Most shows and podcasts that do a story about layoffs feature stories, advice, and survival tips and tricks from guest speakers who still have their jobs.
This show will be different. It will feature stories, advice, and survival tips and tricks from a guest speaker who’s actually laid off right now — me! I’m in the thick of it, like Jim Cantore, but for layoffs instead of hurricanes! Hopefully, the podcast equivalent of being hit by a wind-driven tree branch won’t happen to me:
Also, you don’t have to just listen. LinkedIn audio events are like Clubhouse rooms (remember Clubhouse?); you can click the “raise your hand” button and request to be “brought onstage,” where you can join the conversation. So please — join us!
It’s only day one of the new year and I just fulfilled one of my resolutions: to land a conference speaking session on AI outside my usual stomping grounds. I’m going to be a speaker at Civo Navigate North America, which takes place on February 20th and 21st in Austin, Texas!
What’s Civo Navigate, and what is Civo?
What’s Civo Navigate, you ask? Here’s a one-minute video that answers your question:
Civo is a cloud hosting provider based on Kubernetes, with a focus on developer-friendliness and wallet-friendliness. It’s a refreshing change from this state of affairs:
I met the people at Civo last year when they held Civo Navigate North America in Tampa — and not in a convention center or hotel conference rooms, but at Tampa’s big riverside food hall, Armature Works! Here’s the promo for that event:
The 2023 edition of Civo Navigate North America was a great conference with interesting talks and a warmer, more personal “feel” than a typical vendor-hosted event. Civo’s contributions continued long afterward, with their being great supporters of the Tampa Bay tech scene and this blog.
I’m looking forward to the 2024 edition in Austin?
What’s my talk about?
My talk is titled You’re not too late to the A.I. party, and it’s for people who’ve been too busy with their actual work to get into AI and have been feeling increasing amounts of FOMO.
Here’s the description of the talk, with additional AI-generated photos (that are deep in the uncanny valley):
Have you been too busy getting your actual work done to join the artificial intelligence party and feel that you’ve already missed out on the technical career opportunity of a lifetime? If you answered “yes,” this talk is for you.
The good news is that you’re not too late to the A.I. party. It’s just getting started and you arrived at a good time — perhaps even “fashionably late!” You just need someone to take you around the room and make some introductions.
To help you “work the room” as you enter the party, you’ll get an overview of artificial intelligence technologies, from the rules-based models and expert systems of A.I.’s early days to the present era of neural networks, machine learning, transformers, and large language models.
This party won’t be limited to just hand-waving small talk in the living room. We’ll go into the kitchen — the true heart of any party — and look at actual code in action. We’ll start with ELIZA, the original chatbot from the 1960s, observe a neural network, and look at an LLM-powered “What should I wear today?” app. You’ll even be able to download them for yourself!
This talk aims to be like the best parties — the ones you’re glad you were at. You’ll leave this one knowing more about AI’s underpinnings and a much better idea of the next steps in your AI journey, whether it’s catching up with AI developments, harnessing your current skills to integrate AI into your work, or even pivoting into AI development.
In my talk, I’ll discuss:
Generative vs discriminative AI
“Old School” rules-based AI vs. the “New School” version powered by neural networks, data science, and lots of data
How the internet changed AI
The intersection of data science, statistics, and AI
The paper “Attention is All You Need,” what it means, and how it changed AI forever
Large language models (LLMs)
Retrieval-Augmented Generation (RAG)
Vector databases
This talk won’t be all hand-wavey and descriptions, but will also feature demos of actual working code that you can also download, including:
ELIZA, the original 1964 chatbot, but written in present-day Python.
A basic neural network demo that shows how you implement them — perhaps the one that recognizes handwritten numbers, perhaps something a little more interesting!
“Sweater or no?” — a large language model-powered application that tells you what to wear based on your location, the weather, and the event you’re attending.
I’ll also talk about potential “next steps” that you can take, including:
Reading material, including the funniest book about AI (for now): Janelle Shane’s You Look Like a Thing and I Love You. Of course, you don’t have to wait for the talk (or even attend) to read it; you can get it now!
There Will Be Math — or, the math you’ll need to know to get into AI.
Effective Altruists, Effective Accelerationists, and how to Effectively Avoid both.
How to send the right signals to employers so they’ll know that AI is your jam!
Tampa Code Camp, a day full of presentations and workshops for coders, is happening THIS SATURDAY at Keiser University — and better still, it’s FREE to attend! In fact, they even provide a free lunch, because you can’t learn or code on an empty stomach.
This year’s Tampa Code Camp has a Halloween theme, and so does my presentation, Prototype Spook-tacular “FrankenApps” with BRAAAAINS (AI)!!!
