joint warning about "Snatch", a ransomware-as-a-service operation that's been active since 2018. The malware forces Windows systems to reboot into Safe Mode, encrypting files undetected by antivirus tools, and has recently targeted IT, defense, and food and agriculture sectors. OODALOOP
APT36's YouTube Clones
The APT36 hacking group, also known as 'Transparent Tribe,' is using Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), 'CapraRAT.' This malware can harvest data, record audio and video, and access sensitive communication information. BLEEPINGCOMPUTER
Chinese Linux Backdoor
Chinese hackers have come up with a new Linux backdoor, dubbed SprySOCKS, which is a spin-off from a Windows backdoor named Trochilus. The malware, linked to the Chinese government, has capabilities like collecting system info, controlling compromised systems, and creating a proxy for data transfer. ARSTECHNICA
ChatGPT Gets Voice and Vision
OpenAI's ChatGPT has been upgraded with vision and auditory capabilities, significantly enhancing its ability to assist users in their daily tasks.
- You can talk to ChatGPT and have it respond in a natural voice
- You can upload an image and ask questions about it
- The features are rolling out slowly to the user base, as with most of their new shiny stuff OPENAI
Cisco Acquires Splunk
Cisco bought Splunk for $28 billion. The joke is that Splunk took a while to react because when they saw the payment they just figured Cisco was renewing their license. My take on this is that it’s an AI play to go where the enterprise data is. And logs is one of those places. SPLUNK | SECURITYWEEK
GitHub's Passwordless Logins
GitHub has rolled out passkeys for all users, allowing for passwordless logins and better protection against phishing. Thank God. Passkeys everywhere, please. Especially for finance-related apps. BLEEPINGCOMPUTER
DALL-E 3 Unveiled Kind Of
OpenAI has teased DALL-E 3, a new version of its AI image creator that can be controlled using ChatGPT. The system is way better at doing exactly what you tell it, but it doesn’t look as good as Midjourney. Weird that they did a launch without actually giving people access, though. AXIOS
Microsoft's Copilot Everywhere
Microsoft is putting Copilot AI in everything, basically. Deep into the new Windows OS, the core apps, and on the new Surface devices. Yusuf Mehdi, consumer chief marketing officer, describes Copilot as "a handshake between you and technology — available when you need it and out of the way when you don’t." I’m not a Windows guy, but I’m super happy to see this. THEVERGE
AI Girlfriends Rise
Ads for AI girlfriends are popping up everywhere, with Replika alone being downloaded over 20 million times. I tried a couple from an article last week and they were super cringe. Also GPT-3 cringe, which “she” was happy to tell me. One of the services was a straight-up porn avatar/chatbot. FREYAINDIA
Nursing Robot Expansion
Diligent's nursing robot, Moxi, is getting a big boost with a $25 million funding round aimed at tripling its reach. Electric cars don’t have anything on robots. AI and personal/everyday robots are going to shape our tech future the most in the next 20 years I think. TECHCRUNCH
Iran's Hijab Bill
Iran's parliament has a new bill that could land women in jail for up to 10 years for "inappropriate" attire, and it’s also the anniversary of the government crackdown against women not wearing the Hijab. Meanwhile, the UK is erecting a Hijab statue talking about how awesome they are. To be clear, I think women should obviously be able to wear whatever they want in free countries. What trips me out is how religion can make something a symbol of freedom and oppression simultaneously. OODALOOP
Germany's Economic Decline
Germany is now the world's worst-performing major developed economy. The decline is largely due to the loss of cheap natural gas from Russia following its invasion of Ukraine, which has severely impacted Germany's energy-intensive industries. APNEWS
The U.S. has the highest rate of children living in single-parent households in the world, with almost a quarter of U.S. children under 18 living with one parent and no other adults. This is more than three times the global average of 7%. PEWRESEARCH
Religious Identification Declines
Americans are increasingly identifying as spiritual rather than religious, according to a recent Gallup poll. The survey found that 47% of Americans identify as religious, down from 54% in 1999, while 33% identify as spiritual but not religious, and 18% say they are neither, up from 9% in 1999. GALLUP
Alcohol's Heart Risks
The World Heart Federation's recent policy brief debunks the myth that alcohol, including red wine, is heart-healthy, linking it to several heart-related risks. I learned this from Huberman, and have removed all alcohol from my house. I no longer drink unless I’m out with friends and it’s a special occasion. Or at conferences. Turns out it’s just poison at any dosage, so I’m done with it as a regular thing. HEALTH.HARVARD
Charging for Returns
H&M, following other brands like Zara and Uniqlo, has started charging for returns in the UK, which might be a bummer for your wallet but could be a win for the environment. But I suspect the reason is that it discourages returns and improves the bottom line. Imagine if Amazon did this. THEVERGE
COVID Vaccine Uptake
According to Politico and Morning Consult polling, 57% of registered voters said they would "probably" or "definitely" get the vaccine, nearly triple the uptake of last year's updated vaccine. ARSTECHNICA
IDEAS & ANALYSIS
Who Wins AI? Open or Closed Source?
I think open-source AI has a high chance of ending up with tons of market share for a simple reason. AI only needs to be “good enough” for most tasks. There’s a bar for perfect that isn’t actually perfect at all. So open source AI models don’t have to beat GPT-N, they just have to exceed that bar. Also, look at macOS vs. Linux. What’s more popular with high-end consumers? iOS and macOS. But only for their personal devices. What’s running the consoles and the machines all around us all day? The millions of electronic systems and machines embedded all over the planet. Linux. I think open source AI might be the same. Mostly open for most things, and then closed for the premium use cases. SUBSTACK
Strong UL book club this week. Great discussion of the current book and surrounding issues, and we picked the next book as well. Can’t wait for everyone to read this one!
⚒️ Sling Shot R3con — A new open-source tool that simplifies the initial phase of bug bounty and penetration testing by automating tasks like subdomain discovery, DNS resolution, port scanning, and website crawling. The tool, written in Bash and powered by Project Discovery tools, is designed to save time and increase efficiency for developers and security enthusiasts. MEDIUM
Bypassing SSL Pinning in TikTok TWITTER
WSL 2.0: Now with Windows Snapping for GUI Apps GITHUB
Six Weeks to a New Brain BBC
Vim + LLMs REZ0
MBA grads are buying entire companies through a phenomenon called "entrepreneurship through acquisition" (ETA). MORNINGBREW
The SATs are changing next year to a new format that will de-emphasize speed. NYTIMES
Building Knowledge Graphs with Langchain and Matplotlib DATADRIVENINVESTOR
Marriage as a Poverty Solution THEATLANTIC
Orwell's Complete Works HACKERNEWS
Project Gutenberg has just turned thousands of its titles into audiobooks using synthetic speech. TECHCRUNCH
Exploiting Okta for Penetration Testing REDDIT
There's a whole branch of math that's all about knots. YOUTUBE
Training Smaller AI Models to Outperform Giants GOOGLE
Social Media's Impact on Teen Girls NYTIMES
RECOMMENDATION OF THE WEEK
Re-evaluate your task list with the retrospective view of December 31st, 2023.
What have you done this year?
What did you set out to do?
Where are you on that list?
Look at your current daily/weekly plans this week and reframe them based on this
If your goals haven’t changed, and you’ve not accomplished them yet, are the things you’re doing this week and next that high of a priority?
Zoom out. Look at your goals and your progress. Re-evaluate.
APHORISM OF THE WEEK
We first make our habits, then our habits make us.