Unsupervised Learning NO. 393

Hacker Week, Deleting Google Info, and Creating High-Entropy Content

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Hey there, Happy Monday!

Welcome to HackerCon week,

This is the week of BSides Las Vegas, Blackhat, and DEFCON in Las Vegas. If you see me around come say hi. Or at least wave or nod your head from a distance!

We’ve also completed our MVP for our first UL product, and we’ll be doing private demos this week! We’re also doing a member meetup on Friday; really looking forward to that one!

Anyway, have a great con week, even if you’re not in Vegas.

Let’s jump in…

In this episode:

🎉 HackerCon Week: BSides, Blackhat, DEFCON
🔒 Google's Privacy Update: Control Your Data
🤖 AI Vulnerability: Adversarial Attacks on Chatbots
🛡️ NIST CSF Changes: Are You Ready?
📊 Breach Disclosure Rules: SEC's New Mandate
🔧 Tech Giants' Security Fixes: Apple, Google, Microsoft
📚 Penetration Testing Guide: Understanding Cybersecurity Risks
🤖 Google's AI Pivot: Supercharged Assistant
📦 Musk's Grid Warning: Invest in Energy Transition
🔭 Tool & Article Discovery
➡️ The Recommendation of the Week
🗣️ The Aphorism of the Week

MY WORK

✍️ High-Entropy Writing
My latest essay on one model for creating the best possible talks: Surprise. I compare the concept of surprise in talks to Claude Shannon’s entropy in information theory. READ THE ESSAY

SECURITY NEWS

Google's Privacy Update
Google just released a tool that lets you see how your contact information appears in Google, and even lets you delete results as well. They updated their "Results About You" tool, which now includes a dashboard that alerts you when your contact information appears in Google searches, and allows you to request removal of that information.

- The tool is available to logged-in Google users.
- Users can request removal of personal information like email, home address, or phone number.
- The dashboard is currently rolling out to users in the US.
- Google also updated policies for removal of nonconsensual explicit images.
- The tools won't completely wipe you from Google searches, but will make personal information harder to find.
- If you don’t have a Google account, you can fill out a stand-alone removal form to make a request.
- Google sends an email where you can track the status of the request. GOOGLE ANNOUNCEMENT | THEVERGE | THE TOOL

AI Vulnerability 
Researchers at Carnegie Mellon University have discovered a fundamental vulnerability in advanced AI chatbots, including ChatGPT, that can't be patched with current knowledge. The vulnerability allows for adversarial attacks, where a simple string of text can bypass all defenses and prompt the AI to generate prohibited responses. Just the beginning of this sort of stuff, to be sure. We forget how to do basic security whenever we introduce new tech. See: network → web → mobile → cloud → IoT → AI. WIRED

🚨 New Breach Disclosure Rules
Public companies in the US now have to disclose cyberattacks within four days, according to new rules approved by the Securities and Exchange Commission (SEC). The rules apply when the attack has a "material impact" on the company's finances, but can be delayed if disclosure risks national security or public safety. Love this progress from the US government. MALWAREBYTES

Sponsor

NIST CSF Changes Are Coming - Are You Ready?

In January 2023, the National Institute of Standards and Technology (NIST) announced its intent to make new revisions to its NIST Cybersecurity Framework (CSF) document, with an emphasis on cyber defense inclusivity across all economic sectors.

Responding to industry requests on relevant issues, version 2.0 focuses on international collaboration, broadening the scope of industries that can use the CSF, and one entirely new Function. Download our handy ebook to review the updates — and their implications for your business — before they go live.

🇨🇳 Chinese APTs Infiltration 
Chinese hacking teams are burrowing deep into sensitive US infrastructure, aiming to establish permanent presences. Reports from Kaspersky and The New York Times reveal advanced spying tools and hidden malware used by these groups to threaten national security. ARSTECHNICA

HackerOne Restructuring 
HackerOne, a cybersecurity company, is reducing its team by approximately 12% due to economic challenges and underperforming new products. CEO Marten Mickos announced the decision, stating that severance packages will be offered to impacted employees. Interesting timing doing this right before HackerCamp. HACKERONE

Ivanti's Second Patch 
Ivanti has released a patch for another critical zero-day vulnerability that's currently being exploited. The vulnerability, listed as CVE-2023-35081, is being used in conjunction with another vulnerability we've previously discussed and has a CVSS score of 7.2. MALWAREBYTES

Sponsor

OPAL, Scalable Identity Security

Opal is designed to give teams the building blocks for identity-first security: view authorization paths, manage risk, and seamlessly apply intelligent policies built to grow with your organization.

