Unsupervised Learning Newsletter NO. 386

DBIR 2023, Vision, Smol-Developer, and more...

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Greetings,

So this is the first episode on the new Beehiiv platform. Super excited to be consolidating platforms from like 6 to 1 or 2. Can’t tell you how good it feels to reduce the cruft built up over two decades into a clean, modern solution. I’ve lots more to say about the transition and why I’m breaking my own rule of unifying on a new platform, so expect that post soon.

In the meantime, I’m looking forward to being able to spend less time on administration and operations and more time on thinking, writing, and building.

Let’s kick some butt this week!

In this episode:

🔥 Human Immortality Using LLMs
🤖 Generative AI Reshaping Enterprises
🔒 Verizon DBIR 2023 Analysis
🪳 Chrome Zero-Day Patched
💰 Lazarus Atomic Wallet Link
🚀 Tame Your Compliance Beast
🪳 MOVEit Vulnerability Exploitation
📰 North Korean Hackers Impersonate Journalists
📱 Apple ID-sharing
🌐 Apple Vision Announced
🔑 Password Crackdown Success
📈 AI-Driven Stock Surge
📱 iOS17 Features Summary
🔐 Apple Passkey Sharing

MY WORK

🔥 Human Immortality Using LLMs
My new essay on why using LLMs to back ourselves up is closer and more realistic than most might think. Discusses human identity variance, indeterminism in human preferences, change over time, and more. MORE

How Generative AI Will Reshape the Enterprise
I went on Security Weekly last week with Adrian Sanabria and crew to talk about how AI will impact the enterprise. It was a solid conversation that covered a lot of ground. MORE

SECURITY NEWS

Verizon DBIR 2023 Analysis
Every year I write an analysis of the DBIR report. Here are this year’s key points and my analysis.

Takeaways:

  1. Social engineering attacks are up, with Business Email Compromise and ransomware leading the charge.

  2. Most breaches involve human error and external actors, and the primary motives are still financial.

  3. Business Email Compromise (BEC) attacks have almost doubled and represent more than 50% of incidents in the Social Engineering pattern.

  4. 74% of all breaches involve human error; 83% involve external actors.

  5. Financial motives underlie 95% of breaches.

  6. Ransomware is present in 24% of reported breaches and remains a significant threat.

  7. The Log4j vulnerability, while initially concerning, was less prominent in breaches than anticipated but still requires attention.

  8. Stolen credentials, phishing, and exploitation of vulnerabilities are the top attack methods for gaining access to organizational systems.

  9. More than 32% of all Log4j scanning activities occurred within 30 days of its release.

  10. Despite the heightened focus on Log4j, exploitation of vulnerabilities remained relatively stable in incidents and saw a decrease in their presence in breaches.

  11. Banks and exchanges have become prime targets for cybercriminals, with a fourfold increase in cryptocurrency-based attacks compared to previous years.

  12. Organizations of all sizes and industries remain vulnerable to ransomware. Ransomware is present in 62% of incidents involving organized crime actors and 59% of financially motivated incidents.

Analysis:

  • I found it interesting that human error was so high on the list. Not so much surprising, but interesting.

  • It makes sense that BEC is so dominant since that’s where the money is, and it’s also notable that only 5% of breaches are non-financially-oriented. Meaning most of the movie-plot stuff is a tiny percentage of attacks compared to good-ol'-fashioned money.

  • Ransomware still dominates the scene, which makes sense because of how mature it’s become as a business. I knew we were in trouble when we started seeing a specialized economy of entry, pivoting, exfil, and customer service.

  • I still can’t shake the idea of ransomware being like natural burns in forests. They suck a lot, but maybe they harden us against even worse events.

🪳 Chrome Zero-Day Patched
Google has fixed a zero-day vulnerability in Chrome, marking the third such exploit addressed this year. The company has not released details about the exploit, which is unusual, but urges users to update their browsers. MORE

Lazarus Atomic Wallet Link
North Korean hacking group Lazarus has been linked to the recent Atomic Wallet hack, resulting in the theft of over $35 million in crypto. Blockchain experts at Elliptic traced the stolen funds and attributed the attack to Lazarus with a high level of confidence. MORE

Sponsor

🚀 Tame Your Compliance Beast! 🚀

🔒 Drata's got your back with automated evidence collection and 24/7 risk monitoring for 14+ frameworks, including SOC 2, ISO 27001, GDPR, and HIPAA. Say goodbye to manual mess and hello to streamlined compliance! 📈

🌟 Join industry leaders like Notion and Lemonade who trust Drata to supercharge their compliance programs. 🏆

👉 Don't miss out! Book a demo NOW and unlock the secret to effortless compliance. 🗝️

🪳 MOVEit Vulnerability Active Exploitation
The critical vulnerability in MOVEit Transfer (CVE-2023-34362) has been exploited by ransomware groups like cl0p and other threat actors, leading to remote code execution. Researchers found that the bug, initially thought to be a SQL injection vulnerability, could allow unauthenticated adversaries to deploy ransomware or perform other malicious actions. Software maker Progress has released patched versions to address the issue, but organizations yet to upgrade should disable all HTTP and HTTPS traffic to mitigate risks. MORE

