- Unsupervised Learning
- Posts
- Unsupervised Learning Newsletter NO. 372
Unsupervised Learning Newsletter NO. 372
LastPass Employee Hack, State AI Propaganda, CrowdStrike’s Threat Report…
Welcome to Monday. Let's crush it this week!
MY WORK
How AI is Eating the Software World
In this essay, I describe a new architecture that I believe will replace much of our existing software, starting already. Covers GPT understanding, the SPA architecture, and gives examples of how existing software will transition. READ THE ESSAY
SECURITY NEWS
LastPass Engineer Hacked at Home
The LastPass thing keeps getting not-better. Turns out the way this all went down was by an employee getting hacked via their own computer. A keylogger was installed on their work computer through a vulnerability in a third-party media software package (which everyone is saying was Plex). From there they got access to the keys that let them read encrypted S3 buckets and pull data and backups. This is one of the most prominent cases of BYOD being such a critical part of modern defenses, and I have already seen companies steer their budgets as a result of the report. MORE
China Fielding AI Propaganda Newscasters
China appears to be fielding AI newscasters to spread pro-China propaganda. It's one of the first instances of state-sponsored propaganda channels using AI.
MORE
🔎 Crowdstrike Global Threat Report 2023 Analysis
Crowdstrike just released its 2023 Threat Report, and I like to look at these reports and pull out nuggets. Here's what stood out for me:
They're now tracking 33 new adversaries, bringing the total to over 200
Most are out of Eastern Europe and Russia, but there are new active regions, including Syria
Average breakout time for interactive eCrime dropped from 98 to 84 minutes
Access Broker advertisements increased 112% compared to last year
Cred stuffing and vulns/exploits took ground from malware use for initial access
This is partially because the gap between vulnerability and exploit narrowed for many bugs
Multiple Russian attacker groups, including Fancy Bear, Ember Bear, and others have been assisting Russian efforts in Ukraine (defacement, wiper malware, DDoS)
China-nexus adversaries are the most active targeted intrustion groups
They hit nearly all 39 global industry sectors across 20 geographic regions
China-nexus attackers go after European and US-based targets about 25% of the time
Crowdstrike believes that attacks on entities near China are part of ongoing intelligence gathering missions
Overall analysis: I thought the report had a lot in it, but it wasn't as easy to consume as the DBIR. I feel like they could do a better job of information density using visual, and listing all their products at the end of the report also stole a bit of the report's legitimacy. Still solid. 8/10. READ THE FULL REPORT | THREAT ACTOR ANIMAL NAMES
Sponsor
Adaptive and Crowdsourced IPS with CrowdSec
CrowdSec works by unifying Blue Team and Security Operations visibility to help defenders see and block malicious activity. It's like a spider's web that detects problems in one place and can block that threat for participating systems anywhere in the world.
Cybercriminals need IP addresses to mask their locations. By linking intelligence across all protected systems, CrowdSec burns a resource precious to attacker operations.
Get started now to analyze visitor behavior for malicious activity and remediate various attacks such as brute force, scans, scraping, scalping, and more…
crowdsec.net/unsupervisedlearning
News Corp Hack
News Corp says they had someone in their network for 23 months, and that they stole private information and documents from the company. MORE
BetterHelp Sharing
The FTC went after BetterHelp for sharing users' sensitive data that it promised not to share. They're paying out $7.8 million to customers as part of the settlement. MORE
Chick-fil-A Compromised
As we predicted, Chick-fil-A has now said over 71,000 accounts were breached over multiple months using credential stuffing attacks. Attackers used their access to steal data and rewards points. They then sold the data for $2 - $200 dollars based on how many points they had. MORE
Robots as Office Security Guards
Sensor-laden and AI-powered robots are becoming more popular choices for security guards in various settings. Offices, buildings, malls, etc. I think they're great as remote sensors, but they're going to be extremely easy to evade and/or bypass until they're so smart and fast that they're scary. The Black Mirror episodes showed us why this is something we should be careful with. MORE
Secure Your Home Office, NSA Style
The NSA has released best practices for working from home. Here's what they said to do:
- Keep software updated, including Windows and web browser
- Update router and change default password
- Use a password manager and two-factor authentication
- Separate work and personal activities
- Use a VPN for work connections
MORE | THE NSA RECOMMENDATION PDF
Older Men Kidnapped in Brazil
Men from 30 to 51 are being targeted in Brazil via dating apps. They're being asked to meet in non-public places with women much younger and more atttractive than them, and then they're being robbed and/or "lightning" kidnapped. Police stats show that this currently makes up 90% of kidnappings in São Paulo in the last year. MORE
Sponsor
You've Got Assets? We've Got Answers
JupiterOne collects more asset data than any other provider, and shows you the relationships between those assets in seconds. It's not just about connectors and data; it's about the types of questions you can ask to get the relevant answers for your security program.
We go beyond endpoints, IP addresses, users, and devices, and ingest data from CSPs, SaaS apps, code repos, IAM policies, security controls, vulnerability findings, and more. This enables you to ask questions like: "What internet-facing applications are running systems affected by log4j, and who owns those systems?"