🛡️ Opal is used by best-in-class security teams today, such as Blend, Databricks, Drata, Figma, Scale AI, and more. There is no one-size-fits-all when it comes to access, but they provide the foundation to scale least privilege the right way.

Top Exploited Vulnerabilities 
The Five Eyes cybersecurity authorities, in collaboration with CISA, the NSA, and the FBI, have released a list of the 12 most exploited vulnerabilities of 2022. These vulnerabilities were primarily in outdated software, with threat actors targeting unpatched, internet-facing systems. BLEEPINGCOMPUTER

Marijuana and Security Clearances 
The U.S. Senate has passed a defense bill that prevents intelligence agencies from denying security clearances based on past marijuana use. The provision, part of the National Defense Authorization Act, was approved despite previous opposition. MARIJUANAMOMENT

AI Gun Detection 
ZeroEyes is using AI to detect guns in public and private spaces, aiming to prevent shootings before they happen. The company's technology, which has been adopted by various institutions including the U.S. Department of Defense and public K-12 school districts, identifies illegally brandished guns and sends alerts to local staff and law enforcement within seconds. VENTUREBEAT

Worldcoin Suspended 
Worldcoin's registration process in Nairobi was halted due to security concerns as hundreds of people lined up to get free money. The large crowd was deemed a "security risk", leading to many being locked out of the process. BBC

TECHNOLOGY NEWS

Meta's AI Launch 
Meta is planning to launch AI-powered "personas" in its services, including Facebook and Instagram, as early as next month, offering users a new way to interact with its products. The chatbots will come with distinct personalities, like a surfer offering travel recommendations or a bot that speaks like Abraham Lincoln. Honestly excited to see this, which I’m not used to saying about anything Meta. THEVERGE

Generative AI Adoption 
Generative AI is becoming a common tool in many organizations, with a McKinsey report, based on a survey of 1,684 participants, finding that 79% had some exposure to generative AI, with 22% using it regularly for work. That seems very low and will definitely be low in 6 months. VENTUREBEAT

Drone Mail Revolution 
The UK's first drone mail service has kicked off in Orkney, aiming to revolutionize mail services in remote communities. Alex Brown, director of Skyports Drone Services, highlighted the benefits of this technology in terms of efficiency, timeliness, and reduction of emissions-producing vehicles. BBC

Musk's Twitter Rebrand 
Elon Musk is planning to rename Twitter to X, reminiscent of his failed attempt to rebrand PayPal in 2000. The move is part of Musk's ambition to transform the social media platform into a financial heavyweight, despite his previous unsuccessful venture with X.com, an early internet banking startup. He really wants the letter X to happen, and this might be the time. But only because all the Twitter competitors seem really bad. I am interested in seeing what he does with peer-to-peer payments. Remember, his goal is to create a China-like OneApp clone. THAT I’m excited about, but I’ve seen no signs of it thus far. THEVERGE

Superconductor Breakthroughs? 
A recent study suggests that LK-99, a compound of lead, copper, and phosphate, might be a room-temperature superconductor. The research, based on density-functional theory calculations, shows that the electronic structure of this compound could support flat-band superconductivity or a correlation-enhanced electron-phonon mechanism. I honestly can’t tell if this is bunk or not. Too early to say, I think. ARXIV | SOUTHEASTUNIVERSITY | ANDREWCOTE

AI Drive-Thrus 
White Castle is planning to roll out AI-enabled voices to over 100 drive-thrus by 2024, aiming to speed up service and reduce miscommunication. The technology, developed in collaboration with speech recognition company SoundHound, promises to process orders in just over a minute. THEVERGE

Chinese Internet Curfew 
China's latest bid to curb internet addiction among minors involves introducing a "minor mode" on devices, limiting access to content and usage based on the child's age. For instance, teens between 16 and 18 will be restricted to two hours of mobile usage each day, and all devices in "minor mode" will be barred from internet access between 10PM and 6AM. I’m a fan of any policy that makes smart Chinese people want to leave the country, and I also think this might greatly help the mental health of these kids. THEVERGE

GPT-5 Patent Filed 
OpenAI has filed a patent for GPT-5, covering a wide range of applications from language models to speech recognition and translation. The patent includes both downloadable software and Software as a Service (SaaS) offerings. Can’t. Wait. USPTO

Inworld AI's Funding 
Inworld AI, a startup that uses AI to create smart characters for games, has raised a new funding round at a $500 million valuation. The round, which is expected to close later this month, will total over $50 million and includes investors like Lightspeed Venture Partners, Stanford University, and Samsung Next. CRUNCHBASE