🪳 Fortigate RCE Flaw Patched
Fortinet released firmware updates addressing a critical pre-authentication remote code execution vulnerability in SSL VPN devices, urging admins to apply the security updates immediately. MORE

North Korean Hackers Impersonate Journalists
North Korean government-backed hackers have been impersonating journalists to gather strategic intelligence from academics and think tanks. SentinelLabs researchers linked the social engineering campaign to the North Korean advanced persistent threat group Kimsuky. The group targeted subscribers of NK News, an American website providing analysis about North Korea, using spoofed Google Docs links and weaponized Microsoft Office documents to capture victims' credentials and exfiltrate information. MORE

Chinese AirDrop Legislation
The Chinese government plans to further restrict AirDrop usage despite Apple's changes, fearing its potential for spreading anti-government materials. The Cyberspace Administration of China issued a draft proposal targeting Bluetooth-enabled file-sharing features, which could force Apple to ensure users set their iPhone name to their real name. MORE

AI Spots Undeclared Pools
French tax officials used AI to discover 20,000 undeclared swimming pools, resulting in €10m in additional tax revenue. The AI system, developed by Google and Capgemini, identified pools in aerial images and cross-referenced them with land registry databases. The successful trial will now be extended nationwide. This is another example of the transparency added by AI I talked about in a previous essay. MORE

Fake Hug Political Ad
We’ve all anticipated deepfakes being used in politics, but now we have a direct and solid example. DeSantis’ team ran a political ad with a picture of Trump embracing and seemingly kissing Fauci. The picture is fake. MORE

Apple Working on ID-sharing
Apple’s working on ways to share your ID securely via iPhone and Watch. Arizona already accepts it for the driver’s license, but they’re working on business integrations as well. This has always been a dream of mine for situations like doctors’ offices. Imagine tapping instead of filling out 13 forms of redundant and sensitive crap. Digital information exchange is precisely the type of problem that only Apple seems to have the organization and oomph to push through with states and companies. Can’t wait. MORE

TECHNOLOGY NEWS

Apple Vision Announced
Apple announced the Apple Vision and the general consensus seems to be that it’s much better than people anticipated. But that price, tho. Honestly, I thought it would be a rough first version, kind of like with the Apple Watch, but I was like 5x more impressed than I thought I would be. Having had a week to think about it, I think it’s going to do exactly what it needs to do, which is: 1) establish Apple as the leader in AR/VR, 2) get enough early adopters using it in business and creative industries to create a few practical applications, and 3) motivate people to take the space seriously and either use their devices or create alternatives. It seems to me like they’re on course to hit all three of these. For me the biggest win was the completely new interface of sight+hands. That was the bit that took it from just another entry into the space to a space-defining Apple entry into the space. Similar to iPhone entering the personal communicator space in 2007. My expectation is that many rich people will buy one and love it, and that many businesses will create apps on it that are more useful to them than any other platform, and that these two combined will propel innovation on the second version. So once again, similar to Apple Watch, which is now the best-selling watch in the world by far. I personally will be getting one for sure, and I anticipate using it for movies and games. I anticipate games being a big part of Apple’s future now that they’ve made it easy to port Windows games, and I think Apple Vision will be huge for that (once they’re affordable at v2 and v3). TOM’S GUIDE REVIEW | THE VERGE REVIEW

Password Crackdown Success
Netflix saw a surge in sign-ups after implementing password-sharing restrictions in the US, with nearly 100,000 daily sign-ups on May 26 and 27, according to research firm Antenna. Despite increased cancellations, the overall ratio of sign-ups to cancels rose by 25.6% compared to the previous 60-day period. MORE

AI-Driven Stock Surge
I predicted this around February or so, and now it’s coming true. The release of ChatGPT by OpenAI has sparked a wave of enthusiasm for artificial intelligence, leading to a boom in tech company valuations. The S&P 500 index has risen by 8% since ChatGPT's launch, with AI-exposed firms like Nvidia experiencing significant growth. As I wrote back then, the stock market is based significantly on optimism and pessimism, and my prediction was that investors would see all the stuff created by AI and realize there’s a mountain of potential upside. MORE

iOS17 Features Summary
Here’s what Apple announced last week for iOS17. I am on the beta and it’s pretty great already. My personal favorites are the improvements to Emoji/Stickers on iOS and Namedrop that lets you share contact info by bringing iPhones close to each other. Looking for more people to test Messages features with, so hit me up. FEATURES LIST | LESSER FEATURES

Apple Passkey Sharing
You can now share Passkeys (hardware-tied strong authentication) with groups, family members, and external providers. So you can store them in 1Password, for example. Really cool that this functionality is going cross-platform. MORE

Sponsor

🚀 Unleash the Power of CrowdSec 1.5 - Collaborative Security Reimagined 🚀

🔥 Experience the cutting-edge CrowdSec Engine 1.5, packed with groundbreaking features to supercharge your security! Empower your SOC teams with streamlined management, automation, and performance enhancements.

