Unsupervised Learning Newsletter NO. 364

Reality Headset, BingPT, AI+Cyber

🎙️If you're not subscribed to the podcast version of the newsletter, please add it using with your favorite client! APPLE | SPOTIFY | OTHER

SECURITY NEWS

The FBI is warning people to block online ads due to imposters poisoning search results. They advise users to 1) check ad URLs, 2) go to sites directly instead of via search, and 3) use an ad blocker. MORE

Sam Curry and friends have published a monster list of vulnerabilities across the automotive industry. Manufacturers affected include Ferrari, BMW, Rolls Royce, Porsche, and others. They were able to do things like remote unlock vehicles, precision-locate them, break into their internal infrastructure, do customer account takeovers, pull customer data, and much more. Seriously impressive work. MORE | SAM'S BLOG WRITEUP

There was a new Twitter dump making the rounds last week, but it appears to just be cleaned-up data from a previous scraping incident. It's the same person who released both versions; they were previously charging for it, and now they're making it available for free. MORE

AWS is now encrypting new S3 buckets by default. MORE

Chick-fil-A is investigating "suspicious activity" regarding some customer accounts. MORE

Synology published patches for multiple critical vulnerabilities. MORE

Zoho is urging admins to patch ManageEngine immediately due to a critical bug that provides authenticated users access to the backend database. MORE

Sponsor
 

Continuous, Automated Compliance for 14+ Security Frameworks
 

Start the new year by automating time-consuming, manual compliance tasks. With Drata, get full visibility into your security and compliance posture across 14+ frameworks—including custom frameworks.

75+ deep integrations will make it easy to implement and hit the ground running with continuous monitoring and automated evidence collection for your entire tech stack. Book a demo and see why Drata maintains a 5-star rating on G2 for compliance automation.
 

TECHNOLOGY NEWS

It looks like Apple will launch its long-awaited headset this year. Rumors are early, but it appears it'll have a digital crown (think Apple Watch) that lets you adjust the amount of AR vs. reality. Sounds cool, but I'm really worried about how cool this thing will have to be to overcome the downside of a giant piece of hardware on your head. Certain things are hard deal-breakers for adoption and coolness-factor, and giant stuff on your head is one of them.That being said, it seems like the first version might be a VR headset similar to the Oculus, with the everyday glasses-type device coming later. MORE | GRUBER | MACRUMORS 

Microsoft is about to take a major swipe at Google's search dominance by integrating ChatGPT into Bing. It'll be interesting to see how it goes because GPT isn't super great at looking up facts right now. Its current form is somehow much better at replacing Wikipedia than Google. I'd just be happy to see anything that makes Google sweat. Their only innovation in search in the last several years seems to have been adding more ads. MORE

Tech companies laid off over 150,000 people in 2022, which is more than in 2020 or 2021. MORE

Amazon increased its layoffs from 10,000 to 18,000. Like many other companies, they're blaming overeager hiring in previous years. MORE

Samsung's last quarter profits fell an estimated 70% vs. last year. MORE

OpenAI may be selling some shares to a private equity fund in a deal that places its overall worth at around $29 billion. MORE

Apple has launched AI-powered book narrations. Really cool, but I'm still unable to use the Books app due to the lack of audiobook bundle pricing that exists with Amazon. MORE

Researchers tested GPT -3.5 against the Bar Exam and said GPT-4 will likely be able to pass it. MORE

Shopify has canceled all recurring meetings of more than two people and has encouraged employees to abstain from all large chats. Can't wait to hear the results of this experiment. MORE


HUMAN NEWS

A Tesla with a man and his wife and two kids went 300 feet off the edge of the cliffs on Highway 1 in California, and everyone survived. The husband has now been arrested for attempted murder. MORE

The US is looking to ban non-compete agreements in labor contracts. The move would significantly increase mobility for employees and competition for talent. MORE

China is reopening its border with Hong Kong after three years of strict control. MORE

There's a new mostly-automated McDonald's in Fort Worth, Texas. It's the first in a pilot of new automated locations that can do much of the entire process without humans. MORE

