• Unsupervised Learning
  • Posts
  • UL NO. 415: It's Raining 9+ CVEs, 40% Job Loss from AI, Invisible Prompt Injection…

UL NO. 415: It's Raining 9+ CVEs, 40% Job Loss from AI, Invisible Prompt Injection…

Taiwan chooses democracy, 10,000 hours debunked, Data/Display/AI/AR, and much more…

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news—but why it matters, and how to respond.

✍️ ERRATA: Last week I wrote about plagiarism that I am not happy with. Basically, I implied that the president of Harvard did plagiarism that was real and significant (and confirmed), and that Neri Oxman did not. I think that was a pretty safe bet for the Harvard president because Harvard did an investigation and confirmed it. But after thinking more about this, I think it’s completely the wrong framing. What Mrs. Gay did looks to have “technically” been plagiarism, and Harvard obviously agrees, but I think the problem is that we need to disambiguate between sloppiness and stealing ideas. As an example, Both Gay and Oxman are considered to have plagiarized for using descriptions of a thing from someone else. Like definitions of things. And not like creative, innovative definitions. It was just helper language to make actual points. To not cite or reference in that case might be frowned upon, and it might be considered sloppy, but it’s not stealing ideas. Plagiarism should only refer to stealing ideas. That’s how I assumed it was being used, and what I assumed these two women were being accused of. As far as I can tell, neither women did it, and the entire thing is a witchhunt based on silly definitions that need to be revised. Anyway, the point is that me saying Gay plagiarized and Oxman did not was weak sauce, and I intend to do better in the future.

✍️ ERRATA: The cool robot I talked about last week was from Stanford, not Deepmind. Some coverage referred to it as a Deepmind project and that spread as truth, but the laptop in the demo had a Stanford logo and I should have caught that. Do better, Daniel.

TOC

INTRO

Hey there!

Happy short week (at least in the US). A few quick updates:

  • 📹The episode of me going on Dave Bombal’s podcast just came out! I talked all about AI and how to integrate it with your life. Think of it like a teaser for the AUGMENTED class with a lot more production and a lot less content. Still a great view into the ideas, and with a number of demos!

Insights into my AI personal AI ecosystem from the David Bombal show

  • 🏫 I did the first run of my AUGMENTED AI course this weekend and it was phenomenal. Super fun. People absolutely LOVED the content which was so rewarding, and the chat itself was its own feature. That’s to be expected I guess when you have a couple hundred of the hungriest and sharpest people in one place. Tremendous fun, and I learned a lot, so the next one will be even better!

  • 🎒 Just went on my first walk with my new GO RUCK rucksack. Pretty cool that I can put 60lbs. in it and maintain an 11:30 minute mile with only a 92 BPM. Even jogged a bit and powerwalked and it still stayed below 110 when going at an 11 minute pace. I always loved rucking in the Army, and I think I’ve found a lifelong favorite exercise. Walking, listening to books, and doing it at a higher BPM due to added weight. All in the name of increasing VO2Max!

  • ⚙️ Unbelievably hyped about this open-source project I’m getting ready to announce! It’s going to be so epic. The hint: “upgrading humanity”.

Also, I’ve been spending silly amounts of time upgrading my Vim configs and skills in the last few weeks. Like I’m still watching 10+ hours of Vim stuff a week, even after redoing my main configs for 2024.

After having put in all this work, I really wish I could edit in Beehiiv using Vim commands. Of course I could just write Markdown in Vim and bring it over, but I want both things: the Beehiiv content objects, and Vim power—all in one. If anyone has any thoughts, let me know.

