Last year’s CyberX Tampa Bay event was a big hit, and it was only natural that there’d be another one this year. Like the first one, this year’s event was packed.
The moment I walked into the venue, I saw so many people and had so many conversations that I never got the chance to take pictures until the start of the “welcome” session in the large room:
…after which we had the choice of two breakout sessions:
Chronicles of an Entry-level Cybersecurity Professional
The Wheel of Misfortune
I went to the Wheel of Misfortune, where audience members got the chance to answer cybersecurity questions for Google swag. Anyone in the audience could volunteer to come up to the front, spin the wheel of topics and answer a question based on that topic.
Hosts Jason Allen and Jonas Kelley were pretty relaxed about audience assistance. At one point, I yelled out the acronym for remebering the 7 layers of the OSI network model — “Please Do Not Take Sausage Pizza Away!” — and no one was penalized.
The room, where every seat and available spot to stand was occupied, was lively, with people enjoying themselves. The audience participation, aided by two engaging hosts, kept the room lively until the very end.
It was then time to recognize CyberX Tampa Bay’s 2023 honoree — someone nominated by attendees as being the person who made the biggest positive impact on Tampa Bay’s cybersecurity scene. This year’s honoree was Jeremy Rasmussen!
And to close the evening, there was the keynote panel on cybersecurity myths. It featured…
Photo by Kasandra Perez. Tap to view at full size.
I attended Google Developer Groups’ DevFest Tampa Bay event this past weekend, which took place in USF’s Engineering building and featured a healthy number of students in attendance.
…and they shared their leadership experiences, both good and bad. I bounced between their session and this one:
This was ArtemisNet’s session on creating a USB Rubber Ducky, a favorite toy from the hacker’s bag of tricks. It looks like an ordinary USB flash drive, but when plugged in, it sends keystroke signals to the victim’s computer, which thinks it’s an ordinary keyboard. Typically, an attacker would pre-program it to type commands to perform all sorts of security-breaching actions, such as collecting sensitive files or security information and then exfiltrating it for later analysis.
(If you thought you’d seen something like this on a TV show before, you probably did; there was one in Mr. Robot.)
Of course, you need some kind of small processing device to build a Rubber Ducky, and ArtemisNet provided them, free of charge — a Raspberry Pi Pico! Here’s mine:
Afterwards, I bounced over to the other room to see Liz Myers’ “Coffee, Code, and Tensorflow” session…
…and also caught bits of the Flutter and hackathon sessions.
And finally, my employer, Okta, was one of the event sponsors. As their representative here in “The Other Bay Area”, I’m working on getting them to sponsor more local events. Watch this space!
Are you trying to start or build a UX practice in your organization? Have you run into a brick wall when trying to get support? Are you constantly trying to “sell” UX to your executive team? Nothing speaks louder than being able to show a return on investment (ROI). In this edition from our UX Fundamentals series, Phil Doughty will show us how we can put UX into terms that make sense to the C-suite; dollars and cents.
For about an hour, Phil, a Customer Success Manager at UserTesting, led the group through his presentation showing how to speak the language of stakeholders in order to convince them of the necessity and value of UX in software and services. He was assisted by his coworker Christian Knebel (also a Customer Success Manager), who teleconferenced in from Dallas.
In the end, Phil argues, you have to account for stakeholder needs. When talking to the C-suite, that often boils down to dollars and cents. You need to convince them that good UX either…
Increases the money you make, or
Decreases the money you spend.
Phil spent a fair bit of time on Google’s HEART framework. It’s a powerful tool tailored for UX teams, empowering them to prioritize and enhance distinct facets of the user experience, while also enabling the establishment of clear objectives and user experience metrics to measure their achievements.
HEART, as the acronym suggests, is made up of five key elements, each representing a different aspect of user experience measurement:
Happiness: This element gauges user satisfaction and overall happiness with the product or service. It often involves surveys or feedback mechanisms to assess user sentiment.
Engagement: Engagement measures how actively users interact with the product. It can involve tracking metrics like the number of visits, time spent, or specific user actions within the application.
Adoption: This aspect focuses on user acquisition and the rate at which new users are embracing the product. It assesses how effectively the product is attracting and onboarding new users.
Retention: The rate at which users continue to use the product over time. It helps assess whether the product is successful in retaining its user base and preventing churn.
Task Success: A measure of how efficiently users can complete specific tasks within the product. You can measure this by tracking success rates, error rates, or task completion times to identify usability issues.
HEART’s five elements collectively provide a comprehensive framework for evaluating and improving the user experience of a digital product or service. You can apply them to a single feature in your software or service — or ideally, to the whole thing.
If there was one slide that everyone should have taken a picture of, it’s the one above — Metrics vs. KPIs. This makes it clear:
A metric is a qualitative measurement of how your product, service, and experience, and specific initiatives are performing.
