Categories: Artificial Intelligence, Meetups, The Street Finds Its Own Uses For Things, What I’m Up To

Notes from the “Becoming an Empowered AI Worker” session

Need to skill up? Computer Coach has bootcamps, courses, and training for IT and business pros. I’ve taught Python and JavaScript courses for them.

As promised, here are my notes from my recent presentation at the Computer Coach-hosted session, Becoming an Empowered AI Worker, which took place on Tuesday, October 10, 2023.

Want to learn how to make the most of your work and career? Follow Computer Coach’s events via the Career Success Academy meetup group.

Intro: The reason the recent AI wave feels so overwhelming

It’s only natural to feel overwhelmed with the pace of AI development and what feels like a daily deluge of new AI applications and improvements to existing ones. That’s because we’re not naturally wired for this rate of change. Case in point: Ancient Egypt.


From 3150 BCE to about 330 CE, Egypt was incredibly stable. That stability came from the fact that as a culture, they remained relatively unchanged for over 3000 years. In the absence of some kind of pressure or catalyst to change, we naturally tend towards inertia.

As you already know, the modern era is quite different from Old Egypt. Consider this (incredibly simplified) timeline showing the history of computing:

  • 1930s – 40s: Computing’s largely theoretical era. The formal mathematical definition of “computable” was developed during this time, as were these two key concepts:
    • The Turing Machine: Created by Alan Turing, this is a hypothetical machine that can describe any working algorithm. Every program, from “Hello World” to ChatGPT, can be expressed as a form of Turing Machine.
    • The von Neumann Architecture: Conceived by John von Neumann, this is the general organizing principle for computers — even today’s machines.
  • 1950s – 60s: This period gave us the first digital computers as well as the first programming languages — COBOL, FORTRAN, ALGOL, BASIC, PL/1, as well as the three whose influence lives on in today’s programming languages: Lisp (functional programming), Algol (structured programming), and Simula (object-oriented programming).
  • 1970s – 80s: An interesting era where computers went in two different directions. We got Cray supercomputers (they were supercomputers at the time, but a 2011-era iPad can keep up with them) and personal computers.
  • 1990s – 2000s: The internet as we know it (it’s been around since 1969 in the form of ARPANET), smartphones starting with the BlackBerry and followed later by iPhone and Android, publicly accessible GPS, wifi, and all the goodies that we can’t live without today.

Remember, computing — even as a theory — isn’t even 100 years old yet!

I have a pet theory that every 13 years, a computing innovation appears and changes everything. (I basically summarized this theory in the presentation, and you can read about this in more detail in an earlier article of mine, Computing innovations happen every 13 years, and we’re at the start of a new one.)

Remember that ChatGPT hasn’t even been out a year yet! It debuted on November 30, 2022, and since then, OpenAI have been working hard at improving and enhancing it, and their rivals have been racing to keep up with them.

As a final example of how quickly things were evolving in the AI world, I showed a couple of photos from the Bay Area AI meetup I attended in San Francisco on Monday, October 2:

Not only was it quite well-attended for a Monday meetup (at least 60 people), but the attendance came from all over the San Francisco Bay Area:

I’m going to post a fuller writeup of this meetup in a later article. Watch this space!

The meetup had three technical presentations, all of which centered around RAG — retrieval-augmented generation. This is a process that enhances the results produced by large language models by retrieving additional facts or information from an external knowledge source. If you’ve ever added to a discussion by looking something up on your phone, you’ve performed a simple version of RAG.

After this introductory bit (which gave latecomers an opportunity to join the Zoom chat), I got to the main topic: using AI in your day-to-day work.

How to be more effective at work with the help of an LLM

Summarizing

If your job is in a “knowledge work” field, chances are you’ll end up doing a lot of reading. This will be doubly true if you’re working in a field where a lot of reading material is the norm, or if you have a manager who likes to stick you with the tedious work they’d rather not do.

In cases like this, you’ll find LLMs’ ability to summarize text very handy. Consider a recent Wired article, New York’s Airbnb Ban Is Descending Into Pure Chaos. I copied the text of the article and pasted it into ChatGPT Plus (but using GPT 3.5) following this prompt:

Summarize this article:

[I pasted the article text here]

ChatGPT turned it from a 15-paragraph article into a 6-paragraph summary. That’s useful, but I went further with this prompt:

Could you summarize that article in a single sentence?

Here’s how ChatGPT responded:

New York City's crackdown on short-term rentals, particularly on Airbnb, has led to a surge in illegal listings on social media and lesser-known platforms, resulting in a rental black market, as the city's short-term rental landscape undergoes significant changes.

One of the attendees asked if I could get ChatGPT to provide the top three points of the article. I said this was a good idea, and that in the spirit of experimentation, we should try it. I used this prompt:

Give me the top 3 points from the article.

ChatGPT’s response:

1. New York City's ban on most short-term Airbnb rentals has led to a significant drop in listings on the platform, with many properties going unregistered, resulting in a rental black market.

2. The crackdown has reshaped the vacation rental market in the city, with people turning to alternative platforms like Craigslist, Facebook, and Houfy to evade regulations, potentially posing risks to both guests and hosts.

3. Airbnb is shifting its focus away from New York, once its largest market, and exploring other opportunities such as longer rentals, car rentals, and dining pop-ups, while the city grapples with the consequences of the short-term rental ban.

Someone asked if ChatGPT could translate those points into Spanish, so I entered this prompt:

Can you translate that into Spanish?

Here’s how ChatGPT responded:

1. La prohibición en la ciudad de Nueva York de la mayoría de las propiedades de alquiler a corto plazo en Airbnb ha resultado en una disminución significativa de las ofertas en la plataforma, con muchas propiedades sin registrarse, lo que ha dado lugar a un mercado negro de alquileres.

2. La represión ha transformado el mercado de alquileres vacacionales en la ciudad, con las personas recurriendo a plataformas alternativas como Craigslist, Facebook y Houfy para evadir regulaciones, lo que potencialmente plantea riesgos tanto para los huéspedes como para los anfitriones.

3. Airbnb está desviando su atención de Nueva York, una vez su mercado más grande, y explorando otras oportunidades como alquileres más largos, alquiler de automóviles y restaurantes emergentes, mientras la ciudad lidia con las consecuencias de la prohibición de alquileres a corto plazo.

Keep in mind that machine translation, even in this new age of AI, should be taken with a grain of salt. The Spanish speakers in the audience said “not bad.”

Seed words and phrases

I didn’t have time to cover the concept of seeding ChatGPT, so this is bonus material!

You can direct ChatGPT’s answers by providing key words, phrases, or concepts to focus on in your prompt. These words and phrases are called seed words and seed phrases and you can use them to get ChatGPT output that better fits your needs.

For example, here’s a prompt that gets ChatGPT to provide a short summary of the article around the word “rent:”

Summarize the article in a way that is related to the seed word "rent".

Here’s how it responded:

The article highlights the evolving landscape of short-term rentals in New York City, where strict regulations have led to a surge in unregistered rentals, creating a rental black market and reshaping the vacation rental market. Airbnb, once a dominant player, is now shifting its attention away from the city, affecting the rental dynamics.

Let’s try getting a summary from a different angle — the legal perspective — and with slightly different prompt phrasing:

Summarize the article in a way that is related to the law.

ChatGPT’s reply:

The article discusses the consequences of a new law in New York City that heavily regulates short-term rentals, leading to a significant reduction in Airbnb listings. Many unregistered rentals have emerged, creating a rental black market. The article also mentions efforts by smaller landlords to change the law to allow them to legally rent out their units and how Airbnb is shifting its focus in response to the new regulations.

Note the differences, subtle as they are, between the summaries.

By using seed words and phrases, you can get ChatGPT to focus on a specific topic or emphasize a specific point. If you’re writing a memo to convince a manager to take a certain action, or sales or marketing copy, you’ll find seed words and phrases very useful.

Text classification

This is one trick that comes in handy when dealing with lots of text documents: making it classify them into different categories. I provided a simple example where I took three Amazon reviews — one for a car jump starter, one for an aloha shirt (a.k.a. Hawaiian shirt), and one for a wireless router — and then had ChatGPT put them into one of three categories:

  1. Electronics
  2. Home and garden
  3. Clothing

Here’s what I provided to ChatGPT:

Perform text classification on the following reviews and classify them into different categories such as “electronics”, “home and garden”, and “clothing”: 

Reviews

Review 1:
5.0 out of 5 stars Awesome little jump started!
Reviewed in the United States on August 5, 2023
Color: 4000AVerified Purchase
I have an old Generac generator that we use when we have power failures or other things happen and try to remember to start it every month or two to keep the gas clean and make sure everything is going well. The last few times, it is really slow to start and pulling the thing to start is a nightmare since it is so big! Instead of replacing the battery pack, I decided to spring for this for just a little more. The generator has the connections to jump start right near the push button, so it is a breeze to hook up and it cranks way better than the battery pack that I bought a couple of years ago ever did!

I am looking forward to having this to be able to jump all of my devices that have starters as well as for backup power in case we need it. It seems to have great safety features, after cranking for a while (since I turned the choke the wrong way) it shut off the start ability for just a second. I let off the button on the generator and the pack reset itself and was ready to crank again in about a second and a half.

I love that it has a case that is big enough to keep all the parts in, I have a habit of collecting random cords in boxes, so my life is miserable when I need to find stuff sometimes.

I hope it holds up to use and storage, just remember to charge it as soon as you get it, it showed four out of four bars, but when I plugged it it, it charged for a couple of hours while blinking the last light.

I hesitated to buy this, thinking I wasn't sure of the technology or if it would have the power of a regular generator battery but it has won me over in a big way!

Edit: I was using it to charge something a few weeks ago and it completely locked up. I let it sit for a few hours and it still didn't work on either the USB ports or the battery terminals. The terminals would start but would click and act like there was a short circuit within a few seconds, only allowing use for a very short time. I contacted the seller, they got right back to me, but I had left for a trip. When I got back home, I tried it and it worked perfectly. Apparently, it needed a bit more time to reset! I appreciate the quick response from the seller and I have now used it to charge a camera, a phone (multiple times) and jumpstart a truck without any hiccups at all. I still think it is a great product - just the right size and weight to be in my truck all the time. I don't have any hesitation recommending this for anyone since I know the seller backs it up with fast support response and stands behind their products.

Review 2:
A Stylish and Comfortable Hawaiian Shirt for Any Occasion
Reviewed in the United States on September 4, 2023
Color: CoffeeSize: MediumVerified Purchase
I recently purchased the VATPAVE Men's Casual Hawaiian Shirt in Coffee, and this marks my second time buying this shirt. It's safe to say that this shirt has become a staple in my wardrobe, and here's why:

Fit and Sizing (4/5): I initially bought this shirt in a Large, but after some weight loss, I opted for a Medium this time. It's worth noting that this brand tends to run a bit large, which suits my style perfectly. I prefer wearing it untucked, and the size works well for that relaxed look. However, if you plan to wear it as a dress shirt or with a blazer, you might consider sizing down, though it's not a dramatic difference.

Versatile Style (5/5): I've found this shirt to be incredibly versatile. It's my go-to choice for all casual occasions, whether it's a weekend outing or a dress-down Friday at work. The Coffee color is a rare find in casual shirts, and the tropical floral pattern is simply captivating. It adds a touch of uniqueness to your outfit.

Review 3:
4.0 out of 5 stars Latest Firmware fixed my issues
Reviewed in the United States on June 22, 2023
Style: AX3000, WiFi 6 RouterVerified Purchase
I waited for the latest firmware update to write this review. After the June 2023 update, this router has been rock solid with 20+ clients and a TP-Link extender. Updates are automatic. Just make sure it is turned on in the settings. I explain my initial issues at the end of the review.

The first thing I like is that you can do everything you need with any web browser. You do not have to sign up for any TP-Link account unless you use the available app or want remote features like parental controls and additional security and analytic features which makes perfect sense.

You can easily set up a mesh network with extenders. Mesh is brain dead easy with a TP-Link extender. Just turn it on in the settings and you have a mesh network.

This router can make 3 separate networks with both 2.5GHz and 5GHz. The main wireless network, and an isolated guest network, and an IoT network to keep your light bulbs and guests from infecting your computers. It supports Alexa and Google assistant. Support for VPN clients and servers. Also support for Dynamic DNS. It has an SPI firewall, NAT forwarding, and access controls all without signing up for an account. Don’t worry if all that is confusing. If you don’t know what they are then you don’t need them, except for the firewall which is on by default. Another feature I like is the ability to name all the devices in the connected clients list. For example, you may see a device named “Ring-49825”. You can name it “Driveway-Camera” or rename other devices like your thermostat, mobile phones, or whatever is connected to your network with some strange identifier.

I gave only 4 stars because of the issues I had with the firmware released at the time of my purchase. After about 24 hours the CPU would be at 100% and the router would eventually lock up and lose the internet connection. It could not be logged into and would have to be powered down and restarted. I set the router to restart every morning at 2am until these issues were resolved with the latest firmware installed.

Here’s how ChatGPT responded:

Review 1: Electronics - This review discusses the performance and features of a jump starter for a generator, indicating its usage for powering devices and jump-starting vehicles.

Review 2: Clothing - This review talks about a Hawaiian shirt's fit, sizing, and style, highlighting its versatility and use in various casual occasions.

Review 3: Electronics - This review focuses on the performance of a Wi-Fi router, specifically mentioning firmware updates and various technical features, indicating a discussion related to electronics and technology.

Not only did ChatGPT put the reviews in the correct categories, but it also did not put anything in the “wrong” category that I deliberately included (home and garden).

Multiple-choice questions

There are times when you want an LLM to provide an answer from a limited set of answers. Here’s a multiple-choice prompt format that does this:

Complete the following sentence by selecting one of the following options: “Float like a butterfly, sting like a...” [dog] [bee] [gasoline pump]

Here was ChatGPT’s response:

Float like a butterfly, sting like a bee.

Adversarial prompting

The term “adversarial prompt” is typically used to refer to a prompt that tricks an LLM into doing something that it’s not supposed to do…

…but it has other uses.

One way to use adversarial prompting is to have an LLM rewrite text that you give it so that the resulting text is hard to classify in a certain way. For example, here’s a prompt that asks ChatGPT to tone down the positive review of an aloha shirt from an earlier example:

Rewrite the following text in order to make it hard to classify as positive:

A Stylish and Comfortable Hawaiian Shirt for Any Occasion
Reviewed in the United States on September 4, 2023
Color: CoffeeSize: MediumVerified Purchase
I recently purchased the VATPAVE Men's Casual Hawaiian Shirt in Coffee, and this marks my second time buying this shirt. It's safe to say that this shirt has become a staple in my wardrobe, and here's why:

Fit and Sizing (4/5): I initially bought this shirt in a Large, but after some weight loss, I opted for a Medium this time. It's worth noting that this brand tends to run a bit large, which suits my style perfectly. I prefer wearing it untucked, and the size works well for that relaxed look. However, if you plan to wear it as a dress shirt or with a blazer, you might consider sizing down, though it's not a dramatic difference.

Versatile Style (5/5): I've found this shirt to be incredibly versatile. It's my go-to choice for all casual occasions, whether it's a weekend outing or a dress-down Friday at work. The Coffee color is a rare find in casual shirts, and the tropical floral pattern is simply captivating. It adds a touch of uniqueness to your outfit.

Here’s the result:

A Hawaiian shirt for various situations. Reviewed in the United States on September 4, 2023. Color: CoffeeSize: MediumVerified Purchase. I recently acquired the VATPAVE Men's Casual Hawaiian Shirt in Coffee for the second time. It's fair to say that this shirt has found a place in my wardrobe, and here's why:

Fit and Sizing (4/5): Initially, I purchased this shirt in a Large, but due to some weight loss, I went for a Medium this time. It's important to mention that this brand tends to run slightly larger, which somewhat suits my style. I prefer wearing it untucked, and the size does the job for that casual appearance. Nevertheless, if you intend to wear it as formal attire or with a blazer, you might contemplate downsizing, although the difference isn't particularly noticeable.

Versatile Style (5/5): I've discovered this shirt to be quite adaptable. It serves as my default choice for various casual events, whether it's a weekend excursion or a casual Friday at work. The Coffee color is an uncommon discovery in the realm of casual shirts, and the tropical floral pattern is somewhat interesting. It imparts a hint of individuality to your ensemble.

The resulting text still conveys the general objective information about the shirt, but the tone is less positive.

Translating audio and video content into other languages

If your line of work has you creating audio and video content and you’d like to make it available in different languages, you’ll find HeyGen handy. My favorite feature is its ability to do translations of audio and video into other languages.

First, I recorded this quick little video where I promoted a hypothetical Python course…

…and then I ran it through HeyGen to translate it into Spanish. The result was pretty good, complete with a fair clone of my “radio voice,” and it even changed my lip movements to match the Spanish words:

Résumé assistance

I was only able to quickly point people to Rezi, the AI-assisted résumé writing tool, but it’s worth checking out.

Thanks to everyone who attended, and to Computer Coach for inviting me to do this presentation!

Categories: Conferences, Security, Tampa Bay, What I’m Up To

Scenes from BSides St. Pete 2023

I attended BSides St. Pete last Saturday, the second anniversary of this event, and it was nice to see that attendance had more than doubled. It’s good to see that the Tampa Bay cybersecurity community is active on both sides of “The Other Bay Area!”

BSides gets its name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content. In 2009, when the Black Hat conference in Las Vegas received way more presentation submissions than it could take on, the rejected presenters (who still had very good presentations; there just wasn’t enough capacity for them) banded together and made their own “b-side” conference that ran in parallel with Black Hat. From that event came BSides.

Since then, BSides conferences have been held all over the world. As of September 2023, nearly 900 have been held, including BSides Tampa X — the 10th BSides Tampa conference — which took place in April. BSides St. Pete 2023 took place at St. Petersburg College’s Seminole Campus and had over 300 attendees.

Opening keynote: Between Two Palms: A Session on Burnout

The day started at 9 with the opening keynote, which took place not only on the main stage, but between two palm plants, as promised in its title:

The keynote was a frank discussion moderated by John “Cochise” Buzin (one of my instructors at the UC Baseline cybersecurity course I took in the summer of 2020) and featured Chris Machowski (also one of the people behind the UC Baseline course) and Elvira Reyes.

While they stated quite clearly that they aren’t psychology professionals, they are very active in the cybersecurity field, and each of them knows something about burnout from personal experience.

Over the course of their talk, they covered what they identified as the five stages of burnout, starting with stage one, the honeymoon phase:

This stage is marked by the following:

  • Job satisfaction
  • Accepting responsibility
  • Sustained energy levels
  • Unbridled optimism
  • Commitment to the job
  • Compulsion to prove oneself
  • Free-flowing creativity
  • High productivity levels

Stage two is the onset of stress:

In this stage, you’ll experience:

  • CV symptoms
  • Inability to focus
  • Irritability
  • Reduced sleep quality
  • Lack of social interaction
  • Lower productivity
  • Anxiety
  • Avoidance of decision-making
  • Change in appetite
  • Headache
  • Neglect of personal needs
  • Fatigue

Then comes stage three — chronic stress:

Symptoms of this stage include:

  • Persistent tiredness
  • Procrastination
  • Resentfulness
  • Social withdrawal
  • Aggressive behavior
  • Apathy
  • Chronic exhaustion
  • Cynical attitude
  • Decreased sexual desire
  • Denial of problems
  • Feeling threatened
  • Feeling pressured
  • Alcohol/drug consumption

Next, stage 4, burnout:

Here’s what you’ll experience in this stage:

  • Obsession with problems
  • Pessimistic outlook
  • Physical symptoms
  • Self-doubt
  • Social isolation
  • Chronic headaches
  • Chronic GI problems
  • Neglect of personal needs
  • Escapist activities
  • Behavioral changes

And finally, stage 5 — habitual burnout:

And with this comes:

  • Chronic sadness
  • Chronic mental fatigue
  • Chronic physical fatigue
  • Depression

After this rather gloomy description of burnout’s stages came the things you can do to counter burnout:

They generally boil down to “take better care of yourself,” which is in agreement with what the Mayo Clinic says.

I thought their use of the iconography from the Fallout games for the topic of burnout was pretty clever.

Anonymous trooper

I passed by this fella on the way to the next session:

How to build a cybersecurity journey

I caught a bit of Ivan Marchany’s session, How to Build a Cybersecurity Journey, one of the presentations that covered how one gets into the business of cybersecurity.

Among other things, he covered building your own cybersecurity lab…

…and reminded the audience that as far as prospective employers and clients are concerned, you are your projects:

And equally important is the fact that if you don’t have some kind of online presence in this day and age, you effectively don’t exist to employers and clients:

This was a popular topic, and Ivan was playing to a standing-room-only audience:

Cyber risk management

I also caught the tail end of Dan Holland’s presentation, Complexity is the Enemy: How to start doing Cyber Risk Management. I’m pretty sure I arrived at one of the most important slides, the “risk as a product of probability and impact” slide:

I plan to share this slide on the Okta Slack’s “random” channel:

And here are the takeaways from Dan’s presentation:

A Urinal Story: Human Behavior & Security

Somehow, I managed to miss the “urinal story” part of Daniel Lopez’ and Ashwini Machlanski’s presentation on helping firm up the human element in cybersecurity. They covered key parts of managing people through the use of behavioral science and little tricks like “nudges” to get people to be more security-compliant.

This slide summarizes their key takeaways quite well:

Ashwini and Daniel handed out my favorite stickers from the conference:

My one tragic mistake

In wandering the halls and checking out what was happening in other rooms, I failed to catch Stacey Oneal’s Getting into Cybersecurity presentation, which was on my list. I owe her one — I promise I’ll catch you at your next presentation, Stacey!

Lunch

Lunch was provided by two local food trucks:

Super Grouper hadn’t opened by the time I got to the trucks, so I got an Elvis Burger from 1 Up. It’s been a while since I last had a peanut butter-and-bacon burger, and I enjoyed mine. I know it sounds weird, but it’s worth trying!

Lunch keynote: Becoming a Proactive Defender

While having lunch, I caught most of Christopher Peacock’s presentation, Becoming a Proactive Defender:

I’m going to steal his line, “The best teacher is the adversary; the adversary always gets a vote.”

IAM Security and So Can You: An Intro to Identity Access Management and How to Beat It to a Pulp

I’ve been told that there was a presenter at BSides Tampa that was a bit of dick and overdid it with his bad-mouthing Okta while I wasn’t in the room, so while this talk featured a different presenter, you’d better bet your ass that I was going to be at this one.

But Jarred “Raydar” Pemberton was a lot more reasonable than the other guy. He got an intro from Cochise, who not only mentored him, but convinced him that he should give this presentation. That was a good call; in matters of cybersecurity, if Cochise suggests you do something, it’s generally a good idea to do it.

“Does SSO scare red teamers?” Jarrad asked. “Yes,” he replied to his own question, saying that it’s the kind of thing he shied away from.

Jarrad told us about what he does for a living. It’s always fascinating to see how people who use the stuff we make work with it:

Take note of that last point: in addition to the HR staff or outside HR consultants like “The Bobs,” another person that might be at your termination meeting is someone whose job is to close your work accounts.

If you’re ever unfortunate enough to be a guest at a layoff meeting, you may encounter “The Bobs” (a term from the film Office Space). Find out more about them here.

I’m actually on the Auth0 side of Okta, which provides a service for customer logins, versus the Okta side of Okta, which handles SSO (single sign-on) for the workforce. My experience with the Okta service is mostly as a user: I use it to log into systems at work:

Yup, that’s an Okta slide! Jarrad’s take on Okta:

  • “One that I work a lot with and do like quite a bit”
  • “Super easy to use”
  • “Simple to get brought up to speed”
  • “It’s what I would recommend to an org if they can afford it”

(Note to self: Send Jarrad some swag.)

SSO, in addition to letting a workforce sign into various work systems with a single set of credentials, has other uses, including certain HR-related tasks:

  • Monitoring access and, by virtue of knowing who’s logging into what, seeing who’s really coming into the office and who’s merely pretending to do so
  • Easily hitting the “off” button for an employee when necessary

Jarrad then went into the different types of SSO, starting with cookie sharing. It’s typically used with internally developed applications, such as home-grown HR and payroll applications at less mature organizations that haven’t graduated to SaaS applications, and only works if those applications share a common parent domain (that is, if they live on a URL of the form *.your-domain-here.your-tld-here). He recommends against it, as it’s pretty much broken.

He then talked about SAML — Security Assertion Markup Language — an open-standard, XML-based framework for authentication and authorization between two entities without a password.

Want to know more about OAuth? Check out my teammate Matt Raible’s article, What the Heck is OAuth?

Most of his talk was focused on the standard that also happens to be my livelihood: OAuth or Open Authorization, the open standard for access delegation, which is often used to grant websites or applications access to user information without giving them their login credentials.

He also quickly mentioned Kerberos, which is for authenticating requests among trusted hosts on an untrusted network:

Here’s some good advice for all you pentesters. Be sure to follow it, especially that last one:

It’s not the early 2000s anymore; stop using shared cookies as SSO! All an attacker has to do is acquire a cookie, and they become a legitimate person in the organization, free to wreak havoc.

There’s a particular vulnerability that is an attacker’s dream: the host behind a *.site.tld name is deleted, but its CNAME record in the DNS isn’t. An attacker could register that subdomain and gather cookies, and eventually, lots of organization data:
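The defender’s counterpart to that scenario is a periodic audit of your own zone for records whose targets no longer resolve. Here is an added example of such a check (my own illustration, not code from the talk or from any vendor); the zone lines, the `.test` hostnames and the stand-in resolver are constructed so it runs offline, and `live_resolves` is the hypothetical hook you would pass in for a real run.

```python
import socket
from typing import Callable

Record = tuple[str, str, str]  # (name, type, target)


def parse_zone(text: str) -> list[Record]:
    """Parse minimal 'name TYPE target' lines; comments (;) and blanks ignored.

    Only the first three fields are used, so TTL-less exports and the
    constructed sample below both parse. Trailing dots are normalized away.
    """
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, target = line.split()[:3]
        records.append((name.rstrip("."), rtype.upper(), target.rstrip(".")))
    return records


def find_dangling_cnames(records: list[Record],
                         resolves: Callable[[str], bool]) -> list[tuple[str, str]]:
    """Return (name, target) for every CNAME whose target no longer resolves.

    A record in this list is the 'deleted host, lingering record' condition:
    the name still exists in the zone, so cookies scoped to the parent domain
    would still be sent to whoever ends up answering for the target.
    """
    return [(name, target) for name, rtype, target in records
            if rtype == "CNAME" and not resolves(target)]


def live_resolves(host: str) -> bool:
    """Real resolver for production use (hypothetical hook; not used by the test)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


# Constructed sample zone export; .test is a reserved TLD, so nothing here is real.
SAMPLE_ZONE = """\
; constructed sample zone, not a real organisation's DNS
www.example.test.      CNAME  example-prod.hosting.test.
blog.example.test.     CNAME  old-blog-bucket.storage.test.   ; bucket was deleted
api.example.test.      A      192.0.2.10
"""

# Constructed stand-in for DNS: only this target still "exists".
KNOWN_HOSTS = {"example-prod.hosting.test"}


def fake_resolves(host: str) -> bool:
    return host in KNOWN_HOSTS


def audit(zone_text: str = SAMPLE_ZONE,
          resolves: Callable[[str], bool] = fake_resolves) -> list[tuple[str, str]]:
    """Run the audit; swap in live_resolves and a real export for production."""
    return find_dangling_cnames(parse_zone(zone_text), resolves)


if __name__ == "__main__":
    for name, target in audit():
        print(f"dangling: {name} -> {target}")  # prints the blog.example.test record
```

Flagged names should be removed from the zone (or re-pointed) before anything else is done with them.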

When it comes to OAuth, you’re looking for implementation vulnerabilities, in either the client application, or the OAuth service.

In the OAuth flow, only the IdP (identity provider) holds the user credentials, which are contained in the ID token. As an attacker, you want to somehow steal the ID token, which you can then use to request the access token, which is the key to the resources you want to get your paws on.

Because of its delegated nature, OAuth relies on open redirects. A poorly-built or -configured OAuth service that fails to use a list of allowed redirect URIs could be exploited, but that’s the sort of thing that Auth0 doesn’t allow.

As far as CSRF (cross-site request forgery) attacks are concerned, they can be mitigated with OAuth 2.0’s state parameter. For each authentication request, set it to a hard-to-guess value, and check that the value in the response matches the one you sent with the request.
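The two checks from the preceding paragraphs, an exact-match redirect URI allow-list on the authorization-server side and the state round-trip on the client side, as an added example of my own (not code from the talk, Okta or Auth0). It assumes a dict-like server session and a single constructed registered redirect URI; web clients only, so native-app loopback URIs are not handled.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed: the one redirect URI this client registered with the OAuth service.
REGISTERED_REDIRECT_URIS = ["https://app.example/callback"]


def redirect_uri_allowed(requested: str,
                         registered: list[str] = REGISTERED_REDIRECT_URIS) -> bool:
    """Authorization-server side: exact string match against registered URIs.

    Prefix or substring matching is the classic implementation bug; it would
    accept https://app.example/callback.attacker.example. We also refuse
    non-HTTPS URIs and any URI carrying a fragment, which RFC 6749 forbids.
    """
    parsed = urlparse(requested)
    if parsed.scheme != "https" or parsed.fragment:
        return False
    return any(hmac.compare_digest(requested.encode(), r.encode())
               for r in registered)


def begin_login(session: dict) -> str:
    """Client side: mint an unguessable state, store it in the session, return it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def callback_is_valid(session: dict, callback_url: str) -> bool:
    """Client side: the state in the callback must equal what this session sent.

    The stored value is popped first, so the same callback replayed a second
    time fails, and a callback arriving in a session that never started a
    login fails too. Comparison is constant-time.
    """
    expected = session.pop("oauth_state", None)
    received = parse_qs(urlparse(callback_url).query).get("state", [None])[0]
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    session: dict = {}
    state = begin_login(session)
    print(redirect_uri_allowed("https://app.example/callback"))                   # True
    print(redirect_uri_allowed("https://app.example/callback.attacker.example"))  # False
    print(callback_is_valid(session, f"https://app.example/callback?code=c&state={state}"))  # True
```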

And of course, there’s always checking for bad implementations of the standard:

Here’s another meme I’m going to share on the Okta Slack:

And finally, there’s SAML. As the mobile specialist for Auth0, I never touch the stuff:

But if you’re doing pentesting on a SAML-based setup, you’ll want to use SAML Raider, which adds SAML-specific functions to Burp Suite:

Last presentations of the day

I caught a bit of Dan Fernandez’ presentation, The Boring Parts of AI: Risks and Governance of Large Language Models — you can find the slides here.

…and a sliver of Cochise’s How to Wage War and Bypass Congress: a Primer on Gray Zone Warfare preso, because it’s always fun to see him go off on a rant.

Thank you, BSides St. Pete!

To Wilson Bautista and the BSides St. Pete team, my thanks for a great event for the cybersecurity community to share knowledge and gather together!

(And happy birthday, Wilson!)

Categories
Conferences What I’m Up To

I’ll be at the Oktane conference in San Francisco (Oct 3 – 5)!

Moscone Center, San Francisco.
Photo by Miguel Gonzalez.
Yup, I work at Okta, where I hold the title of Senior Developer Advocate.

If you’re thinking “Hey! I thought you worked at Auth0!”, that’s because Okta acquired Auth0 in May 2021. I work in the part of Okta that makes the Auth0 product.

My third anniversary at this job is coming soon — October 19th. For those interested in the story of how I landed this gig, see my article from October 2020: How I landed my job at Auth0.

I’ll be in San Francisco’s Moscone Center West at Oktane, which runs from Tuesday, October 3 through Thursday, October 5, and I’ll help run a developer booth on Developer Day, which happens on the Thursday. If you’re planning on attending, let me know — I’d love to catch up!

What is Oktane?

Oktane is Okta’s big annual conference, where the subject matter is all things related to digital identity.

If you’re a reader of this blog, there’s a good chance that you use at least one of Okta’s two major systems:

  • The workforce identity solution, which most people refer to as just “Okta,” to log into the various systems you use for work.
  • The customer identity solution, which goes under the brand name “Auth0 by Okta” (or “Auth0” for short), to log into applications as a customer user.

I’ll be there to help demonstrate multifactor authentication with a YubiKey, which you can keep if you try out the process…

A Yubikey.

…and I’ll also be helping out with the demo where you can try out the Auth0 CLI, which lets you do just about everything you can do on the Auth0 administrative dashboard, but on the command line:

Terminal window displaying the command “auth0 test login”.

And of course, I’ll have you-know-what with me…

Joey deVilla playing his blue accordion with an “Auth0” sticker on it.

Can you attend Oktane?

The Developer Hub at Oktane.

Yes, you can, and there are a couple of ways to attend…

If you’re a developer, you’ll probably get the most bang for your buck with the Developer Pass, which sells for a mere US$199. The Developer Pass gives you access to:

  • Keynote and luminary speakers presentations
  • Expo hall
  • The Developer Day event (see below)
  • Oktane online sessions

If you want the full in-person experience, you’ll want the Full Conference Pass, which sells for US$699 and gives you access to:

  • Keynote and luminary speakers presentations
  • Expo hall
  • In-person breakout sessions
  • Hands-on workshops
  • The Wednesday night party
  • The Developer Day event (see below)
  • Oktane online sessions

And finally, there’s the FREE option — the Oktane Online Pass, which gives you online access to:

  • Keynote and luminary speakers presentations
  • Oktane online sessions

To get any of these passes, visit the registration page.

Categories
Conferences Programming Tampa Bay What I’m Up To

DevOpsDays Tampa Bay 2023: Thursday, September 21!

DevOpsDays Tampa Bay logo laid over an aerial photo of a beach.

DevOpsDays Tampa Bay, our local edition of the DevOpsDays conferences, takes place next Thursday, September 21st, at Armature Works! Tickets are $150, and there are deals for students. Register before it’s too late!

DevOpsDays is the name given to a series of community-run technical conferences covering topics where software development (the “dev” part) and IT infrastructure operations (the “ops” part) intersect. A DevOpsDays conference isn’t a commercial affair; instead, it’s a labor of love made possible by volunteers from the community, for the benefit of the community. This makes for a friendly “community” feel, which I love in a conference.

Nora Jones keynote!

Nora Jones giving a presentation onstage. Behind her is a wall-size projection of one of her slides illustrating a unit test.

Nora’s name is often mentioned in the same breath as the phrase “chaos engineering,” which is “the process of testing a distributed computing system to ensure that it can withstand unexpected disruptions.” Or, to put it more succinctly, “f*** around and find out.”

She started doing chaos engineering as a team lead and senior developer at Jet.com (it’s since been acquired by Walmart), continued doing it at Netflix, and at Slack, she held the title of Head of Chaos Engineering and Human Factors. She’s also the co-author of the O’Reilly book Chaos Engineering: System Resiliency in Practice. These days, she’s at Jeli, where she’s the founder and CEO.

DevOpsDays Tampa Bay will start with her keynote, How do we talk to each other?, which will run from 9:00 – 10:00 a.m.

Here’s the abstract:

How surfacing communication patterns in organizations can help you understand and improve your resilience.

As a system increases in inevitable complexity, it becomes impossible for a single operator to have a clear, unambiguous understanding of what’s happening in the system. Understanding the system requires a joint effort between teammates and technology. Often, we are too focused on the single-operator experience to improve this. In this talk, we will uncover how communication patterns in organizations can reveal how systems actually work in practice, vs how we think they work in theory — and use this knowledge to improve the resilience of our systems.

Talks

Here are the conference talks, which will run from shortly after 10:00 a.m. to 2:45 p.m.

  • Realigning DevOps: Customers and Learning First, with Kishore Jalleda
  • The Startup DevOps Playbook – Making It A Success From Day One, with Aman Sharma
  • Building Resilience: A Journey of Crafting and Validating Our Disaster Recovery Plan, with Yedidya Schwartz
  • The Power of DevOps in the Real World, with Randy Pagels
  • Simplifying Cloud Native Chaos Engineering: A Deep Dive into Chaos Mesh, with Soumyadip Chowdhury
  • Best Practices for Securing CI/CD Pipelines, with Lizz Parody
  • The OpenTelemetry Hero’s Journey: Working with Open Source Observability, with Josh Lee

Open Spaces

DevOpsDays Tampa Bay is just one of the events in the Tampa Bay tech scene’s September to Remember!

From 2:45 to 4:30 p.m., there will be Open Spaces, which are unscripted and spontaneous breakout sessions on any DevOps topic. Who determines what the topics are? You do!

DevOpsDays Tampa Bay’s Open Spaces will follow the Open Space principles, which are simple yet powerful guidelines:

  • Whoever comes are the right people.
  • Whatever happens is the only thing that could have.
  • Whenever it starts is the right time.
  • Whenever it’s over, it’s over.
  • Wherever it happens is the right place.

Armature Works!

And finally, there’s the venue itself: Armature Works, Tampa’s food hall, and my favorite local conference venue. It’s a great space to hold an event, and the food and drink there make conferences so much better. I know I’m going to get a Buddy Brew Coffee and a Bake’N Babes cookie while I’m there.

How do you find out more / get a ticket?

Head over to the DevOpsDays Tampa Bay site to find out more, and to get a ticket, visit their “purchase a ticket” page.

Categories
Conferences Security Tampa Bay What I’m Up To

BSides St. Pete IT Security Conference: Saturday, September 16!

This year’s edition of BSides St. Pete — the second BSides event to be held there — happens this Saturday, September 16 at St. Pete College, Seminole Campus, and you can still buy one of the 98 remaining (at the time of writing) “no swag” tickets if you register now! They’re a mere $20.

Want a “feel” for what a BSides event is like? Check out my writeup of BSides Tampa from April!

BSides gets its name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content. In 2009, when the Black Hat conference in Las Vegas received way more presentation submissions than they could take on, the rejected presenters (who still had very good presentations; there just wasn’t enough capacity for them) banded together and made their own “b-side” conference that ran in parallel with Black Hat. From that event came BSides.

BSides conferences are community events, and unlike a lot of tech conferences, they’re inexpensive. As I wrote earlier, the remaining “no swag” tickets — which unfortunately don’t come with swag but still get you in the door — sell for a mere $20.

BSides Tampa took place back in April, and it was a great event — you can check out my writeup to get a feel for it.

BSides St. Pete is just one of the events in the Tampa Bay tech scene’s September to Remember!

I’ve already got my ticket for BSides St. Pete, and if you’re interested in diving deeper into security, you should too!

Register for BSides St. Pete 2023 here!

Categories
Artificial Intelligence Presentations Tampa Bay What I’m Up To

Slides from “Centaurs vs. Minotaurs,” my presentation at SocialCode x Tampa

Thanks to everyone who came to The SocialCode x Tampa: Embracing the AI Evolution event last Thursday (September 7, 2023) for an evening of presentations and discussion about AI! As promised, here’s a link to the slides for my presentation, Centaurs vs. Minotaurs:

Categories
Programming What I’m Up To

Happy whyday!

Today, August 19th, is “whyday.” It’s been a while since anybody’s made a fuss about this day (as far as I know), but I still think it’s a day worth celebrating, even in little ways. I’m performing a couple of whyday rituals today, and perhaps after reading this, you will too.

It’s called “whyday” after the programmer / artist / author / musician who went by the name “why the lucky stiff.” why the lucky stiff is a long name to keep saying (or typing) over and over, so we referred to him as why in spoken word, or _why (and yes, the leading underscore is intentional) in writing.

why’s (poignant) guide to Ruby

_why is best known for an odd little ebook titled why’s (poignant) guide to Ruby, which he published in 2004, and is quite possibly the most whimsical book about a programming language ever written — even more so than Carlton Egremont’s Mr. Bunny’s Big Cup of Java and Mr. Bunny’s Guide to ActiveX. As proof, here’s a snippet from its very first page:

In the book’s first page with text, _why explained why the word “poignant” — which means “creating a sense of regret or sadness” — is included in the title:

I’ll be straight with you. I want you to cry. To weep. To whimper sweetly. This book is a poignant guide to Ruby. That means code so beautiful that tears are shed. That means gallant tales and somber truths that have you waking up the next morning in the arms of this book. Hugging it tightly to you all the day long. If necessary, fashion a makeshift hip holster for Why’s (Poignant) Guide to Ruby, so you can always have this book’s tender companionship.

And immediately after that, he tells the story of Bigelow, an apparently abandoned dog he found on the street and adopted, which then ran away five minutes later. This story takes up five paragraphs, none of which make any mention of Ruby, or even programming.

But it was all preamble:

It wasn’t much later that I pulled my own Bigelow. I printed out a bunch of pages on Ruby. Articles found around the Web. I scanned through them on a train ride home one day. I flipped through them for five minutes and then gave up. Not impressed.

I sat, staring out the window at the world, a life-sized blender mixing graffiti and iron smelts before my eyes. This world’s too big for such a little language, I thought. Poor little thing doesn’t stand a chance. Doesn’t have legs to stand on. Doesn’t have arms to swim.

The intro was weird. It rambled and went into precisely the kinds of tangents that you weren’t supposed to put into a technical book. It was packed with comics featuring foxes lost in a large city, yelling out nonsense that — for a little while, at least — became catchphrases amongst Ruby developers:

If you were the kind of person who always wanted their tech reading to just get to the damned point, you’d find reading the poignant guide an exercise in absurdity and frustration. But if you were new to programming, it was a friendly guide that didn’t look as intimidating as your standard programming book.

The foxes would go on crazy adventures, and when they weren’t dynamiting retirement homes, they somehow managed to teach you the basics of Ruby (and even programming in general).

The “Dr. Cham” chapter featured this illustration…

…and this example of Ruby’s case statement in action:

def dr_chams_timeline( year )
  case year
  when 1894
    "Born."
  when 1895..1913
    "Childhood in Lousville, Winston Co., Mississippi."
  when 1914..1919
    "Worked at a pecan nursery; punched a Quaker."
  when 1920..1928
    "Sailed in the Brotherhood of River Wisdomming, which journeyed \
     the Mississippi River and engaged in thoughtful self-improvement, \
     where he finished 140 credit hours from their Oarniversity."
  when 1929
    "Returned to Louisville to pen a novel about time-travelling pheasant hunters."
  when 1930..1933
    "Took up a respectable career insuring pecan nurseries.  Financially stable, he \
     spent time in Brazil and New Mexico, buying up rare paper-shell pecan trees.  Just \
     as his notoriety came to a crescendo: gosh, he tried to buried himself alive."
  when 1934
    "Went back to writing his novel.  Changed the hunters to insurance tycoons and the \
     pheasants to Quakers."
  when 1935..1940
    "Took Arthur Cone, the Headmaster of the Brotherhood of River Wisdomming, as a \
     houseguest.  Together for five years, engineering and inventing."
  when 1941
    "And this is where things got interesting."
  end
end

And let’s not forget the elf with a pet ham and the cat:

For new programmers, the poignant guide was an approachable book that didn’t try to bury you with jargon. For experienced developers, it provided a refreshing take on programming concepts. If you were looking for a Ruby reference, you were reading the wrong book. But whether you’d been a programmer for 20 minutes or 20 years, it was a fascinating, engrossing read that made you think about programming differently.

If that wasn’t enough, the book came with its own soundtrack. In addition to being a programmer and illustrator, _why was also a musician with a tendency towards the “indie rock”-style, and he wrote a song for each chapter.

Thankfully, the book and soundtrack are preserved online. Go ahead and give it a look. I’ll wait for you here.

_why’s code

In addition to the poignant guide, _why also wrote a fair bit of code, some of which became de facto or even de jure Ruby standards:

  • Hpricot, an HTML parser that became the Ruby de facto standard for a while. The current de facto standard parser (at least I still think it is; it’s been a while since I’ve done anything in Ruby) is Aaron Patterson’s Nokogiri, which uses Hpricot’s syntax.
  • RedCloth, a module for using the Textile markup language in Ruby.
  • Markaby — short for “markup as Ruby” — which was a DSL to generate valid HTML using Ruby blocks and methods instead of tags.
  • Camping, a Markaby-based microframework inspired by Rails. Its code amounts to less than 4 kilobytes.
  • Hobix, a YAML-based weblog application written in Ruby.
  • MouseHole, a personal web proxy that can rewrite the web à la Greasemonkey.
  • Syck, a YAML library for C, Ruby, and several other languages. For a time, Syck was a part of Ruby’s standard libraries. It’s still available as a gem.
  • unHoly, which converted Ruby bytecode to Python bytecode, which made it possible to run your Ruby applications on the Google Application Engine.
  • bloopsaphone, a crossplatform chiptune-like synth, based on PortAudio with a Ruby frontend.

Of his creations, my favorites were the ones that were part of his mission to solve what he called “The Little Coder’s Predicament,” which is that in spite of the fact that we had better computers, software, and networks in the 2000s, the barrier to entry for programming — especially for kids — had become much higher:

In the 1980s, you could look up from your Commodore 64, hours after purchasing it, with a glossy feeling of empowerment, achieved by the pattern of notes spewing from the speaker grille in an endless loop. You were part of the movement to help machines sing! You were a programmer! The Atari 800 people had BASIC. They know what I’m talking about. And the TI-994A guys don’t need to say a word, because the TI could say it for them!

The old machines don’t compare to the desktops of today, or to the consoles of today. But, sadly, current versions of Windows have no immediately accessible programming languages. And what’s a kid going to do with Visual Basic? Build a modal dialog? Forget coding for XBox. Requires registration in the XBox Developer Program. Otherwise, you gotta crack the sucker open. GameCube? GameBoy? Playstation 2?

His solution to the Predicament was to first write Shoes, a simple toolkit for Ruby that uses web page concepts to build desktop GUI apps for macOS, Windows, and Linux:

Shoes formed the basis of Hackety Hack, an IDE combined with a tutorials system that was a lot of fun to use. Here’s a screenshot of Hackety Hack in action, being used to write a “Hello, World!” program:

Since _why was developing this tool for children, he went straight to the subject matter experts: 25 children and their parents, whom he consulted and used as testers as he worked on the project.

(And because this was a _why project, it had a manifesto. Read it; it’s good.)

Here’s the Hackety Hack site:

_why’s performances

I was at RailsConf 2006, where _why gave a multimedia extravaganza of an evening keynote presentation. It was something I’d never seen before or since at a keynote: part programming lecture, part video show, part concert complete with his band, the Thirsty Cups. You left this performance either scratching your head or wanting to take programming to strange new heights.

After the show, I had a chance to hang out in an unexpected gathering of people that included both _why and Martin Fowler, which was an amusing, enlightening, and amazing experience.

Why’s performance at RailsConf 2006 probably opened the door to my own performance during RailsConf 2007’s evening keynote with Chad Fowler on ukulele:

_why’s disappearance

As you were reading this article, you may have noticed that I have only referred to its subject as “why the lucky stiff” or “_why”.

You may have wondered — quite fittingly — why?

There’s no definitive answer, but there are some hints.

Like a lot of creatives, the person behind the “why the lucky stiff” persona is an intensely private person. _why could be the out-there guy performing songs about how Ruby’s error handling just sounded so much more capable and effective with its rescue statement versus other languages’ try and catch (“try to catch me, I’m falling!” he’d joke), but the person lurking behind the mask wanted privacy during his downtime.

_why made it a point to reveal as little about himself as possible, and most of us were happy to indulge him. Most people were happy to simply know and address him as “why”, and in the community, it was a point of etiquette to not try and dig too deeply.

Of course, even in those pre-GamerGate, pre-“shitposting”, pre-chan-ruining-lots-of-the-net times, _why’s secrecy didn’t sit well with some people, who for some reason just had to know who the person behind the _why identity was. So in 2009, they dug deep, and eventually found his name (as well as his wife’s) and publicized it.

_why may have also been a victim of Open Source Success, when a little project that you worked on in order to scratch a creative itch becomes so popular that many other projects depend on it. Suddenly, your project is no longer just a little thing you worked on, but a big thing that people expect you to maintain and upgrade. I’m reminded of a line from Byrne Hobart’s article, Working in Public and the Economics of Free, and it’s simultaneously hilarious and sad:

Running a successful open source project is just Good Will Hunting in reverse, where you start out as a respected genius and end up being a janitor who gets into fights.

As a result of the factors listed above, plus some others probably known to no one else but _why, the internet presence of Why the Lucky Stiff vanished on August 19, 2009. His sites, blogs, social media, and code repositories all vanished. I wrote about it the day after it happened.

Luckily for us, all of his work — well, the work that he’d released to the public, anyway — was open source, and with the effort of some dedicated Ruby and Rails developers, his projects were saved. Some people even took them over and expanded on them. Other projects became the basis of newer, improved projects.

Whyday

In 2010, a year after _why vanished into the night, Glenn Vanderburg declared that August 19 should be celebrated as Whyday.

Here’s what he wrote on the Whyday site:

On August 19, 2009, Why the Lucky Stiff withdrew from the online community. We in the Ruby community wish him well, but we really miss him.

Why gave us a lot of cool software and other things, but what he really gave to the Ruby community was a spirit of freedom, whimsy, and creativity. When Why took the stage at the first RailsConf, in 2006, he strapped on his guitar, walked to the microphone, and yelled “Put your best practices away!”

Discipline, care, and responsibility are important; we owe our customers, employers, team members, and families to take our work seriously. At the same time, though, we need to play. If we don’t occasionally break out of the mold of our “best practices,” we can easily miss many wonderful ideas, some of which can bear rich fruit (just as Camping and Hpricot led to Sinatra and Nokogiri).

On Whyday, we’re encouraged to borrow a page from _why’s book and be creative, instructive, collaborative, and crazy. The site suggested doing things such as:

  • See how far you can push some weird corner of Ruby (or some other language).
  • Choose a tight constraint (for example, 4 kilobytes of source code) and see what you can do with it.
  • Try that wild idea you’ve been sitting on because it’s too crazy.
  • You can work to maintain some of the software Why left us (although Why is more about creating beautiful new things than polishing old things).
  • On the other hand, Why is passionate about teaching programming to children. So improvements to Hackety Hack would be welcome.
  • Or take direct action along those lines, and teach Ruby to a child.

The Whyday site lives on, but it’s been a while since I’ve seen anyone make a fuss about Whyday.

I thought that given that we’re in the middle of a pandemic and that we’re all spending more time at home (at least I hope we are), there’s no better time than now to bring back the spirit of Whyday.

Today, on this Whyday, I’m celebrating by working on a creative project that involves a mishmash of technology, comics, and possibly music. If you can, you should start one, too! 

Recommended reading and viewing

Got eighteen and a half minutes? Then you’ll want to watch this documentary on Why the Lucky Stiff and how he inspired the Ruby developer community:

Articles on _why: