
AI WILL TAKE UR JOB!

BSides Lisbon | 35:41 | 3.7K views | Published 2024-11
Style: Keynote

About this talk
Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 16 years of experience. Pedro has found and exploited hundreds of vulnerabilities in software, hardware and firmware. He has over 160 CVE IDs attributed to his name (most of which relate to remote code execution vulnerabilities) and has authored over 60 Metasploit modules which have been released publicly. He also regularly competes in Pwn2Own as part of the Flashback Team, winning the coveted Master of Pwn in 2020. Besides his public vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), with a variety of clients worldwide. More information about Pedro's publicly disclosed vulnerabilities can be found at https://github.com/pedrib/PoC. Flashback Team's YouTube channel can be found at https://www.youtube.com/c/FlashbackTeam
Transcript [en]

All right, we made it. So, what are we here to talk about? "AI will take your job." Obviously I'm trolling you. This talk is not about AI; it is basically the ramblings of some dude, my thoughts on the cyber security market as a hiring manager and as a technical guy. I'll be focusing on what my experience is, which is technical roles, so penetration testing, vulnerability research, reverse engineering, etc., but I think it kind of applies to most of the cyber security job market. And we will start our not-AI talk by talking about AI. But first, so that you know who this guy is: I'm the founder and director of research of a small cyber security consultancy based in the UK. We do penetration testing, a bit of everything, red teaming and vulnerability research and reverse engineering. I like hacking stuff, we all do, right? From really low-level stuff, like especially basebands and OS, up to Java code, you know, Java enterprise applications. I like to pretend that I'm a YouTuber with my colleague Radek Domanský. We won Pwn2Own Tokyo 2020 and we started making some videos. We don't have a lot of stuff there, it's a bit crap, but it is what it is. I think the videos are fun, check them out. And I usually also teach hacking training at several conferences: baseband exploitation training for advanced students, and Hunting Zero Days in Embedded Devices for beginner to intermediate. And that's basically it.

Now, about AI. When I started thinking about this talk and when I was invited by the BSides team, I think it was early this year, a lot of people still doubted AI, and in just a few months everything has changed. So I think now there are a lot more believers in AI, but I still see a lot of people resisting it for several reasons. One of them, and it doesn't help, is that all the AI guys and companies really hype it up, right? So it's either going to make our world a land of milk and honey, or Terminators are going to crush our skulls with miniguns. There's nothing in between. The reality about AI is, you know, "make me a Python script that reads a file". And of course I made this to take a screenshot for this presentation, but I have done this, so I'm that lame. AI is a tool, basically. That's really what it is. And my personal belief is that AI will really change the way we work, change our world so to speak, just like the internet did. And of course it is my opinion, I have no proof of this, but I see a lot of parallels with the internet. So if you were born in the '80s or older, you probably have seen the internet evolve from basically nothing to what it is now. And if you had told me, a teenager in the '90s who was playing computer games and messing around with computers, that one day I would work remotely from one country to another country and love my job and work completely on the computer, I wouldn't have believed you. A lot of you, probably your moms were saying "don't spend so much time at the computer, you will never get a job", etc. Well, look at me now, Mom.

So yeah, I see a lot of parallels with AI. We've got to cut through the hype and understand AI is a tool. The change will be gradual; we won't see it coming. And again, just like the internet, the stock market right now is crazy about AI. They'll definitely blow up and there will be a recession, but this is normal. There's a cycle of hype and then it stabilizes, but the technology keeps progressing. And the thing is, a lot of people that I know... this is when I realized it: a lot of my friends who are not cyber security experts, they're not in IT, this topic came up when we were together and I realized that almost all of them use ChatGPT or a variation of that every single day, more than us. And this is really what got me thinking. There are a lot of people who don't use it for various reasons. It's not a tool that replaces everything; for example it's useful for what I showed, "make me a Python script that does things", but it still doesn't replace Google. It eventually will. And of course this brings the question, which is... I can't remember when ChatGPT appeared, maybe two, three years ago. It came out of nowhere, and if you started using it, it really blew your mind back then, and it still kind of does, more and more. So if this came out of nowhere, can parts of your job also be automated? What parts of your job can be automated? And probably there are parts of your job that can be automated; they will be automated by AI. You have these coding tools that, if you have used them, are pretty good, and they'll keep improving rapidly. A specific AI tool may not be great at the moment, but as we've seen, change is very rapid. And if you've seen a recent post by Project Zero, "From Naptime to Big Sleep", using LLMs to find vulnerabilities in real-world code: there have been and there are some companies out there that claim they use AI to find vulnerabilities, but this is the first public example that really shows finding a zero-day. Of course there are a lot of caveats here. They used the previous vulnerability as a training model, they fine-tuned the model; it was not like "oh, here's the code, find me a vulnerability". It's a tool, you need to learn how to use it. But I recommend you have a look at this; it was a real-world vulnerability found by an LLM.

