- Unsupervised Learning
- Posts
- UL NO. 426: Unveiling XZ, AI Monitoring, Investigative Visualizations with Fabric...
UL NO. 426: Unveiling XZ, AI Monitoring, Investigative Visualizations with Fabric...
Thoughts on the XZ situation, iPhone phishing scam, AI gun detectors in NY, GPS darts for police, and more...
Unsupervised Learning is a security, AI, and meaning-focused newsletter that looks at how best to thrive as humans in a world that’s changing faster than ever. It combines original ideas and analysis to bring you not just what’s happening—but why it matters, and how to respond.
TOC
Hey there,
Ok, probably the coolest thing I’ve seen this week is this video of Chris Cappetta having deep philosophical conversations with custom AI’s based on Anthropic’s Claude.
I watched almost an hour of these conversations (he’s on video #3 already) and I was blown away by the quality of the AI’s responses. I mean, I think the answers were nearly perfect about meaning, self, morality, and free will. Like, they’re very similar to answers I, or Sam Harris, or my ideal philosophy professor would give if we were given an hour to write each response. Just unbelievable. Highly recommend this video. WATCH IT
Ok, let’s get to it…
MY WORK
My new essay on why it’s often so frustrating to be in security.
Here’s a new video on how to create custom patterns in Fabric, i.e., patterns that only you can run and that aren’t shared with the project. WATCH THE VIDEO
The YouTube channel is going decently well after just a few videos. Please take 14 microseconds and go hit the subscribe button. It saves kittens. SUBSCRIBE
SECURITY
The most interesting story this week has to be the XZ situation. So insane. Here’s my favorite write-up of the whole thing. (HT Joseph Thacker). I’m trying to figure out what I find so interesting about it, and here’s what I’ve come up with:
It’s movie shit
Pre-meditated
The attacker with kindness, plays the long game
The attacker eventually takes over the project just via attrition
They’re still patient
Very technical hack of a related library to ssh, but not it directly
The submitted code was obfuscated too, and would have been hard to find
And then, complete heroism / luck on finding it so soon
I love the jokes about us being lucky that this was the only one, and we caught it. 😃 . Also 😭
You probably couldn’t guess this, but I’m going to talk about how AI can help here.
So one of the subsystems of my massive Human 3.0 project is going to be continuous monitoring engines for tons of stuff.
Voting records compared to lobbying donations
Watching meteors so we don’t miss one
Finding vulns in OSS and submitting fixes or hitting up the devs
Tracking propaganda / viral content and doing OSINT on the people using it
That’s one of my favorite ones. And I love the idea of being able to look up an OSINT profile on anyone who’s submitting code. Imagine comparing:
Username / email
How many commits
Reactions to their commits
Analysis of trends
Seeing if they ever went rogue
You could do this not just for coding, but for gamers regarding cheating, politicians with regard to affiliations and influence, and tons of other stuff.
Basically, AI will give us the ability to continuously monitor activity that today doesn’t happen because it’s too resource-intensive. But AI doesn’t get tired. It never sleeps. It can just monitor and alert.
This is one of the things I’m most excited about building and see others build.
—
Related to that, check this out:
create_investigation_visualization
MORE
This is a new pattern we just added to Fabric that—um—creates a visualization of an investigation.
So my buddy John Hammond just did a video about a hack of an Apex Legends tournament, and he walked through investigative work that he and some other folks did throughout like a 20-minute video.
Well, this pattern turns investigations like that into conceptual timelines! Here’s the one for his work on that story:
I showed a buddy that and he sent me the new massive investigation on Havana Syndrome done by Insider. This is the potential energy weapon campaign that’s been being waged against high-level US officials for years now. The investigation is super elaborate but so big it’s hard to wrap your head around. Here’s what Fabric produced for that one!
And you can basically send ANY investigation or research or timeline into this thing, and it’ll do its best to piece it together visually. CHECK OUT THE PATTERN
Sponsor
Enhance Enterprise Security: Trust Every Device with Kolide!
What do you call an endpoint security product that works perfectly but makes users miserable? A failure. The old approach to endpoint security is to lock down employee devices and roll out changes through forced restarts, but it just. Doesn't. Work.
IT is miserable because they've got a mountain of support tickets, employees start using personal devices just to get their work done, and executives opt out the first time it makes them late for a meeting. You can't have a successful security implementation unless you work with end users. That's where Kolide comes in.
Kolide’s user-first device trust solution notifies users as soon as it detects an issue on their device, and teaches them how to solve it without needing help from IT. That way, untrusted devices are blocked from authenticating, but users don't stay blocked.
Kolide is designed for companies with Okta and it works on macOS, Windows, Linux, and mobile devices.
