UL NO. 415: It's Raining 9+ CVEs, 40% Job Loss from AI, Invisible Prompt Injection…

👉 Continue reading online to avoid the email cutoff issue 👈

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news—but why it matters, and how to respond.

TOC

• INTRO

• MY WORK

• SECURITY

• TECHNOLOGY

• HUMANS

• IDEAS & ANALYSIS

• NOTES

• DISCOVERY

• RECOMMENDATION OF THE WEEK

• APHORISM OF THE WEEK

INTRO

Hey there!

Happy short week (at least in the US). A few quick updates:

• 📹The episode of me going on Dave Bombal’s podcast just came out! I talked all about AI and how to integrate it with your life. Think of it like a teaser for the AUGMENTED class with a lot more production and a lot less content. Still a great view into the ideas, and with a number of demos!

• 🏫 I did the first run of my AUGMENTED AI course this weekend and it was phenomenal. Super fun. People absolutely LOVED the content which was so rewarding, and the chat itself was its own feature. That’s to be expected I guess when you have a couple hundred of the hungriest and sharpest people in one place. Tremendous fun, and I learned a lot, so the next one will be even better!

• 🎒 Just went on my first walk with my new GO RUCK rucksack. Pretty cool that I can put 60lbs. in it and maintain an 11:30 minute mile with only a 92 BPM. Even jogged a bit and powerwalked and it still stayed below 110 when going at an 11 minute pace. I always loved rucking in the Army, and I think I’ve found a lifelong favorite exercise. Walking, listening to books, and doing it at a higher BPM due to added weight. All in the name of increasing VO2Max!

• ⚙️ Unbelievably hyped about this open-source project I’m getting ready to announce! It’s going to be so epic. The hint: “upgrading humanity”.

Also, I’ve been spending silly amounts of time upgrading my Vim configs and skills in the last few weeks. Like I’m still watching 10+ hours of Vim stuff a week, even after redoing my main configs for 2024.

After having put in all this work, I really wish I could edit in Beehiiv using Vim commands. Of course I could just write Markdown in Vim and bring it over, but I want both things: the Beehiiv content objects, and Vim power—all in one. If anyone has any thoughts, let me know.

Anyway, let’s jump in…

MY WORK

SECURITY

⚠️ Attackers found a way to bypass MFA and gain persistent access to Google accounts by stealing and extending the life of authentication cookies. What people often miss about cookie stealing is that it’s a complete auth bypass. It’s what you get after you authenticate with MFA! So if you steal cookies (properly), both your password and your MFA security are compromised for those sessions. This attack extended the lifespan of stolen cookies, which is super nasty. MORE

The NSA is leveraging AI to spot elusive Chinese cyberattacks on U.S. infrastructure that traditional security measures might miss. Rob Joyce, NSA Cybersecurity Directorate's director, highlighted AI's role in identifying subtle, 'living off the land' tactics used by Chinese hackers to infiltrate systems without deploying malware. MORE

📄NIST put out a Taxonomy and Terminology paper for attacks against AI. TELOS is the name of UL’s internal AI system I’m building, and here’s its breakdown of the report:

MORE | DIRECT PDF REPORT LINK

My buddy Joseph Thacker has been doing a deepdive on a new “invisible prompt injection” technique against LLMs. The technique involves inserting hidden commands into AI prompts, which can lead to unexpected and potentially harmful outcomes. I’ve not looked deeply at this yet, but Joseph has, and he’s awesome. Check it out. MORE

Vulnerabilities

Holy crap with the 9.5+ vulns recently.

🚨Confluence RCE Alert — Atlassian warns of a critical RCE flaw in older Confluence versions. | CRITICAL | CVE-2023-22527 | CVSS Score: 10.0 MORE

🚨GitLab Account Hijack Risk — GitLab warns of a zero-click flaw that could let attackers take over accounts. | CRITICAL | CVE-2023-7028 | CVSS Score: 10 MORE

🚨Critical Juniper Flaw — Juniper Networks is patching a severe RCE vulnerability in its firewalls and switches. | CRITICAL | CVE-2024-21591 | CVSS Score: 9.8 MORE

🚨SonicWall Vulnerability Alert — Over 178,000 SonicWall firewalls Update firewalls have DoS and RCE potential due to a number of vulnerabilities. | CRITICAL | CVE-2022-22274, CVSS Score: 9.4 MORE

👇One of the more exciting vendors in threat intelligence I’ve seen in a while!