So, consequences of this: jobs will change, some of them dramatically. Again, if you were around in the '90s: travel agents is kind of a weird comparison. Back in the '90s there were travel agents everywhere, then they disappeared for like 15 years, and now for some reason they're back. I don't know, I walk around in my city and I see a lot of travel agents; I guess they found some niche. But it is a bad example and a good example at the same time, because it shows how the internet basically kills an industry but also how the industry can adapt and survive. And no one sends letters these days; paper encyclopedias don't exist. So basically what I'm trying to say here is that the internet killed a lot of stuff. AI will also kill a lot of stuff, but also bring new jobs. And it will definitely affect our work. It will probably replace or automate, I'm not going to say a lot, but a few jobs in cyber security. And maybe it will make it harder for noobs to join our industry. Can these tools become advanced enough to replace noobs? When I say noobs, I mean newcomers, I don't mean it as an insult to anyone, okay? Everyone's a noob, I'm a noob. Well, not really, I mean we will find ways to adapt.

At this point let's assume that I made my case and you agree that AI will eventually evolve and change the way we work. I'll shift now to the second part of the talk, which is basically, given my experience in the field, I've made a lot of mistakes in the past and I've seen people make a lot of mistakes. And when I see people make these mistakes, it kind of makes them less valuable as workers. It can affect your job, it can affect you personally. So I'm going to try and repeat these mistakes so that you learn from them, so that we all learn from them, which will make us more resilient to change and more resilient to impacts such as AI coming.

So what we have here: there's a lot of talk about a cyber security skills gap, and you see a lot of articles like this, which say there's a shortage of cyber security professionals in every country, you need to train more people, train more people. And it is kind of true, but my reality as a hiring manager when I post a role is that basically a ton of people apply. So this is a post I made on LinkedIn, which is for a very specific job role: I was looking for a junior vulnerability researcher, and it had two simple requirements, which is you must have published a write-up of a vulnerability, have a public CTF record, or some CVE, published vulnerabilities, etc., and you must be living in Europe. Now, I didn't say these were simple requirements, right? They were specific. There's no need for a university degree or even work experience. And the reality is that I was really flooded with a lot of job applications, and 99% of them don't fit the requirements. And this is fine, people have got to take their shot, right? Everyone starts with "this is an awesome job, maybe I can do it". But what was funny was to have a lot of these kind of responses: some people were saying "oh, CVEs are not a gauge of skill", "oh, you're looking for unicorns, someone junior who has found vulnerabilities", "this is not a junior role, this is like for a senior cyber security researcher". And look, guys, I of course don't want to point fingers at anyone, so I covered up the names, but these are people, some of them are developers, others do... so basically they're not security researchers or anywhere near technical cyber security, so to speak, so they don't really know what they're talking about. This is what it shows: having a published CTF write-up does not make you a senior security researcher. And this is unfortunately something that I see more and more often, especially on public boards like LinkedIn or whatever you want to call it, and this is basically copium, which is: "I don't have these skills, no one has these skills, you will never find anyone for this job". And I don't need to tell you why this is bad. It makes you look bad to say this in public. It's fine to think that way, okay, but it makes you look bad in public, and it is the wrong mindset. If you want this job, this is not the mindset you need to have. The reality is we got five good candidates; we hired one. And if you're looking for a job like this, the things that I asked for are things that you can do at home. I'm not asking for five years of experience, I'm not asking, again, for a university degree; these are things that you can do on your own time at home, and people don't realize this. And okay, there are a lot of people who say "yeah, I don't want to spend my free time doing that, I want to spend my time playing video games or doing sports or whatever". That's fine, that's fine, but you are competing in a job market where other people are keen to do this, so just bear that in mind. So before you rant, keep that in mind, okay? And this kind of shows that there is not a shortage of cyber security professionals but a shortage of skilled and willing cyber security professionals. Fortunately, for a lot of technical jobs you don't need formal training, you can learn on your own, but there are going to be a lot of people competing for the same role, so you've got to show your difference; you've got to put in the time to show your difference.

And that brings us to the Ten Commandments of Cyber Security. I want to say this is a joke, okay? I am Christian too, I'm not insulting your religion, all right, and I don't consider myself the Moses of cyber security, okay? I need to say this because people take everything seriously these days. And it takes us to our first commandment, which is: don't drink copium. Don't cry over how things are. Reality is reality, you need to adapt to it, especially as a junior that is growing up. As a senior you're comfy, sitting in your chair, but as a junior you've got to adapt, you've got to put in the hours, you've got to put in the work. And by the way, this is normal in any field, not just IT or cyber security: you're a junior, you've got to put in the work. Just try to enjoy your work. And again, it's fine to have these thoughts in private; don't make them public, it will look bad on you. And that's our first commandment.