Anyway, let’s jump in…

MY WORK

SECURITY

⚠️ Attackers found a way to bypass MFA and gain persistent access to Google accounts by stealing and extending the life of authentication cookies. What people often miss about cookie stealing is that it’s a complete auth bypass. It’s what you get after you authenticate with MFA! So if you steal cookies (properly), both your password and your MFA security are compromised for those sessions. This attack extended the lifespan of stolen cookies, which is super nasty. MORE

The NSA is leveraging AI to spot elusive Chinese cyberattacks on U.S. infrastructure that traditional security measures might miss. Rob Joyce, NSA Cybersecurity Directorate's director, highlighted AI's role in identifying subtle, 'living off the land' tactics used by Chinese hackers to infiltrate systems without deploying malware. MORE

💡To me this NSA story highlights that in both offensive and defensive security use cases, the main advantage of AI will not be its exceptional (superhuman) capabilities, but rather the ability to apply pretty-good-intern or moderate-SME level expertise to billions more analysis points than before. In large companies or government/military applications, we often don’t need AGI. What we need is 10, 100, or 100,000 extra interns.

📄NIST put out a Taxonomy and Terminology paper for attacks against AI. TELOS is the name of UL’s internal AI system I’m building, and here’s its breakdown of the report:

A Micro-summarization of the full NIST report

My buddy Joseph Thacker has been doing a deepdive on a new “invisible prompt injection” technique against LLMs. The technique involves inserting hidden commands into AI prompts, which can lead to unexpected and potentially harmful outcomes. I’ve not looked deeply at this yet, but Joseph has, and he’s awesome. Check it out. MORE

Sponsor

Advanced Container Security Best Practices (Cheat Sheet)

Want to uplevel your container security strategy? This cheat sheet explores advanced techniques that you can put into action ASAP. Use this resource as a quick reference to ensure you have the proper benchmarks in place to secure your container environments.

What's included in this 9-page cheat sheet?

  • Actionable best practices w/ code examples + diagrams

  • List of the top open-source tools for each best practice

  • Environment-specific best practices

Vulnerabilities

Holy crap with the 9.5+ vulns recently.

🚨Confluence RCE Alert — Atlassian warns of a critical RCE flaw in older Confluence versions. | CRITICAL | CVE-2023-22527 | CVSS Score: 10.0 MORE

🚨GitLab Account Hijack Risk — GitLab warns of a zero-click flaw that could let attackers take over accounts. | CRITICAL | CVE-2023-7028 | CVSS Score: 10 MORE

🚨Critical Juniper Flaw — Juniper Networks is patching a severe RCE vulnerability in its firewalls and switches. | CRITICAL | CVE-2024-21591 | CVSS Score: 9.8 MORE

🚨SonicWall Vulnerability Alert — Over 178,000 SonicWall firewalls Update firewalls have DoS and RCE potential due to a number of vulnerabilities. | CRITICAL | CVE-2022-22274, CVSS Score: 9.4 MORE

👇One of the more exciting vendors in threat intelligence I’ve seen in a while!

Sponsor

Get Ahead of Threats: Continuous Threat Exposure Management

Flare automates monitoring & remediation across the clear & dark web to detect high-risk exposure before threat actors have a chance to leverage it.

Get actionable intelligence that cuts through the noise of data from public GitHub repositories, infected device markets, illicit Telegram channels, etc. Integrating into your program in 30 minutes, the platform empowers practitioners of all levels.

TECHNOLOGY

It’s the beginning of 2024 and lots of tech companies are still cutting jobs. I have my own theories about why this is happening but I worry that I see everything through my own lenses and try to fit the data to my internal narrative, so I’ll hold off for now. Plus it’s no-doubt multiple things happening at once.

💡Ok, lol, I’ll tell you what the narrative is, and it’s one I’ve shared before. It’s basically the Alaskan Fishing Boat effect. But there was also overhiring in the pandemic, and lots of stuff happening in the economy that nobody understands, so I am hesitant to say how much of the effect is a general corporate change of perspective on employees. I definitely think it’s a factor, though. Basically, a swinging of the pendulum away from “we’re so lucky to have you” to “you work for us and we’ll get rid of you if you’re not amazing.”