A KPI — short for key performance indicator — is a kind of metric that measures critical, organization-wide business outcomes that reflect that oragnization’s goals and vision, typically from a financial perspective.
For example, an ecommerce site’s conversion rate — the percentage of website visitors who take a specific action, such as making a purchase — would be a metric, but it wouldn’t be a KPI.
However, that site’s monthly revenue growth — the increase in revenue from one month to the next — is a metric that also qualifies as a KPI. It’s a KPI because it reflects the site’s core business objective: to increase revenue over time.
Typically, a free meetup will get half the people who registered to actually show up, but this one was different — we had a packed room, and it appeared that at least two thirds of the registrants were there! It looks like the result of interesting presentations and an involved, active tech scene.
The Tampa Bay User Experience group has these upcoming events:
Pictured above is the back of the packaging for Samcorn’s 9H tempered glass screen protector for smartphones. I chuckled at the “Protection of God” sticker that seals the box — these screen protectors are good, but they’re not that good.
Tap to view at full size.
Of more interest to me is what they’re protecting: a Google Pixel 7 phone with 128GB storage, pictured above. It’s not the newest Pixel anymore, but its specs are pretty good (its benchmark scores are 813,114 for AnTuTu v9: 813114, 3288 for GeekBench v5.1, and 59fps for GFXBench). I picked up a refurbished model for a little over $300. If you can find one at this price, it’s one of the best “bangs for the buck” in smartphones right now.
I’ve got a whole lot of mobile development articles coming up — for both here and the Auth0 Developer Blog — and having a nice Android unit will come in handy.
In this article, you’ll find my photos and notes from that event.
Neon and the Secret Garden
Back around the time of the dot-com bubble, I was working in a Toronto consultancy made up of me and my friend Adam. We often worked at home, but when we were feeling stir-crazy, we took our laptops to a couple of local cafés and worked from there.
Since then, I’ve kept my eye out for my dream working café. There’s a pretty nice one in my neck of the woods — The Corner Club — and I take meetings and work from there every now and again.
But I have to admit it: Neon — the venue for the meetup — is my dream café / coworking space. It has more open places to hang out up front of the building, quieter working stalls in the back, and behind the building is the Secret Garden, an outdoor patio space. That’s where they served the food for the meetup: a combo of steak and veggie burritos, along with chips, guac and salsa.
The meetup was free, but also marked as “sold out” with a “join waitlist” button. That didn’t deter me because I knew the Great Unwritten Truth of Free Events:
Half the people who register for a free event never actually show up.
As I expected, no one was at the door to check attendees against a registration list. Besides, I had the accordion with me, and the “I’m with the entertainment” line often works.
The crowd at this meetup were pretty hardcore. I’d say about half of them either worked in an AI-related position at a more established company or at a scrappy AI startup, while the other half worked at a tech company and had an interest in AI. I suppose I fall into the latter category.
I struck up a conversation with someone who specialized in virtual memory who wanted to work on some memory virtualization techniques for use in large AI systems. We then walked out the back entrance to Neon’s “Secret Garden…”
…where they were serving food. I got into a conversation with someone who worked at Stability.ai, where we were joined by someone who wanted to make the leap from marketing to development.
When the Stability.ai developer was momentarily pulled away from the conversation, the marketer whispered “That name — Stability.ai — that’s familiar. What do they do?”
“Stable Diffusion,” I whispered back, and that was a name the marketer recognized. “Come to think of it, I don’t recognize any of this meetup’s speaker’s companies.”
Presentation 1: Build bulletproof generative AI applications with Weaviate and LLMs
This was the abstract for this presentation:
Building AI applications for production is challenging, your users don’t like to wait, and delivering the right results in milliseconds instead of seconds will win their hearts. We’ll show you how to build caching, fact-checking, and RAG: Retrieval Augmented Generation pipelines with real-world examples, live demos, and ready-to-run GitHub projects using Weaviate, your favorite open-source vector database.
Philip Vollet, Head of Developer Growth at Weaviate, gave this presentation. Weaviate makes a vector database, where the data is stored as vectors — think of them as really long tuples — a format that’s particularly useful for AI purposes.
I’m going to spend some time this weekend going through my hastily-scribbled notes and comparing them to my full-resolution versions of my photos of the presentations to see what I can glean from them.
I’ve included my photos here so that you can get a feel for what was shown at the event, and hey — you might find them useful.
Presentation 2: Customizing LLM Applications with Haystack
Here’s the abstract for the presentation:
Every LLM application comes with a unique set of requirements, use cases and restrictions. Let’s see how we can make use of open-source tools and frameworks to design around our custom needs.
The second presentation was by Tuana Celik, Developer Advocate at deepset, who make Haystack, a natural language processing (NLP) framework, and a cloud-based SaaS framework for machine learning and NLP.
