Nostr notes by Rob O :verified:

So, the argument seems to be that acceleration of attacks (and, I ...

2026-04-21T21:05:24Z

In reply to nevent1q…3ps0
_________________________

So, the argument seems to be that acceleration of attacks (and, I assume, increased success rate) necessitate higher levels of automation. The HTB success rates, in particular, are what seem to be raising alarm bells from those on the practicioner side.

The argument is, roughly, that IF we're about to be inundated by an influx of highly skilled red-team agents, THEN we need blue team agents in the loop that are capable of responding with similar speed.

That strikes me as reasonable logic. I'm not sure I'm willing to grant the antecedent at this point, but the structure of the IF-THEN strikes me as rational.

Or maybe we could just turn all the computers off and throw them out of whatever window is nearest.

Which, just to put a bow on the conversation, seems to be the ...

2026-04-21T19:20:27Z

In reply to nevent1q…92es
_________________________

Which, just to put a bow on the conversation, seems to be the point of both pieces.

If you accept their premise about attack speed accelerating (not sure I do,.but it *is* a reasonable hypothesis), then it's probably time to actually get those things done... And to do that at a fast enough pace, one probably needs agents (and the restrictions outlined).

One of my hotter professional takes is that cybersecurity is no ...

2026-04-21T17:04:16Z

In reply to nevent1q…84ez
_________________________

One of my hotter professional takes is that cybersecurity is no longer a fast-moving industry and that we've had a pretty solid notion of how to do security right for at least a decade.

Our problems these days are more about making sure those things get done than in figuring out what the right thing to do is.

I agree, but what are the chances at getting a substantive ...

2026-04-21T16:44:47Z

In reply to nevent1q…frf8
_________________________

I agree, but what are the chances at getting a substantive regulatory framework or product liability regulations in this space?

I'm using "engineering" as shorthand for design/implementation since, as we all know, most of what tech does really shouldn't be called engineering.

There's a few interesting nuggets in there, though. In addition to "The boring basics like asset management, least privilege, and network segmentation really do matter", the relative importance of penetration testing (declining), detection engineering (increasing), and the shift towards "assume you're compromised" all strike me as reasonable points.

The argument that both pieces seem to be putting forward is that ...

2026-04-21T16:33:27Z

In reply to nevent1q…jn9e
_________________________

The argument that both pieces seem to be putting forward is that they expect attackers, in the future, to be leveraging AI/LLMs to increase the pace of attacks to a point where will no longer be feasible for humans to play the same role in the incident response loop that they currently play.

I'm not sure I accept that, but it's a clear hypothesis that be tested for correctness with data. It's also not rooted, as you say, in happier vibes.

The set of controls proposed by both appear to differ (I only skimmed the one you posted). Mubix's piece focuses on two attributes, one of actions and one of agents.

Agents need to have minimally constrained scope (so, least privilege applied to agents). The set of actions they are permitted to take should also only be actions that are reversible. The rest of the document outlines engineering best practices that absolutely need to be in place (and, as we know, often aren't) in order to facilitate those.

That said, a non-trivial amount of the recommendations of both ...

2026-04-21T16:17:48Z

In reply to nevent1q…cvfn
_________________________

That said, a non-trivial amount of the recommendations of both are, in z nutshell, "Get your act together and finally do the basics right."

Ehhh, the CISO to current practitioner ratio is low, but ...

2026-04-21T16:14:59Z

In reply to nevent1q…kwdt
_________________________

Ehhh, the CISO to current practitioner ratio is low, but there's definitely folks on there from a practitioner background. It also echoes many of the same points as the ones Mubix made here:
https://infosec.exchange/@mubix/116415117902139733

I haven't drunk the proverbial KoolAid, but I find interesting that both position papers are a) providing reasonably precise (and testable) hypotheses about how they are anticipating the threat landscape will change over the medium term and b) describing reasonably precise control sets needed to mitigate that risk (as well as the risk caused by the technical debt accrued by the lack of oversight of past AI investments).

quoting
note1kzd…w4l8

Made a thing about Mythos and what companies need to do about it (like everyone else on the planet). I think where mine sticks out is giving some practical, “you can start this tomorrow” advice:

“The Day-Zero Normal”

https://www.linkedin.com/posts/mubix_the-day-zero-normal-by-rob-fuller-activity-7450542077001662464-6o6X

It's almost like having an "engineering" discipline ...

