
UPDATES
Hey! Hope you’re doing well!
My stress and excitement levels continue to rise…
—
Feeling good about my health efforts last few weeks:
Got going on new GLP-1 script 💉
Following routine pretty well ☀️🚶🏼➡️🫁 ☕
3-5 Chipotle burrito bowls a week
Brown rice
Black beans
Carnitas
Spicy Salsa
Corn
Light sour cream
No chips ❌
I have a gym and salad meeting set for every Monday with my buddy, Chad, which is great for social and for getting an extra gym session in.
Overall feeling sore and happy with progress, and I’m sure my KGs and BPs should be lowering as a result as well.
—
I had an insanely great conversation with my homie Jason Haddix over the weekend about the automated recon / pen testing systems that we're building together. Mine is called Helios (AI upgraded from its 9-year-old Bash/Python Don’t Judge Me version). And Jason's is called Warden, which I think is a super sick name.
Anyway, one cool snippet that came out of it was he gave this thing a target right after I showed him my whole setup, and it was like an admin page password field that his system had found. And the system didn't just start forcing passwords to try to get in; it actually added a parameter to the post contents of id=1, and he instantly got a P1 bounty find!!!
To be clear, neither of us would necessarily have added that—or at least it's not part of my current methodology—the fucking system found it on its own.
And as we talked about right after, this shit is extremely real. Not just for business but for security testing as well. It's like I talked about in my Nahamcon talk earlier this year, the future of this whole thing is AI systems vs. AI systems. And the role of us as humans is improving those systems with better research and better designs. We do the manual research, architecture, and design work. The new innovative and creative things we learn are handed off to our automation to run at scale.
Exciting as hell. Scary as hell.
—
I just wrote a new piece about limitations to creativity. You should check it out. But after finishing it I realized there was a third limitation, which is not even thinking about some options for creating a new solution, or solving a problem, because it was previously impossible.
Let me give you my example from yesterday, while I was working on this newsletter. I was wishing I could get more from Fathom Analytics, which was my web analytics replacement for Google Analytics since it became total shit, and for Chartbeat since they started charging hundreds of dollars per month.
Chartbeat has always been my favorite web analytics platform. It’s gorgeous. It’s dynamic. And most importantly—it counts pages that people are reading, not just the initial page load. In other words, it works how analytics are supposed to.
So yesterday I was looking at my Fathom interface and I’m like wait…could I just replace Chartbeat myself? I swear to Crom, it took me about 18 minutes to go from having the thought to having a full Google Analytics / Chartbeat replacement. (Note: it took longer to have it look this good, a few hours of off and on work)
Oh, and I made a menu bar visual using Swift, which is way better than what I had with Fathom. That took about 4 minutes.

The 🔥 142 bit
So let me be clear. I replaced Google Analytics and Chartbeat in a couple of hours (just visual tweaking after I had the main functionality in less than 20 minutes), and I have WAY MORE of my desired features than both of them combined. It’s literally better for me in every way. I now have:
Historical metrics (which Chartbeat didn’t have)
Realtime true metrics (which Google Analytics didn’t have)
A MacOS menubar item (which neither of them had)
Infinite customization ability
I just replaced two SaaS apps that I’ve used for years. And I just kind of casually made it happen while I was reading stories and writing the newsletter. It took a good amount of skill to Spec Code the thing via prompting (because I understand how the JS had to work, etc.), but Kai then took that and wrote the whole thing for me once he had that.
So, two things:
Holy crap this is nuts
We need to completely reframe what’s possible now
I have literally thought about wanting to replace Chartbeat hundreds of times prior to November of 2022. I just didn't have the time to do all those separate pieces, plus have the UI skills to make it look good. We're talking about the analytics JavaScript itself, the listener services, the database, the storage of the metrics, the queries against the endpoints, and the GUI.
18 minutes. From "Hey, I wonder if I could make this?" to it actually working. 18 minutes. And if I weren’t working on the newsletter that probably would have been half that.
