cybers thot lead. worshipped idle. dispenser of the obvious. awkward

Joined August 2008
3,407 Photos and videos
If you say you have 10 years of experience in AI, I expect to see mention of ML. I should see way more than NLP and LLM.
I love interviewing passionate people.
I have been told I teach like a firehose. Way too much info in a short amount of time. Come prepared.
Woohooo. The AI crowd finally figured out while loops. Maybe they can figure out input sanitization and other tricks from decades ago. You go AI. You are almost caught up to the rest of the world in 1990.
New fish. And I found out one of the old ones was hiding. Wait til the end. youtu.be/NAiXs4-0T4U
I told my wife this was the manliest watermelon I have ever seen. I said it was sexy. I need a vacation.
MadHat Unspecific, InfoSec Mercenary retweeted
Microsoft has identified an npm supply chain compromise impacting 90 redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes. Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader. If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
MadHat Unspecific, InfoSec Mercenary retweeted
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously. To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate. We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them. Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow. The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
Community note
This claim, however, comes after they threatened to take legal action against Nightmare Eclipse, a security researcher, over zero-day exploits. The security researcher was also banned from GitHub for their research, with a consequent ban from GitLab as well. theverge.com/tech/940416/mi… tomshardware.com/tech-industry/…
Anyone ever run into a situation where the owner of a service tightened down the security settings, but only for the infosec staff? “Infosec verified the right protections are in place, tested it themselves.”
Date night with my beautiful wife.
I realized today I have a favorite tweezer brand.
MadHat Unspecific, InfoSec Mercenary retweeted
I made an agentic tool to poll SEC EDGAR for cyber-incident 8-Ks & auto-extract IOCs to JSONL/STIX. Supports TAXII pushes. Hint: 8-Ks never have IoCs because of the strict filing timelines. I built this to win an argument. Now you can, too! github.com/johnnyxmas/its-ov…
Start of a 2 hour meeting. Stomach says… you know how you have been constipated for the last few days, we feel bad, so we are going to release it all… right now.
Just remember. Everyone has to have the same experience, and because you had a bad time, everyone had a bad time, even when they didn’t. Some of you have amazing egos telling you that you have the only one true experience and everyone else is wrong.
Have we not learned that computers are not always right? I mean, they never were, but come on.
I am looking for a mid level AI specialist for my team in Mexico City. Also have a GRC analyst and SOC analyst. The AI and automation specialist will help manage the internal AI platform and help teams set up automation. Share if you know anyone.
So a pen test?
Security budget unlocker service: You Venmo me and give me credentials of a random employee, and I cause a relatively minor yet threatening incident that gets leadership to immediately approve the extra headcount you’ve been begging for
The whole industry is fucking up with AI. Making it way harder than it needs to be and putting more faith into marketing than technology. “Oh look, it’s magic, so we have to do something different.” We always drop the ball at first.