It's not just about collecting your data. You have to be able to ask it complex and real-world questions.
TECHNOLOGY NEWS
OpenAI Launches APIs
OpenAI launched their ChatGPT and Whisper APIs last week which is going to massively invigorate the AI-based startups and use cases we've been seeing for months. Once we get the ability to train our own massive models, using all our documentation, all our code, all our Slack messages, etc.—that's when things are going to go crazy. In the meantime I'd love an app that listens to non-English being said around me and tells me what it's saying in my ear. MORE
TikTok Usage Controls
TikTok is introducing new well-being features, including a screen time control for kids that stops them from continuing after 60 minutes unless they enter a code. This is all to try to stop the anti-TikTok legislation in the US, but I'm not sure it's going to be enough. One thing I do know, though, is that if TikTok really does get pulled it's going to be like when Ben Kenobi had to sit down in the first Star Wars. "…it's as if millions of voices suddenly cried out in terror and were suddenly silenced". MORE
Elon Cut Tesla Prices Again
Tesla cut prices again, ranging from ~5% to ~10% discounts on various high and low-end models. MORE
Tesla's Investor Day
Elon outlined the company's future at its annual investor day event, but didn't release any new vehicles. Here's what he outlined:
Build a sustainable energy economy costing $10 trillion
Make vehicle assembly cost 50% less
Cybertruck to start shipping in 2023
Build a fleet of robots to do human labor
Its next Gigafactory will be in Mexico
MORE
HUMAN NEWS
The Peptide Movement
There's evidently a bridge now between supplements and steroids for people looking to gain muscle and drop fat. They're called Peptides, and you can either inject them or get them via nasal spray, etc. I'm not an expert on them yet, but people are saying (including Andrew Huberman otherwise I wouldn't be taking it that seriously) they give a lot of the benefits of steroids without the downsides. Those are nice words, but I want to do a lot more research. Any of you have an experience with them? MORE | DISCUSS IN OUR COMMUNITY
Vaccine Makers Prepping for Bird Flu
A team at the University of Pennsylvania is developing an mRNA flu vaccine designed to provide protection against multiple subtypes of the virus, potentially limiting disease and death caused by new pandemic strains. Bird flu strains have killed millions of birds recently, which played a major role in recent egg price spikes. Plus multiple strains have moved from birds to other types of animals, including seals, sea lions, and dolphins. The number of humans that have been infected in recent years is fairly low, and human-to-human transmission is currently difficult, but the mortality rate is around 56% when it happens. MORE
The US Housing Market Dropped by $2.3 Trillion
We just saw the biggest drop in the housing market since 2008. The big losers are San Francisco and New York, and Miami has done very well from migration to Florida. MORE
Jobless Men and Divorce
A man's work status is a major predictor of divorce. In a recent study at Harvard, men without full-time jobs were 33% more likely to divorce than men who had full employment. MORE
IDEAS & ANALYSIS
What If AI Makes Everyone More Productive?
I've been talking for over 7 years about how AI is coming, and how it's going to massively disrupt human work. Many people have been saying this for a long time. There's also a counter-argument that it'll create more jobs as well, which I've always believed. My main issue has been the K-shaped recovery idea, where benefits and recoveries affect the top and bottom groups in dramatically different ways. Basically the top thrives and the bottom suffers. And people tend to be pulling toward one or the other rather than hovering in the middle.
Well what if something's possible that's far more spectacular? What if AI could be turned into a tool that lifts the bottom? What if a company like OpenAI, in conjunction with massive government funding, could create like an augmentation platform that helps people with education, transit, childcare, and even basic decision-making? What if it could effectively make some percentage of the bottom of the economy…more productive?
The Primary Conservative vs. Liberal Disconnect?
For a long time the main disconnect between Liberals and Democrats was considered to be how much they embrace change and tolerate inequity. Those still seem like decent metrics, but some new research by Nick Kerry suggests that the clearer measure is the belief that the world is fundamentally hierarchical. What I like about this definition is that it more elegantly explains the previous definition.
Basically, if you believe that's how the world works, and that it's largely inalterable, you'll be less willing to spend money trying to change it. Another way to frame this is pliability. How much can people change, vs. how much are they locked in by genetics and early environment? The more you believe people basically are what they are, the more it seems you'd lean conservative in this model. And the more you believe people are malleable and can become anything, if the conditions were just better, the more you'd lead liberal. Perhaps this is why people become more conservative over time? Because they repeatedly see how people don't usually change in major ways? This is kind of blowing my mind.