Presentation 3: Context Matters: Boosting LLM Accuracy with Unstructured.io Metadata
This was the abstract for this presentation:
Retrieval Augmented Generations (RAGs), limited by plain text representation and token size restrictions, often struggle to capture specific, factual information from reliable source documents. Discover how to use metadata and vector search to enhance the ability of LLMs to accurately retrieve specific knowledge and facts from a vast array of documents.
The final presenter was Ronny Hoesada, Developer Relations Engineer at Unstructured, who make a product that converts unstructured enterprise data into formats that can be fed into vector databases and large language models.
Aftermath and observations
Observation #1: RAG is a hot topic in this crowd. The big topic of the evening and a common thread through all three presentations was RAG — retrieval-augmented generation. This is a process that enhances the results produced by large language models by retrieving additional facts or information from an external knowledge source. If you’ve ever added to a discussion by looking something up on your phone, you’ve performed a simple version of RAG.
Observation #2: Many SF tech meetups start later than Tampa Bay ones. I arrived in San Francisco Monday morning, and spent most of the day in my hotel room working on this article for Okta’s main blog and this article for the Auth0 by Okta developer blog. That process took the better part of the day, and by the time I’d finished the final edits at 6:30 p.m., I thought it would be too late to go to a meetup — but I was wrong. When I perused Meetup.com, it turned out that lot of in-person meetups in the San Francisco Bay area start at 7:00 p.m., including this one. I’ve been to Tampa Bay meetups that wrap up at that time!
Observation #3: Some attendees came a long way to catch this meetup, and many of them didn’t have a car. If you check the discussion on the Meetup page for this event, you’ll see it’s all about getting rides to the venue:
After the event, people were asking around to see if anyone could drop them off at places southward on the 101 or 280: San Mateo, San Carlos, Palo Alto, Mountain View, Woodside, or Cupertino.
Observation #4: People were seriously ready to work the room. More than half the attendees stuck around when the presentations ended. Some stayed for the beer, some stayed to mingle or hustle for their next job, and some stayed specifically to talk to the presenters.
I showed up wearing my travel clothes (see the photo above, taken at TPA earlier that morning), which were a sport jacket, dress shirt, jeans, and dress shoes, and as a result, a number of people at the event approached me and asked what company I was starting up. They saw chatty guy in a blazer and the neural networks in their heads pattern-matched it as founder.
Jared from Silicon Valley, patron saint of the Patagonia fleece vest.
I had conversations with founders or people who reported directly to a founder earlier that evening, so I did some introductions. They were easy to spot — it was a chilly night (10° C / 50° F) and a good breeze was coming in from the Bay, and they’d showed up in fleece vests, as is the custom there.
Observation #5: A lot of people here really know their stuff. The conversational topics were pretty hardcore, from discussions of cosine similarity and the finer points of tokenization (with a sidebar conversation about handling out-of-vocabulary cases) to how much of Hugging Face’s ever-growing set of models people have tried. “I’m a dabbler,” I admitted, “no more than a handful — a couple of the conversational ones, and a text-to-image and text-to-audio model.”
I also got deep into a chat about the Mojo programming language, during which I glibly introduced myself to someone as “Markov Cheney,” and to my complete lack of surprise, they got the joke.
I’m still mulling over my experience at this meetup and thinking about some meetup organization and presentation tricks to borrow.
Need to skill up? Computer Coach has bootcamps, courses, and training for IT and business pros. I’ve taught Python and JavaScript courses for them.
As promised, here are my notes from my recent presentation at the Computer Coach-hosted session, Becoming an Empowered AI Worker, which took place on Tuesday, October 10, 2023.
Want to learn how to make the most of your work and career? Follow Computer Coach’s events via the Career Success Academy meetup group.
Intro: The reason the recent AI wave feels so overwhelming
It’s only natural to feel overwhelmed with the pace of AI development and what feels like a daily deluge of new AI applications and improvements to existing ones. That’s because we’re not naturally wired for this rate of change. Case in point: Ancient Egypt.
As you already know, the modern era is quite different from Old Egypt. Consider this (incredibly simplified) timeline showing the history of computing:
The Turing Machine: Creating by Alan Turing, this is a hypothetical machine that can describe any working algorithm. Every program, from “Hello World” to ChatGPT, can be expressed as a form of Turing Machine.
The von Neumann Architecture: Conceived by John von Neumann, this is the general organizing principle for computers — even today’s machines.
1950s – 60s: This period gave us the first digital computers as well as the first programming languages — COBOL, FORTRAN, ALGOL, BASIC, PL/1, as well as the three whose influence lives on in today’s programming languages: Lisp (functional programming), Algol (structured programming), and Simula (object-oriented programming).
1970s – 80s: An interesting era where computers went in two different directions. We got Cray supercomputers (they were supercomputers at the time, but a 2011-era iPad can keep up with them) and personal computers.
1990s – 2000s: The internet as we know it (it’s been around since 1969 in the form of ARPANET), smartphones starting with the BlackBerry and followed later by iPhone and Android, publicly-accissible GPS, wifi, and all the goodies that we can’t live without today.