So if you have Okta and you're looking for a device trust solution that respects your team, visit kolide.com/unsupervisedlearning to watch a demo and see how it works.
iPhone users are getting bombarded with legit-looking Apple ID reset notifications in a new phishing scam called "push bombing." MORE
My buddy just headed over to work at this vendor Dazz, and it turns out they’re a sponsor this week, which came in completely separately. Pretty excited about what they’re doing, might talk to them about advising. Check it out.
⬇️
Sponsor
Application Security Posture Management (ASPM) For Dummies
According to Gartner, 40% of security teams will have an ASPM solution in place by 2026 to unify security remediation and fully arm themselves against evolving threats. Do you know your ASPM ABC's? Consider this your crash course on unifying security visibility across code-to-cloud environments, easily detecting root causes & owners, and quickly prioritizing and remediating issues.
AT&T just admitted that the data they said didn’t come from their systems was a real thing, but they said it was old. It affected around 72 million people. | RESPONSE: Passcodes reset for affected customers. | MORE
NYC is rolling out AI gun detectors in subways, but there’s a history of pretty bad results up til now. MORE
Police are now using GPS darts to tag and track fleeing cars, making high-speed chases a thing of the past. MORE
TECHNOLOGY
Every US federal agency is now mandated to appoint a chief AI officer to ensure the responsible use of AI technologies. MORE
Databricks and Mosaic's collaboration on a 132B parameter MoE model showcases a significant leap in AI performance. Can’t wait to play with this one. MORE
💡One thing I don’t think is intuitive about AI progress is that the battle of local vs. pinnacle won’t always look the same.
There’s might be a bar of quality beyond which it doesn’t matter how much smarter or more capable the thing is. And I think local models are going to hit that—for most people—for most tasks—before too long. Like for daily and common tasks.
Like once you have an EA with a 120 IQ that has full access to everything in your life and takes care of you 24/7, how much will it matter if GPT-6 can make you a better one with a 145 IQ?
Maybe I’m wrong there, and you just keep getting more and more returns, or maybe EA is a bad example because they really are the brain of your life. But I think there are lots of types of tasks where you don’t get that much more benefit from a fleet of AIs performing most life tasks at like a 120 IQ level.
And I don’t think we’re far from that with local models? My point is that common tasks for humans aren’t likely to change much. Nor are our expectations of quality for those tasks (this I’m less sure about).
So what happens when good enough gets hit for most situations? Does it just become a question of getting that level of model into toilet brushes and baby seats and wallpaint?
Microsoft and OpenAI are eyeing a $100 billion project for an AI supercomputer, dubbed "Stargate", that could redefine computing power. MORE
OpenAI's Voice Engine can mimic someone's voice from just a 15-second sample, opening up new possibilities and ethical questions. MORE
💡I don’t get this announcement timing. It’s 2024. Why release this? And even better, why release it and then not have a release?
Maybe it was just a public service announcement to be careful of voice deepfakes? Kind of has that vibe at the end of the blog.
Alaska's Fairbanks airport is deploying a headless, dog-sized robot camouflaged as a coyote to scare off birds and wildlife. MORE
In this piece, an engineering manager argues their own role shouldn't exist, claiming it's a mishmash of tasks done poorly. Love these kinds of write-ups. MORE
U.S. tech giants are now eyeing Mexico for AI gear production, moving away from China. Yes please. MORE
EV owners are finding out the hard way that their vehicles chew through tires much faster than expected, often without prior warning. Is this because of increased torque? I should just ask AI, pretty sure the answer is yes. MORE
X, formerly known as Twitter, is exploring NSFW Communities for adult content sharing, a move that could reshape its engagement with online sex workers. MORE
HUMANS
The Philippines is preparing for countermeasures against China's coastguard, signaling a possible escalation in their maritime tensions. MORE
Despite the pandemic's initial hit, we're witnessing a roaring 2020s with record highs in net worth, stock market, and housing prices. This always trips me out and makes me sense danger when you have such weird asymmetries in how things are going. MORE
U.S. literacy has plummeted to 79% from 96% in the late '80s, costing the country up to $2.2 trillion annually. Seriously? Tracking nicely with vaccination rates. MORE
Vinyl records have not only outsold CDs for the second consecutive year but also made over twice as much money. MORE
Florida just made it a law that kids under 14 need parental consent to have social media accounts. MORE
Chronic absenteeism in U.S. schools has surged post-pandemic, affecting students across all demographics with no easy fix in sight. MORE
💡Has it surged in immigrant households where the parents massively value education? Where the parents are extremely adamant about pushing self-discipline in their kids.
I doubt it.
I’m starting to thing the absolute biggest divide in upbringing, achievement, and outcomes comes down to the mindset given by parents. It’s a type of privilege for sure, but not like the word is being thought of today.