I think this might be a super powerful model (overly simple to be sure) of what makes someone conservative or liberal. And what's so personally interesting for me is how much I've always been in the "change" camp. Like, radically. So perhaps my slow move towards the center Left over the years hasn't just been from age, or from the nasty politics of the last decade, but from all the reading I've done about how people are mostly the way they are, and that there is rarely major movements in capabilities or character (unless it's via the removal of trauma that was suppressing innate talent). I'm impressed with this model. What about you? Does it resonate with you and your experience? MORE | DISCUSS IN OUR COMMUNITY | JOIN UL
A Disturbing Thought on Equality
Flowing naturally from the previous thought, I'm still struck by an observation that Scott Galloway has been making lately. He keeps talking about how the top 5% of men in terms of income and other measures are getting all the attention from women on dating apps. He says everyone keeps freaking out about this like it's new, but it's actually a return to the norm. For most of history you basically had poor people and rich people, and the rich men had their pick of most women. This reminds me of Piketty's analysis of inequality measured by things like the GINI coefficient. His massive book on the topic talked about how it basically runs in cycles. You basically have a return to massive inequality, and then you have a traumatic event like war, famine, pandemic, etc. that equalizes things. But only temporarily.
In the US the early 1900's were massively unequal. Then the wars happened and we got the GI Bill and a bunch of social programs, and that all created the middle class. But in this model, the middle class isn't natural. It's an artificial construct invented by humans. This is really powerful because it ties in with the analysis of change above. If you're liberal, you believe that you just need to give some opportunity, and level the field, and everyone will reach similar heights. Hence, GI Bill and social programs. If you're conservative you might think some of that is ok, but you can only help so much before you're just wasting money on people who don't want or aren't capable of benefiting from the help.
I believe there's a Pokémon Evolved Form that merges, or goes beyond, those two models. I believe the conservatives are right that there are vast differences in peoples' individual capabilities, and so we should expect to see similar differences in outcomes. But I'm aggressively liberal because I don't think conservatives are doing the work to tell the difference between trauma, generational disadvantage, and natural capabilities. In other words, I think too many Conservatives look at a failing person, or a failing group, and say, "See? That proves they're not capable. That's why they don't deserve nice things." Whereas when I see someone fail I wonder how much of it is a capability issue vs. a trauma issue. And I believe it's the job of civilization, and the people, and government to tease that out. It's our job to remove the disadvantages of bad luck, historical deck-stacking, and institutional biases so that people can reach their full potentials. And I also believe that those who end up on the bottom after all that, still deserve a good life. They're not throw-away people. No one is. Anyway, fascinating ideas. DISCUSS IN OUR COMMUNITY | JOIN UL
NOTES
Building a Web of APIs
I'm currently hacking on a massive combination of APIs and command-line utilities that allow me to continuously answer questions I care about, or execute commands I need done. Examples:
Pull a webpage
Extract the content from it
Summarize it
Find all the people mentioned in it
Do research on their social profiles
Write short bios for all of them
Find all companies associated with a domain
Find all their domains
Get all their subdomains
Find all open ports on associated hostnames and networks
Find vulnerabilities in their websites
Auto-submit bounty reports for those vulnerabilities, including a proper POC
This is like 3% of my running list of things to build, so goddamn exciting!
Then, on the command line, I can run clean little two to three-letter commands that take dev/stdin, send up to one of these APIs, and gets the output. And I can then pipe that output to /dev/stdin on the other APIs. This is what HELIOS has been doing for years already in the Attack Surface space, but this is now bigger than ASM. Plus it's doing it via APIs rather than locally. Plus there's now AI in the DNA. Real AI. Ultimately this is more like a continuous question/command infrastructure (CQCI?). That's how I think about it. I already have multiple endpoints up and running and providing value, and I'll start doing subscriptions to them soon. Let me know if you know anyone with any interest. DISCUSS IN OUR COMMUNITY | JOIN UL
Should I Play The Last of Us?
I'm loving The Last of Us on HBO, like everyone else, and I was thinking about playing the first game. But I'm hearing it's actually pretty scary when you're fighting clickers and such, especially on a good surround system. Any advice?
DISCOVERY
⚒️ waymore — Download the live and archived responses for URLs on wayback machine so that you can then search these for even more links, developer comments, extra parameters, etc. MORE | by XNL-h4ck3r
⚒️ bbot — An OSINT tool from Black Lantern Security that models off of Spiderfoot. MORE
📢 [Sponsor] — Can you answer complex questions about what assets you have, which are facing the internet, and who owns those systems so you can get them fixed if there's a new vulnerability? If not, you should look at JupiterOne. It's like a unified question-answering platform powered by your own assets. LEARN MORE
The companies competing with OpenAI on AI. MORE
CypherCon 2023 — The Wisconsin Hacker Conference you’ve been looking for. 75 Speakers covering Red Team, Blue Team, Executives, and 101 Tracks! Now better than ever. The conference founder is a UL member and if you use the code UL to sign up you get in for free! MORE
RECOMMENDATION OF THE WEEK
Know Your About
Imagine yourself like a business and you need an about page. Not in the sense of wanting to make money, but in the sense of wanting to have a mission and have your actions be aligned with that mission. What's your mission? What are your goals? What are your KPIs that tell you if you're doing well or not? And what are your projects you're working on to improve?
Capture these things for yourself. Use it kind of like a journal, except it's ever-green content that you update as you learn or grow. Just the process of writing these things down will bring tremendous clarity to your life. Or anxiety, if you realize you don't have any idea what to write.
Know your about.
APHORISM OF THE WEEK
"The soul is dyed in the color of its own thoughts."
Heraclitus