Remember, computing — even as a theory — isn’t even 100 years old yet!
Remember that ChatGPT hasn’t even been out a year yet! It debuted on November 30, 2022, and since then, OpenAI have been working hard at improving and enhancing it, and their rivals have been racing to keep up with them.
Not only was it quite well-attended for a Monday meetup (at least 60 people), but the attendance came from all over the San Francisco Bay Area:
I’m going to post a fuller writeup of this meetup in a later article. Watch this space!
The meetup had three technical presentations, all of which centered around RAG — retrieval-augmented generation. This is a process that enhances the results produced by large language models by retrieving additional facts or information from an external knowledge source. If you’ve ever added to a discussion by looking something up on your phone, you’ve performed a simple version of RAG.
After this introductory bit (which gave an opportunity for latecomers to join the Zom chat), I got to the main topic — using AI in your day-to-day work.
How to be more effective at work with the help of an LLM
Summarizing
If your job is in a “knowledge work” field, chances are you’ll end up doing a lot of reading. This will be doubly true if you’re working in a field where a lot of reading material is the norm, or if you have a manager who likes to stick you with the tedious work they’d rather not do.
In cases like this, you’ll find LLMs’ ability to summarize text very handy. Consider a recent Wired article, New York’s Airbnb Ban Is Descending Into Pure Chaos. I copied the text of the article and pasted it into ChatGPT Plus (but using GPT 3.5) following this prompt:
Summarize this article:
[I pasted the article text here]
ChatGPT turned it from a 15-paragraph article into a 6-paragraph summary. That’s useful, but I went further with this prompt:
Could you summarize that article in a single sentence?
Here’s how ChatGPT responded:
New York City's crackdown on short-term rentals, particularly on Airbnb, has led to a surge in illegal listings on social media and lesser-known platforms, resulting in a rental black market, as the city's short-term rental landscape undergoes significant changes.
One of the attendees asked if I could get ChatGPT to provide the top three points of the article. I said this was a good idea, and that in the spirit of experimentation, we should try it. I used this prompt:
Give me the top 3 points from the article.
ChatGPT’s response:
1. New York City's ban on most short-term Airbnb rentals has led to a significant drop in listings on the platform, with many properties going unregistered, resulting in a rental black market.
2. The crackdown has reshaped the vacation rental market in the city, with people turning to alternative platforms like Craigslist, Facebook, and Houfy to evade regulations, potentially posing risks to both guests and hosts.
3. Airbnb is shifting its focus away from New York, once its largest market, and exploring other opportunities such as longer rentals, car rentals, and dining pop-ups, while the city grapples with the consequences of the short-term rental ban.
Someone asked if ChatGPT could translate those points into Spanish, so I entered this prompt:
Can you translate that into Spanish?
Here’s how ChatGPT responded:
1. La prohibición en la ciudad de Nueva York de la mayoría de las propiedades de alquiler a corto plazo en Airbnb ha resultado en una disminución significativa de las ofertas en la plataforma, con muchas propiedades sin registrarse, lo que ha dado lugar a un mercado negro de alquileres.
2. La represión ha transformado el mercado de alquileres vacacionales en la ciudad, con las personas recurriendo a plataformas alternativas como Craigslist, Facebook y Houfy para evadir regulaciones, lo que potencialmente plantea riesgos tanto para los huéspedes como para los anfitriones.
3. Airbnb está desviando su atención de Nueva York, una vez su mercado más grande, y explorando otras oportunidades como alquileres más largos, alquiler de automóviles y restaurantes emergentes, mientras la ciudad lidia con las consecuencias de la prohibición de alquileres a corto plazo.
Keep in mind that machine translation, even in this new age of AI, should be taken with a grain of salt. The Spanish speakers in the audience said “not bad.”
Seed words and phrases
I didn’t have time to cover the concept of seeding ChatGPT, so this is bonus material!
You can direct ChatGPT’s answers by providing key words, phrases, or concepts to focus on in your prompt. These words and phrases are called seed words and seed phrases and you can use them to get ChatGPT output that better fits your needs.
For example, here’s a prompt that gets ChatGPT to provide a short summary of the article around the word “rent:”
Summarize the article in a way that is related to the seed word "rent".
Here’s how it responded:
The article highlights the evolving landscape of short-term rentals in New York City, where strict regulations have led to a surge in unregistered rentals, creating a rental black market and reshaping the vacation rental market. Airbnb, once a dominant player, is now shifting its attention away from the city, affecting the rental dynamics.
Let’s try getting a summary from a different angle — the legal perspective — and with slightly different prompt phrasing:
Summarize the article in a way that is related to the law.