Go build shit.
Not only is it fun, but given all the other stuff I've been talking about regarding careers and jobs and how companies don't actually want employees, I think this is actually the main path for a stable career. Making your own stuff and offering it to others.
P.S. Kai was nice enough to write me a blog about it.
—
Just had a super interesting conversation with Matthew Brown from Trail of Bits. He was the leader of the team that won second place in the AIXCC DARPA competition. We talked about AI system design and the mixture between when to use AI and when not to use it and a whole bunch of other topics. It was absolutely fascinating and he taught me a whole bunch. Felt really good to have someone as smart and experienced as him in this competition arrive at the same conclusions as I had about AI system design. The episode should be out shortly.
—
A few weeks back, I posted about feeling really guilty about eating meat because of the suffering of animals. And I expressed frustration because I didn't feel like there was anything I could do about it. Well, guess what? Dwarkesh had a brilliant episode about what people can actually do to reduce the suffering of billions of farmed animals. And I reached out to this charity. They built us a custom page for Unsupervised Learning!!!
What is super cool about this is that even small amounts help a tremendous number of animals. I think it's just extraordinary that we have the tech to tangibly reduce suffering of so many conscious creatures.
Please consider giving something. 🫶🏼
—
Couple new blogs (I’ve been writing like crazy):
Sponsor
Your AppSec Tools Aren’t Built for AI
Traditional AppSec wasn’t designed for model poisoning, prompt injection, or autonomous agents making security decisions on your behalf.
This guide helps CISOs identify the blind spots AI introduces, from vector manipulation in RAG pipelines to LLM supply chain risks, and shows how to build security into AI from the start.
It also maps practical defenses to the OWASP LLM Top 10, offering a framework to evolve your threat models, governance, and incident response.
AI is already embedded in your stack. This is how to secure it.
CYBERSECURITY
Xbow raised $117M for AI hackers, then open-sourced the whole thing
Xbow just open-sourced Strix after raising $117M to build autonomous AI security agents that test apps like real hackers—running code dynamically, finding vulnerabilities, and validating through actual exploitation. They're also going to stop their HackerOne experiment. Such a win for them on so many levels. STRIX GITHUB REPO
It appears Workday lost data through social engineering targeting Salesforce
Attackers posed as HR or IT staff to trick Workday employees and steal business contact info from Salesforce, though the company says customer data in their main apps wasn't touched. WORKDAY BLOG POST | REGISTER ARTICLE
Russia hacked a Norwegian dam and released 1.9 million gallons of water
Norway's police security chief says Russian hackers took control of the Bremanger Dam and opened the floodgates for four hours before anyone noticed. I did a security assessment of one of the largest water systems in the U.S. one time, and it was truly scary. This is why. TOM'S HARDWARE ARTICLE | GUARDIAN REPORT
Zoom patches critical privilege escalation vulnerability affecting Windows users
Zoom fixed two security flaws in their Windows clients, including CVE-2025-49457 (CVSS 9.6) that lets attackers gain elevated privileges through network access by exploiting untrusted search paths. SECURITY ONLINE ARTICLE | ZOOM SECURITY BULLETIN CVE-2025-49456 | ZOOM SECURITY BULLETIN CVE-2025-49457 | ZOOM DOWNLOAD CENTER
New public exploit chains two SAP flaws for remote code execution
Onapsis reports that Scattered Lapsus$ Hunters released an exploit chaining CVE-2025-31324 and CVE-2025-42999 to bypass authentication and execute code on unpatched SAP NetWeaver systems. ONAPSIS ANALYSIS | HACKER NEWS ARTICLE | VX-UNDERGROUND TWEET | DETECT.FYI TECHNICAL ANALYSIS
AI agents achieve zero false positives in security testing with deterministic validation