Game Mode in macOS Sonoma 
Apple's macOS Sonoma introduces a new feature called Game Mode, which automatically boosts a game's performance by giving it top CPU and GPU priority when launched. This feature is part of Apple's efforts to make Mac more appealing as a gaming device by improving game performance and reducing latency with wireless gaming and audio devices. MACWORLD

AI-Powered Malware 
HYAS Labs has developed a proof-of-concept for a new type of malware, EyeSpy, that uses artificial intelligence to autonomously choose targets, strategize attacks, and adapt its code in real-time. This "cognitive threat agent" represents a potential evolution in cyber warfare, capable of reasoning, learning, and adapting on its own. This is an early look at the future of automated attack. Super exciting. And scary of course. Those go together. HYAS

AI-Driven Drone 
Artificial intelligence software successfully piloted an XQ-58A Valkyrie drone in a test flight, marking a significant step forward in unmanned aircraft technology. The flight was the result of two years of work and a partnership with Skyborg Vanguard, aimed at creating unmanned fighter aircraft. OODALOOP

HUMAN NEWS

Wind Farm Development 
Scotland has cut down over 16 million trees to make way for wind farms. Feels like too many. Something about cutting noses and spiting faces. MSN

State Farm Exits California 
State Farm, the largest insurer in California, is pulling out of the state, no longer offering new coverage. This move is part of a larger trend of insurance companies retreating from areas prone to climate-related disasters. NYTIMES

Construction Labor Shortage 
The US construction industry is grappling with the highest level of unfilled job openings ever recorded, struggling to attract an estimated 546,000 additional workers in 2023 to meet labor demand. The industry averaged over 390,000 job openings per month in 2022, a record high, while its unemployment rate of 4.6% was the second lowest on record. CNBC

Cancer Pill Breakthrough 
City of Hope scientists have developed a promising new chemotherapy, AOH1996, that's shown to annihilate all solid tumors in preclinical research. The drug targets a cancerous variant of the protein PCNA, disrupting DNA replication and repair in cancer cells, while leaving healthy cells untouched. Incredible that so many tech innovations seem to be happening at once. I hope this pans out in a significant way. INNOVATIONORIGINS | SKYNEWS | EUREKALERT

American Life Expectancy 
Life expectancy in America is falling behind other rich countries, with areas like Hazard, Kentucky, being hit the hardest. A study by Jessica Ho of the University of Southern California found that from a fairly average position in 1980, by 2018 America had fallen to dead last on life expectancy among 18 high-income countries. ECONOMIST

Fitch Downgrades US Debt 
Fitch Ratings has downgraded the US's credit rating due to concerns over governance standards, particularly around fiscal and debt matters. The rating agency pointed out a "steady deterioration in standards of governance over the last 20 years," despite the recent bipartisan agreement to suspend the debt limit until 2025. BBC

Overdose Deaths Surge 
Drug deaths in the US reached a new high in 2022, with over 109,680 fatalities largely due to the ongoing fentanyl crisis. Preliminary data from the Centers for Disease Control and Prevention shows an increase of 21% in Washington state and Wyoming, while some states like Maryland and West Virginia saw a decrease in fatalities. OPB

Summer Covid Surge 
Covid-19 cases are on the rise again, marking an unwelcome summer tradition. Hospitalizations increased by 12 percent to over 8,000 across the US for the week ending July 22, the first weekly increase since the end of the federal Covid-19 public health emergency in May. WIRED

Seoul Stabbing Spree 
A violent attack near Seoul, South Korea has left at least 12 people injured, with the suspect using his car and a knife as weapons. This incident, occurring during rush hour in Seongnam, follows a similar stabbing in Seoul two weeks prior. OODALOOP

NOTES

We have our first UL product ready to demo this week! If you want to see what I’ve stealthily been working on for the last few months, ping me and we’ll plan a place to cross paths for a private demo!

IDEAS & ANALYSIS

Vision Before Execution
Bram Moolenaar died last week. He created Vim and has been running it ever since. It got me thinking about something that’s been rattling around in my brain for a while now, which is the power of headstrong, visionary founders. Bram was one. Jobs. Musk. And Bezos. What I think they all have in common—and bad companies lack—is a strong Philosopher King vibe.

I’m increasingly noticing that companies aren’t failing because they can’t execute. They’re failing because nobody agrees on what should be executed. They’re rudderless. Chaotic. Floundering. They’re full of overly ambitious and politically savvy leaders who have their own agendas, which means the company is not unified. Amazon crushed it because Bezos knew exactly what he wanted to build, and he built it. And he was VERY forceful about that direction and making sure people stayed on the path. Jobs was the same way. And so was Bram. One leader for the entire run of the project, basically.