ChatGPT’s reply:
The article discusses the consequences of a new law in New York City that heavily regulates short-term rentals, leading to a significant reduction in Airbnb listings. Many unregistered rentals have emerged, creating a rental black market. The article also mentions efforts by smaller landlords to change the law to allow them to legally rent out their units and how Airbnb is shifting its focus in response to the new regulations.
Note the differences, subtle as they are, between the summaries.
By using seed words and phrases, you can get ChatGPT to focus on a specific topic or emphasize a specific point. If you’re writing a memo to convince a manager to take a certain action, or sales or marketing copy, you’ll find seed words and phrases very useful.
Text classification
This is one trick that comes in handy when dealing with lots of text documents: making it classify them into different categories. I provided a simple example where I took three Amazon reviews — one for a car jump starter, one for an aloha shirt (a.k.a. Hawaiian shirt), and one for a wireless router — and then had ChatGPT put them into one of three categories:
Electronics
Home and garden
Clothing
Here’s what I provided to ChatGPT:
Perform text classification on the following reviews and classify them into different categories such as “electronics”, “home and garden”, and “clothing”:
Reviews
Review 1:
5.0 out of 5 stars Awesome little jump started!
Reviewed in the United States on August 5, 2023
Color: 4000AVerified Purchase
I have an old Generac generator that we use when we have power failures or other things happen and try to remember to start it every month or two to keep the gas clean and make sure everything is going well. The last few times, it is really slow to start and pulling the thing to start is a nightmare since it is so big! Instead of replacing the battery pack, I decided to spring for this for just a little more. The generator has the connections to jump start right near the push button, so it is a breeze to hook up and it cranks way better than the battery pack that I bought a couple of years ago ever did!
I am looking forward to having this to be able to jump all of my devices that have starters as well as for backup power in case we need it. It seems to have great safety features, after cranking for a while (since I turned the choke the wrong way) it shut off the start ability for just a second. I let off the button on the generator and the pack reset itself and was ready to crank again in about a second and a half.
I love that it has a case that is big enough to keep all the parts in, I have a habit of collecting random cords in boxes, so my life is miserable when I need to find stuff sometimes.
I hope it holds up to use and storage, just remember to charge it as soon as you get it, it showed four out of four bars, but when I plugged it it, it charged for a couple of hours while blinking the last light.
I hesitated to buy this, thinking I wasn't sure of the technology or if it would have the power of a regular generator battery but it has won me over in a big way!
Edit: I was using it to charge something a few weeks ago and it completely locked up. I let it sit for a few hours and it still didn't work on either the USB ports or the battery terminals. The terminals would start but would click and act like there was a short circuit within a few seconds, only allowing use for a very short time. I contacted the seller, they got right back to me, but I had left for a trip. When I got back home, I tried it and it worked perfectly. Apparently, it needed a bit more time to reset! I appreciate the quick response from the seller and I have now used it to charge a camera, a phone (multiple times) and jumpstart a truck without any hiccups at all. I still think it is a great product - just the right size and weight to be in my truck all the time. I don't have any hesitation recommending this for anyone since I know the seller backs it up with fast support response and stands behind their products.
Review 2:
A Stylish and Comfortable Hawaiian Shirt for Any Occasion
Reviewed in the United States on September 4, 2023
Color: CoffeeSize: MediumVerified Purchase
I recently purchased the VATPAVE Men's Casual Hawaiian Shirt in Coffee, and this marks my second time buying this shirt. It's safe to say that this shirt has become a staple in my wardrobe, and here's why:
Fit and Sizing (4/5): I initially bought this shirt in a Large, but after some weight loss, I opted for a Medium this time. It's worth noting that this brand tends to run a bit large, which suits my style perfectly. I prefer wearing it untucked, and the size works well for that relaxed look. However, if you plan to wear it as a dress shirt or with a blazer, you might consider sizing down, though it's not a dramatic difference.
Versatile Style (5/5): I've found this shirt to be incredibly versatile. It's my go-to choice for all casual occasions, whether it's a weekend outing or a dress-down Friday at work. The Coffee color is a rare find in casual shirts, and the tropical floral pattern is simply captivating. It adds a touch of uniqueness to your outfit.
Review 3:
4.0 out of 5 stars Latest Firmware fixed my issues
Reviewed in the United States on June 22, 2023
Style: AX3000, WiFi 6 RouterVerified Purchase
I waited for the latest firmware update to write this review. After the June 2023 update, this router has been rock solid with 20+ clients and a TP-Link extender. Updates are automatic. Just make sure it is turned on in the settings. I explain my initial issues at the end of the review.
The first thing I like is that you can do everything you need with any web browser. You do not have to sign up for any TP-Link account unless you use the available app or want remote features like parental controls and additional security and analytic features which makes perfect sense.
You can easily set up a mesh network with extenders. Mesh is brain dead easy with a TP-Link extender. Just turn it on in the settings and you have a mesh network.