Brendan Dolan-Gavitt from XBOW demonstrates how combining LLM agents with non-AI validation eliminates false positives in vulnerability discovery—they found 174 real vulnerabilities across Docker Hub with 22 CVEs issued so far. BLACK HAT USA PRESENTATION | XBOW | BRENDAN'S GITHUB
Critical vulnerabilities in Flowise AI platform enable remote code execution
JFrog Security Research discovered two 9.8 CVSS vulnerabilities in Flowise that let attackers run arbitrary code with minimal or no authentication needed. SECURITY ONLINE ARTICLE | CVE-2025-8943 ADVISORY | CVE-2025-55346 ADVISORY | FLOWISE 3.0.5 PATCH
Chinese hackers breach Taiwan web servers using customized open source tools
Cisco Talos discovered UAT-7237 targeting Taiwan's web infrastructure with modified versions of open source hacking tools like VTHello and FScan. THE HACKER NEWS ARTICLE | CISCO TALOS REPORT | VTHELLO GITHUB | INTEZER FIREWOOD ANALYSIS
Lares shows how missing MFA turned valid logins into full compromise
Lares demonstrates how they gained access to customer invoices, banking data, and internal systems using nothing but valid credentials—no MFA anywhere, just passwords and excessive trust. LARES BLOG POST | PART 1 OF SERIES | LARES CONTACT
Russian hackers breached US federal courts through vulnerabilities discovered but not fixed in 2020
The US federal judiciary's case filing system got breached around July 4th, compromising sealed court records and possibly exposing confidential informants across multiple states. And this was done by exploiting vulnerabilities that were found but never patched after the same system was hacked in 2020. WIRED ARTICLE | NY TIMES REPORT | POLITICO COVERAGE | US COURTS STATEMENT
CISA releases new guidance telling companies to inventory their OT systems
CISA and international partners released guidance for companies to create detailed inventories of their operational technology systems after attacks increased 87% year-over-year. CISA GUIDANCE | CISA ANNOUNCEMENT | THE REGISTER ARTICLE
NATIONAL SECURITY
UK police are getting 10 facial recognition vans to catch serious criminals
Home Secretary Yvette Cooper announced that seven police forces across England will deploy facial recognition vans to identify sex offenders and people wanted for serious crimes. SKY NEWS COVERAGE | POLITICS HUB | MET POLICE ARRESTS DATA
America's gray zone blind spot is becoming a serious national security problem
The Cipher Brief reports that Russia, China, and Iran are ramping up sabotage, cyberattacks, and other hybrid warfare tactics while the U.S. lacks any real strategy to counter them—experts say we're basically at step one of admitting we even have a problem. CIPHER BRIEF ARTICLE | MICHAEL VICKERS PROFILE | BETH SANNER PROFILE | DAVE PITTS PROFILE | 2025 THREAT ASSESSMENT | CIPHER BRIEF YOUTUBE
US military transforms Indiana training grounds into drone warfare innovation hub
Emil Michael, Undersecretary of Defense, explains how the Pentagon is turning Muscatatuck Training Center into a testing ground where Silicon Valley startups and soldiers collaborate on drone tech. THE HILL ARTICLE
Russia blocks Signal and WhatsApp voice calls to control communication
Russia's communications regulator Roskomnadzor just blocked voice and video calls on Signal, WhatsApp, Telegram, and other encrypted messaging apps—part of their broader push to control digital communications and force companies to comply with surveillance demands. WIRED ARTICLE
The U.S. Navy wants 150 unmanned ships by 2027
Walter Pincus explains how the Navy's shifting from big expensive unmanned vessels to smaller, modular ones that can carry missiles thousands of miles. THE CIPHER BRIEF ARTICLE
Israel says Iran recruited dozens of Israeli citizens as spies
The New York Times reports Iranian agents convinced Israeli citizens to commit sabotage and plan assassinations, raising concerns about how easily people can be turned against their own country. NEW YORK TIMES STORY
China detains second senior diplomat in expanding probe
Chinese authorities detained Sun Haiyan, a deputy to prominent diplomat Liu Jianchao who's also being questioned, signaling major uncertainty at the top of China's diplomatic ranks. So what is this? Concern that they’re not being loyal? OODALOOP COVERAGE