Here’s the abstract for my presentation, which will take place from 2:00 to 3:00 p.m.:
Modern AI is scary-smart, and as an aspiring mad computer scientist, you’ve probably wondered how you can write applications that harness the power of AI for your own purposes. Step into this lab, put your laptop on the slab, and learn how to take a brain (an artificial one) from a nearby graveyard (actually, from an API) and put it into your own applications!
In this hands-on session, you’ll learn how to quickly prototype “FrankenApps” — apps built from bits and pieces you can find lying about the internet — and take them to the next spooky level with…BRAINS! Or, more accurately, OpenAI’s APIs, which you’ll harness to get that ChatGPT goodness into your own applications.
You’ll learn about a mad computer scientist’s favorite tools — Jupyter Notebook and Python — and use them to quickly prototype AI-powered applications, such as a weather app that recites spooky poems about the current forecast, or a Halloween costume generator. Catch this session, learn something new, and have some Halloween fun, too!
Join me and the rest of Tampa Code Camp this Saturday at Keiser University for a day of learning, coding, camaraderie, and fun! The event runs from 9:00 a.m. to 3:00 p.m..
Last year’s CyberX Tampa Bay event was a big hit, and it was only natural that there’d be another one this year. Like the first one, this year’s event was packed.
The moment I walked into the venue, I saw so many people and had so many conversations that I never got the chance to take pictures until the start of the “welcome” session in the large room:
…after which we had the choice of two breakout sessions:
Chronicles of an Entry-level Cybersecurity Professional
The Wheel of Misfortune
I went to the Wheel of Misfortune, where audience members got the chance to answer cybersecurity questions for Google swag. Anyone in the audience could volunteer to come up to the front, spin the wheel of topics and answer a question based on that topic.
Hosts Jason Allen and Jonas Kelley were pretty relaxed about audience assistance. At one point, I yelled out the acronym for remebering the 7 layers of the OSI network model — “Please Do Not Take Sausage Pizza Away!” — and no one was penalized.
The room, where every seat and available spot to stand was occupied, was lively, with people enjoying themselves. The audience participation, aided by two engaging hosts, kept the room lively until the very end.
It was then time to recognize CyberX Tampa Bay’s 2023 honoree — someone nominated by attendees as being the person who made the biggest positive impact on Tampa Bay’s cybersecurity scene. This year’s honoree was Jeremy Rasmussen!
And to close the evening, there was the keynote panel on cybersecurity myths. It featured…
I attended Google Developer Groups’ DevFest Tampa Bay event this past weekend, which took place in USF’s Engineering building and featured a healthy number of students in attendance.
…and they shared their leadership experiences, both good and bad. I bounced between their session and this one:
This was ArtemisNet’s session on creating a USB Rubber Ducky, a favorite toy from the hacker’s bag of tricks. It looks like an ordinary USB flash drive, but when plugged in, it sends keystroke signals to the victim’s computer, which thinks it’s an ordinary keyboard. Typically, an attacker would pre-program it to type commands to perform all sorts of security-breaching actions, such as collecting sensitive files or security information and then exfiltrating it for later analysis.
(If you thought you’d seen something like this on a TV show before, you probably did; there was one in Mr. Robot.)
Of course, you need some kind of small processing device to build a Rubber Ducky, and ArtemisNet provided them, free of charge — a Raspberry Pi Pico! Here’s mine:
Afterwards, I bounced over to the other room to see Liz Myers’ “Coffee, Code, and Tensorflow” session…
…and also caught bits of the Flutter and hackathon sessions.
And finally, my employer, Okta, was one of the event sponsors. As their representative here in “The Other Bay Area”, I’m working on getting them to sponsor more local events. Watch this space!
Google Developer Groups DevFest Central Florida: October 14th in Sanford
DevFest Central Florida is a community-run one-day conference aimed to bring technologists, developers, students, tech companies, and speakers together in one location to learn, discuss and experiment with technology. It will take place on Saturday, October 14th at Seminole State College’s Sanford/Lake Mary Campus in Sanford.
Google Developer Groups DevFest Tampa Bay: October 21st in Tampa
DevFest Tampa Bay is a community-run one-day conference aimed to bring technologists, developers, students, tech companies, and speakers together in one location to learn, discuss and experiment with technology. It will take place on Saturday, October 21st at University of South Florida in Tampa.
TampaCC — a.k.a. Tampa Code Camp or Tampa Community Connect — is dedicated to creating a transformative and immersive event that dives deep into the realms of cloud-based technologies. Developers, architects, security professionals, and visionary leaders are invited to showcase their knowledge, share groundbreaking techniques, and pave the way for the next generation of cloud innovation. It will take place on Saturday, October 28th at Keiser University in Tampa.