Now another thing that people ask me a lot in private: "should I take this job or that job, what do you think? I'm looking to achieve this role, I'm looking to become a reverse engineer or vulnerability researcher, etc. What should I take?" So there's something very important, which is job security versus job satisfaction. I used to work at a company, I'm not going to name names, but it was a big, big international company, and I used to work, I'm going to say, two hours a day max, but I needed to be there eight hours a day. And the reality is not that I did not want to work; there was no work, okay? What I noticed around me is that this place had a lot of zombies, a lot of people who just came in for the job. They work that half an hour or two hours a day and then they just spend the day literally watching cat videos. Why? Well, because this job paid pretty well. So it pays pretty well, you don't need a lot of hard work, it is kind of easy to get stuck in this job and not challenge yourself, but the problem is you're basically just dying inside, okay? Of course the smarter people use this extra time to better themselves. One of the guys that worked with me was learning how to day-trade stocks, and unlike most day traders he actually makes money; he became very good at it. The others were just watching YouTube. And I'm not just talking about older guys; there were guys also my age, I was like 20-something at the time, and they were basically just wasting their lives there. These kinds of jobs really suck your life out. And again, people stick to this job because it paid well, but sometimes you get to a point in your career where you realize "I'm stuck, I hate my job", "oh, but the money is so good". If you keep going like this you're just going to burn yourself out, okay? There is an option. Of course, if you have financial difficulties, if you have a family to support, you can't really choose; many times you've got to take the one that pays the most money. But if you're young, in your 20s, you don't have a family, you're not married yet or whatever, or you have some money set aside, then maybe you can take the risk of taking a lower-paying job that is more satisfying to you. And I'm not just saying this; this is something I've done. I took a big pay cut because I started as basically a penetration tester and I wanted to become a reverse engineer, and I had to take a big pay cut. It took me five years to get back to my old salary. I was lucky that I did not have a lot of financial responsibilities and could do it, but it is doable, and I'm not the only example; I know a lot of people who did it. My advice for people who are young without responsibilities: never take the money over the role. Job satisfaction is way more important. If you have the flexibility, use that flexibility, improve your skills and get the job you love.

Yeah, so another thing: besides the pay cut, you might need to work more hours to learn. Again, when I changed from pentesting to reverse engineering I had to put in a lot of hours; luckily I didn't have a lot of responsibilities, so it worked out well. But like this guy here who became a music producer at 46, it is possible to change careers even if you are older. So if you feel like you're stuck, there's always something you can do. And by the way, in the trainings that I do, the baseband training is a bit hardcore, let's put it this way, and there was a guy in the last training I did who was almost in his 60s. He was a developer and he was killing it. This guy learned; he was a developer and he decided "no, I want to go into cyber security, I want to go hacking, I want to go into hardcore reverse engineering". He learned by himself and he was killing it. So again, age is not an excuse if you feel stuck in your job.

Yeah, a few words about this. There are a lot of people also who say "oh, your job is amazing, you are so lucky to have a job you love". First, I see that as an insult, because okay, maybe I was lucky, but you also work in that direction, right, to have a job you love; you also learn to appreciate your job. But also another common fallacy is "oh, if you are your own boss, this is awesome, you can do whatever you want". Bull. That's bull, I'll tell you why: the clients are your bosses. And when you start a company and you have clients as your bosses, they will put a lot of pressure on you, much more than a manager, okay? So what I'm trying to say with this is the grass is not always greener. Before you start a company or decide "no, I want to be my own boss", bear in mind that you will work much longer hours, you will probably make less the first few years, and your life will be more miserable in general in the first few years at least; then it probably improves. So it's not for everyone, and that's fine. Sometimes it is better to be an employee at a very good job with a boss you love and who treats you well than to become your own boss, which like I said is bull. So our second commandment: don't pick money over job satisfaction.