Of course, I do think this vision is necessary but not sufficient. You can’t have vision with no execution. But in my opinion too many people have swung that pendulum too far towards execution in recent years. It’s very true that if you can’t execute, the vision doesn’t matter, but if you don’t have a vision then you execute in multiple directions simultaneously, or not at all. Personally, I’d rather be totally unified on a clear vision and not have the resources to execute yet than be a highly competent ball of political chaos.

Anyway, here’s to Philosopher Kings. Here’s to the people with a vision and personality strong enough to maintain commitment to an idea amongst a thousand opposing voices. And RIP Bram. You’ve done a great thing with your project, and with the charity it supports.

DISCOVERY

⚒️ Promptmap — A tool designed to automatically test prompt injection attacks on ChatGPT instances. It generates creative attack prompts tailored for the target, sends them to the ChatGPT instance, and determines the success of the attack based on the response. | by Utkusen | GITHUB

⚒️ OWASP Amass — OWASP Amass is a tool that performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. It's a staple in the asset reconnaissance field, constantly evolving and improving to adapt to new trends. | by OWASP | GITHUB

⚒️ Semgrep Rules Manager — A tool for managing third-party sources of Semgrep rules, simplifying the process of integrating and updating these rules in your projects. | by iosifache | GITHUB

⚒️ ReconFTW Framework — The ReconFTW framework, developed by @six2dez1, is a comprehensive package for subdomain finding and associated recon, offering a complete picture of an organization's subdomains and initiating cursory analysis. The framework automates the entire process of reconnaissance and can run automated vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers, and more. @six2dez1

Surprise Factor — When writing for the public, especially a stage talk, it's all about the surprise factor. The author argues that people only really learn when they're surprised, and advises to cut out everything that's not surprising. SIVERS

Vim's Abbreviations — Vim's "abbreviation" feature offers an effective way to automate tasks in insert mode, from basic use cases to more complex ones. The feature allows users to assign abbreviations with the command :ab[breviate] or :iabbrev for insert mode, and can be used in autocommands for file-specific abbreviations. VONHEIKEMEN

Run Every Day — Running one mile every day, consistently, can vastly improve your mental and physical well-being, according to Duarte, who's been doing it for about two years. He argues that it's not about the distance or pace, but about claiming back your time and prioritizing your health. DUARTEOCARMO

Stop Stopping at 90% — Austin Z. Henley discusses the common issue of stopping at 90% in projects, where the core project is complete but the final 10% of work, often involving evangelism, documentation, and polish, is neglected. Henley suggests activities such as presenting the work to other teams, broadcasting an email with the takeaways, and writing a blog post about it to truly finish a project. AUSTINHENLEY

Vim One-liners — Muhammad Raza shares his favorite vim one-liners that have significantly enhanced his vim workflow, making it more productive and efficient. These one-liners are used to edit files swiftly, saving precious time and offering unparalleled efficiency when it comes to editing text. MUHAMMADRAZA

AI Redirection — AI.com, previously redirecting to chat.openai.com, now points to x.ai, a separate company from X Corp. The two companies, however, will be working closely together. HACKERNEWS

Don't Be Clever — The author reflects on a past coding project, where he created an overly complex, abstract class called CRUDController for a startup's REST API. Despite its initial efficiency, the class became a "monster" as it grew more complex and time-consuming than simply copying code between controllers. STITCHER

Emotion Regulation in Men — Men often regulate their emotions through physical activities rather than verbal expression, according to a personal account and analysis on the Centre for Male Psychology. The author argues that this action-based emotional regulation is not a sign of low emotional intelligence, but rather a different approach to managing emotions, challenging theories that suggest men are emotionally handicapped. CENTREFORMALEPSYCHOLOGY

EDR Attack Explored — Reddit user N3mes1s has shared a detailed guide on how to attack an Endpoint Detection and Response (EDR) system. The post, which is part one of a series, provides a step-by-step breakdown of the process. RICARDOANCARANI

RECOMMENDATION OF THE WEEK

Make at least one of your walks per week a silent walk.

No tech. No music. No podcasts. No books. No conversations.

Just you and your thoughts. And ideally, just observations of your surroundings and your thoughts, as opposed to being hijacked by your thoughts.

Walk and observe. At least once a week.

APHORISM OF THE WEEK

I can't think of one great human being in the arts, or in history generally, who conformed, who succeeded, as education experts tell us children must succeed, with their peer group.

Madeleine L'Engle

We’ll see you next time,