This router can make 3 separate networks with both 2.5GHz and 5GHz. The main wireless network, and an isolated guest network, and an IoT network to keep your light bulbs and guests from infecting your computers. It supports Alexa and Google assistant. Support for VPN clients and servers. Also support for Dynamic DNS. It has an SPI firewall, NAT forwarding, and access controls all without signing up for an account. Don’t worry if all that is confusing. If you don’t know what they are then you don’t need them, except for the firewall which is on by default. Another feature I like is the ability to name all the devices in the connected clients list. For example, you may see a device named “Ring-49825”. You can name it “Driveway-Camera” or rename other devices like your thermostat, mobile phones, or whatever is connected to your network with some strange identifier.
I gave only 4 stars because of the issues I had with the firmware released at the time of my purchase. After about 24 hours the CPU would be at 100% and the router would eventually lock up and lose the internet connection. It could not be logged into and would have to be powered down and restarted. I set the router to restart every morning at 2am until these issues were resolved with the latest firmware installed.
Here’s how ChatGPT responded:
Review 1: Electronics - This review discusses the performance and features of a jump starter for a generator, indicating its usage for powering devices and jump-starting vehicles.
Review 2: Clothing - This review talks about a Hawaiian shirt's fit, sizing, and style, highlighting its versatility and use in various casual occasions.
Review 3: Electronics - This review focuses on the performance of a Wi-Fi router, specifically mentioning firmware updates and various technical features, indicating a discussion related to electronics and technology.
Not only did ChatGPT put the reviews in the correct categories, but it also did not put anything in the “wrong” category that I deliberately included (home and garden).
Multiple-choice questions
There are times when you want an LLM to provide an answer from a limited set of answers. Here’s a multiple-choice prompt format that does this:
Complete the following sentence by selecting one of the following options: “Float like a butterfly, sting like a...” [dog] [bee] [gasoline pump]
Here was ChatGPT’s response:
Float like a butterfly, sting like a bee.
Adversarial prompting
The term “adversarial prompt” is typically used to refer to a prompt that tricks an LLM into doing something that it’s not supposed to do…
…but it has other uses.
One way to use adversarial prompting is to have an LLM rewrite text that you give it so that the resulting text is hard to classify in a certain way. For example, here’s a prompt that asks ChatGPT to tone down the positive review of an aloha shirt from an earlier example:
Rewrite the following text in order to make it hard to classify as positive:
A Stylish and Comfortable Hawaiian Shirt for Any Occasion
Reviewed in the United States on September 4, 2023
Color: CoffeeSize: MediumVerified Purchase
I recently purchased the VATPAVE Men's Casual Hawaiian Shirt in Coffee, and this marks my second time buying this shirt. It's safe to say that this shirt has become a staple in my wardrobe, and here's why:
Fit and Sizing (4/5): I initially bought this shirt in a Large, but after some weight loss, I opted for a Medium this time. It's worth noting that this brand tends to run a bit large, which suits my style perfectly. I prefer wearing it untucked, and the size works well for that relaxed look. However, if you plan to wear it as a dress shirt or with a blazer, you might consider sizing down, though it's not a dramatic difference.
Versatile Style (5/5): I've found this shirt to be incredibly versatile. It's my go-to choice for all casual occasions, whether it's a weekend outing or a dress-down Friday at work. The Coffee color is a rare find in casual shirts, and the tropical floral pattern is simply captivating. It adds a touch of uniqueness to your outfit.
Here’s the result:
A Hawaiian shirt for various situations. Reviewed in the United States on September 4, 2023. Color: CoffeeSize: MediumVerified Purchase. I recently acquired the VATPAVE Men's Casual Hawaiian Shirt in Coffee for the second time. It's fair to say that this shirt has found a place in my wardrobe, and here's why:
Fit and Sizing (4/5): Initially, I purchased this shirt in a Large, but due to some weight loss, I went for a Medium this time. It's important to mention that this brand tends to run slightly larger, which somewhat suits my style. I prefer wearing it untucked, and the size does the job for that casual appearance. Nevertheless, if you intend to wear it as formal attire or with a blazer, you might contemplate downsizing, although the difference isn't particularly noticeable.
Versatile Style (5/5): I've discovered this shirt to be quite adaptable. It serves as my default choice for various casual events, whether it's a weekend excursion or a casual Friday at work. The Coffee color is an uncommon discovery in the realm of casual shirts, and the tropical floral pattern is somewhat interesting. It imparts a hint of individuality to your ensemble.
The resulting text still conveys the general objective information about the shirt, but the tone is less positive.
Translating audio and video content into other languages
If your line of work has you creating audio and video content and you’d like to make it available in different languages, you’ll find HeyGen handy. My favorite feature is its ability to do translations of audio and video into other languages.
First, I recorded this quick little video where I promoted a hypothetical Python course…
…and then I ran it through HeyGen to translate it into Spanish. The result was pretty good, complete with a fair clone of my “radio voice,” and it even changed my lip movements to match the Spanish words:
Résumé assistance
I was only able to quickly point people to Rezi, the AI-assisted résumé writing tool, but it’s worth checking out.
