Gosh this was a (recent) first-hand lived experience.
-
@Dio9sys @da_667 @iagox86 @hrbrmstr worse - they used docker to light up kali once, and now theyre a combination devops, full stack dev, senior redteamer
someone in a signal chatgroup im in posted a link to some new popularity site for infosec influencers/grifters, and i investigated. its hosted on vercel, and the llm text instructions to generate the site content are in the sourcecode.
people self-label as a job they think is cool, and its all just lies
-
@Dio9sys @da_667 @iagox86 @hrbrmstr worse - they used docker to light up kali once, and now theyre a combination devops, full stack dev, senior redteamer
someone in a signal chatgroup im in posted a link to some new popularity site for infosec influencers/grifters, and i investigated. its hosted on vercel, and the llm text instructions to generate the site content are in the sourcecode.
people self-label as a job they think is cool, and its all just lies
-
@Dio9sys @da_667 @iagox86 @hrbrmstr i wish i could show you all the shit i pulled on the last assessment gig I did - they had stuff hosted in vercel, and i was able to loot the vercel token out of github via loose code perms and abusing actions, then once looted, theres no way to fix it other than to re-roll the api key. and vercel has bupkis for controlling api keys compared to aws. i had to propose an entire architecture change for their ci/cd pipeline to fix it
-
@Dio9sys @da_667 @iagox86 @hrbrmstr i wish i could show you all the shit i pulled on the last assessment gig I did - they had stuff hosted in vercel, and i was able to loot the vercel token out of github via loose code perms and abusing actions, then once looted, theres no way to fix it other than to re-roll the api key. and vercel has bupkis for controlling api keys compared to aws. i had to propose an entire architecture change for their ci/cd pipeline to fix it
@Viss @Dio9sys @da_667 @hrbrmstr For no particular reason, I'm thinking of this line:
I spent more time than I should have correcting fundamentals. Eventually I stopped. He was not, in any meaningful sense, on the other side of the conversation
Imagine doing a technical review and instead of reading feedback, they simply paste it into Claude. I'm not mentioning this for any particular reason of course
-
@Viss @Dio9sys @da_667 @hrbrmstr For no particular reason, I'm thinking of this line:
I spent more time than I should have correcting fundamentals. Eventually I stopped. He was not, in any meaningful sense, on the other side of the conversation
Imagine doing a technical review and instead of reading feedback, they simply paste it into Claude. I'm not mentioning this for any particular reason of course
-
@Viss @iagox86 @hrbrmstr fellas this was me last year interviewing interns. Some of the best schools in the country... and they were all caught using AI for their answers. Had to hire one of them. I spent over six months unteaching his reliance on AI. Just in time for him to leave.
I still have no idea if I made any measurable impact on his critical thinking and self-reliance. Sure as shit, he bullshitted all the things he did while he was here and all of the expertise he had (he in fact, did not) on his resume when I looked at his LinkedIn profile.. Expert detection engineer. He submitted a single rule to the ET ruleset the entire time he was here, and even that required heavy modification.
I was livid.
@da_667 @Viss @iagox86 @hrbrmstr Security is not an entry level position, probs a bit reductive, but at some point people do need to hire juniors. Everyone wants the unicorn. Ya'll. The people with years of experience, but for a bargain, the price of a junior. Nobody wants to be the one to glue a horn to a horse, they don't want to train a junior so they don't suck. Even if it's part of the job. This isn't unique to security. This is an epidemic of not hiring. Across multiple disciplines. An HR problem. At some point the would be juniors, fresh out of school, adapted and that meant fudging the resumes. Gotta put bread on the table somehow, those student loans aren't going to pay themselves and it's not like you can just go back to school. The system forced them to fake it till they make it, and so they're using the fake it till you make it machine. Break the cycle maybe?
-
@da_667 @Viss @iagox86 @hrbrmstr Security is not an entry level position, probs a bit reductive, but at some point people do need to hire juniors. Everyone wants the unicorn. Ya'll. The people with years of experience, but for a bargain, the price of a junior. Nobody wants to be the one to glue a horn to a horse, they don't want to train a junior so they don't suck. Even if it's part of the job. This isn't unique to security. This is an epidemic of not hiring. Across multiple disciplines. An HR problem. At some point the would be juniors, fresh out of school, adapted and that meant fudging the resumes. Gotta put bread on the table somehow, those student loans aren't going to pay themselves and it's not like you can just go back to school. The system forced them to fake it till they make it, and so they're using the fake it till you make it machine. Break the cycle maybe?
@hotsoup @da_667 @iagox86 @hrbrmstr my postition has always been that people who are experts in other domains, move into security laterally and take their domain expertise with them.
sysadmins and network folks make great redteamers because theyre intimately familiar with systems and networks ALREADY
devs and devops make great analysts because they can take those skills and apply them to the coding surfaces of security
-
@Viss @Dio9sys @da_667 @hrbrmstr For no particular reason, I'm thinking of this line:
I spent more time than I should have correcting fundamentals. Eventually I stopped. He was not, in any meaningful sense, on the other side of the conversation
Imagine doing a technical review and instead of reading feedback, they simply paste it into Claude. I'm not mentioning this for any particular reason of course
-
@hotsoup @da_667 @iagox86 @hrbrmstr my postition has always been that people who are experts in other domains, move into security laterally and take their domain expertise with them.
sysadmins and network folks make great redteamers because theyre intimately familiar with systems and networks ALREADY
devs and devops make great analysts because they can take those skills and apply them to the coding surfaces of security
@Viss @hotsoup @da_667 @hrbrmstr to quote @jeffmcjunkin, "security is a prestige class"
-
@Viss @da_667 @iagox86 @hrbrmstr Two thoughts from the academic side:
1) Higher ed is absolutely all in on AI. While I think there are some novel use cases, it comes down to two things. First, at least in most computing disciplines, the vast majority of research funding (which tenure-track faculty are required to get) is tied to AI usage at the moment. Second, we're largely being told - by industry - that it's going to be all AI, all the time in the future.
