zate - Network

I'm still disappointed that I can't do anything with the #portalgo devices I have. I really with #meta would ship an unlock tool to open...

I'm still disappointed that I can't do anything with the #portalgo devices I have. I really with #meta would ship an unlock tool to open them for 3P developers to build images and give them a second life. They were really cool useful devices. My family loved them.

Supporting older boomers / seniors with ever increasingly complex modern tech can quickly highlight tech that has bad edge cases and...

Supporting older boomers / seniors with ever increasingly complex modern tech can quickly highlight tech that has bad edge cases and confusing user experiences.

All companies shipping devices need to include boomer QA people I think.

Offering up my parents to test tech if any companies need.

And just like that, a whole new cottage industry for bots to spread a message via Community Notes is born.The system will be rigged and...

And just like that, a whole new cottage industry for bots to spread a message via Community Notes is born.

The system will be rigged and gamed and people will trust it.

Using something like openvibe across bsky, threads and Mastodon solves the most important problem. The ordering of the reply, repost and...

Using something like openvibe across bsky, threads and Mastodon solves the most important problem.

The ordering of the reply, repost and like buttons.

Testing from openvibe.social #crossposting

Testing from openvibe.social #crossposting

One of the .. "benefits??" I guess of a #2E #autism diagnosis is that now when I see people I have worked with in the past seemingly breeze...

One of the .. "benefits??" I guess of a #2E #autism diagnosis is that now when I see people I have worked with in the past seemingly breeze by me in climbing the ladder, getting into cooler more senior roles, I now know why.

I throw "better" in quotes because in the past I might have looked on that as a challenge and been all like "fuck that!!" and doubled down my efforts.. and now my brain says stuff like "maybe this is as high as far as you get? maybe they are just better than you?".

but then I still have enough of what got me here to be back at "fuck that" and adapt and overcome. Maybe knowing what my struggles are makes it much simpler for me to understand the constraints in my system, isolate and exploit them (aka Theory of Constraints).

Fuckits refilled.

TIL I am a 1x Engineer - https://1x.engineer/

TIL I am a 1x Engineer - https://1x.engineer/

Doom scrolling Linkedin to see how much others are accomplishing and I am not, is not a healthy practice.

Doom scrolling Linkedin to see how much others are accomplishing and I am not, is not a healthy practice.

Well shit. This is awesome.https://tldrsec.com/p/dont-security-engineer-asymmetryEspecially that first picture about choosing all the...

Well shit. This is awesome.

https://tldrsec.com/p/dont-security-engineer-asymmetry

Especially that first picture about choosing all the battles. It me.

#infosec

AI is M.S.G. for Tech#ai

AI is M.S.G. for Tech

#ai

A confusing scenario I've encountered several times when dealing with Risk Management and Controls, generally in Cybersecurity (aka Digital...

A confusing scenario I've encountered several times when dealing with Risk Management and Controls, generally in Cybersecurity (aka Digital Risks), is centred around a poor understanding of what Risks are and how detective and preventative controls work.

Let me be clear up front, as this is the crux of the issue.

"We are not seeing any instances of this risk; we don't think our adversaries are attacking us this way, so we don't think we need to take any action yet. We'll review and take the appropriate action if we find that this changes."

Heads up, when it happens, and you can know 100% that it did and measure the impact of it happening... that is not a Risk; that has a likelihood of 100% and a known measured impact; that good people is what we call "An Incident".

Your actions then are not really "risk mitigations/controls"; they are the Containment, Eradication, and Recovery phases of your IR plan.

See, the big core idea behind Risk Management is to understand what could happen to fuck your business and think about what kinds of things you might need to do to lower the chances of that happening or the impact when it does happen. Those are controls, often driven by policy, etc.

Fuck Around & Find Out is not a Risk Management Strategy.

The other side of this is that far too many people forget that unless your preventative controls are binary (open vs. closed), you need super robust detective controls to enact your preventative ones.

I like the example of closing my front door to keep dogs out.

If I want to let my dogs in, I need to be able to see them, determine if they are my dogs, and allow them in. If they are someone else's dogs, then I need to keep the door closed.

The key to this concept is that if a specific risk to the business can cause significant enough harm, you need to prioritise detective controls if you want selective preventive controls.

#infosec #riskmanagement #FAFO

Every time I login to Humblebundle.com and use my Google Account, I am grinding my teeth at the fact that after I go through the OAuth 2.0...

Every time I login to Humblebundle.com and use my Google Account, I am grinding my teeth at the fact that after I go through the OAuth 2.0 flow, from an account with pretty secure passkey / 2FA etc... Humblebundle STILL wants to send me a 2FA code.

Why? If you are letting authN happen at a 3P via SSO /. OAuth / OIDC or what ever, then the responsibility for protecting that AuthN sits with the 3P. Prompting users again is just, in my opinion, a bad user experience.

#infosec #oauth #humblebundle

I have a bit of a confession to make. I've been known to play video games or take a nap while I'm at work.I know, I know, but hear me out.It...

I have a bit of a confession to make. I've been known to play video games or take a nap while I'm at work.

I know, I know, but hear me out.

It started (at least the gaming part) when I worked in the video game industry (I have done so twice, Bioware and Bethesda / Zenimax), and it was part of my job at least then.

We'd either just be play-testing content, or, as security was my team's job, sometimes we'd be testing to find ways to cheat, testing the security of some things, generating logs for testing detection tools, etc.

