Jay Looney

Someone in an adjacent team once told me that because leadership doesn't acknowledge pre-incident bugs that were fixed, some people resorted to storing these kind of information with them till the incident happened. Once the incident happened, they would jump in, solve the incident in record time, and then get credited with solving a S1/S2 incident. Next review cycle, they would either get promoted or get good ratings. Not saying this is ethical or good for the team/company, but the entire perf review process needs to change if companies don't want these kinds of things to happen.

So what do we do, if we're right, Mythos is a huge slop flop and after release begins to create larger problems than it solves? Meaning it starts deleting things in production as we've seen with its predecessors and now the people who hired you and wanted it are begging you to make it stop. I say we be proactive now. We will have time to gloat but that time is not now. Let's take them at their word and begin to prepare when we're not stressed. This is how I'm approaching this. Break out your playbooks. It's time to update them or create new ones. It's not how would a human phish us but rather how would an AI phish us? Use the following resources and checklists to guide you (I will update this later today), but you're going to make sure that you cover autonomous agentic AI without human-in-the-loop and with an assume (LLM) breach mindset: OWASP Top 10 for LLMs OWASP ASVS OWASP Firmware Testing Guide NIST 800-61 - Incident Response Make a list of all your crown jewel software and appliances. Find all the hardening documentation on these things immediately. Back up their configurations and make two copies. 3-2-1 rule. Examine these configs carefully. What stands out? What is unnecessary and can be turned off? You're going to use MITRE and map out your attack surface. If you don't know how to do this start learning today. For those of you using LLMs in your environment. Go find all of the LLM benchmarks, the actual tests that AI Labs run against the models. Research I posted yesterday has over 12 benchmarks mentioned in it. That information needs to be in your knowledge base today. You do not need to set up anything complicated. What you're interested in is the actual tests themselves. So Humanity's Last Exam etc. Search on Hugging Face. Run them through the clankers or point them at the repos and have them filter out just prompt injections and any command syntax for each security test. This is how they're going to attack you. Come up with a plan for these techniques. Put mitigations in place now. Within 2 weeks you should not have any default passwords anywhere. This includes your printers or multifunction devices. And there better not be Telnet open either. Anywhere. If you don't know what I call The Seven Deadly Sins of AD (the seven main attack vectors), you're going to learn them in the next two weeks. Stop rolling your eyes. THEY'RE GOING TO GET DOMAIN ADMIN IN 5 MINUTES. I don't care how many times you've done it you're going to do it again. And you're going to practice your little hearts out. Go find hacker Rasta Mouse's AD proving grounds. Download it. If it's no longer available find where it is and pay the money and do it. Look up the AD modules on HtB and THM. Download game of active directory or GOAD. You're also going to familiarize yourself with the pen testing standard from a defender standpoint and then you're going to start looking at adversary emulation plans. Find the top 10 threat actors in the world right now. Task someone with finding out how they operate. This is information that you should already have in your arsenal and should be familiarized with. If you don't know what an emulation plan is it's basically the tactics the threat actors use to hack other people and you basically try to reproduce that in your environment. Attack IQ has a ton of them. They're not the only ones. Later today we're going to have a discussion about supply chain attacks. Because we've all been having a lot of fun poking fun at others who've been recently breached but they're not going to be funny when they happen to us. We're also going to have a discussion about remote access tools and making sure that your vendors are not opening holes in your environment. In the next few weeks after preparation all of you are going to be seasoned warriors. Because if you aren't you're going to get popped. By a machine.

It's almost as if there are people alive who can refute all of this nonsense. I work with over 300 paralegals. My former law firm's paralegals all have jobs and all of our sister firms which we did work for all have the same paralegals, hundreds of them working for them, and no one has been laid off. This is in New York. The capital of the fucking world. 🙄 AI has not replaced any of them, because it can't. It doesn't know that you need a car to go through a car wash. I sincerely doubt it can draft a memorandum of understanding that will hold up in court. The last lawyer who tried to use AI in court just got spanked three weeks ago, because aside from it not being able to do anything new in the last two years it also continues to hallucinate. We Tech experts keep telling you people this but for some reason you don't believe us. You believe the people who are saying they're building something that's going to replace you. Talk about a reliable narrator! 🙄 And all of these "new releases" are just the same features you had a week ago rebranded as new. That doesn't actually make it new. I used to have a neighbor that had a trailer for a house and one day he got tired of looking at it so he went out and he got somebody to put siding all around it so that it looked like an actual house with a foundation. But at no point in time after he did this did his trailer which was underneath this siding shell, so to speak, magically become a house. It was still a trailer. That's what these new releases are.

Him: My whole programming philosophy is 'move fast and break things.' Just push the code live, let the users find the bugs, and hotfix it in production. life's too short for unit testing. long pause..... Her: Cool. Him: So, what kind of software do you write? Her: Pacemaker firmware.