👉 Continue reading online to avoid the email cutoff issue 👈

TECHNOLOGY

It’s the beginning of 2024 and lots of tech companies are still cutting jobs. I have my own theories about why this is happening but I worry that I see everything through my own lenses and try to fit the data to my internal narrative, so I’ll hold off for now. Plus it’s no-doubt multiple things happening at once.

• Unity MORE

• Twitch MORE

• Discord MORE

• Google MORE

• Cloudflare MORE

Cybersecurity companies saw more deals in 2023 but pulled in 40% less cash than the year before. While the number of funding rounds jumped to 346 from 303, the total raised was just $8.7 billion, down from $14.5 billion in 2022. MORE 

YouTube is completely crushing it on podcast adoption, and it’s adding RSS functionality to get even more. 28% of weekly podcast listeners prefer YouTube for their podcast listening, outpacing Spotify and Apple Podcasts combined. Super surprising to me, but I do find myself using it more as well. Side note, I think Spotify is screwed. Between YouTube and Apple I don’t think they have anything unique. MORE

HUMANS

👀 The IMF is warning that AI could affect 40% of jobs, intensifying inequality. Interestingly they say it’ll have less impact in less advanced countries, which I guess makes sense given that the major attack surface is knowledge work. MORE | THE IMF REPORT

Taiwan’s election went in favor of independence from China. Woohoo! This is great for the West, but bad for local security tensions. MORE

NASA wants to send swarms of tiny probes to Proxima Centauri using laser propulsion. The Swarming Proxima Centauri project, a collaboration between Space Initiatives Inc. and the Initiative for Interstellar Studies, aims to propel gram-scale probes to a significant fraction of light speed with a 100-gigawatt laser, potentially reaching our nearest stellar neighbor by 2075. MORE

Another study has challenged the idea that 10,000 hours of study is all you need to become a top-level expert. Essentially it found that practice matters, but at the highest levels it’s more about natural talent. But we knew that already, didn’t we? MORE

The top 10% of U.S. households now hold a staggering 93% of the country's stock market wealth. MORE

A recent poll shows a majority of Americans believe in entities like aliens, ghosts, and the devil. The survey found 56.9% believe in aliens, 61.4% in ghosts, and 70.3% in the devil, with belief in God at 85.4%. MORE

👉 Continue reading online to avoid the email cutoff issue 👈

IDEAS & ANALYSIS

DA + Data + Display = AR

One of the things I’m most interested in with AI is actually AR. What does AI have to do with AR? Easy. It is a natural output of the combination of:

1. Data being available about a thing, from whatever source

2. A display of some sort that can show you the data overlaid on reality

3. An AI that can decide how and what to display given the context

Let’s look at some examples:

• The temperature of stuff, in a kitchen

• The battery charge levels, in a house

• The last time since someone’s eaten, on a human

• Speed, on a car

• Expiring food, on a refrigerator

• Danger level, on a street or intersection, or market, or map

This will be one of the biggest tech upgrades to human life, and it rhymes a lot with metaverse. But really it just requires these individual pieces to get far enough, and then to start working together.

The data needs to be available. We need the screens/lenses/projectors. And we need the AI to collect and display the data for a particular user/audience based on context.

Managing My Personal Sloppiness Level
The biggest weakness of my writing going back to 1999 has been too much sloppiness and not enough vigor. Well, “enough” is not the right word, as we’ll see below.

The least important level of sloppiness is just spelling and grammar, but more problematic levels are not calling out previous work when I release something new, waiting to release the best version of an idea instead of just being exciting and releasing an early version, not creating a list of opposing viewpoints, or supplemental reading. These are all things that I wish I could do (and soon will be able to do because of AI!).

I’ve always believed I had the right balance, and I still think I do. And here’s why: The Ideas Are What Matter. I’d rather put out a million different ideas and have people thinking about them, coming up with their own, and thus contributing to total creativity—than to go slower with a lot of vigor.