AI
Anthropic's CEO says AI will write 90% of code in 3-6 months
Dario Amodei told the Council on Foreign Relations that AI will be writing 90% of code within six months, and essentially all code within a year. An important piece to catch here is that he's not saying there won't be any people writing code, he's just saying that AI will be writing so much more. BUSINESS INSIDER ARTICLE
OpenAI is building a Chromium-based browser with AI agents that browse for you
OpenAI's testing a new browser that'll use AI agents to handle your browsing tasks, like their current ChatGPT Agent mode. I think this browser step is the last stop before we get to digital assistants. We're getting very close. BLEEPINGCOMPUTER ARTICLE | REUTERS REPORT
AI writing beats professional authors in Flash Fiction blind test
Mark Lawrence ran a contest where readers tried to identify AI vs human writing—Claude's fantasy excerpt scored higher than several published authors, with only 39% correctly identifying it as AI-generated. MARK LAWRENCE BLOG POST | HACKER NEWS DISCUSSION
Sam Altman says we're in an AI bubble OODALOOP COVERAGE
OpenAI updates GPT-5 to be warmer and friendlier
OpenAI's making GPT-5 nicer after users complained it was too cold compared to GPT-4o—they're adding small touches like "Good question" without making it a sycophant. TECHCRUNCH ARTICLE | OPENAI ANNOUNCEMENT
Slopsquatting is when attackers register fake packages that LLMs hallucinate
Attackers are registering non-existent software packages that AI models make up, waiting for developers to accidentally install them when they copy-paste AI-generated code. Sick, nasty, and gross. In all the good and bad ways. WIKIPEDIA ARTICLE | SOCKET SECURITY ANALYSIS
Shadow AI is like having rogue interns secretly running parts of your business
Rachid Abadli explains how employees are using unauthorized AI tools at work, creating security risks while also delivering real value that IT departments can't ignore. MEDIUM ARTICLE | RACHID'S MEDIUM PROFILE
A DeFi startup replaced $45,000 in content staff with a 23-agent AI system for $20/month
Ani_Roger built a 3-layered multi-agent system that creates content in 17 minutes instead of an hour, with specialized agents handling research, writing, and social media repurposing. For those who don't think this AI stuff is real, this is the type of stuff you need to read. REDDIT POST | ARCHITECTURE DIAGRAM
Gartner's business model is falling apart as AI makes their reports worthless
DX Tips argues that Gartner's entire consulting empire is crumbling because AI can now generate their generic vendor comparisons and magic quadrants in seconds, making their $5 billion revenue stream obsolete. I wouldn't quite go that far because there is some good analysis that's done by a lot of analysts. But I would say this is probably 80-90% the case. Also same with McKinsey or anyone else who is largely making and selling pretty reports. DX TIPS ARTICLE | HACKER NEWS DISCUSSION
TECHNOLOGY
Robinhood CEO says remote work was a mistake and orders execs back 5 days a week
Vlad Tenev admits he regretted going remote "pretty much immediately" and now requires C-suite to be in office full-time while managers work 4 days and regular employees 3 days. One thing I like in this piece is a comment from Vlad saying that your boss and their boss above them should be feeling more pain than you. I think that's pretty cool. But I think it's even cooler to not feel pain. FORTUNE ARTICLE
China mandates domestic firms source 50% of chips from Chinese producers
Beijing's requiring all public datacenter firms to source at least half their processors from Chinese companies, expanding Shanghai's March guidelines nationwide. TOM'S HARDWARE ARTICLE | SCMP REPORT
Text-only websites are faster, cleaner, and more accessible than modern web bloat
Alban Brooke argues that text-only webpages load instantly, work on any device, and focus readers on actual content instead of distracting them with animations and popups. I agree, my site is mostly text, but it won't matter much because AI will be writing our interfaces soon. ALBAN'S TEXT-ONLY ARTICLE | HACKER NEWS DISCUSSION