2026-04-14T15:35:38Z

In reply to nevent1q…08w7
_________________________

It's almost like having an "engineering" discipline with little in the way of professional liability is a bad thing.

sigh Mythos messaging is starting to hit regular people. ...

2026-04-13T18:21:45Z

*sigh* Mythos messaging is starting to hit regular people. I've already had to explain twice, now, how Mythos isn't going to decrypt all network traffic.

This is exhausting.

I get the sense that the economy has a lot of folks feeling very ...

2026-04-10T19:42:41Z

In reply to nevent1q…g7pc
_________________________

I get the sense that the economy has a lot of folks feeling very french. Late 1700s french.

Oh god, think about all the InfoSec techbros that are about to ...

2026-04-10T15:57:25Z

In reply to nevent1q…lv2n
_________________________

Oh god, think about all the InfoSec techbros that are about to become experts in astrophysics.

I've also wondered, to some extent, how much of this is the ...

2026-04-10T14:22:55Z

In reply to nevent1q…qq0h
_________________________

I've also wondered, to some extent, how much of this is the result of "main character syndrome", for lack of a better phrase.

People want to believe they're doing something wild, exciting, and innovative. So much of cybersecurity, however, is glorified accountancy, tradesman (plumbing/electrical/etc), and janitorial work.

It's hard for folks to wrap their head around the fact that their jobs are much more like that of the folks in Office Space than V from Cyberpunk.

Incidentally, I really wish there were better tools for teaching ...

2026-04-09T15:36:39Z

In reply to nevent1q…j3zf
_________________________

Incidentally, I really wish there were better tools for teaching about this kind of thing.

I suppose we'll see. Given the unreliability of US foreign ...

2026-03-24T15:34:13Z

In reply to nevent1q…qtjf
_________________________

I suppose we'll see. Given the unreliability of US foreign and security policy, we've seen other sectors shift away from American produced goods. Notably, the auto industry.

I would think that some countries (Denmark, for example) might be wondering if it's time to shift technical infrastructure away from US goods too. Hasn't there been some of this happening in the cloud space already?

I imagine the primary problem here is the lack of alternatives in the router space.

RE: https://mastodon.neat.computer/@jonah/116284778632962494 I ...

2026-03-24T15:18:36Z

RE: https://mastodon.neat.computer/@jonah/116284778632962494

I wonder how freaked out Cisco and Palo Alto are right now about the possibility of retaliatory actions.
nostr:note1euvpufmyle0e6el77937y5t862hg7wkja4nn9jdyher770udhneq9sjhya

"Malicious pickle de-serialization" sounds like something ...

2025-10-06T16:23:14Z

In reply to nevent1q…x5qz
_________________________

"Malicious pickle de-serialization" sounds like something from Law and Order SVU.

One of the most accessible Def Con talks I attended was this one: ...

2025-09-23T15:57:13Z

In reply to nevent1q…y7zf
_________________________

One of the most accessible Def Con talks I attended was this one: https://www.youtube.com/watch?v=F1VttfQFTWE

Sounds like things haven't changed all that much.

So, this was blocks away from where I lived for like 6 years. ICE ...

2025-09-09T22:47:21Z

So, this was blocks away from where I lived for like 6 years. ICE was (mostly) chased away and someone apparently slashed their tires, in one of the most affluent neighborhoods in the city.

https://www.wxxinews.org/local-news/2025-09-09/ice-agents-in-the-park-ave-neighborhood-spark-large-scale-protest

All I see here is "Ran a human subjects experiment without an ...

