Discover more from Cristi Vlad
The Insider Weekly #15 - Internal Pentests | GPT-4 Hacks | New Clients
Not much has happened this week, and that’s fine. I often find it refreshing to dive deep into a routine for a while (a few weeks at most) to eliminate myself from decision-making, which is time and energy-draining.
Regarding my work in cybersecurity, I’ve had a few assessments this past week, two of them being internal and infrastructure and one of them a web app. I got out of my comfort zone with the internal and infrastructure but I’ve added a lot of experience to my skillset. And that is always good.
In one of my next assessments, the client asked for extensive testing, meaning that I will have sufficient time to try everything under the sun, observe, and, of course, learn new attack vectors. And that’s exciting, alongside the higher pay!
On the same note, a new company reached out for helping them with pentests. They basically get the clients and pass them to me for their assessments. They’re basically acting as the middleman. I’d usually turn down this sort of thing, however, their pay is really really good, so let’s see how that one goes.
Given the load of work this week, I had no time to play around with my private bounties. I hope to get some spare time for that soon and give my VPS (that I told you about last week) a cyber spin.
Also, I found out about a new platform, BugProve, which does a pretty good job of automating security firmware analysis. It’s free (with limitations) for researchers and bug bounty hunters, and I wrote an in-depth blog about it.
Reality check: LangChainAI is still super cool.
As for my work in AI and machine learning, it was all devoted to SecGPT, which just crossed 2,500 users - in 14 days. If this is the first time you’re reading my newsletter, SecGPT is an AI trained on thousands of cybersecurity reports, writeups, cheat sheets, and other documents.
I worked a lot on improving its algorithm and how it responds and I’ve had some successes and failures; though I learned a lot.
I found out about a new technique to improve its reasoning capabilities and I’m going to try to implement it in the upcoming weeks.
As for now, this weekend SecGPT is going to receive another upgrade by learning about ~700-1,000 new reports and writeups. I’m also looking for new sources of knowledge for the AI, so if you have ideas, send me an email.
On the other hand, I’m not super excited about spending all my time on SecGPT because, with the recent AI developments and announcements, the big players are taking all the space. I’m small, but I still want to see how far I can go with SecGPT.
Plus, I’ve received some business proposals when it comes to SecGPT, which I’ll explore in the following weeks. If everything fails, I still benefit from the additional hands-on experience with LLMs and AI. This, in my view, it’s a win-win.
Also, with the little play time I had reserved for GPT-4, I let it write a plot. It would make a great novel or movie.
With all this time between cybersecurity and AI, the remainder of my time has been spent outside, on the bike.
I spent less time on Twitter and significantly less time on other social media, as I’ve told you a few months ago when I removed all notifications on my phone, except text and phone calls.
I eagerly waited for access to ChatGPT plugins this week, but still - crickets. On another note, this is good, because I can focus on the work at hand and not on trying to find security holes in LLMs, similar to what these fellows are doing:
That’s all for now; I’ll see you next week.