To be clear, I would rather be someone who could do both. But if I have to choose, I choose the quality of the ideas vs. the quality of the presentation—at least for the mass volume day-to-day. For big ones, like my recent post, or a book, I think it’s better to go more towards rigor.

Basically, ideas generate ideas, and I don’t want to slow that down for anything! There’s a limit to that, though. Let’s make up a number. Let’s call it 9%.

9% slop at ludicrous idea speed!

That’s been my preferred setting for most of my writing career, and it’s resulted in my current situation. I wouldn’t have it any other way, other than a way in which my discipline didn’t slow me down. I wish I were that guy, but I’m not. When an idea comes, I have to get it out there. I don’t have a writing staff. I don’t have a team of writers. It’s just me. Always has been.

I think most people need to increase their slop. Ideas matter more than perfection. But some people are both sloppy and don’t have many ideas, which is a bad combo. Like I’m willing to read a mess (like this mini-essay for example), if it has something in it. But I’m not getting meat from it, all the spelling and grammar issues magnify in my mind.

Anyway, the point of mentioning all this is that AI is coming. AI will clean up your ideas anyway. AI can help you write faster and better.

So focus on your ideas! Don’t go full-slop, of course, but open up the engine a bit. Increase your slop. I think it’s better to be known for being thoughtful and kind and helpful, but a bit rough around the edges, than to be known for being perfect but without original creativity or ideas.

And most importantly, it’ll be considered a major regret if you could have had all that content out there, which helped you think and interact with people, but you didn’t do it because you couldn’t be rigorous enough. I’m looking at you, my European friends!

Ideas. Creativity. Think. Write. Share. Put it out there. Being perfect is getting less important, not more. Not only because the ideas are mattering more, but because AI can help us make anything perfect.

Get after it.

NOTES

It’s often hard to know when to leave something in the Ideas section vs. making it a full post. I should move those over at some point. But to the point of the essay above, get the idea captured first, then worry about optimization!

The moment Trump left office I told everyone, and stated publicly, that he’d be back and stronger than ever. Everyone told me I was crazy. Well, he just crushed Iowa without even trying. And that’s a state he didn’t even win in 2020. I’m going to do a longer piece on how I think his rise is simpler than it appears.

DISCOVERY

A Collection of Postmortems MORE

🐍 SSH-Snake — A tool for automated, fileless SSH network traversal that self-propagates and replicates. | by MegaManSec | MORE

🛠️ jqfmt — A tool that formats jq scripts similarly to how gofmt formats Go code. | by noperator | MORE

What Happened in the Cybersecurity Market in 2023 | by Mike Privette | MORE

🔍 awsScrape — A tool for scraping AWS IP ranges to find specific keywords in SSL certificates. | by jhaddix | MORE

🌌 Stellarium — Real-time sky rendering for astronomy enthusiasts. | by StellariumDev | MORE

📂 oil.nvim — A Neovim plugin that lets you manage files directly within the editor, streamlining your workflow. | by stevearc | MORE

🛡️ LLM-Powered Security Tool — Use AI to prioritize and fix vulnerabilities with NIST and CISA data.| MORE

🐰 Rabbit R1 — Teenage Engineering's latest creation is a sleek, tech-forward device. Probably the most hyped thing coming out of CES. | MORE

📖 'Meditations' Modernized — A new video translates Marcus Aurelius's Stoicism into today's language.| MORE

🤩How Discord Serves 15M Users on One Server MORE

The Seneca Effect suggests that while growth takes time, collapse can happen swiftly. MORE

🔥Terminal Smooth Scrolling. Yummy. Already added to my config. MORE

Feynman talks about how he got burned out and ended up getting his Nobel prize because he found a way to make physics fun again. MORE

Optimal Fraud Level MORE

RECOMMENDATION OF THE WEEK

Check out my appearance on David Bombal’s podcast. It’s the best video form illustration of what I’ve been working on for the last year. WATCH IT

APHORISM OF THE WEEK

Thank you for reading.

UL is a personal and strange combination of security, tech, AI, and lots of deeply human content. And because it’s so diverse, it’s harder for it to go as viral as something more niche.

So if you know someone weird like us, please share it with them. 🫶 

Yours,