I attended BSides St. Pete last Saturday, the second anniversary of this event, and it was nice to see that attendance had more than doubled. It’s nice to see the that the Tampa Bay cybersecurity community is active on both sides of “The Other Bay Area!”
BSides gets it name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content. In 2009, when the Black Hat conference in Las Vegas received way more presentation submissions than they could take on, the rejected presenters (who still had very could presentations; there just wasn’t enough capacity for them) banded together and made their own “b-side” conference that ran in parallel with Black Hat. From that event came BSides.
Opening keynote: Between Two Palms: A Session on Burnout
The day started at 9 with the opening keynote, which took place not only on the main stage, but between two palm plants, as promised in its title:
The keynote was a frank discussion moderated by John “Cochise” Buzin (one of my instructors at the UC Baseline cybersecurity course I took in the summer of 2020) and featured Chris Machowski (also one of the people behind the UC Baseline course) and Elvira Reyes.
While they stated quite clearly that they aren’t psychology professionals, they are very active in the cybersecurity field, and each of them knows something about burnout from personal experience.
Over their talk, they talked about what they identified as the five stages of burnout, starting with stage one, the honeymoon phase:
This stage is marked by the following:
Job satisfaction
Accepting responsibility
Sustained energy levels
Unbridled optimism
Commitment to the job
Compulsion to prove oneself
Free-flowing creativity
High productivity levels
Stage two is the onset of stress:
In this stage, you’ll experience:
CV symptoms
Inability to focus
Irritability
Reduced sleep quality
Lack of social interaction
Lower productivity
Anxiety
Avoidance of decision-making
Change in appetite
Headache
Neglect of personal needs
Fatigue
Then comes stage three — chronic stress:
Symptoms of this stage include:
Persistent tiredness
Procrastination
Resentfulness
Social withdrawal
Aggressive behavior
Apathy
Chronic exhaustion
Cynical attitude
Decreased sexual desire
Denial of problems
Feeling threatened
Feeling pressured
Alcohol/drug consumption
Next, stage 4, burnout:
Here’s what you’ll experience in this stage:
Obsession with problems
Pessimistic outlook
Physical symptoms
Self-doubt
Social isolation
Chronic headaches
Chronic GI problems
Neglect of personal needs
Escapist activities
Behavioral changes
And finally, stage 5 — habitual burnout:
And with this comes:
Chronic sadness
Chronic mental fatugue
Chronic physical fatigue
Depression
After this rather gloomy description of burnout’s stages came the things you can do to counter burnout:
They generally boil down to “take better care of yourself,” which is in agreement with what the Mayo Clinic says.
I thought their use of the iconography from the Fallout games for the topic of burnout was pretty clever.
Anonymous trooper
I passed by this fella on the way to the next session:
How to build a cybersecurity journey
I caught a bit of Ivan Marchany’s session, How to Build a Cybersecurity Journey, one of the presentations that covered how one gets into the business of cybersecurity.
Among other things, he covered building your own cybersecurity lab…
…and reminded the audience that as far as prospective employers and clients are concerned, you are your projects:
And equally important is the fact that if you don’t have some kind of online presence in this day and age, you effectively don’t exist to employers and clients:
This was a popular topic, and Ivan was playing to a standing-room-only audience:
Cyber risk management
I also caught the tail end of Dan Holland’s presentation, Complexity is the Enemy: How to start doing Cyber Risk Management. I’m pretty sure I arrived at one of the most important slides, the “risk as a product of probability and impact” slide:
I plan to share this slide on the Okta Slack’s “random” channel:
And here are the takeaways from Dan’s presentation:
A Urinal Story: Human Behavior & Security
Somehow, I managed to miss the “urinal story” part of Daniel Lopez’ and Ashwini Machlanski’s presentation on helping firm up the human element in cybersecurity. They covered key parts of managing people through the use of behavioral science and little tricks like “nudges” to get people to be more security-compliant.
This slide summarizes their key takeaways quite well:
Ashwini and Daniel handed out my favorite stickers from the conference:
My one tragic mistake
In wandering the halls and checking out what was happening in other rooms, I failed to catch Stacey Oneal’s Getting into Cybersecurity presentation, which was on my list. I owe her one — I promise I’ll catch you at your next presentation, Stacey!
Super Grouper hadn’t opened by the time I got to the trucks, so I got an Elvis Burger from 1 Up. It’s been a while since I last had a peanut butter-and-bacon burger, and I enjoyed mine. I know it sounds weird, but it’s worth trying!
Lunch keynote: Becoming a Proactive Defender
While having lunch, I caught most of Christopher Peacock’s presentation, Becoming a Proactive Defender:
I’m going to steal his line, “The best teacher is the adversary; the adversary always gets a vote.”