Often, the actual content was not new or difficult, and my mind would wander. It'd wander to think about problems I had to solve for work. It'd start thinking about the bigger issues, simplifying things, and even writing blog posts or strategy docs, etc.

It turns out that sometimes when your brain is just doing something, it can almost go on autopilot, and then it keeps itself occupied by working on other problems.

So sometimes, I will fire up an easy, grinding game, play on autopilot, and let my brain think about things.

It also "heals" my brain when pushing it too hard and lets it relax. A quick nap has a similar effect.

Given that thinking turns out to be a large and important part of my job as I progress deeper into this world of IC / Senior Architect / Guy-with-the-ideas, etc., finding ways to connect complex things is important.

This quick post was brought to you by a quick blast through a nightmare dungeon in Diablo IV over lunch, during which I worked out how to relate several programs of work together in a way that I think will make it simpler for others to understand why it's important we keep them aligned.

And then I thought I should write this post about it.

#infosec #gamng #principalengineer #seniorIC

I just post this, and then accidentally come across several things that seem to do just this.https://github.com/Doriandarko/maestroThe...

I just post this, and then accidentally come across several things that seem to do just this.

https://github.com/Doriandarko/maestro

The concept of a heirarchical swarm of agents: https://medium.com/@arash.mansoori65/harnessing-hierarchical-swarms-a-groundbreaking-approach-to-multi-modal-content-creation-061dbcb698f6

Also https://github.com/kyegomez/swarms

#ai #aiagent #aiagentswarm

Been discussing recently the fact that hallucinations in llms are a hard thing to solve as the very nature of a statistical text generator...

Been discussing recently the fact that hallucinations in llms are a hard thing to solve as the very nature of a statistical text generator is to generate hallucinations.

What makes a result a hallucination or not is almost entirely dependant upon the desired result of the requestor and the applicability of the generated result for that purpose.

The exact same content could be valid for one requestor and not valid for another.

Efforts to fix one hallucination could make satisfying another kind of request less likely.

It is why I think finely finely tuned models are the way to go. Smaller, faster models designed to do a single thing very well.

Then dissecting the request into smaller components and satisfying each with a finely finely tuned model before combining into a result. Even using a more general but still tuned model to do the initial breakdown and then final composition.

#llm #ai

The more I work with many of these various models via ollama locally, and try to use them for various coding tasks in golang, the more they...

The more I work with many of these various models via ollama locally, and try to use them for various coding tasks in golang, the more they are becoming like a slightly less clueless co-developer who is acting as my pair programming partner in a classroom session.

They are looking up things and having me try random shit to try and fix our program. Except, more often than not, the things he/she has me try are not real functions in the libraries, or gross misunderstandings of the problem we need to fix.

Your jobs are safe software engineers, for reals.

#AI

Still awake at 3am. First meeting is at 6:30

Still awake at 3am. First meeting is at 6:30

I'm a self confessed terrible software engineer, I dont like writing tests, and for the longest time thought they were a waste of time.That...

I'm a self confessed terrible software engineer, I dont like writing tests, and for the longest time thought they were a waste of time.

That being said, software is somewhat reliable, and generally, if it does something weird/bad/wrong its likely because we asked it to do that weird/bad/wrong thing and I can see how tests help with that.

Working with LLM's though? You can ask the same, "right" things multiple ways, multiple times and get different answers.. its significantly less stable in terms of repeatable predictable output. If you are doing 0shot, or 1 shot work, and havent fine tune the model or done this a bunch, then you are unlikely to be super confident in the output.

so I think in these cases, when trying to "automate" some sort of process with AI, some thoughts on this I have:

• Don't automate with AI things you can do with normal software. Not everything needs to be replaced with an AI version. We got a long way with software, its not required to throw it out.

• Don't automate with AI, "all the things" at once, do it incrementally. Build smaller pieces, with the appropriate AI and prompts etc, and combine them piecemeal into the final product, it will make testing, validating and finding issues much easier. It also scales better in terms of cost and performance.

• Have test cases / expected output from the process you are automating to compare against.

• Do that comparison regularly, in fact, treat your tests a bit like tracers on a link of machine gun ammo. X requests, 1 test. X requests, 1 test. For some feel good value of X.

• Use AI to automate the squishy bits that might have had people making judgement calls, but truely understand you are replacing people, with their flaws, with AI models, which have newer, often worse and more flaws. Plan appropriately.

• Keep a human in the loop. AI validating AI which is validating AI etc etc is not the answer.

Just some thoughts.

#AI #infosec

How am I spending my day off? We'll start the morning with an hour call with an AI Security startup taking about AI Security in general and...

How am I spending my day off? We'll start the morning with an hour call with an AI Security startup taking about AI Security in general and what they are doing.

This has inspired me to finally organise my office and unpack / setup some of my home lab systems so I can run more models / code locally and devote more of my time to messing about / learning about AI and AI Security stuff.

To the point of thinking about building a water-cooled AI box, much like a gaming rig.

I wonder if there are any good cost effective cloud GPU "VPS" providers yet? Maybe ones where the system is mine full-time but the GPU is shared? The killer for GPU cloud boxes is that 95% of the time the GPU is idle, but I pay for 100% of the time.

Any solutions to this, a GPU powered cloud Dev machine that people like? (One I can do more than run jupyter python code on.)

One of the most reliable breach detection sites I've come across.http://arewehacked.com/#infosec #breach #yeahweare

One of the most reliable breach detection sites I've come across.

http://arewehacked.com/

#infosec #breach #yeahweare