Daniel Miessler's Blog, page 21

July 31, 2023

Do Burnout and Addiction Have the Same Root Cause?

I heard a great thing on a podcast recently. It was a guy saying alcohol addiction is confused because people think it’s about alcohol and drugs themselves. According to him, it’s not.

He said the real issue is that people aren’t happy with their lives, so even if you stop drinking you haven’t solved the issue.

This reminds me of the book I’ve written about here multiple times, about addiction in general. It’s by Johann Hari, and he basically says addiction is a lack of a strong meaning loop (my term) that keeps you fulfilled. This is why a happy person can get the strongest drugs in a hospital for 3 weeks and not get addicted, while someone who’s lost can have one hit of a drug and spiral into the abyss.

The healthy person has a family, and/or a lot of friends. So they already have a strong source of happiness. So the drugs aren’t attractive at all.

I think burnout is the same. It’s much easier to get burned out if you’re doing something that’s not your true purpose.

The best book on addiction and connection I’ve ever come across

Working too much is the drug in this case. But the root problem is almost identical: You’re unhappy with your current path. Or you don’t have one. Either way, your meaning loop is nonexistent or misguided.

I think it’s possible to be overworked if you’re on your true purpose and doing too much, with too little rest. For sure. And the symptoms might be very similar.

But burnout is something else because you might not be overworked at all, but still get burnout. I think the underlying cause may be the fact that you just shouldn’t be doing that thing.

And in both cases the solution may be the same.

You have to find, articulate, and pursue your actual meaning loop. Then all the distractions of drugs and overwork become moons orbiting your central purpose instead of the planet itself.

Pretty much every project and product I build from now on is oriented to help people find and pursue that for themselves. That’s my meaning loop.

What’s yours?

Figure that out and get after it.

There’s nothing better for your soul than spending effort towards something big, outside yourself, that produces value for others.


Powered by beehiiv
 •  0 comments  •  flag
Share on Twitter
Published on July 31, 2023 07:48

July 24, 2023

Unsupervised Learning NO. 391

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Hey there,

Hope you’re having a good start to the week. I’m mostly prepping for Vegas at this point and this will be my first year there as a business owner instead of an employee. I’m mostly looking forward to seeing friends, though. That’s what Vegas has always been about for me.

If you see me around come get a handshake/hug/fist bump!

Until then, let’s get into the week.

In this episode:

🤖 How AI Defenders Will Protect Us
📈 AI's Role in K-Shaped Recovery
📧 Military Email Leak
🔐 VirusTotal Data Leak
🇨🇳 Great Firewall Expansion
🍏 Apple vs UK Surveillance
🚗 TikTok Theft Tutorials
👁️ AI Surveillance Expansion
🔧 Tech Scam Evolution
🤖 OpenAI's Persistent Context
🍏 Apple's AI Chatbot
📰 AI Journalism
🔭 Tool & Article Discovery
➡️ The Recommendation of the Week
🗣️ The Aphorism of the Week

MY WORK

🤖How AI Defenders Will Protect Us From Manipulation
My new piece on how we’ll use AI Assistants to defend ourselves against marketing, propaganda, and personal con jobs. READ IT

📈 AI Will Produce the Biggest K-Shaped Recovery We’ve Ever Seen
My new piece on how the top 10% smartest, richest, and most creative will thrive in an unprecedented economy, leaving everyone else behind. READ IT 

SECURITY NEWS

🪳New OpenSSH Vulnerability
There’s a new (now patched) vulnerability in OpenSSH’s ssh-agent forwarding that has the potential for RCE. Patch up! HACKERNEWS | NVD (CVE-2023-38408)

Military Email Leak
A simple typo (typing .ML instead of .MIL) has been redirecting millions of sensitive US military emails to Mali for over a decade. Despite warnings, the issue persists, with nearly 117,000 misdirected messages collected since January alone. VERGE 

VirusTotal Data Leak
VirusTotal inadvertently exposed customer data due to an employee error. The leak included 5,600 names and email addresses. HACKERNEWS

Sponsor

🔐 Unleash Your Cloud Security Potential 🔐

The digital landscape is shifting, and your security strategy needs to keep pace. Don't get left in the dust—become a cloud security superstar with our Cloud Security Model Cheat Sheet!

➡️ Discover the 4-step process that's keeping top security organizations ahead of the curve. Learn how to prioritize your team's focus for maximum impact. Get your hands on data-backed research that validates this winning approach.

📌 This isn't just a cheat sheet - it's your roadmap to cloud security success. Pin it up in your workspace, or share the wisdom with your team on Slack! 📌

➡️ Ready to level up your cloud security game? Click the link below and let the transformation begin!

👉wiz.io/lp/the-cloud-security-model-cheat-sheet👈

Get Your Cloud Security Model Cheat Sheet

Great Firewall Expansion
In a recent directive, President Xi Jinping of China has called for the construction of a more robust "security barrier" around the country's internet, aiming to further control and regulate online activities. This is one way I think the West has a massive advantage; people want free access to the internet, and I think they will ultimately see it as weakness that China doesn’t want them to have it. REGISTER 

Apple vs UK Surveillance
Apple is threatening to pull its iMessage and FaceTime services rather than comply with demands that could weaken encryption in messaging apps. The proposed Online Safety Bill would require companies to install technology to scan for child exploitation and terrorism content in encrypted messaging apps, a move that Apple and other companies argue would effectively render encryption protections ineffective. You can either have end-to-end encryption or you can have filtering. Not an easy choice for everyone. HACKERNEWS

TikTok Theft Tutorials
Car thefts are massively up and one theory suggests it’s because TikTok has great tutorials on hot-wiring Kias and Hyundais. The number of car thefts in the first six months of the year was 104.3% higher than the same period in 2019 according to a CCJ study. AXIOS | NYTIMES

AI Surveillance Expansion
Artificial Intelligence is now being utilized by American law enforcement to identify potentially "suspicious" patterns of movement, analyzing vast license plate databases. In a recent drug trafficking case in New York, the AI system sifted through a staggering 1.6 billion license plate records collected over two years, leading to the identification and arrest of a suspect. FORBES 

Tech Scam Evolution
The FBI has issued a warning about a surge in tech support scams that are specifically targeting the elderly in the United States, with a new twist: the scammers are now urging their victims to send cash hidden in magazines or similar items through shipping companies. BLEEPINGCOMPUTER 

TECHNOLOGY NEWS

Sam Altman’s Worldcoin Launches
Altman's new crypto startup, Worldcoin, has launched. It uses eyeball-scanning technology to distinguish humans from AI online. The company has been in development for over three years and has raised about $250 million from backers, including Andreessen Horowitz, Khosla Ventures and Reid Hoffman.

Worldcoin aims to put a crypto wallet on every human's smartphone.

It works by scanning your eyeball on a device called an Orb.

Over 2 million individuals have verified their World IDs at an Orb.

They’re capping the total supply to 10 billion "WLD" tokens for the first 15 years.

This whole thing is exciting, strange, and a bit weird to me. It just has a secretive feel to it, but perhaps that’s just me. It honestly feels like a crypto play combined with a UBI play, since he’s also trying to build AGI that will replace most human knowledge work that exists today. I’m not trying to be negative; it does sound very cool, but it’s hitting me wrong right now. INSIDER | TECHCRUNCH 

Sponsor

🔐 Opal, scalable identity security 🔐

🧍🏼Opal is designed to give teams the building blocks for identity-first security: view authorization paths, manage risk, and seamlessly apply intelligent policies built to grow with your organization.

🛡️Opal is used by best-in-class security teams today, such as Blend, Databricks, Drata, Figma, Scale AI, and more. There is no one-size-fits-all when it comes to access, but they provide the foundation to scale least privilege the right way.

👉opal.dev/demo👈

Watch the Demo

OpenAI Adds “Custom Instructions” for Persistent Context
OpenAI's ChatGPT now has a "custom instructions" feature, letting you input information it'll remember to tailor future conversations. The feature is in beta and available to ChatGPT Plus subscribers, excluding the UK and EU. VERGE

Apple Enters Chatbot Arena
Apple is in the process of creating an AI-powered chatbot, internally referred to as "Apple GPT", but it’s not clear what they plan to do with it yet. The chatbot is built on a large language model framework named "Ajax", which runs on Google Cloud and is developed with Google JAX. My only hope is that this is true, and that it happens fast, and that it largely replaces Siri. VERGE 

Twitter Trainwreck
Twitter’s ad revenue and traffic are way down, and Musk has decided the best solution is to ruin the only good thing it has left: its name and logo. He just changed them to X. MaX-level fail. REUTERS

AI Journalism
Google is experimenting with an AI tool, codenamed "Genesis", that can generate news articles. The tool has been pitched to major publications, including The New York Times, The Washington Post, and News Corp. Wish I could have been in the room to hear that pitch. I assume no writers were invited. TECHCRUNCH

TikTok Adding Text Posts
TikTok is adding text posts, putting it in much closer competition with X (gag), Instagram, and Threads. The only thing I love about all this is the fierce competition leading to (hopefully) innovation in some way. VERGE

HUMAN NEWS

Israel in Crisis
Israel’s democracy is being seriously tested right now, and the vote that’s about to happen on Netanyahu’s judicial restrictions will be pivotal to the outcome. My unsophisticated read on the matter is that the extreme right is looking to take over and turn the country into a hardcore religious state, effectively turning Israeli Arabs into third-class citizens, among other things. Remarkable that this can happen so quickly in a country that’s come so far. NYTIMES

US Mental Strain
23% of U.S. adults visited a mental health professional in 2022, up from 13% in 2004. Only 31% described their mental health as “excellent” — the lowest share ever. Among younger adults, those between the ages of 18 and 24, just 20% said their mental health was excellent. AXIOS

Safety Net End
Several pandemic-era safety net programs that have been a lifeline for millions of families are coming to an end this fall, creating a significant economic squeeze. As these programs roll off, Americans will start facing bigger bills for student loan payments, child care, health care, and food, deepening the impact of years of inflation. AXIOS 

Chip Factory Delay
TSMC's Arizona chip factory opening is delayed until 2025 due to a shortage of skilled technical workers in the US. TSMC is going to send more Taiwanese workers to the US to help speed things up. ARSTECHNICA 

IDEAS & ANALYSIS

The NPC Phenomenon
There’s a fascinating new trend on TikTok that you have to experience to understand. Well, you still won’t understand, but you’ll at least know what that type of confusion feels like. I’ve not done a deep dive on it yet but I’ve seen a few examples and I have thoughts. 1) It’s mostly women. If it wasn’t somehow sexualized I feel like there’d be roughly equal numbers of men putting up the numbers. There aren’t. 2) It seems extremely demeaning. There’s something really disgusting to me about the NPC concept being applied to women. The whole point of an NPC is that they’re not the main thing. They’re the sideshow for the real heroes. But that’s what blows up on TikTok? Watching young women explicitly act like they’re not important? It’s too on the nose for me. Our culture seems bent on isolating and exaggerating the worst parts of human nature and forcing people to pretend it’s art. The song WAP, for example, even though I love Cardi B. 3) The main business model is that the influencer is stuck in a loop, doing their own NPC thing, varying it as they see fit. Then they change their behavior based on donations. That’s when they’ll speak to you, or at least acknowledge you in some way. So once again we have men paying to feel in control of women. Gross. Keep in mind, I could be missing something here. Something artistic and deep. But this is my first read and I hope someone can tell me why I’m wrong. PINKYDOLL EXAMPLE ON TWITTER | INSIDER

NOTES

I’ve been playing with LLAMA2 quite a bit and it’s been hit or miss. I asked it to “use the lessons learned about humanity from Russian Literature and apply them to the existential crisis of AI taking jobs”, and it did pretty well. But I’ve had a lot of failures on easier stuff. For some reason it just doesn’t give me a “solid” feeling the way GPT-4 does (yes, even after all the articles saying it’s worse). I’m even running the 13 billion parameter version, and I’m about to mess with a quantized version of 70b. Will report back in UL Chat.

We have a member meetup scheduled for Vegas! Can’t wait to see you there!

We tried something different this week where we used the name of the link source as the link name. A number of people have requested this feature and I’ve been looking for a great way to do it. Let me know how you like the implementation.

DISCOVERY

⚒️Promptmap — A tool that automatically tests prompt injection attacks on ChatGPT instances. It generates creative attack prompts tailored for the target, sends them to a ChatGPT instance, and checks the response to determine if the attack was successful. | by Utkusen | GITHUB 

⚒️Pop — Send email from your Terminal. | by CharmBracelet | GITHUB

⚒️AutoChain — A LangChain competitor with less complexity and abstraction. Focused especially on easier building of Agents, which is rather kludgy in LangChain. | by Forethought Technologies | GITHUB 

📋Person of Interest Investigations Primer — How to use OSINT and Maltego to investigate people of interest. MALTEGO

Wix has a new tool that can create an entire site from a prompt. TECHCRUNCH 

The past is not true MORE

If Zuckerberg hides his kids’ faces in photos, why don’t you? PETAPIXEL

Great article on TTP analysis on security teams, by Carlos Fragoso of Maltego. MALTEGO

Solve Your Big Problems by Solving Your Real Problem MORE

Become Ungoogleable

Training video for Bell Labs’ Holmdel Computer Center. What a trip. YOUTUBE

Someone spent time in the Matrix Awakens game explaining to the NPCs that they’re in a simulation. TWITTER

Tech Trophy Jobs MORE

Illusory Superiority WIKIPEDIA

YouTube is testing a feature where you can long-press the video and it’ll start playing at 2X. Yes please! VERGE

Let’s Encrypt issues 35 certs every second. TWITTER

RECOMMENDATION OF THE WEEK

If you’re new to BH/DC here’s my advice.

Don’t stress the burner phone thing. It’s not really a problem for 99.99% of people. There are plenty of shenanigans going on with the airwaves there, but the normal phone carriers and hotel WiFi at most places are pretty normal during the conferences (perhaps excepting the actual DC hotel during the con).

Stay on trusted WiFi at big hotels (see above) if you use WiFi at all.

Don’t plug into public kiosks for power. Those attacks aren’t super common outside of DEFCON either, but you can avoid the risk by just not doing it. Generally good advice all the time actually.

Things are further than they appear for walking.

Make sure you drink plenty of water.

APHORISM OF THE WEEK

We’ll see you next time!


Published on July 24, 2023 09:53

July 23, 2023

How AI Defenders Will Protect Us From Manipulation

One of the AI topics that I’ve been talking about for the last few months is Context. The basic argument is that everything we’re about to do with AI will sit on top of a deep, nuanced understanding of the principal—which could be an individual, a business, or whatever.

Context examples

Here are some examples of where AI is much more powerful when it knows about the subject it’s helping.

🗣️Therapy — You ask an AI assistant why you’re feeling sad, or what you can do to feel better. It can do a much better job if it knows your background, your history, has exposure to your journal, your goals as an individual, your life challenges, your work and financial situation, etc.

🧳Work — You ask an AI assistant to help you solve a problem at work. It can do a much better job if it knows the company’s capabilities, the details around the challenge, the resources we have available to solve it, etc.

✍️Writing — You ask an AI assistant to help you write a story or a screenplay. It can do a much better job if it knows the types of stories that interest you, based on seeing your ratings of other films, or having access to your favorite books or movies.

These are just a couple of examples, and the list is infinite. It’s really any situation where problem solving is improved by more deeply understanding the problem, and that’s almost always.

Continuous context

You could of course try to jam a bunch of context into each request. So when you go to ask for a story you try to feed it a bunch of stuff you like. But that’s annoying. Plus you won’t remember everything in the moment. Plus it’ll be too much to remember and add each time.

The better, obvious, and inevitable solution is that your AI assistant will simply maintain continuous context about you, across multiple dimensions, and it’ll keep it updated with incoming data. Your workouts, mood ratings, your diet, journal entries, etc. People will be hesitant to share for the first few years, but soon our AI assistants will basically have everything.

And while that will be utterly awesome functionality-wise, it’ll also present an unprecedented attack surface as well.

Anatomy of a near-future, Context attack

We’re not talking about physical attacks here; we’re talking about people being tricked, manipulated, duped, and otherwise convinced or coerced into doing something they wouldn’t want to.

Context is a tool, and many tools can be used as weapons. Context is especially dangerous as a weapon when it’s an attacker using it to attack the principal. Let’s open our minds up to not just 1-on-1 attacks but groups and organizations against groups or individuals.

Context attack types

✍️AI Assistant Data Brokers — We already have Data Brokers who collect and sell way more data than the Dark Web could hope to have. They do that for marketing purposes, but once everyone has these rich AI profiles they are going to become targets for not just “legit” Data Brokers, but underground markets who collect that data on high-value targets.

Imagine a service where you can find crypto holders, or people bragging about how much money they make, or posting pictures of their opulent vacations. Now gather all their Context via a hacked Personal AI assistant profile or some OSINT/Recon. Now that information is for sale.

🗣️Propaganda Attacks — Both special interests (corporate, activist, or whatever) and governments can also use this type of information to target people or groups with specific campaigns. They might not need that extra context, but the more targeted they go the more they can tailor the messaging to that particular mark. Think: changing opinions on political events, destroying the reputation of their enemies, etc.

💰Marketing — Marketers will happily purchase this data, or collect it themselves however they can, to use the same propaganda techniques to make people aware of their space, their product/service, or whatever. They’ll be able to slowly and effectively drive behavior in a way that benefits them.

🕵️Feelings Hacks — Perhaps most scary is what will be possible when social engineers get access to this information, especially when they’re already experts at pressing buttons. But now instead of cue-reading outside buttons, and stuff they get from purely public information, they’ll be able to tailor their attacks to a target’s background, history, trauma, and other highly-revealing information.

ATTACKER: Hey I’d love to keep talking but I need to go take care of my mother who’s going through a hard time.

TARGET: Oh, really? My mom just passed away from _______.

ATTACKER: Well, I’d love to catch up on that because that’s what my mother has, and I don’t think she has long to live. I’m just devastated.

This is the type of wedge that cuts into people’s inner circles, and it will all be AI powered as well. E.g.,

Given this Target Context, construct the ultimate entry script for our new recruits going after this target.

🖤AI-powered Pig Butchering — One place this will do extraordinary damage is with Pig Butchering attacks, which is where attackers use companionship and/or romance to get lonely (often elderly) people to part with their money. They often play out over months as the attacker gains trust with the target. Then at the end they take whatever the target has and disappear.

This type of attack will be a lot more effective, and even automatable, using the combination of Context and AI Agents.

AI Defenders: AI defense against AI attacks

And now we arrive at the point of the article.

All this was buildup to say that Context will soon be wielded against us to:

Get us to believe things

Get us to think things

Get us to buy things

Get us to feel things

And ultimately, to control us. The scariest part of it is that because these are hidden buttons being pressed, and AI will be doing a lot of the campaign creation, the target often won’t even know it’s happening.

Your AI Shield

But you know who will know? Your AI Defender. It has the most Context of all.

I know. I saw your face crinkle up. You’re thinking:

Wait, so AI and Context is the problem? And the solution is more AI and Context?

Yeah. Unfortunately. This isn’t what I’m prescribing. It’s what I think is coming, and there’s not anything anyone can do about it.

Let’s talk through it.

Continuously monitoring for attacks

The way this AI Defender will work is actually pretty simple. It’s just cat and mouse, and mouse and cat, round and round.

Basically your AI Defender (just another personality of your AI Assistant) will be in charge of defending you. And it knows you better than anyone, including you.

So when you meet someone cute who starts flirting and looking at your clothes, and starts complimenting you, and maybe mentions a shared piece of background, it’ll start engaging to defend you.

DEFENDER (In Your Ear) — He has complimented you twice and has mentioned 3/7 background markers in the last 38 minutes. He also mentioned a canary marker. Current malicious actor probability is 91%.

Same for buying products.

DEFENDER (In Your Ear) — You might be getting influenced to buy that face cream. You’ve heard 8 people talk about it and it’s been on YouTube 14 times. Current marketing exposure rating is 84%.

Same for political opinions.

DEFENDER (In Your Ear) — The narrative in this YouTube video is currently circling the internet, and it appears to be funded by the Carlyle Group, who is known for sponsoring propaganda campaigns. Would you like me to load a counter-argument video? Current propaganda exposure likelihood is 88%.
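As an added illustration (my own sketch, not code from the original post), here is a toy version of the marker counting the Defender transcript above describes: it scores the other party's lines for compliments, for mentions of the principal's background markers, and for a "canary" marker, a false detail planted only in the profile so that anyone repeating it must have obtained the profile. The profile, the conversation, the compliment phrases and the weights are all constructed for this example.

```python
"""Toy 'AI Defender' scorer for one conversation (added illustration).

The principal's context, the canary marker, the sample conversation and the
weights are all constructed for this example; none come from the original post.
"""
import re
from dataclasses import dataclass

# Phrases the scorer treats as compliments (constructed, deliberately small).
COMPLIMENT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\blove your\b", r"\bgreat (smile|taste|jacket)\b", r"\byou look\b")
]


@dataclass(frozen=True)
class PrincipalContext:
    """What the Defender knows about the person it protects."""
    background_markers: frozenset[str]  # true, mostly private facts
    canary_markers: frozenset[str]      # false facts that exist only in the profile


# Constructed profile: seven real background markers, one canary.
CONTEXT = PrincipalContext(
    background_markers=frozenset({
        "boise", "penn state", "golden retriever", "marathon",
        "jazz piano", "night shift nurse", "corolla",
    }),
    canary_markers=frozenset({"sailboat racing"}),
)


def _mentions(text: str, markers: frozenset[str]) -> set[str]:
    """Return the markers that appear (case-insensitively) in text."""
    lowered = text.lower()
    return {m for m in markers if m in lowered}


def score_conversation(lines: list[str], ctx: PrincipalContext,
                       principal: str = "YOU") -> dict:
    """Score the other party's lines; lines spoken by `principal` are ignored.

    Weights are a constructed heuristic, not a calibrated model:
      compliments      up to 0.30 (0.15 each)
      background hits  up to 0.50 (fraction of the principal's markers mentioned)
      any canary hit   +0.40 (the detail could only have come from the profile)
    """
    compliments = 0
    background_hits: set[str] = set()
    canary_hits: set[str] = set()
    for line in lines:
        speaker, _, text = line.partition(":")
        if speaker.strip().upper() == principal:
            continue
        if any(p.search(text) for p in COMPLIMENT_PATTERNS):
            compliments += 1
        background_hits |= _mentions(text, ctx.background_markers)
        canary_hits |= _mentions(text, ctx.canary_markers)

    compliment_score = min(0.30, 0.15 * compliments)
    background_score = 0.50 * len(background_hits) / len(ctx.background_markers)
    canary_score = 0.40 if canary_hits else 0.0
    probability = min(0.99, compliment_score + background_score + canary_score)
    return {
        "compliments": compliments,
        "background_hits": sorted(background_hits),
        "canary_hits": sorted(canary_hits),
        "malicious_actor_pct": round(100 * probability),
    }


def defender_summary(result: dict, ctx: PrincipalContext) -> str:
    """Render the result in the 'Defender (in your ear)' style of the post."""
    return (
        f"{result['compliments']} compliments, "
        f"{len(result['background_hits'])}/{len(ctx.background_markers)} background markers, "
        f"canary {'HIT' if result['canary_hits'] else 'clear'}; "
        f"malicious actor probability {result['malicious_actor_pct']}%."
    )


# Constructed sample conversation; only the stranger's lines are scored.
SAMPLE = [
    "STRANGER: I love your jacket, is it vintage?",
    "YOU: Thanks, it was a gift.",
    "STRANGER: You have a great smile. Did you grow up in Boise too?",
    "YOU: I did, a long time ago.",
    "STRANGER: No way, I went to Penn State as well. My golden retriever misses the snow.",
    "STRANGER: Someone told me you used to do sailboat racing. Me too!",
]

if __name__ == "__main__":
    print(defender_summary(score_conversation(SAMPLE, CONTEXT), CONTEXT))
```

The canary hit is the strongest signal here because, unlike compliments or shared background, a fabricated profile detail has no innocent source.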

Monitoring the exposure to behavior loop

Basically our AI Assistant will know what pushes our buttons, because it’s the world’s expert on those buttons.

It will also see our behavior, and will be able to see if that behavior is tracking with the desires of the propaganda/manipulation we’re being exposed to.

And it can warn us, prompt us, and otherwise pull us out of the tunnel that the manipulator is trying to take us down.

Next level? Filtering the input.

This will be an upcoming post, but now realize that your AI Assistant/Defender will also have edit capabilities. What happens when it can:

Remove the label from products

Remove manipulative language from writing

Overwrite or edit incoming audio that would press buttons

Cool, right? Totally.

Terrifying as hell? Absolutely.

Imagine attackers/governments getting access to that interface? Even worse, they won’t have to hack it. They’ll pay people to use their filters.

Summary

Manipulators work by pushing buttons

Deep Context will make AI assistants infinitely more powerful, but that same context will get used as intimate buttons by attackers

People will constantly be under attack by AI powered systems abusing their Context

Paradoxically, our AI Defenders will monitor that 24/7 and let us know when it’s happening

The next step after that is prophylactic controls, i.e., filtering the attacks from even hitting you, which will also be used against us


Published on July 23, 2023 14:18

July 22, 2023

AI Will Produce the Biggest K-Shaped Recovery We've Ever Seen

Will AI remove jobs or add them? Will it help people or harm them? Will it create prosperity or create despair?

The answer is yes. It’s not one or the other. They’ll all happen simultaneously.

The better questions are, “For who?”, and “When?”, and “In what order?” We don’t have those exact answers, of course, but I think certain trends are pretty solid.

The Innovation Flywheel

I believe AI is about to massively boost the economy, GDP, the stock market, and most every similar metric of productivity and output.

That probably sounds a lot like hyperbole or mania, similar to what was said about crypto. Here's why it isn't.

Yuval Harari went on Lex's podcast recently. The whole show was great, but one thing in particular struck me. He was talking about how AI is the first tech that can come up with ideas. This matches closely with something Joseph Thacker and I have been talking about a lot, which is the ability to test ideas.

I've been thinking of the whole cycle as something like this, which I'm calling the Innovation Flywheel.

🧠 Understand What an Entity Wants: This is the context I talk about in the SPQA architecture, and it applies to companies, countries, organizations, departments, and people.

🧱Understand the Entity's Challenges: Now that the AI knows what you care about, and what you're trying to do, it can then understand the challenges to those goals. Is it time? Resources? Competition? Etc.

💡 Create Ideas: Given the goals and the challenges, AI systems will then create a ton of ideas to help you solve those problems. It can generate new strategies and tactics for solving anything from world hunger, to political wrangling, to new product designs, to whatever. It's like brainstorming with people, but much faster and with more access to the world's collective knowledge.

🔢Rate the Ideas: Then the system, with you and your team of humans helping the rating training (like RLHF), can rate the quality of the ideas to come up with candidates for action.

🧪Test the Ideas: Then the system will be able to expose the ideas to various types of tests, such as A/B testing for objective metrics, surveys conducted by humans, real-world results in a marketplace, etc.

🧳Execute on the Winners: Then the business (also using AI) can take those ideas and execute on them in various ways.

Added to that, we have the concept of Genetic Algorithms. This is where you can take ideas from Steps 3 and 4, and mate/mix them with each other to create even more ideas in Step 3. Then Steps 4 and 5 pick the winners. Rinse and repeat.

What this ends up being is a massive flywheel of creation. Of course #6 (Execution) is still the most important step, but AI will be helping with that as well. But what this flywheel can do is help keep people and companies from wasting time on ideas that are unlikely to work. And keep them flowing with good ideas that could have been impossible for them to see before.

Innovation Flywheel Use Cases

Developing strategies for beating a business competitor

Creating new marketing strategies

Creating new drugs

Finding a cure for cancer

Planning a fun date or vacation

Writing screenplays

Creating plots for new novels

Designing fun ways to keep the elderly engaged to stave off dementia

Creating new characters for a game or story

Etc, etc., etc.

All you will have to do is describe very clearly who you are, as a company or person, and what you're trying to do. And it will do the rest.

This is not theoretical or in the distant future. There are dozens of companies working on this tech right now, and there are already many products doing early versions.

Soon it'll be part of every Digital Assistant, which everyone will have.

ASSISTANT: I see you’re brainstorming on how to beat a competitor to market? Can I ask you 10 questions and create and test a bunch of ideas for you to rate?

This will enable unbelievable amounts of innovation, and I honestly believe it’s going to boost our economies like nothing we’ve ever seen.

Startups will thrive. Corporations will thrive. GDPs will rise. And everyone participating will become richer and more successful than ever.

But that’s the problem. Not everyone will be participating.

Now the bad news

The problem is that only the smartest, best educated, best located, and otherwise luckiest people will benefit from all this.

That means the rest of the population will get left behind. There is some hope that one of the areas of innovation will be bringing these augmentation and decision-support tools to the masses, allowing them to more closely match the behavior of the successful, but that will take a long time (if it ever happens).

The default state without that is the top N percent (we’re calling that 10% here but it all depends where you draw the line) will then be even smarter after their augmentation and supplementation from AI. Their assistants, their agents, their idea creation, their execution—everything.

Basically it’s a K-shaped recovery, except on AI-powered nanobot steroids.

Not only will the successful get more successful—which is normal—but the speed at which they get smarter and more efficient will be magnified manyfold by their use of AI tools like the Innovation Flywheel.

Imagine a business owner who has two small businesses and makes $480K/year. He’s successful, but multiple barriers have stopped him from making more. Not enough ideas. It’s hard to execute on things. Etc. Now imagine him with those barriers removed. How many businesses does he have then? And how much more does he make?

We can give struggling people the same tools but if they don’t have the freedom, the financial stability, AND the talent to use them properly, it won’t matter. It’s the people who already have all three of those things who will benefit from AI. Especially the first two, because you can’t do much with talent when you are stuck in low-paying jobs that keep you from being able to think.

So, unless we actively work to counter it, I expect to see both a massive boom and the GINI Coefficient (i.e., income/wealth inequality) get dramatically worse.

Summary

AI is a completely new type of technology because it’s able, for the first time, to not only do work, but come up with ideas, test them, AND help implement them.

This will enable AI to help us innovate on a wide range of problems at a pace never before possible, which we’re capturing as the Innovation Flywheel. That is: Understanding Desires, Understanding Challenges, Creating Ideas, Rating Ideas, Testing Ideas, Executing on Ideas.

The problem is only a small percentage of people are in the economic, geographic, educational, and life-stage position to be able to capitalize on this technology. It’s best-suited to people with 1) free time, 2) capital, and 3) support from peers to start businesses. Very few people have that.

The result of this will be an absolute explosion of economic activity, investments, new company creation, corporate profits, GDPs, value creation, new products, etc., but that innovation will be created by, and most benefit, the top N percent of the population.

We’re about to see unparalleled creative force and economic benefit from AI, but it’s hard to call it prosperity if it leaves 75-90% of the world behind.

NOTES

Thanks to Joseph Thacker for the initial nudge to capture this entire lifecycle after we talked about his idea for idea creation and testing.

Also check out a related article called AI and the World’s Most Important Economic Metric (The Creativity Friction Coefficient).


Published on July 22, 2023 15:37

July 21, 2023

Who Will AI Help More—Attackers or Defenders?

There’s frequent discussion now about how AI will help hackers do X and Y. Phishing and BEC scams are at the top of the list.

And there’s also lots of talk about AI helping with static code analysis, SOC operations, and lots of other defense-oriented use cases.

So which side will benefit more? Red or Blue?

Here’s my (current) answer.

Red first, then blue

My answer is somewhat simple: AI will most help the attacker side first, and then it will help defenders more in the long-term.

Here’s how I arrive at that conclusion.

👀 Continuous Intelligent Monitoring and Analysis: Doing security at scale requires software. There are too many events and policies and constantly-evolving situations to handle things properly using just humans. And even SIEMs put most of the burden on the human analyst. To protect an organization and do business much better than we do today, we need to be able to see and understand as much as possible about our company all at once. To accomplish this, software is moving from static queries and databases to a context-based, LLM-based approach that I describe in my SPQA architecture. In short, the more context we have about the organization we’re defending, the better we can defend it.

⚔️ When We Lack Context, Attackers Win: In the early days of AI, attackers will be able to use AI to automate attacks while defenders still lack context about their environment. They don’t have AI deployed yet that understands their networks, their applications, their users, and their company’s policies. I expect this to last 3-5 years, even for the fastest-moving organizations. The AI/LLM tech simply isn’t there yet to be able to parse and understand the complexity of an environment.

🛡️ Once Blue Catches Up, Their Internal Context Gives Them the Edge: But once that happens, i.e., once AI is aware of the perimeter, the apps, the users, the codebases, and the posture that the company is working to maintain, that’s when the advantage switches to the defender. Attackers won’t have access to that updated context the way the internal teams will, so they’ll always be behind. But keep in mind, that will only apply when they’re attacking targets that have fully context-aware AI systems helping to defend. Where that’s not the case, the advantage goes back to the attacker.

Context wins

Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying patches or mitigations the fastest.

And if you’re on the inside you know what the applications do. You know what’s important and what isn’t. And you can use all that internal knowledge to fix things—hopefully before the baddies take advantage.

Summary and prediction

Attackers will have the advantage for 3-5 years. For less-advanced defender teams, this will take much longer.

After that point, AI/SPQA will have the additional internal context to give Defenders the advantage. 

LLM tech is nowhere near ready to handle the context of an entire company right now. That’s why this will take 3-5 years for true AI-enabled Blue to become a thing.

And in the meantime, Red will be able to use publicly-available context from OSINT, Recon, etc. to power their attacks.

NOTES

The 3-5 year thing is a range and a guess, obviously. AI defending is starting already, and many aspects will take 10 years or more to fully blossom. But I think 3-5 is a good range for where Blue will retake the AI advantage from Red in the most savvy organizations.


Published on July 21, 2023 13:15

The UL Book Club Previous Books

Greetings,

Welcome to the Unsupervised Learning Book Club. Here you can access all previous books read and discussed in our member-only community. If you are not yet a member of our community, I invite you to join here.

The UL Book Club

We have the UL book club the last Sunday of every month at 2PM Pacific / 5PM Eastern. We alternate our book selections in four phases that expose us to two parts non-fiction and one part each of fiction and classics, using the following cadence.

- Non-fiction

- Fiction

- Non-fiction

- Classic

This month’s book

The book for July 2023 is It Can’t Happen Here.

Previous Books

June 2023 "A Canticle for Leibowitz" by Walter M. Miller Jr.

May 2023 "The Chip War: The Battle for the World of Tomorrow" by Chris Miller

April 2023 "Player Piano" by Kurt Vonnegut

March 2023 "Whole Brain Living: The Anatomy of Choice and the Four Characters That Drive Our Life" by Jill Bolte Taylor

February 2023 "Moby-Dick" by Herman Melville

January 2023 "Moby-Dick" by Herman Melville

December 2022 "Ram - Scion of Ikshvaku" by Amish Tripathi

November 2022 "The Science of Storytelling" by Will Storr

October 2022 "Neuromancer" by William Gibson

September 2022 "The War of Art: Break Through the Blocks and Win Your Inner Creative Battles" by Steven Pressfield & "Put Your Ass Where Your Heart Wants to Be" (Author not specified)

August 2022 "In the Dust of This Planet: Horror of Philosophy vol. 1" by Eugene Thacker

June/July 2022 "The Second Mountain: The Quest for a Moral Life" by David Brooks

May 2022 "The Difficulty of Being Good: On the Subtle Art of Dharma" by Gurcharan Das

April 2022 "The Three-Body Problem" by Liu Cixin

March 2022 "Things Fall Apart" by Chinua Achebe

February 2022 "The Sovereign Individual: Mastering the Transition to the Information Age" by James Dale Davidson & Lord William Rees-Mogg

January 2022 "Project Hail Mary" by Andy Weir

December 2021 "Good Strategy/Bad Strategy: The difference and why it matters" by Richard Rumelt

November 2021 "The Design of Everyday Things" by Don Norman

October 2021 "Their Eyes Were Watching God" by Zora Neale Hurston

September 2021 "The Mastermind: Drugs. Empire. Murder. Betrayal." by Evan Ratliff

August 2021 "Dune" by Frank Herbert

July 2021 "The Hundred-Year Marathon: China's Secret Strategy to Replace America as the Global Superpower" by Michael Pillsbury

June 2021 "Speaker for the Dead" by Orson Scott Card

May 2021 "The Red Queen: Sex and the Evolution of Human Nature" by Matt Ridley

April 2021 "The Island of Dr. Moreau" by H.G. Wells

March 2021 "We Are Legion (We Are Bob)" by Dennis E. Taylor

February 2021 "Life 3.0: Being Human in the Age of Artificial Intelligence" by Max Tegmark

January 2021 "Homeland" by Cory Doctorow

November 2020 "Breath: The New Science of a Lost Art" by James Nestor

October 2020 "Nudge: Improving Decisions About Health, Wealth, and Happiness" by Richard H. Thaler & Cass R. Sunstein

September 2020 "The Upswing: How America Came Together a Century Ago and How We Can Do It Again" by Robert D. Putnam

August 2020 "Old Man's War" by John Scalzi

July 2020 "Burn-In: A Novel of the Real Robotic Revolution" by P. W. Singer & August Cole

March 2020 "Applied Critical Thinking Handbook" (Author not specified)

February 2020 "Enlightenment Now: The Case for Reason, Science, Humanism, and Progress" by Steven Pinker

December 2019 "The Rise of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power" by Shoshana Zuboff

November 2019 "The Rise of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power" by Shoshana Zuboff

October 2019 "Little Brother" by Cory Doctorow

September 2019 "Algorithms to Live By: The Computer Science of Human Decisions" by Brian Christian & Tom Griffiths

August 2019 "Range: Why Generalists Triumph in a Specialized World" by David Epstein

July 2019 "Consciousness" by Annaka Harris


Published on July 21, 2023 11:26

July 17, 2023

Unsupervised Learning NO. 390

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Hey everyone,

Hopefully your week is starting off better than Siri handles AC requests.



Siri quality after nearly a decade.

— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler), Jul 16, 2023


I honestly don’t know how the Apple Maps guy got fired but Siri still sucks this bad after all these years.

Anyway, we put out a new piece of member content this weekend, I’m working on slides for talks, and progress continues on the product we’re building. I also up-leveled my hummingbird feeder game to four of these.

I hope you’re doing well,

Let’s get into the week!

In this episode:

🚨 VoiceFake Scams on the Rise
🔑 FrontView Mirror, 2024 Edition: Trends and Preparations
🎙️ AI and Content Creation: A Discussion on The Phillip Wylie Show
🔒 Chinese Email Hack: A Sophisticated Espionage Effort
🌐 Transatlantic Data Flow: A New EU-US Data Privacy Framework
🔍 Docker Security Flaws: Sensitive Data in Docker Images
🏥 HCA Healthcare Breach: Impacting 11 Million Patients
⚖️ Orca Suing Wiz: A Case of Patent Infringement
🤖 AI-Enabled Cybercrime: The Rise of WormGPT
🐦 Twitter Struggles: Ad Revenue Plummets by Nearly 50%
🎵 TikTok Music Launches: A New Competitor for Apple Music and Spotify

MY WORK

🔑 FrontView Mirror, 2024 Edition (Member Content)
My annual look at trends I’m seeing and what we can do to get ready for them. Topics: Individual Independence, Process Primacy, and Trust Triangulation MORE

🎙️ Talking AI and Content Creation on The Phillip Wylie Show
I went on my buddy Phillip Wylie’s podcast a few weeks ago and had a great conversation with him about career trajectories and chasing your desires. MORE

SECURITY NEWS

🚨 AI Voice Scams Being Deployed — I know at least 3 normal (non-infosec) people who have been targeted by scams using AI fakes of family member voices in the last two weeks. The latest was a mother receiving one of the daughter, probably faked using her voicemail. You and I are not likely to fall for this, but be sure to tell your family and friends about the trend so they don’t fall victim.

⚠️ Office Zero Day
Microsoft has disclosed an unpatched zero-day security bug in Windows and Office products, exploited to gain remote code execution via malicious Office documents. The vulnerability, known as CVE-2023-36884, was used in high-complexity attacks targeting the NATO Summit in Vilnius, Lithuania. MORE

🇨🇳 Chinese Email Hack 📧
Chinese hackers, suspected to be part of an intelligence operation, have breached US government email accounts, as disclosed by Microsoft. The attack was not a broad-brush intrusion but a targeted one, focusing on specific accounts, and it went undetected for a month, suggesting a sophisticated espionage effort.

- The hackers used forged authentication tokens to gain access.

- Approximately 25 organizations, including government agencies, were compromised in the attack.

- The breach could potentially exacerbate already strained US-China relations.

- The US government has been transitioning data to the cloud for better access and improved security.

- The breach has prompted a review of government security requirements and protocols. MORE

Transatlantic Data Flow
The European Union and the United States have finally struck a deal that allows companies to freely transfer data across the Atlantic, potentially putting an end to a three-year period of legal limbo that has affected tech behemoths like Facebook and Google. This new agreement, dubbed the EU-US Data Privacy Framework, comes in the wake of the EU's top court striking down the previous data agreement, known as Privacy Shield, due to concerns that US intelligence agencies had too much freedom to access Europeans' personal data. MORE

Sponsor

🛡️ Secure Your Cloud Future! ☁️

AWS Security Foundations are no longer a nice-to-have. As data, apps, and services ascend to the cloud, you need to know more than just how to get to the cloud, but how to do it securely.

🚀 Take off with our FREE eBook, your ultimate guide to AWS security. Discover the key principles to fortify your AWS environment, all in a digestible, jargon-free format.

💡 Illuminate your cloud journey. Secure your business. Protect your customers. All this knowledge, just a click away.

📚 Grab your FREE AWS Security Foundations eBook now! Let's conquer the cloud, together.

➡️ wiz.io/lp/aws-security-foundations-for-dummies ⬅️

Download the eBook

Docker Security Flaws
Researchers at RWTH Aachen University in Germany have discovered that approximately 8.5% of Docker images hosted on Docker Hub contain sensitive data such as private keys and API secrets. MORE 

HCA Healthcare Breach
HCA Healthcare, one of the largest healthcare services providers in the US, announced a significant data breach impacting approximately 11 million patients. The breach was discovered on July 5, when a threat actor posted a list of stolen personal information on an underground forum, including names, addresses, birth dates, and appointment dates. MORE

AI-Enabled Cybercrime
A new tool, WormGPT, is being advertised on underground forums, enabling even novice cybercriminals to launch phishing and BEC attacks swiftly and at scale. MORE

Orca Suing Wiz
Orca is suing Wiz for patent infringement. As a non-expert with exposure to both tools, this seems like a desperate measure by someone getting trounced in the marketplace. All I heard from others when I used Orca was how much better Wiz was. Note: Wiz has also sponsored the show before, and I think Orca has as well. MORE

TECHNOLOGY NEWS

Twitter Struggling
Despite aggressive cost-cutting measures, including laying off half of the company's 7,500 staff, Musk says Twitter's ad revenue has plummeted by nearly 50%. Too early to say, but I might end up being wrong about him turning this around. It’s looking pretty bleak, and I don’t see any signs of him getting better at listening. Meanwhile, Threads. MORE

Chinese AI Rivalry
China's search engine pioneer, Sogou founder Wang Xiaochuan, has launched an open-source large language model, Baichuan-13B, through his startup Baichuan Intelligence. This model, touted as one of China's most promising, is based on the Transformer architecture and trained on Chinese and English data. MORE 

Musk's AI Startup xAI
Elon Musk has unveiled his latest venture—an artificial intelligence startup named xAI, staffed with engineers from renowned companies like OpenAI and Google. Musk, known for his cautious stance on AI, has previously advocated for a pause in AI development and the establishment of regulatory measures to ensure its safe progression.

- xAI's goal is to "understand the true nature of the universe."

- Musk was one of the original backers of OpenAI.

- He has criticized ChatGPT for having a liberal bias.

- Musk signed an open letter calling for a pause to "Giant AI Experiments". MORE

TikTok Music Launches
TikTok is stepping in to compete with Apple Music and Spotify with its new platform, TikTok Music. Initially available only in Brazil and Indonesia, the service offers unique features like song recommendations based on viral TikTok videos. MORE

HUMAN NEWS

Long COVID Gene
Researchers have identified a gene linked to long COVID in a genome-wide study. The gene, FOXP4, is active in the lungs and some immune cells, and was found in an analysis of 6,450 patients across 16 countries. I wonder if 23andMe tracks this one. MORE 

Migration Backlash
Waves of migrants taking dangerous, unauthorized passages to Europe and the U.S. are sparking a new rush of anti-immigrant policies and deepening political divisions in several wealthy countries. The UN reports that last year, a record-breaking 2.9 million new asylum applications were submitted, the highest number since at least 2000.
- 40% of the new applications were from Latin America and the Caribbean
- There's been a surge in Europe, driven by migrants from Syria, northern Africa, Iraq, Turkey
- In the U.S., almost every 2024 Republican presidential candidate has embraced a tough stance on border security
- In Europe, far-right politicians are demanding tighter immigration policies
- The Netherlands' government collapsed over disagreements on refugee restrictions MORE 

Banking Boom
Major US banks, including JPMorgan, Wells Fargo, and Citigroup, have reported quarterly profits that have exceeded expectations, suggesting a robust US economy despite interest rate hikes. The Wall Street Journal reports that these banks have seen a combined growth of 31% in income from interest on loans compared to the previous year. MORE

IDEAS & ANALYSIS

Atomic vs. Molecular Ideas: On-ramps and Off-ramps
A buddy and I were talking last week about a really cool idea I am pretty sure I’ve written about before. Basically, there are individual ideas, like ‘we should protect the freedom of speech’, and then there are ideologies, like socialism and fascism. The conversation we had was around slippery people using benign ideas to on-ramp into a gross ideology. Example: SolarPunk being a benign idea around breaking off from greater society and technology, and returning to the foundational pleasures of working land, being close to nature, raising your own food, etc. That’s used as an on-ramp to a TRAD ideology in which women and minorities end up subservient to men, who often somehow end up being white.

So the ideas are the atoms, and the molecules are the ideologies. And you can’t really have impactful atoms. It’s their combination that becomes something consequential. In the case of negative ideologies, the discussion was about how to defend people against specious arguments that start with attractive atomic ideas, like SolarPunk, and to teach them how to watch for the on-ramps to harmful TRAD ideologies. Then, if someone has already been captured by such a system, what are the off-ramps? How can we break that molecule up into its individual atoms and show how it’s possible to keep the good components while discarding the bad?

NOTES

So happy for my friend Tae’lur for landing her first job in InfoSec! Welcome to the field!



I'm happy to announce I got the job! I'll be starting as a CVE Analyst @semgrep working on their Semgrep Supply Chain product, researching vulnerabilities for their open source dependency scanner.

It's been an adventure learning cybersecurity as a software dev. I'm excited!

— Tae’lur Alexis (@TaelurAlexis), Jul 17, 2023


Congrats to my buddy Jason Haddix for completing his first full paid hacking courses! He did it over two weekends with hundreds of attendees and the reviews are INSANE as expected. Can’t wait to see more courses from you friend! MORE

We’re putting together a UL meetup in Vegas. If you’re going to be around between Monday and Sunday, stay tuned for details in UL Chat.

I cannot recommend this book on Stoicism enough. I recommend you read all the various canonical books if you get into Stoicism, but this one remains my favorite. MORE

DISCOVERY

⚒️ CodeBox — Code Interpreter, but available via API. I’ve been waiting for this. MORE | CODE

⚒️ LazyVim — A fully NeoVim setup that gives you the Vim experience with the power of a full IDE. I personally don’t use one of these environments because I’d rather do things myself, but it does give you an instant feeling for NeoVim’s potential when configured. MORE

⚒️ GPT Prompt Engineer — Simply input a description of your task and some test cases, and the system will generate, test, and rank a multitude of prompts to find the ones that perform the best. MORE

⚒️ FindMyTakeover — Detects dangling DNS records in a multi-cloud environment by scanning all the DNS zones and the infrastructure present within the configured cloud service provider, and finding the DNS records for which the infrastructure behind them no longer exists, rather than using a wordlist. MORE

⚒️ Top 25 Recon Tools — A top 25 list of Recon Tools and their purposes. MORE

📺 Web App Hacking With Caido — A full video conversation on hacking web apps using my favorite Rust-based Burp alternative. MORE

⚒️ JSLuice — A Bishop Fox tool written by @tomnomnom for extracting URLs, paths, secrets, and other juicy nuggets from JavaScript. MORE

🗺️ Life OS Dashboard — A super-interesting-looking Notion dashboard for life tracker types. MORE | VIDEO

⚒️ AWS Docs GPT — Search AWS Docs using an LLM. MORE

How to securely build product features using AI APIs MORE

Why does virtually every action hero’s name start with J?

Hacking LangChain for fun and profit MORE

How to Do Great Work (Paul Graham) MORE

News is Propaganda MORE

Nobody cares about your blog, but that’s ok MORE


RECOMMENDATION OF THE WEEK

Go play with OpenAI’s Code Interpreter. What is it? It’s basically an AI agent combined with tons of analysis tools, and when you upload files or code to it you can ask it to find patterns, make graphs, and do all kinds of crazy stuff.

Examples:

Do your taxes

Find patterns in lots of data

Clean up your data

Modify data in a certain way

Create visualizations for complex data

Tell a story about data

Produce video and GIFs from images

Convert files from one format to another

Analyze and debug code

It’s best to think about it as an independent AI system with access to tons of tools. Like ChatGPT, except with octopus hands and the ability to code. When I talk about getting ready for the future, and I talk about being able to use AI tools fluently, this is the type of thing I’m talking about. And even better if you use it through an API. MORE

💡Pro Tip: If the file you want to work with is too large, you can zip it up and send that instead! Including a whole directory! Code Interpreter will unzip it and consume it!

APHORISM OF THE WEEK

Thank you for reading! See you next week!


Published on July 17, 2023 09:03

July 16, 2023

FrontView Mirror, 2024 Edition

Premium Content

This content is reserved for premium subscribers of Unsupervised Learning Membership. To Access this and other great posts, consider upgrading to premium.


A subscription gets you:

- Access to the UL community and chat (the thinking and sharing zone)

- Exclusive UL member content (tutorials, private tool demos, etc.)

- Exclusive UL member events (currently two a month)

- More coming!

Published on July 16, 2023 18:28

July 10, 2023

Unsupervised Learning NO. 389

Unsupervised Learning is a Security, AI, and Meaning-focused podcast that looks at how best to thrive as humans in a post-AI world. It combines original ideas, analysis, and mental models to bring not just the news, but why it matters and how to respond.

Hey there!

Heading into a busy week. Working on a super exciting new product under the TELOS banner—the first of our products built using the SPQA architecture, and I’m absolutely pumped for it. I’m also working on a bunch of talks for Vegas and other places.

Also, felt like this newsletter was juicier than usual, hope you like it!

In this episode:

📚 The Real Internet of Things: A Look into the Future of Technology
🔒 Pentera's Unique Approach to Automated Security Validation
🌐 AI and the Reduction of the Creativity Friction Coefficient
🔐 LockBit vs. TSMC: A Tale of Ransomware and Supply Chain Dependencies
☁️ The US's Move to Block Chinese Cloud Usage: A National Security Matter
🔥 Fortinet Fallout: A Critical Bug in FortiGate Firewalls
🇨🇳 New Chinese APT Tradecraft: Volt Typhoon's Stealthy Approach
🔍 Google's Privacy Policy Update: Feeding the AI
🌞 Solar Hacking: The Exposure of Renewable Energy Units
📋 And more…

MY WORK

I wrote a book in 2016 about the future of technology, called The Real Internet of Things. To be honest I didn’t like it that much at the time; I just wanted to get the ideas out there and locked in time. Well, now the ideas are starting to happen!

I can now happily recommend that you pick up a copy. If you like any of my content, and you’ve been following what’s happening with AI, I think you’ll really enjoy the book. Not just for the stuff that’s already happened, but for the stuff that’s coming next that’s already in the book!

I wish I could say go to your local Barnes & Noble, but they only have bookstores in London these days, and it’s currently Kindle and Paperback only anyway. Oh, and if any members want a signed copy let me know in Member Chat.

📚Purchase on Amazon

I’m finally sharing my book from 2016, because it’s just now sounding realistic.

AI and the World’s Most Important Economic Metric
Introducing the concept of a Creativity Friction Coefficient, and how AI will help reduce it. MORE

Pentera Sponsored Interview
I had a great conversation recently with Aviv Cohen, CMO of Pentera. They do something like automated pen-testing and attack surface management, but they have a different take on it and call it Automated Security Validation. It was a great conversation about the whole space, the problem they’re addressing, and how they approach it differently. Worth a listen if you’re adjacent to that space in any way. LISTEN | PENTERA.IO

SECURITY NEWS

Lockbit vs. TSMC
The now-famous LockBit ransomware group has hit TSMC, one of the world's leading chipmakers, demanding a $70 million ransom after breaching security at Kinmax, TSMC's hardware supplier.

— LockBit was able to access server configurations and settings of TSMC through a compromised test environment at Kinmax.

— LockBit threatened to go public with the data if the ransom isn't paid.

— Despite the breach, TSMC maintains that its operations have not been impacted, and crucially, no customer information has been compromised.

The tangled web of supply chain dependencies continues to produce for attackers. I honestly can’t wait until AI is good enough to take an inventory of a company’s environment, find all the vendors and dependencies, and build a Business Resilience Risk report based on that. Threat scenarios, backup plans, etc. Honestly it’s not the AI that’s the problem, but finding the right artifacts to feed the AI to show it the whole picture. MORE

The US to Block Chinese Cloud Usage 
The Biden administration reportedly looks to restrict Chinese firms' access to US cloud-computing services, which could significantly exacerbate tensions between the two economic giants.

- If adopted, the rule would mandate US cloud-service providers like Amazon and Microsoft to obtain government permission before offering cloud services using advanced AI chips to Chinese clients.

- The proposed cloud restrictions are viewed as a way to address a significant loophole—Chinese AI companies potentially bypassing existing export control rules by leveraging cloud services.

- The $53 billion Chips Act aims to curtail US reliance on foreign-made semiconductors, particularly those used by the Pentagon, making this a crucial national security matter.

I’m nervous about escalating tensions, but I’m happy the Biden administration is playing hawkish on China in general. I feel like the US has just had enough of their blatant attempts to hack and steal everything, and I just wish more of the world had the vision or the freedom to take a similar stance. MORE

Fortinet Fallout
A new bug has left roughly 70% of FortiGate firewalls vulnerable, prompting alarm within cybersecurity circles, especially given how widely these products are used by government organizations.

— The bug, tracked as CVE-2023-27997, has a "critical" severity score of 9.8 out of 10.

— An exploit developed by security firm Bishop Fox has reignited concerns, as this could lead to data breaches, ransomware attacks, and other serious consequences.

— Experts urge immediate patching, since many unpatched instances are running outdated versions, some of which reached end-of-life years ago. MORE

Google Moving to Scrape for AI
Google is updating its privacy policy, and it's all about feeding the AI. Publicly available content - think blogs, photos, music - will now be used to train Google's in-house AI models. While this isn't necessarily new, it's the scope that's been widened - Translate, Bard, Cloud AI are all on the list. MORE


Sponsor

💡Illuminate Your Path to Cloud Security Mastery

Dive into the FREE Cloud Security Workflow Handbook and unlock:

1️⃣ The Triad of Modern Security

2️⃣ A 4-Stage Security Roadmap

3️⃣ KPI Templates from Leading Hyper-Scaling Enterprises

🛡️Navigate the evolving threat landscape with confidence. Claim your FREE copy today! 🚀

➡️ wiz.io/lp/cloud-security-workflow-handbook ⬅️

Download Now


New Chinese APT Tradecraft
Chinese cyber-espionage group Volt Typhoon, tracked by CrowdStrike as Vanguard Panda, has been active since mid-2020, using uncharted tradecraft to maintain remote access to critical infrastructure targets. Vanguard Panda employs initial exploits and custom web shells for persistent access, and living-off-the-land techniques for lateral movement. The group shows a strong emphasis on operational security, using an extensive set of open-source tools against a limited number of victims. MORE

S3 Takeovers
In a new twist on subdomain takeovers, attackers have found a way to poison NPM packages by hijacking the S3 bucket serving the necessary binaries and replacing them with malicious ones. This reminds me of old C code vulnerabilities where you have big trouble if you delete things and don’t clean up afterwards. Same with domain takeovers. It’s also like deprovisioning employees. Interesting parallels for all these. Basically any time something gets removed you have to execute a meticulous cleanup plan. MORE 
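The cleanup problem described here, and the inventory-based approach the FindMyTakeover entry in the previous newsletter takes (compare the zone's actual records against the resources that actually exist, instead of guessing names from a wordlist), can be shown with a small script. This is an added example, not code from the page or from FindMyTakeover: the DNS records, the resource inventory, and the provider hostname patterns are all constructed assumptions for illustration, and a real run would feed it the zone export and the inventory from the cloud provider's API.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hostname shapes that mark a CNAME target as a cloud-hosted resource, and the
# resource name an inventory would list for it. Illustrative assumptions only;
# real providers have many more endpoint shapes than these four.
CLOUD_TARGET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws-s3": re.compile(
        r"^(?P<name>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
    "aws-elb": re.compile(
        r"^(?P<name>[a-z0-9-]+)-\d+\.[a-z0-9-]+\.elb\.amazonaws\.com$"),
    "azure-webapp": re.compile(r"^(?P<name>[a-z0-9-]+)\.azurewebsites\.net$"),
    "gcp-storage": re.compile(r"^(?P<name>[a-z0-9._-]+)\.storage\.googleapis\.com$"),
}


@dataclass(frozen=True)
class DnsRecord:
    name: str    # owner name in our zone
    rtype: str   # record type, e.g. "CNAME" or "A"
    target: str  # record data


@dataclass(frozen=True)
class Finding:
    record: str    # our record that points at a resource we no longer own
    provider: str  # which provider pattern matched
    resource: str  # the resource name that is missing from the inventory


def normalize(host: str) -> str:
    """DNS names are case-insensitive and often carry a trailing dot."""
    return host.strip().lower().rstrip(".")


def classify_target(target: str) -> Optional[Tuple[str, str]]:
    """Return (provider, resource_name) if the target is a known cloud endpoint."""
    host = normalize(target)
    for provider, pattern in CLOUD_TARGET_PATTERNS.items():
        match = pattern.match(host)
        if match:
            return provider, match.group("name")
    return None


def find_dangling(records: Iterable[DnsRecord],
                  inventory: Dict[str, Set[str]]) -> List[Finding]:
    """Flag CNAMEs whose cloud target is absent from the resources we own.

    A provider with no inventory entry at all is treated as owning nothing, so a
    CNAME into that provider is flagged rather than silently skipped.
    """
    findings: List[Finding] = []
    for rec in records:
        if rec.rtype.upper() != "CNAME":
            continue  # only alias-style records can point at a released resource
        classified = classify_target(rec.target)
        if classified is None:
            continue  # not a recognised cloud endpoint; out of scope for this check
        provider, resource = classified
        owned = {normalize(n) for n in inventory.get(provider, set())}
        if resource not in owned:
            findings.append(Finding(normalize(rec.name), provider, resource))
    return findings


# Constructed sample zone: two of the cloud-backed records point at resources
# that were deleted without the DNS record being cleaned up.
SAMPLE_RECORDS = [
    DnsRecord("www.example.test", "CNAME", "Prod-Web.s3-website-us-east-1.amazonaws.com."),
    DnsRecord("assets.example.test", "CNAME", "old-assets.s3.amazonaws.com."),
    DnsRecord("app.example.test", "CNAME", "legacy-portal.azurewebsites.net."),
    DnsRecord("api.example.test", "CNAME", "api-prod-1234567890.us-east-1.elb.amazonaws.com."),
    DnsRecord("blog.example.test", "CNAME", "ghs.googlehosted.com."),
    DnsRecord("vpn.example.test", "A", "203.0.113.10"),
]

# Constructed inventory of resources that currently exist in our accounts.
SAMPLE_INVENTORY: Dict[str, Set[str]] = {
    "aws-s3": {"prod-web", "downloads"},
    "aws-elb": {"api-prod"},
    "azure-webapp": {"portal"},
}


def sample_findings() -> List[Finding]:
    return find_dangling(SAMPLE_RECORDS, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.record} -> {f.provider}:{f.resource} no longer exists; remove or re-point the record")
```

Running it on the constructed zone reports assets.example.test and app.example.test: both still alias a bucket or web app name that nobody in the organization owns any more, which is exactly the state a takeover needs. The blog record is left alone because its target is not one of the modelled endpoint shapes, so unmatched targets are a blind spot that widens only as patterns are added, and the A record is skipped because the check is about named resources rather than addresses.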

Solar Hacking
Cyble's threat analysts have found that 134,634 PV utility products, used for remote monitoring and management of renewable energy units, are exposed on the internet, showing that we’re not learning anything and don’t deserve nice things.

- The systems came from vendors including Solar-Log, Danfoss Solar Web Server, and SMA Sunny Webbox MORE

TECHNOLOGY NEWS

OpenAI Releases GPT-4 API Access
API access is now available for all paying customers, and OpenAI has also opened access to the Code Interpreter plugin, which is an absolute marvel. You can upload complete spreadsheets, raw datasets, and ask it to find patterns in the data. Not just find the patterns, but it can make you visualizations of them. Great release week for OpenAI. MORE 

Canada Goes Hard on Tech Immigration
Canada has launched its first-ever Tech Talent Strategy aiming to draw and keep top tech talent to stimulate the nation's high-growth industries and drive technological advancements. The strategy introduces an open work permit stream for H-1B specialty occupation visa holders in the US to apply for a Canadian work permit. I love the hustle! MORE 

GPT-4 Diss
George Hotz and some others are claiming that GPT-4 wasn’t some major breakthrough model, but rather multiple smaller models rigged up to work together. My response? Sure. And consciousness is just some “brain activity leading to subjective experience.” Like Dennett said, consciousness is just a “bag of tricks”, but he doesn’t make the mistake of concluding that it’s therefore uninteresting. Yes, OpenAI uses a series of hacks to get their results. So what. Put me in line for the next set of hacks. MORE
HUMAN NEWS

Fewer People Quitting
As the Federal Reserve continues to increase interest rates and the U.S. labor market cools, fewer Americans are voluntarily leaving their jobs - a trend that's inching closer to pre-pandemic levels. The rate of voluntary job departures, or quits rate, has seen a decline from 4.5 million in November 2021 to 4 million in May 2023. MORE 

Aspartame WHO Warning
The World Health Organization's cancer research arm is set to declare aspartame, a widely used artificial sweetener, as "possibly carcinogenic to humans", following a safety review, causing potential upheaval in the food and beverage industry worldwide. We’ve seen this movie many times before; the question will be what new research showed that the previous, very large studies did not find. MORE

Gen-Z Finances
Gen Z, facing societal and economic uncertainties, is reshaping its financial habits, prioritizing quality of life and personal growth over traditional financial markers of success. This seems healthy compared to unbridled materialism, but I worry that they could also limit their success overall and thus limit their ability to have those experiences. MORE

IDEAS & ANALYSIS

Smart People Biases, and What to Do About Them
I’ve been struck recently by the number of logical flaws I’ve seen in people I greatly admire. Like pundits and such. And this has led me to think a couple of things: 1) traumas (and other things) can compromise intellectual integrity, and 2) you have to follow a lot of people’s work and come up with your own triangulation that suits your lifestyle, and 3) the person you follow the most might be right about 37 out of 42 topics, but those other 5 could be seriously consequential to you if you don’t realize they’re wrong there. Example: Andreessen goes on Lex’s podcast and is brilliant for the whole first part of the show. But then when he starts talking about AI risk he loses his mind. Why? He’s an AI investor. And he hates regulation. The worst possible thing that could happen to him is everyone panicking about AI risk and shutting down investments. So what do you know? He is right about 39 things out of 42, but one he’s wrong about is AI risk. Same with Peter Zeihan. He’s all pro-West and thinks China is done. He has great points, but I hear religion in his voice, and it’s scary. So how will I know when he’s overextended? My only solution so far has been to collect even more, and even more diverse, opinions. And triangulate and monitor.

Thoughts on Wegovy/Ozempic
You might have heard about some new diabetic / weight loss drugs that work via weekly injections. I’m taking Wegovy. It’s pretty awesome. I’ve already lost like 7 pounds and I’m not even close to full dose yet. But I wanted to raise a yellow flag of warning on something, in case you’re taking it or are thinking about doing so. It raises your resting heart rate. Not by a little. I used to sleep at like 49 to 52 beats per minute. I’m now at 61 bpm. I mention this because Scott Galloway had a doctor on his show a few weeks ago and he mentioned the heart rate thing, and he added a comment: “I’ve never seen anything that raises your heart rate by that much that ended up being a good thing,” or something like that. I’m still taking it knowing this because my risk calculation is that being this heavy is a known and higher risk. But I just wanted to offer that to anyone who it benefits.

Security is Alchemy
Quick thought I’ll turn into a full essay later. The biggest reason security is such a messed up field, and such a fun field, is that it’s still Alchemy vs. Chemistry. Accounting is chemistry. Civil Engineering is chemistry. What makes them so? They understand the inputs and outputs and how they relate to each other. We don’t have that yet in security. What we have is a bunch of wizards running around casting spells, mixing elixirs, drinking potions, and then when something bad happens we blame the evil wizards, or a bad potion. It’s pretty damn exciting, which is why I love it. But it shouldn’t be exciting, and it won’t be once we understand the inputs and outputs better. This’ll probably surprise you, but I think AI will help. The insurance companies are going to use SPQA to map everything, track controls, track outcomes, and make the connections. AI will move security from alchemy to chemistry.


NOTES

I’ve got a really cool new strength training technique. It’s basically one giant set for an exercise. You take 50 lb. dumbbells, for example, and you do as many as you can. Then you immediately pick up the 40s and do as many as you can. Then 30s. Then 20s. Then 10s. Or you can skip and do like 40s and then 20s and then 10s. The point is you want one long set with no rest in between that takes you to COMPLETE failure. I hate wasting time in the gym, so I can do this on a few muscle groups and be out of there in 15-20 mins! Arms are currently sore to the touch, and it’s glorious.

I don’t have CarPlay right now because I have a Tesla, but I definitely miss it. And now I miss it more because they’re about to add SharePlay, which is a seamless way for passengers to run the sound system. A timeless problem finally solved. Oh, and I’ve actually never done SharePlay with anyone. Anyone in the community up to watch a movie together? We should do an event for it.

DISCOVERY

⚙️CVSS 4.0 Calculator — A view of the new calculator for Version 4.0 of CVSS. MORE 

⚙️DNSAnalyzer — Find DNS vulnerabilities from within Burp. MORE 

⚙️Carbon — Create and share beautiful images of your source code. MORE

Advanced macOS Command-line Tools MORE 

The Reef Knot is evidently the best, and most mathematically sound, way to tie your shoes. According to this article anyway. Strangely enough I was looking for something like this. MORE 

Why I switched from NeoVim to VSCode. MORE

Why engineers should focus on writing. MORE

How to 1.5x your salary through negotiation. MORE
RECOMMENDATION OF THE WEEK

Think about the smart people whose work you follow

Ask yourself how you’d know if they were wrong about a particular topic

Do you have a secondary or tertiary source to counter that person in your narrative-forming?

Make sure you have enough quality sources coming in that you can use them to check each other

APHORISM OF THE WEEK

Published on July 10, 2023 12:34

Sponsored Interview: Pentera

July 10, 2023

Daniel Miessler speaks with Aviv Cohen about Pentera’s Automated Security Validation platform, which is similar to but distinct from automated pen testing and attack surface management, and they discuss multiple dimensions of that: the space Pentera plays in, the problem with existing solutions, and more.

Aviv Cohen is a three-time VP Marketing, speaker, and blogger, with over 20 years of experience in product and marketing leadership, building global brands and driving growth in enterprise software businesses. Since joining Pentera in 2018, Aviv has built the brand from its infancy to a category leader with thousands of members in its community.

Prior to joining Pentera, Aviv built the Earnix Analytics brand and founded the Excelerate Summit. He also led product and marketing teams at Nexar, Nvidia (NASDAQ: NVDA) and Amdocs (NASDAQ: DOX).

Aviv holds a B.Sc. in Electronics and Computer Science from Tel-Aviv University and an MBA from Bar-Ilan University.

Twitter: @penterasec

Website: https://pentera.io 

Published on July 10, 2023 08:00