2025-04-29T22:16:29Z

All I see here is "Ran a human subjects experiment without an IRB." Why are these "researchers" still employed?

https://www.404media.co/researchers-secretly-ran-a-massive-unauthorized-ai-persuasion-experiment-on-reddit-users/

I see applications in RPGs. Imagine Skyrim or Baldurs Gate ...

2025-04-07T13:31:34Z

In reply to nevent1q…m5kl
_________________________

I see applications in RPGs. Imagine Skyrim or Baldurs Gate without canned dialogue. That said, the replay value of those games would skyrocket, probably hurting sales of other games. On the ethical side, compensation for voice actors would be a problem.

I used to teach quite a lot of courses that covered ethics as it ...

2025-02-18T20:16:31Z

I used to teach quite a lot of courses that covered ethics as it applies to technology. This was, to honest, my gateway into security.

One of my favorite discussions was "What software would you refuse to write?"

I think about that *a lot*.

Friend, I think you have far too high of an opinion about ...

2025-02-11T14:18:54Z

In reply to nevent1q…cza0
_________________________

Friend, I think you have far too high of an opinion about university administrators. A few things:

1) Most universities are schools attached to hedge funds by way of the endowment. In most schools, the person with the most practical power on campus isn't the president or the board, it's the CFO/VP for Finance/<insert similar title here>.

2) US universities can be held hostage with the threat of withholding financial aid money. Suppose there's a threat: "Remove diversity or you can't receive student loans/pell grants". Without that income, most universities wouldn't be able to make payroll. There might be a delay by a semester or two while operating budgets are shuffled around and there are massive layoffs, but that's the ballgame. They'd be relying on research funds and money from their foundation.. but that really doesn't go very far.

This really sucks, but I strongly suspect no universities are coming to save anyone.

Yeah. This is a C programming class too, for what it's ...

2024-11-08T18:44:05Z

In reply to nevent1q…7rrw
_________________________

Yeah. This *is* a C programming class too, for what it's worth. It's the third class in our programming sequence (Python, then OOP w/ Java).

I very intentionally frame the class as "Our goal here is to learn to think like the compiler, and we're going to take away all the cool programming tools you had in your first two classes."

Yeah. This is a problem I'm really noticing in my year 2 ...

2024-11-08T18:29:55Z

In reply to nevent1q…spx7
_________________________

Yeah. This is a problem I'm really noticing in my year 2 course right now. Students are relying on the AI to do any kind of critical thinking, even things like basic debugging.

It's not uniform across all students, but it's a real problem when they're asked to do something the AI isn't good at. For example, my course spends a lot of time covering topics like memory management, process management, etc... along with the syscalls used for it.

But, the course is intended to prep students for understanding exploit development/reverse engineering, so we use Windows, not Linux (like all the other OS courses out there). ChatGPT ain't great at writing code for Windows.

Interestingly, it usually fails on the same stuff I do in my first pass, like all the wonky string typecasting needed. It's all stuff there's not a ton of resources for. There's maybe 1 or 2 useful books and the rest of the content lives in TechNet articles. There's not even a ton on Stack Overflow. Not enough for ChatGPT to really work with.

I'm encountering students that really struggle with the debugging process. Instead of "Compile, get an error, research that error, figure out the problem, fix the problem, add the next bit of functionality", I'm seeing students just throw the whole thing into ChatGPT (maybe) with the error message and expect ChatGPT to fix it.

My best story on that - I was red teaming a student competition ...

2024-11-07T20:28:19Z

In reply to nevent1q…0j2n
_________________________

My best story on that - I was red teaming a student competition during which the student teams could attack each other too.

One team of students blew out Ansible that replaced every binary in System32 with a simple executable that just printed 'No'.

The pro red team spent, like, half the day tracking down why Cobalt Strike was telling us 'No' thinking it was a permissions problem.