Cybersecurity companies saw more deals in 2023 but pulled in 40% less cash than the year before. While the number of funding rounds jumped to 346 from 303, the total raised was just $8.7 billion, down from $14.5 billion in 2022. MORE 

💡My favorite resource for this analysis is my friend Mike Privette’s Return on Security. He’s like the Nate Silver of Cybersecurity Market Intelligence. GET IT

YouTube is completely crushing it on podcast adoption, and it’s adding RSS functionality to get even more. 28% of weekly podcast listeners prefer YouTube for their podcast listening, outpacing Spotify and Apple Podcasts combined. Super surprising to me, but I do find myself using it more as well. Side note, I think Spotify is screwed. Between YouTube and Apple I don’t think they have anything unique. MORE

HUMANS

👀 The IMF is warning that AI could affect 40% of jobs, intensifying inequality. Interestingly they say it’ll have less impact in less advanced countries, which I guess makes sense given that the major attack surface is knowledge work. MORE | THE IMF REPORT

Taiwan’s election went in favor of independence from China. Woohoo! This is great for the West, but bad for local security tensions. MORE

NASA wants to send swarms of tiny probes to Proxima Centauri using laser propulsion. The Swarming Proxima Centauri project, a collaboration between Space Initiatives Inc. and the Initiative for Interstellar Studies, aims to propel gram-scale probes to a significant fraction of light speed with a 100-gigawatt laser, potentially reaching our nearest stellar neighbor by 2075. MORE

Another study has challenged the idea that 10,000 hours of study is all you need to become a top-level expert. Essentially it found that practice matters, but at the highest levels it’s more about natural talent. But we knew that already, didn’t we? MORE

The top 10% of U.S. households now hold a staggering 93% of the country's stock market wealth. MORE

A recent poll shows a majority of Americans believe in entities like aliens, ghosts, and the devil. The survey found 56.9% believe in aliens, 61.4% in ghosts, and 70.3% in the devil, with belief in God at 85.4%. MORE

IDEAS & ANALYSIS

DA + Data + Display = AR

From AI’s Predictable Path

One of the things I’m most interested in with AI is actually AR. What does AI have to do with AR? Easy. It is a natural output of the combination of:

  1. Data being available about a thing, from whatever source

  2. A display of some sort that can show you the data overlaid on reality

  3. An AI that can decide how and what to display given the context

Let’s look at some examples:

  • The temperature of stuff, in a kitchen

  • The battery charge levels, in a house

  • The last time since someone’s eaten, on a human

  • Speed, on a car

  • Expiring food, on a refrigerator

  • Danger level, on a street or intersection, or market, or map

This will be one of the biggest tech upgrades to human life, and it rhymes a lot with metaverse. But really it just requires these individual pieces to get far enough, and then to start working together.

The data needs to be available. We need the screens/lenses/projectors. And we need the AI to collect and display the data for a particular user/audience based on context.

Managing My Personal Sloppiness Level
The biggest weakness of my writing going back to 1999 has been too much sloppiness and not enough vigor. Well, “enough” is not the right word, as we’ll see below.

The least important level of sloppiness is just spelling and grammar, but more problematic levels are not calling out previous work when I release something new, waiting to release the best version of an idea instead of just being exciting and releasing an early version, not creating a list of opposing viewpoints, or supplemental reading. These are all things that I wish I could do (and soon will be able to do because of AI!).

I’ve always believed I had the right balance, and I still think I do. And here’s why: The Ideas Are What Matter. I’d rather put out a million different ideas and have people thinking about them, coming up with their own, and thus contributing to total creativity—than to go slower with a lot of vigor.

To be clear, I would rather be someone who could do both. But if I have to choose, I choose the quality of the ideas vs. the quality of the presentation—at least for the mass volume day-to-day. For big ones, like my recent post, or a book, I think it’s better to go more towards rigor.

Basically, ideas generate ideas, and I don’t want to slow that down for anything! There’s a limit to that, though. Let’s make up a number. Let’s call it 9%.