More to come on this because I got the idea from Dr. Kennedy on Huberman’s podcast recently. The idea is that you have to teach your kids how to get good at doing things that they don’t like, and make them uncomfortable.
This might be THE superpower. And it might be one of the things kids have lost the most in the last 10-30 years. I’ll continue reading on this, but if you have any supporting or opposing data let me know.
Silicon nanospikes are shredding 96% of viruses on contact. MORE
Martin Scorsese is a secret VHS hoarder, amassing over 4,400 tapes of broadcasted content over decades. MORE
Finland's been crowned the happiest country for the seventh year, despite its past high suicide rates and current geopolitical tensions. MORE
📄 A new paper says your financial health might be influencing your brain's wiring and how sharp you stay as you age. MORE
Nearly half of all single-family homes bought in 2023 were snagged by private investors, says Washington Times. MORE
IDEAS & ANALYSIS
Why 3 Body Problem Is So Good (and why so many other things suck)
I think I figured out why 3 Body Problem is such a great TV show.
First, it’s based on great books. I’m not sure how closely it’s following the books because I read them a long time ago, but the point is that they do have good content to go off of.
But I think I figured out the main ingredient this show has that so many others don’t: authenticity—or, in other words, adherence to a cold reality.
Conversely, I think the biggest problem with most shows and movies today is that they aren’t there to show you something real. They’re there to create a franchise with lots of staying power and spinoffs and sequels. And as a result, you hardly ever see anyone you care about die. Truly bad things hardly ever happen. Or at least that the viewer cares about.
Marvel is a great example. How many core characters have died after dozens of movies? How many stayed dead? Now think about how many regular people died. Millions? Billions? Do you ever remember caring about that? They have thousands of people dying in scenes and the cast is barely struggling in the fight, and they’re cracking jokes and posing the whole time.
3 Body Problem is great for the same reason Game of Thrones was so good in the early books and movies. You didn’t know what was going to happen, but you did know two things.
The world is dangerous.
Because the world is dangerous, any character you care about could die at any moment.
3 Body Problem is good because it’s real. Real danger. Real characters. And uncertainty. It’s authentic. True to life. But with creativity and fiction added on top, of course.
Anyway, you should check it out. It’s good. And if you like it, maybe you’ll agree that this is why.
NOTES
Feeling strange about this new talk I’m doing. It’s quite personal. Not in that it’s about me, but it’s about something I’m very passionate about, and I’m going to be trying to convey that passion to others. Feels vulnerable, but authentic. Can’t wait to see if it’s accepted well or if I’ll need to go back to a more classical style.
DISCOVERY
⚙️ Tracecat is an AI-native, open-source rival to Tines and Splunk SOAR. | by tracecatai | MORE
🔧 Centerpiece turns your search bar into a supercharged launcher for just about anything on Wayland. | by friedow | MORE
🔧 Metaview's AI tool revolutionizes hiring by recording, analyzing, and summarizing job interviews, letting managers focus on candidates, not notes. | by Kyle Wiggers | MORE
⚙️ Composio is crafting tools to empower AI Agents, seamlessly meshing with crewAI for a smarter integration. | by Soham Ganatra and Karan Vaidya | MORE
⚙️ Edgar lets you simulate building a Dyson Swarm, turning sci-fi into interactive fun. | by HackerNewsX | MORE
Someone just scraped the entirety of OpenAI's Community Forum, and it's a goldmine of insights. MORE
Yohei Nakajima discovered an AI that can list, read, and answer questions about its own code. Sick project. MORE
Emmett Shear suggests learning parenting from the parents of people you admire. MORE
Moxie Marlinspike says working on OSS projects is like working with everyone who ever applied to your company. lol. MORE
In a world overflowing with content, we're facing a crisis of quality, not quantity. MORE
RECOMMENDATION OF THE WEEK
Check out the video above of the guy talking philosophy and ethics with an AI. It’s stunning. And then, given whatever you feel about AI, ask yourself a few questions:
What does it mean for an AI to be that good at those conversations?
How much does it matter if it’s completely “fake”?
What does it even mean for that conversation to be “fake” if it’s that good?
At what point does it become uncomfortably similar to us? I mean we’re moist robots, right? What if we’re doing a very similar thing when we answer questions to what that AI is doing?
Where does that leave us?
Let me know your thoughts. EMAIL ME
APHORISM OF THE WEEK
It does not matter what you bear, but how you bear it.
Thank you for reading.
UL is a personal and strange combination of security, tech, AI, and lots of deeply human content. And because it’s so diverse, it’s harder for it to go as viral as something more niche.
So if you know someone weird like us, please share it with them. 🫶
Yours,