Researchers create microflyers that levitate using only sunlight
Schafer and colleagues built 6-millimeter discs that float indefinitely using photophoresis—basically the Sun heats one side more than the other, creating pressure differences that keep them aloft. Want. NATURE ARTICLE | ORIGINAL PAPER
HUMANS
Most Americans think AI will permanently eliminate jobs
A new Reuters/Ipsos poll found 71% of Americans worry AI will put too many people out of work permanently. REUTERS/IPSOS POLL COVERAGE
Multiple studies show transfers to poor Americans basically don't help
The Argument reports that multiple large randomized studies are finding guaranteed income programs don't improve health, stress, employment, or child development. Recipients are statistically indistinguishable from control groups despite getting thousands of dollars monthly. THE ARGUMENT ARTICLE | BABY'S FIRST YEARS STUDY | OPENRESEARCH STUDY | DENVER BASIC INCOME PROJECT | COMPTON RCT | GIVEDIRECTLY RESEARCH
Europe faces an emergency as American markets completely dominate global investing
European leaders are freaking out because U.S. stocks now make up 64% of global market value while Europe dropped to just 10%. WSJ ARTICLE | HACKER NEWS DISCUSSION
China's economy slowed in July despite exports staying strong
China's July economic data showed broad slowdowns across sectors even as exports kept growing. The government blamed trade tensions while the property crash continues dragging things down. OODALOOP COVERAGE
Nobody's buying homes or switching jobs as American mobility stalls
The Wall Street Journal reports Americans are staying put in both their homes and jobs at record levels, creating what economists call a "great stagnation" in mobility. WSJ ARTICLE | HACKER NEWS DISCUSSION
Americans are drinking less alcohol than they have in 90 years
A new Gallup poll shows only 54% of U.S. adults drink alcohol now, down from 67% just two years ago and the lowest since 1958. Is this because of cannabis? Less partying? Curious what some of the causes are here. GALLUP CONSUMPTION SURVEY | SF CHRONICLE COVERAGE
Williams Syndrome makes people hypersocial and trusting of everyone
People with Williams Syndrome are so socially magnetic and trusting that they'll approach strangers like old friends, which researchers call the "opposite of autism." BBC ARTICLE
UK drought group tells citizens to delete emails to save water
The UK's National Drought Group bizarrely claims deleting old emails helps conserve water because "data centres require vast amounts of water to cool their systems." They probably made browser cookies too. And GDPR. DARING FIREBALL POST | UK GOVERNMENT PRESS RELEASE
The story behind Timothy Leary's "Turn on, tune in, drop out"
The famous 1960s counterculture slogan actually came from Marshall McLuhan during a New York lunch where he sang psychedelic lyrics to a Pepsi jingle before suggesting the phrase to Timothy Leary. WIKIPEDIA ARTICLE
IDEAS
I feel like AI is going to have a profound impact on globalism, especially for knowledge work. Because some of the first jobs to go will likely be the kind that people in poorer countries can do remotely. So think of all the little coding projects on Fiverr and Upwork. Designing and deploying basic websites, for example. So worried for these people.
One of the primary directives of building AI systems is (should be) to use AI as little as possible. As much of the system as possible should be legacy, deterministic code. REST / standard API calls over MCP calls. Etc. Next, we should start by thinking about what problem types exist in this system, and which types of solution work for those problems (credit Matthew Brown). For example: identifying cats = AI. Doing spreadsheet stuff, no AI. So in other words, design the system for as little AI as possible and as much legacy/deterministic code as possible, and then use AI only for the specific problem types that traditional code and automation cannot handle. Blog forthcoming.