Thanks to everyone who attended, and to Computer Coach for inviting me to do this presentation!
I attended BSides St. Pete last Saturday, the second anniversary of this event, and it was nice to see that attendance had more than doubled. It’s nice to see the that the Tampa Bay cybersecurity community is active on both sides of “The Other Bay Area!”
BSides gets it name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content. In 2009, when the Black Hat conference in Las Vegas received way more presentation submissions than they could take on, the rejected presenters (who still had very could presentations; there just wasn’t enough capacity for them) banded together and made their own “b-side” conference that ran in parallel with Black Hat. From that event came BSides.
Opening keynote: Between Two Palms: A Session on Burnout
The day started at 9 with the opening keynote, which took place not only on the main stage, but between two palm plants, as promised in its title:
The keynote was a frank discussion moderated by John “Cochise” Buzin (one of my instructors at the UC Baseline cybersecurity course I took in the summer of 2020) and featured Chris Machowski (also one of the people behind the UC Baseline course) and Elvira Reyes.
While they stated quite clearly that they aren’t psychology professionals, they are very active in the cybersecurity field, and each of them knows something about burnout from personal experience.
Over their talk, they talked about what they identified as the five stages of burnout, starting with stage one, the honeymoon phase:
This stage is marked by the following:
Job satisfaction
Accepting responsibility
Sustained energy levels
Unbridled optimism
Commitment to the job
Compulsion to prove oneself
Free-flowing creativity
High productivity levels
Stage two is the onset of stress:
In this stage, you’ll experience:
CV symptoms
Inability to focus
Irritability
Reduced sleep quality
Lack of social interaction
Lower productivity
Anxiety
Avoidance of decision-making
Change in appetite
Headache
Neglect of personal needs
Fatigue
Then comes stage three — chronic stress:
Symptoms of this stage include:
Persistent tiredness
Procrastination
Resentfulness
Social withdrawal
Aggressive behavior
Apathy
Chronic exhaustion
Cynical attitude
Decreased sexual desire
Denial of problems
Feeling threatened
Feeling pressured
Alcohol/drug consumption
Next, stage 4, burnout:
Here’s what you’ll experience in this stage:
Obsession with problems
Pessimistic outlook
Physical symptoms
Self-doubt
Social isolation
Chronic headaches
Chronic GI problems
Neglect of personal needs
Escapist activities
Behavioral changes
And finally, stage 5 — habitual burnout:
And with this comes:
Chronic sadness
Chronic mental fatugue
Chronic physical fatigue
Depression
After this rather gloomy description of burnout’s stages came the things you can do to counter burnout:
They generally boil down to “take better care of yourself,” which is in agreement with what the Mayo Clinic says.
I thought their use of the iconography from the Fallout games for the topic of burnout was pretty clever.
Anonymous trooper
I passed by this fella on the way to the next session:
How to build a cybersecurity journey
I caught a bit of Ivan Marchany’s session, How to Build a Cybersecurity Journey, one of the presentations that covered how one gets into the business of cybersecurity.
Among other things, he covered building your own cybersecurity lab…
…and reminded the audience that as far as prospective employers and clients are concerned, you are your projects:
And equally important is the fact that if you don’t have some kind of online presence in this day and age, you effectively don’t exist to employers and clients:
This was a popular topic, and Ivan was playing to a standing-room-only audience:
Cyber risk management
I also caught the tail end of Dan Holland’s presentation, Complexity is the Enemy: How to start doing Cyber Risk Management. I’m pretty sure I arrived at one of the most important slides, the “risk as a product of probability and impact” slide:
I plan to share this slide on the Okta Slack’s “random” channel:
And here are the takeaways from Dan’s presentation:
A Urinal Story: Human Behavior & Security
Somehow, I managed to miss the “urinal story” part of Daniel Lopez’ and Ashwini Machlanski’s presentation on helping firm up the human element in cybersecurity. They covered key parts of managing people through the use of behavioral science and little tricks like “nudges” to get people to be more security-compliant.
This slide summarizes their key takeaways quite well:
Ashwini and Daniel handed out my favorite stickers from the conference:
My one tragic mistake
In wandering the halls and checking out what was happening in other rooms, I failed to catch Stacey Oneal’s Getting into Cybersecurity presentation, which was on my list. I owe her one — I promise I’ll catch you at your next presentation, Stacey!
Super Grouper hadn’t opened by the time I got to the trucks, so I got an Elvis Burger from 1 Up. It’s been a while since I last had a peanut butter-and-bacon burger, and I enjoyed mine. I know it sounds weird, but it’s worth trying!
Lunch keynote: Becoming a Proactive Defender
While having lunch, I caught most of Christopher Peacock’s presentation, Becoming a Proactive Defender:
I’m going to steal his line, “The best teacher is the adversary; the adversary always gets a vote.”
