List of Cybersecurity Subreddits
Includes ~30 subreddits, by Luke Stephens.
A pretty massive curated list of public penetration test reports released by consulting firms and academic security groups, by Julio Cesar Fort.
DevSecOps Series: Shifting Security Left
AWS’s Lucas Kauffman provides a nice overview of DevOps and DevSecOps, along with useful hard and soft gates at each step of the development process. These activities and their ordering are generally what I see most people recommending:
I’ve been asked a number of times about the value of getting a graduate degree and the differences between industry and academia. I’ve gotten a lot of personal and career value out of my time in grad school, so my intention in this section is not to be negative about academia, but rather to provide some context for people outside looking in. I’ll try to write a longer post about it sometime.
The Good, the Bad, and the Bye Bye: Why I Left My Tenured Academic Job
Former EURECOM professor Yanick Fratantonio left his tenured academic job to join the Malware Research Team at CISCO Talos. In this detailed post, he walks through why.
Collusion Rings Threaten the Integrity of Computer Science Research
Brown University professor Michael Littman describes how there are likely collusion rings in the computer architecture field as well as in AI and ML, in which program committee members attempt to get assigned to review papers written by their co-conspirators, and then give those papers positive reviews.
The pressure on grad students and professors to publish papers in tier-one conferences or journals is sky high, as it hugely impacts your funding opportunities, ability to graduate, and career over the long term. As there is largely only one metric for academic career success, and conferences have so few slots for accepting papers, this sort of behavior honestly feels almost inevitable without serious checks and balances, and ideally other ways for people to “succeed.”
Please Commit More Blatant Academic Fraud
PhD candidate Jacob Buckman argues that people committing blatant academic fraud is helpful, as low-key, mundane fraud is already common and accepted, like trying an algorithm with a bunch of seeds and only reporting the best results, cherry-picking examples where your approach looks good, etc.
But if people are aware that shady behavior is commonplace, then they’ll review papers with a more critical eye, which is beneficial for the field.
FuzzBench: Journal Special Issue on Fuzzing
Interesting proposal aiming to address a number of common academic challenges, like duplicated efforts, lack of reproducibility, and strong positive results bias.
Preregistration is a publication model whereby a submitted article is primarily evaluated based on (i) the significance and novelty of the hypotheses or techniques, and (ii) the soundness and reproducibility of the methodology specified to validate the claims or hypotheses. The actual evaluation or experimentation (apart from some supporting preliminary results) is conducted only after the paper has been in-principle accepted. The final acceptance will depend only on the methodology that was ultimately followed, not the final results.
By Cigna’s Anthony Barbieri and team: A library of rules for Conftest used to detect misconfigurations within Terraform configuration files. One interesting trend is that many teams and tools are converging on OPA’s Rego language for infrastructure as code scanning, while other tools have their own custom rule writing language.
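As an added illustration of the Rego-for-IaC trend, here are two Conftest deny rules for Terraform with constructed inputs and tests. This is example code written for this page, not part of the Cigna library; it assumes Conftest's HCL parser shape (input.resource.<type>.<name>, nested blocks as arrays) and the classic deny[msg] rule syntax.

```rego
package main

# Added example, not from Anthony Barbieri's rule library. Two Conftest
# policies for Terraform HCL in the classic Rego syntax (deny[msg] { ... }).
# Assumed input shape (Conftest's HCL parser): input.resource.<type>.<name>,
# with nested blocks such as `ingress` exposed as arrays of objects.

# Flag a security group whose ingress rule covers TCP/22 from every address.
deny[msg] {
  sg := input.resource.aws_security_group[name]
  rule := sg.ingress[_]
  rule.from_port <= 22
  rule.to_port >= 22
  rule.cidr_blocks[_] == "0.0.0.0/0"
  msg := sprintf("aws_security_group %q allows SSH (22/tcp) from 0.0.0.0/0", [name])
}

# Flag an RDS instance that is reachable from the public internet.
deny[msg] {
  db := input.resource.aws_db_instance[name]
  db.publicly_accessible == true
  msg := sprintf("aws_db_instance %q sets publicly_accessible = true", [name])
}

# Constructed inputs for `conftest verify`; they mirror the JSON Conftest
# produces from a .tf file and describe no real infrastructure.
open_ssh := {"resource": {"aws_security_group": {"bastion": {
  "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
               "cidr_blocks": ["0.0.0.0/0"]}]}}}}

scoped_ssh := {"resource": {"aws_security_group": {"bastion": {
  "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
               "cidr_blocks": ["10.0.0.0/8"]}]}}}}

public_db := {"resource": {"aws_db_instance": {"orders": {"publicly_accessible": true}}}}

test_open_ssh_is_denied {
  count(deny) == 1 with input as open_ssh
}

test_scoped_ssh_passes {
  count(deny) == 0 with input as scoped_ssh
}

test_public_db_is_denied {
  count(deny) == 1 with input as public_db
}
```

Run the tests with `conftest verify -p policy/` and scan real files with `conftest test main.tf -p policy/`; a `deny` that matches nothing leaves `count(deny)` at zero, so a scoped CIDR passes cleanly.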
Top 20 Dockerfile best practices for security
Sysdig’s Álvaro Iradier describes actionable tips grouped under avoiding unnecessary permissions, reducing attack surface, miscellaneous hardening, and steps that go beyond image building.
Does correcting online falsehoods make matters worse?
Wait, people posting provably false things online aren’t swayed by facts!? Shocked. 🤣, but also 😭.
The study was centered around a Twitter field experiment in which a research team offered polite corrections, complete with links to solid evidence, in replies to flagrantly false tweets about politics.
“After a user was corrected … they retweeted news that was significantly lower in quality and higher in partisan slant, and their retweets contained more toxic language.”
Deepfake Maps Could Really Mess With Your Sense of the World
“University of Washington professor Bo Zhao employed AI techniques similar to those used to create so-called deepfakes to alter satellite images of several cities.” Satellite images have real-world impacts, like photos of the large detention camps for Uighurs in China, nuclear installations in Iran, or missile sites in North Korea.
“Imagine a world where a state government, or other actor, can realistically manipulate images to show either nothing there or a different layout,” McKenzie says. “I am not entirely sure what can be done to stop it at this point.”
It may be just a matter of time before far more sophisticated “deepfake” satellite images are used to, for instance, hide weapons installations or wrongly justify military action.
Microsoft president: Orwell’s 1984 could happen in 2024
The rapid development of AI, surveillance tech, and deepfakes are all topics I stress about (among others). While I’m generally quite cautious around the U.S. government’s use of technology and the privacy implications for citizens, I do think that being the lead in AI is massively important for our national security.
“If we don’t enact the laws that will protect the public in the future, we are going to find the technology racing ahead, and it’s going to be very difficult to catch up,” Mr Smith said.
China’s ambition is to become the world leader in AI by 2030, and many consider its capabilities to be far beyond the EU.
Eric Schmidt, former Google chief executive who is now chair of the US National Security Commission on Artificial Intelligence, has warned that beating China in AI is imperative.
“We’re in a geo-political strategic conflict with China,” he said. “The way to win is to marshal our resources together to have national and global strategies for the democracies to win in AI.
“If we don’t, we’ll be looking at a future where other values will be imposed on us.”
Redact | Mass Delete your Social Media
A platform that allows you to automatically clean up your old posts from services like Twitter, Reddit, Facebook, Discord and more all in one place.
WhatsApp is suing the Indian government to protect user privacy
A Facebook-owned company fighting for user privacy? 🤔 They’re actually fighting the good fight here, as new regulations have been passed requiring social media platforms to trace the originator of messages and see the message content. To do this, platforms would likely have to trace every message, removing all privacy and banning end-to-end encryption.
An encryption tool that allows for multiple, independent file systems on a single disk whose existence can only be verified if you possess the correct password. Inspired by the idea of the Rubberhose file system, named after “rubber-hose cryptanalysis,” the euphemism for coercing someone into giving up their encryption keys.
Progress Studies 101
If you’re a curious student or professional who wants to make a difference in the world, this is the guide for you. The suggestions in this guide will help you understand how civilisation progresses, and how you can help it along.
Drunk Post: Things I’ve learned as a Sr Engineer
Stream of consciousness points from a senior engineer on Reddit.
The open source Airtable alternative. Turns any MySQL, PostgreSQL, SQL Server, SQLite & MariaDB into a smart-spreadsheet.
Make Your Life Better by Doing Less
I’m a fan of Scott Young’s writing, and this post is no exception. Ideas included: every “yes” implies a “no”, people tend to think of additive rather than subtractive solutions, focus only on home-run projects, and it’s easy to overwhelm yourself with “easy” tasks.
Brigid Johnson on Recuperating and Preventing Burnout
Thanks for reading!