Seamlessly integrate DevSecOps and embrace cloud support for AWS Cloudtrail and Kubernetes Audit. Unlock the potential of new Premium Blocklists, providing laser-focused threat intelligence to pinpoint IPs like VPN and Tor Nodes.

💥 Dive into CrowdSec 1.5 !!!

HUMAN NEWS

Startup Shutdowns
The pace of startup shutdowns, fire sales, and sharp business-strategy changes is increasing as fresh capital from venture investors and bank loans becomes scarce and expensive. The venture boom of 2021 is struggling, with many startups running out of money and facing hard choices. The yearly internal rate of return for venture firms was negative 7% in the third quarter of 2022, the lowest value since 2009. MORE

IDEAS & ANALYSIS

When to Break Rules vs. Follow Them
A few people might be wondering why I moved to Beehiiv after talking so much garbage about Medium. Haven’t I been preaching for years that consolidating on new, hyped platforms is dangerous? Isn’t this doing exactly that? Yes and yes. Kind of. First, there are always exceptions to rules, and those exceptions don’t negate the rules; in fact they often bring them into focus. In this case I have been waiting to move platforms for multiple years, with the pressure of too many platforms and legacy cruft building up over time. It was like a Yellowstone supervolcano ready to blow. So I have been waiting for Ghost to get their stuff together, which they haven’t yet. I was waiting for a new up-and-comer to replace Ghost. And that just happened to be Beehiiv. Their pedigree is from an extremely successful similar type of company, they have a tiny and super efficient team, and they ship product like nobody I’ve ever seen. So they have lots of markers indicating they are a rare gem. Then there’s the product, which has a combination of simplicity and functionality I’ve never seen. They basically became an existential threat for Mailchimp and ConvertKit and Wordpress overnight, which is quite impressive. And finally, I acknowledge the risk that I have been talking about all this time. I have easy export options out of the platform and I’ll be ready to pivot if they get bought by someone reprehensible in the future. To me the top priority was getting somewhere that wasn’t where I was, namely with 5-6 platforms and lots of duct tape and silly string. We’ve been successful in that. There are lots of downsides to the move, namely a million 404s for previous crufty functionality, custom URL breakage, and all sorts of stuff. But the main goal of being able to quickly create content in a unified way, using a product from a known team that doesn’t seem bent on bait and switch, feels really great.
I hope you enjoy the new platform as much as I have so far, and that this continues for both of us. And feel free to ask more questions in our UL Chat!

NOTES

Super excited to get this episode out on the new platform. The biggest advantage is that the blog post and the newsletter are the same thing! So no more delay between one and the other. And the formatting will be perfectly matched. You can’t know how happy this makes me. Plus, this editor is infinitely easier to work with than Mailchimp. Oh, and probably 1/10th of the cost. Now I have more time to get the podcast out on time as well, which I’m going to be prioritizing from now on! Great times ahead.

My buddy Stök got accepted to speak at Blackhat on Weaponizing Plain Text! Great job man! MORE

DISCOVERY

🧱 Smol-Developer — Automated program generation using GPT-4. But rather than just write a function, or a basic app, you can give it complex requirements and it’ll build all the separate components and stitch them together! Think GPT-4 + AutoGPT for complete apps. Probably the biggest AI project of the week. WEBSITE | GITHUB REPO

🧱 Gorilla: An API-powered LLM Model — UC Berkeley and Microsoft researchers introduced Gorilla, an API-augmented LLaMA-7B model that outperforms GPT-4, ChatGPT, and Claude. Gorilla leverages self-instruct fine-tuning and retrieval techniques to accurately select from a large set of tools expressed through APIs and documentation, improving LLMs' knowledge and reasoning abilities. MORE | GITHUB REPO | JUPYTER NOTEBOOK

LLMs are good at playing you. MORE 

Get phones out of schools now. MORE 

Quick VPN setup with AWS Lightsail and Wireguard. MORE 

Mental Liquidity MORE

12 Threat Modeling Methods MORE

Buy Well, Buy Once MORE

RECOMMENDATION OF THE WEEK

Ask yourself if you’re ever rude to friends, or to anyone you care about or value. If the answer is yes, look out for a lesser version of yourself to offer an excuse. “Oh, it’s only when I’m mad.“ “It’s only in a business context.“ “It’s only when they really push me!“ Allow me to offer that this is never ok. Disconnecting is fine. Dialing-back a relationship is fine. But rudeness to friends is never ok. Directness, hard-talk? Even talk that can cause pain and offense? Sure. But not rudeness. Not meanness. Not being an asshole. Don’t let the fact that you’re nice most of the time give you an excuse to be an asshole sometimes. That’s just weakness. Find a way to extricate it from your personality, and if you have a friend who does this maybe share this with them.

APHORISM OF THE WEEK

The creative adult is the child who survived.

Ursula K. Le Guin