To quote Upton Sinclair, "It is difficult to get a man to understand something when his salary depends on him not understanding it." AI is, at the moment, deeply embedded into two of the biggest revenue streams for universities.
We desperately need external people - ideally people tied to revenue streams - talking to Deans and Chairs about the problems associated with AI. The filter bubble is real.
2) On the student side... the root problem here is that the tech industry has lost it's veneer of being an ideal (maybe even good) place to work. I broadly see less intrinsic motivation. I would cautiously say that working in tech now is perceived similarly to working in business/banking 15 years ago. Decreasing intrinsic motivation is very likely tied to students trying to find the quickest/easiest way through.
-
@Viss @da_667 @iagox86 @hrbrmstr Two thoughts from the academic side:
1) Higher ed is absolutely all in on AI. While I think there are some novel use cases, it comes down to two things. First, at least in most computing disciplines, the vast majority of research funding (which tenure-track faculty are required to get) is tied to AI usage at the moment. Second, we're largely being told - by industry - that it's going to be all AI, all the time in the future.
To quote Upton Sinclair, "It is difficult to get a man to understand something when his salary depends on him not understanding it." AI is, at the moment, deeply embedded into two of the biggest revenue streams for universities.
We desperately need external people - ideally people tied to revenue streams - talking to Deans and Chairs about the problems associated with AI. The filter bubble is real.
2) On the student side... the root problem here is that the tech industry has lost it's veneer of being an ideal (maybe even good) place to work. I broadly see less intrinsic motivation. I would cautiously say that working in tech now is perceived similarly to working in business/banking 15 years ago. Decreasing intrinsic motivation is very likely tied to students trying to find the quickest/easiest way through.
@nerdpr0f @da_667 @iagox86 @hrbrmstr ive been cultivating this 'claude is your insider threat now' talk for months, and next week im servicing a customer with a tailored version of that talk, plus an llm workshop for how to use this stuff without rm'ing yourself or getting owned. i estimate this will become a template that other customers can purchase. so .. im not only working on it, i'll have an offering in a week to publish.
-
@nerdpr0f @da_667 @iagox86 @hrbrmstr ive been cultivating this 'claude is your insider threat now' talk for months, and next week im servicing a customer with a tailored version of that talk, plus an llm workshop for how to use this stuff without rm'ing yourself or getting owned. i estimate this will become a template that other customers can purchase. so .. im not only working on it, i'll have an offering in a week to publish.
-
Gosh this was a (recent) first-hand lived experience.
I'm dismayed it's more prevalent than I hoped.
https://nooneshappy.com/article/appearing-productive-in-the-workplace/
This bit is very direct, hopefully we all survive and learn from 'the reckoning':
¨... The reckoning will not be subtle. The firms still doing the work properly will be in a position to charge for it. The firms that have hollowed themselves out will discover that what they hollowed out was the thing the client was paying for. ..."
-
This bit is very direct, hopefully we all survive and learn from 'the reckoning':
¨... The reckoning will not be subtle. The firms still doing the work properly will be in a position to charge for it. The firms that have hollowed themselves out will discover that what they hollowed out was the thing the client was paying for. ..."
@jmcastagnetto aye. it is not going to end well for alot of firms. https://danielmiessler.com/blog/most-companies-arent-ready-for-ai
-
@Viss @da_667 @iagox86 @hrbrmstr Same experience in hiring for our team. Only growth we have is from our internship program. We do two semesters with them before considering them for a position. So helps to find the really good ones (even if they aren’t well versed technically) and we can work on training more. The alternative is essentially taking a huge chance on someone and we definitely run into all of what you said.
-
I spent more time than I should have correcting fundamentals. Eventually I stopped. He was not, in any meaningful sense, on the other side of the conversation
Also
The reckoning will not be subtle. The firms still doing the work properly will be in a position to charge for it. The firms that have hollowed themselves out will discover that what they hollowed out was the thing the client was paying for.
And
Misunderstanding and misuse of AI in the workplace is rampant. In many of the rooms I now find myself in, expertise has been asked to look the other way: to deliver faster, produce more, integrate the tools more deeply, get out of the way of the colleagues who are “getting things done”
These are all painfully familiar to read these days
-
@nerdpr0f @da_667 @iagox86 @hrbrmstr ive been cultivating this 'claude is your insider threat now' talk for months, and next week im servicing a customer with a tailored version of that talk, plus an llm workshop for how to use this stuff without rm'ing yourself or getting owned. i estimate this will become a template that other customers can purchase. so .. im not only working on it, i'll have an offering in a week to publish.
-
@Epic_Null @nerdpr0f @da_667 @iagox86 @hrbrmstr you can - just start an email thread and I can pick it up from there
-
Gosh this was a (recent) first-hand lived experience.
I'm dismayed it's more prevalent than I hoped.
https://nooneshappy.com/article/appearing-productive-in-the-workplace/
-
@jmcastagnetto aye. it is not going to end well for alot of firms. https://danielmiessler.com/blog/most-companies-arent-ready-for-ai
@hrbrmstr @jmcastagnetto I will admit that the groups that do the best with this "Use AI" initiative are the ones who are able to turn it into a "Invest in improving this tool we have"...