9% slop at ludicrous idea speed!

That’s been my preferred setting for most of my writing career, and it’s resulted in my current situation. I wouldn’t have it any other way, other than a way in which my discipline didn’t slow me down. I wish I were that guy, but I’m not. When an idea comes, I have to get it out there. I don’t have a writing staff. I don’t have a team of writers. It’s just me. Always has been.

I think most people need to increase their slop. Ideas matter more than perfection. But some people are both sloppy and don’t have many ideas, which is a bad combo. Like I’m willing to read a mess (like this mini-essay for example), if it has something in it. But I’m not getting meat from it, all the spelling and grammar issues magnify in my mind.

Anyway, the point of mentioning all this is that AI is coming. AI will clean up your ideas anyway. AI can help you write faster and better.

So focus on your ideas! Don’t go full-slop, of course, but open up the engine a bit. Increase your slop. I think it’s better to be known for being thoughtful and kind and helpful, but a bit rough around the edges, than to be known for being perfect but without original creativity or ideas.

And most importantly, it’ll be considered a major regret if you could have had all that content out there, which helped you think and interact with people, but you didn’t do it because you couldn’t be rigorous enough. I’m looking at you, my European friends!

Ideas. Creativity. Think. Write. Share. Put it out there. Being perfect is getting less important, not more. Not only because the ideas are mattering more, but because AI can help us make anything perfect.

Get after it.

NOTES

It’s often hard to know when to leave something in the Ideas section vs. making it a full post. I should move those over at some point. But to the point of the essay above, get the idea captured first, then worry about optimization!

The moment Trump left office I told everyone, and stated publicly, that he’d be back and stronger than ever. Everyone told me I was crazy. Well, he just crushed Iowa without even trying. And that’s a state he didn’t even win in 2020. I’m going to do a longer piece on how I think his rise is simpler than it appears.

DISCOVERY

A Collection of Postmortems MORE

🐍 SSH-Snake — A tool for automated, fileless SSH network traversal that self-propagates and replicates. | by MegaManSec | MORE

🛠️ jqfmt — A tool that formats jq scripts similarly to how gofmt formats Go code. | by noperator | MORE

What Happened in the Cybersecurity Market in 2023 | by Mike Privette | MORE

🔍 awsScrape — A tool for scraping AWS IP ranges to find specific keywords in SSL certificates. | by jhaddix | MORE

🌌 Stellarium — Real-time sky rendering for astronomy enthusiasts. | by StellariumDev | MORE

📂 oil.nvim — A Neovim plugin that lets you manage files directly within the editor, streamlining your workflow. | by stevearc | MORE

🛡️ LLM-Powered Security Tool — Use AI to prioritize and fix vulnerabilities with NIST and CISA data.| MORE

🐰 Rabbit R1 — Teenage Engineering's latest creation is a sleek, tech-forward device. Probably the most hyped thing coming out of CES. | MORE

📖 'Meditations' Modernized — A new video translates Marcus Aurelius's Stoicism into today's language.| MORE

🤩How Discord Serves 15M Users on One Server MORE

The Seneca Effect suggests that while growth takes time, collapse can happen swiftly. MORE

🔥Terminal Smooth Scrolling. Yummy. Already added to my config. MORE

Feynman talks about how he got burned out and ended up getting his Nobel prize because he found a way to make physics fun again. MORE

Optimal Fraud Level MORE

RECOMMENDATION OF THE WEEK

Check out my appearance on David Bombal’s podcast. It’s the best video form illustration of what I’ve been working on for the last year. WATCH IT

APHORISM OF THE WEEK

The only way to make sense out of change is to plunge into it, move with it, and join the dance.

Allan Watts

Thank you for reading.

UL is a personal and strange combination of security, tech, AI, and lots of deeply human content. And because it’s so diverse, it’s harder for it to go as viral as something more niche.

So if you know someone weird like us, please share it with them. 🫶 

Yours,