NYC schools are banning GPT on school devices and networks to avoid student cheating. Of course they'll still be able to use it on their mobile devices, at home, etc. I think it says a whole lot that they haven't banned Google in the same way. Doesn't that kind of mean GPT is better for looking things up? MORE

The latest omicron subvariant is now responsible for around 40% of US cases. MORE

The US is coming after $460 million in FTX-related money at Robinhood. MORE


IDEAS & ANALYSIS

ChatGPT in Security: Who Wins in Red vs. Blue?
Here's a fun question: who is going to be better at using ChatGPT and future models for cybersecurity attack and defense? Will it be the attackers or the defenders? My money is on the attackers for no reason other than them having higher numbers, more time, and more scrappiness. Most defenders are professionals, while many attackers are either state-sanctioned or offensive security is their only viable path to a decent income. I see that difference putting most of the creative advantage on the attacker's side, and that's just adding to the natural asymmetry of "attackers can fail constantly and just hope to get lucky once vs. defenders needing to be right all the time." Examples of AI-powered attacks will (and already are in some cases) include faster and better phishing campaigns, automated exploit code writing, automated reverse engineering, automated BEC and other social engineering, information warfare campaigns, etc. Other than elite researchers and state-sponsored good-folks hackers, who will come out with some really cool defensive tech using these models, I overall expect the defenders to be overwhelmed by the volume and creativity of AI-augmented attacks from those on the attacker side. MORE


NOTES

I've updated my LinkedIn profile to reflect that I'm now full-time at Unsupervised Learning. What a great feeling! Incredibly stoked for the products I'm building and all the extra time I'm going to be putting into the show. It's not even mid-month and we've already put out two member posts! MORE

Went to see my bestie Jason last week and it was glorious just hanging out, talking shop, and planning for 2023. Got to see him interact a ton with his kids as well, and it turns out he's as good a father as he is a friend and hacker. It was wonderful to see. MORE 

Speaking of Jason, he's taking over as CISO and Lead Hacker at BuddoBot in February! Super exciting news, and I can't wait to see what he does over there. MORE

I did a bunch of AI art this weekend and published the gallery and the prompts I used to a new member post. MORE | SAMPLE

Had an amazing hangout with my buddy Clint this weekend. We talked projects, books, ideas, and our general plans for 2023. I love hanging with Clint because it's always a great mix of thoughtfulness, productivity, and laughter.

I spent a bunch of time messing with Readwise's new Reader App, but given my need to go through thousands of stories per week I don't think I'll be able to replace Feedly with it. Readwise seems focused on doing more with a small number of stories as opposed to parsing large volumes for nuggets.

I have a badass SE friend in the technical networking space who’s looking to move on from his current position. Deeply technical and personable, with a strong security background, and based in the SF Bay Area. He’s looking for a great opportunity with a top company. If you know of any, let me know so I can make the connection. PING ME


DISCOVERY

đź“„ Cloud Pentesting â€” An evolutionary timeline of getting into cloud-based pentesting. BLOG | BY SETH ART

đź“„ How to Attack Admin Panels Successfully, Part 2 — The second part of a series that talks about the tools and techniques used in attacking admin panels. BLOG | BY C0d3x27

AT&T predicted the internet in an ad in 1993. MORE

Excess management is costing the US $3 trillion a year. MORE

Accomplishments of Small Teams MORE

How LinkedIn rebuilt its threat detection and response program under the theme of a Software Defined SOC. MORE 

Upcoming security conferences calendar. MORE

A calendar of security and privacy CFP deadlines. MORE

My Hacker Samurai art was particularly popular this weekend. MORE | MEMBER POST WITH TECHNIQUE AND PROMPTS

There's big drama in the D&D space, with a new license going after competitors and attempting to control creators. MORE

Using GPT to create intelligence reports. MORE


RECOMMENDATION OF THE WEEK

Do a quick check of your backup situation. What all data is essential to you and your family? Do you have both a cloud and local backup of all that data? Run through some potential negative scenarios and make sure your current solution wouldn't leave you without data that's important to you. I like to do this exercise every January.


APHORISM OF THE WEEK

"The holy grail of discipline is getting your dopamine from the effort rather than the reward."

Andrew Huberman (Paraphrased)