If most people aren’t confused about what I’m writing and sharing, that means I’m not properly exercising my Type I Freedom. If no one is surprised and they're getting exactly what they expected, and they're happy, it's tempting to think I'm doing a good job. But what it really means is that both my Type I and Type II freedoms have been impinged.
A lot of what comes out in your words and your writing comes not from your thoughts or what you wanted to say, but from your current emotional state. It's like you think that you're talking, but actually it's a completely different person. To the extent that they are different, that is how much work we have to do to get them in line.
(NOTE: I'm digging this idea section lately. Let me know if you're enjoying it)
DISCOVERY
AI apps are becoming like music—personal, contextual, and infinite
Rohit Krishnan argues AI apps won't be like traditional software but more like music—infinitely customizable, contextual experiences that adapt to individual needs rather than one-size-fits-all products. AI MODE ARTICLE | ROHIT'S TWITTER
Claudia is a desktop companion for Claude coding CLAUDIA HOMEPAGE
Context7 brings always-fresh documentation to AI coding assistants via MCP
Upstash created an MCP server that keeps your AI's documentation knowledge current instead of frozen at training time. It pulls real-time docs from official sources so your coding assistant actually knows the latest API changes. CONTEXT7 GITHUB REPO
Amsterdam's Ritman Library puts 2,178 rare occult books online for free
Amsterdam's Ritman Library has digitized and released 2,178 pre-1900 books on alchemy, astrology, and magic through their "Hermetically Open" project, funded by Dan Brown. OPEN CULTURE ARTICLE | RITMAN LIBRARY COLLECTION
AI agent auto-applies to jobs for free REDDIT POST
OWhisper makes local speech-to-text as simple as Ollama OWHISPER DOCUMENTATION
Generated EDM is getting really good THREAD
AI tools spawn equal and opposite AI tools JOAN'S ARTICLE
Shadow AI agents are creating the same security chaos as early Wi-Fi adoption
James Maude explains how employees deploying unsanctioned AI agents mirrors the Wi-Fi revolution—IT teams are scrambling while workers bypass security for productivity gains. SCWORLD ARTICLE | JAMES' LINKEDIN
We've replaced anxiety with apathy as our defense mechanism JOAN'S ESSAY
70s kids jumped bikes over each other constantly. A completely different approach to danger. FLASHBAK PHOTO COLLECTION
AI automation specialist posts job search on Reddit
Oumar90 is looking for remote AI and automation work, listing experience with ChatGPT, Claude, workflow optimization, and API integrations. REDDIT POST
RECOMMENDATION OF THE WEEK
Think about the distance between your thinking-driven speaking and writing vs. your feeling-driven speaking and writing.
Example: have someone read some of your stuff where you got an unexpected reaction, and see what they hear when they read it.
What were you saying without you knowing you were saying it?
NOTE: It’ll need to be a smart/honest friend who will tell you bad things if they’re bad.
And then, if you find a big gap, work on getting a better sense of your emotional state before you try to communicate. That way you stop communicating something different than what you wanted to.
(More in the member essay below)
APHORISM OF THE WEEK
The first principle is that you must not fool yourself—and you are the easiest person to fool.
MEMBER EDITION TEASER
The Signal We Actually Send
I've had this persistent idea for the last few months. I keep hearing it from psychologists, but I also see it in daily life. In how people interact.
Here's what I think: People don't speak from where they think they're speaking.
What actually happens is most communication comes from the broken parts of ourselves. Your current emotional state is what's actually speaking. Not your thoughts.
GET THE MEMBER EDITION
You’re currently receiving the STANDARD edition.
Members also receive MEMBER-ONLY ESSAYS in their version, in addition to access to the extraordinary UL Member Community that includes vibrant conversations with over 1,400 of the smartest and kindest people you’ll find on the internet. Plus: the Member Archive, access to The UL Book Club, a monthly member meet-up, access to in-person events, and much more.