IAM Security and So Can You: An Intro to Identity Access Management and How to Beat It to a Pulp
I’ve been told that there was a presenter at BSides Tampa that was a bit of dick and overdid it with his bad-mouthing Okta while I wasn’t in the room, so while this talk featured a different presenter, you’d better bet your ass that I was going to be at this one.
But Jarred “Raydar” Pemberton was a lot more reasonable than the other guy. He got an intro from Cochise, who not only mentored him, but convinced him that he should give this presentation. That was a good call; in matters of cybersecurity, if Cochise suggests you do something, it’s generally a good idea to do it.
“Does SSO scare red teamers?” Jarrad asked. “Yes,” he plied to his own question, saying that it’s the kind of thing he shied away from.
Jarrad told us about what he does for a living. It’s always fascinating to see how people who use the stuff we make work with it:
Take note of that last point: in addition to the HR staff or outside HR consultants like “The Bobs,” another person that might be at your termination meeting is someone whose job is to close your work accounts.
If you’re ever unfortunate enough to be a guest at a layoff meeting, you may encounter “The Bobs” (a term from the film Office Space). Find out more about them here.
I’m actually on the Auth0 side of Okta, which provides a service for customer logins, versus the Okta side of Okta, which handles SSO (single sign-on) for the workforce. My experience with the Okta service is mostly as a user: I use it to log into systems at work:
Yup, that’s an Okta slide! Jarrad’s take on Okta:
“One that I work a lot with and do like quite a bit”
“Super easy to use”
“Simple to get brought up to speed”
“It’s what I would recommend to an org if they can afford it”
(Note to self: Send Jarrad some swag.)
SSO, in addition to letting a workforce since into various work systems with a single set of credentials, has other uses, including certain HR-related tasks:
Monitoring access and, by virtue of knowing who’s logging into what, see who’s really coming into the office and who’s merely pretending to do so
Easily hitting the “off” button for an employee when necessary
Jarrad then went into the different types of SSO, starting with cookie sharing. It’s typically used with internally-developed applications, such as home-grown HR and payroll applications at less mature organizations that haven’t graduated to SaaS application, and if those applications have a common parent domain (that is, if they live on an URL of the form *.your-domain-here.your-tld-here. He recommends against it, as it’s pretty much broken.
He then talked about SAML — Security Assertion Markup Language — an open-standard, XML-based framework for authentication and authorization between two entities without a password.
Want to know more about OAuth? Check out my teammate Matt Raible’s article, What the Heck is OAuth?
Most of his talk was focused on the standard that also happens to be my livelihood: OAuth or Open Authorization, the open standard for access delegation, which is often used to grant websites or applications access to user information without giving them their login credentials.
He also quickly mentioned Kerberos, which is for authenticating requests among trusted hosts on an untrusted network:
Here’s some good advice from all you pentesters. Be sure to follow them, especially that last one:
It’s not the early 2000s anymore; stop using shared cookies as SSO! All an attacker has to do is acquire a cookie, and they become a legitimate person in the organization, free to wreak havoc.
There’s a particular vulnerability that is an attacker’s dream, where the *.site.tld domain is deleted, but its C record in the DNS isn’t. An attacker could register that subdomain and gather cookies, and eventually, lots of organization data:
When it comes to OAuth, you’re looking for implementation vulnerabilities, in either the client application, or the OAuth service.
In the OAuth flow, only the IdP (identity provider) holds the user credentials, which are contained in the ID token. As an attacker, you want to somehow steal the ID token, which you can then use the request the access token, which is the key to the resources you want to get your paws on.
Because of its delegated nature, OAuth relies on open redirects. A poorly-built or -configured OAuth service that fails to use a list of allowed redirect URIs could be exploited, but that’s the sort of thing that Auth0 doesn’t allow.
As far as CSRF (cross-site request forgery) attacks are concerned, they can be mitigated with OAuth 2.0’s state parameter. For each authentication request, set it to a hard-to-guess value, and see if the response is the same as the one you sent with the request.
And of course, there’s always checking for bad implementations of the standard:
Here’s another meme I’m going to share on the Okta Slack:
And finally, there’s SAML. As the mobile specialist for Auth0, I never touch the stuff:
But if you’re doing pentesting on a SAML-based setup, you’ll want to use SAML Raider, which add SAML-specific functions to Burp Suite:
Last presentations of the day
I caught a bit of Dan Fernandez’ presentation, The Boring Parts of AI: Risks and Governance of Large Language Models — you can find the slides here…
…and a sliver of Cochise’s How to Wage War and Bypass Congress: a Primer on Gray Zone Warfare preso, because it’s always fun to see him go off on a rant.
Thank you, BSides St. Pete!
To Wilson Bautista and the BSides St. Pete team, my thanks for a great event for the cybersecurity community to share knowledge and gather together!