IAM Security and So Can You: An Intro to Identity Access Management and How to Beat It to a Pulp
I’ve been told that there was a presenter at BSides Tampa that was a bit of dick and overdid it with his bad-mouthing Okta while I wasn’t in the room, so while this talk featured a different presenter, you’d better bet your ass that I was going to be at this one.
But Jarred “Raydar” Pemberton was a lot more reasonable than the other guy. He got an intro from Cochise, who not only mentored him, but convinced him that he should give this presentation. That was a good call; in matters of cybersecurity, if Cochise suggests you do something, it’s generally a good idea to do it.
“Does SSO scare red teamers?” Jarrad asked. “Yes,” he plied to his own question, saying that it’s the kind of thing he shied away from.
Jarrad told us about what he does for a living. It’s always fascinating to see how people who use the stuff we make work with it:
Take note of that last point: in addition to the HR staff or outside HR consultants like “The Bobs,” another person that might be at your termination meeting is someone whose job is to close your work accounts.
I’m actually on the Auth0 side of Okta, which provides a service for customer logins, versus the Okta side of Okta, which handles SSO (single sign-on) for the workforce. My experience with the Okta service is mostly as a user: I use it to log into systems at work:
Yup, that’s an Okta slide! Jarrad’s take on Okta:
“One that I work a lot with and do like quite a bit”
“Super easy to use”
“Simple to get brought up to speed”
“It’s what I would recommend to an org if they can afford it”
(Note to self: Send Jarrad some swag.)
SSO, in addition to letting a workforce since into various work systems with a single set of credentials, has other uses, including certain HR-related tasks:
Monitoring access and, by virtue of knowing who’s logging into what, see who’s really coming into the office and who’s merely pretending to do so
Easily hitting the “off” button for an employee when necessary
Jarrad then went into the different types of SSO, starting with cookie sharing. It’s typically used with internally-developed applications, such as home-grown HR and payroll applications at less mature organizations that haven’t graduated to SaaS application, and if those applications have a common parent domain (that is, if they live on an URL of the form *.your-domain-here.your-tld-here. He recommends against it, as it’s pretty much broken.
He then talked about SAML — Security Assertion Markup Language — an open-standard, XML-based framework for authentication and authorization between two entities without a password.
Most of his talk was focused on the standard that also happens to be my livelihood: OAuth or Open Authorization, the open standard for access delegation, which is often used to grant websites or applications access to user information without giving them their login credentials.
He also quickly mentioned Kerberos, which is for authenticating requests among trusted hosts on an untrusted network:
Here’s some good advice from all you pentesters. Be sure to follow them, especially that last one:
It’s not the early 2000s anymore; stop using shared cookies as SSO! All an attacker has to do is acquire a cookie, and they become a legitimate person in the organization, free to wreak havoc.
There’s a particular vulnerability that is an attacker’s dream, where the *.site.tld domain is deleted, but its C record in the DNS isn’t. An attacker could register that subdomain and gather cookies, and eventually, lots of organization data:
When it comes to OAuth, you’re looking for implementation vulnerabilities, in either the client application, or the OAuth service.
In the OAuth flow, only the IdP (identity provider) holds the user credentials, which are contained in the ID token. As an attacker, you want to somehow steal the ID token, which you can then use the request the access token, which is the key to the resources you want to get your paws on.
Because of its delegated nature, OAuth relies on open redirects. A poorly-built or -configured OAuth service that fails to use a list of allowed redirect URIs could be exploited, but that’s the sort of thing that Auth0 doesn’t allow.
As far as CSRF (cross-site request forgery) attacks are concerned, they can be mitigated with OAuth 2.0’s state parameter. For each authentication request, set it to a hard-to-guess value, and see if the response is the same as the one you sent with the request.
And of course, there’s always checking for bad implementations of the standard:
Here’s another meme I’m going to share on the Okta Slack:
And finally, there’s SAML. As the mobile specialist for Auth0, I never touch the stuff:
But if you’re doing pentesting on a SAML-based setup, you’ll want to use SAML Raider, which add SAML-specific functions to Burp Suite:
Last presentations of the day
I caught a bit of Dan Fernandez’ presentation, The Boring Parts of AI: Risks and Governance of Large Language Models — you can find the slides here…
…and a sliver of Cochise’s How to Wage War and Bypass Congress: a Primer on Gray Zone Warfare preso, because it’s always fun to see him go off on a rant.
Thank you, BSides St. Pete!
To Wilson Bautista and the BSides St. Pete team, my thanks for a great event for the cybersecurity community to share knowledge and gather together!