Another common mistake, and this I see mostly younger, less experienced people doing, is that once you gain a little bit of experience you think "oh, I'm the best hacker, I'm the best reverse engineer, I can pentest everything", and you start to look down on people in your company that do the non-technical stuff: "this guy, all he does is sales, what does he know? He doesn't know anything". There are a lot of things you can learn from these people. First of all, I don't need to tell you why morally it is wrong to look down on people; everyone understands that. But you are underestimating them; they can teach you a lot of stuff, they really can teach you a lot of stuff, and you learn a lot by being friends with them. And as you learn more skills which are outside of the IT or cyber security sphere, you become more valuable as an employee, so you will also make more money, you will go up in your career. Then at the other end, the more experienced people. I've seen this mistake also happen very often: you're in a company, you're sitting comfortably in your manager job, growing your belly little by little, and then suddenly you hire a new guy or a new guy comes up and this guy is amazing. He can do everything you throw at him. This guy just works the whole day, he goes home, he works on it, and everything he does is amazing. And suddenly you feel threatened: this is a rising star, this guy could take my job, this guy could do this, do that. It's a problem. Wrong thinking. And again, I've seen this with my own eyes. At another company I worked at, there was this lady that I was interviewing at the time, and she was maybe the third interviewee that I had that was amazing, and I presented them to one of my bosses and he kept rejecting them, until I realized that this guy was afraid of these people because they had PhDs; he thought they would take his job. Wrong thinking. As a manager, in fact, you can take advantage of these people, and when I say take advantage I don't mean in a bad way. It is your job to guide them, mentor them; they work under you, so you can basically push them to do what you want, and they rise and you rise also with them. That's the right way of thinking; that's your job as a manager. So third commandment: you shall mentor juniors and learn from non-technical people.

And silver bullets. This one I'll make short. We've all been through this: "oh, install this endpoint detection and response, it will stop the hackers", "I don't understand how you found a vulnerability, we have been pentested before, we have encryption". We all know this is ridiculous, right? But what about this: "oh, changing from C++ to Rust will make our code vulnerability-free". Now, isn't it the same thing? I'm not saying it will not improve; of course it will, incremental steps, but again, don't think of it as a silver bullet. And I think it's really bad to fanboy over new technologies, because it kind of limits your mind. It's the same as I was saying in the beginning: if you close your mind to new technologies like AI you're limiting yourself, but if you also fanboy over a specific technology, you're also limiting yourself. And again, new tools and technologies keep popping up all the time; our field is in constant flux. And as you get more experience, you've seen a lot of technologies come and go. It is okay to be suspicious, that is normal, just keep an open mind. There are many cases where I've looked at a tool specific for my job and the tool is crap, and then I come back one year later and actually it has become amazing. So if I didn't go back and look at it I would be missing out. So our fourth commandment: don't believe in silver bullets, keep an open mind for new tools.

Okay, this also is like a personal pet peeve of mine, let's call it that. I've had people tell me "oh, I don't want to do that, I don't like doing this". I mean, in a job sometimes you've got to shovel crap, and I've also seen this happen: you become so good at shoveling that crap that people start giving you crap to shovel and you actually start enjoying it. And again, a common thing I see is "oh, I don't like Java, I want to use Python". Okay, but you're testing a Java tool; are you going to rewrite it in Python? And yes, I've seen some crazy people say "yeah, yeah, I'll do it", and of course they fail because they overestimate themselves. And you're reviewing Java code for vulnerabilities; are you going to skip it? Are you going to say "no, boss, I don't want to do it"? Well, your colleague is going to do it, and then what? He's going to go over you. So we live in a constant technology flux; new technologies pop up all the time, like AI, and it's very easy to get attached to a tool. So I've been using Linux for, I think, over 20 years, still crap at it as you can see, but I used to really look down on people who use Windows. I thought hackers who use Windows, these guys are noobs, why are they using Windows? Until I met a guy who only uses Windows, and I'm not joking, he uses Notepad for code review. Notepad! I'm not joking. Notepad++, okay, not the Windows Notepad, not that much. But this guy, he's amazing, he's way better than me, so that was a lesson in humility. So again, don't judge people by their tools. It's okay to have preferences, of course, obviously, but you need to be flexible also with tooling; adopt new tools. Again, the pace of change is very fast; adopt new tools as they come. Yeah, so I think I need to speed up a bit. Our fifth commandment: you shall adapt to new technologies and tools that make you a better worker.

Okay, this is turning into a rant. I hope you're enjoying it; if not, I think Bruno has some tomatoes you can throw at me. Yeah, hyping vulnerabilities. And again, look, a lot of this stuff that I've been going through, a lot of these are my mistakes, okay? Some are mistakes I've seen other people make, a lot of them are my mistakes, and some of them I still make to this day. So, hyping vulnerabilities. One of the best ways to gain experience in technical cyber security is to hunt for vulnerabilities in your spare time, on your company time, whatever. And I have 160-something CVEs attributed to my name, but a lot of them are lame, like very lame. And it was kind of okay when I was starting my career, but I'm a bit embarrassed now. And they're all public, I didn't remove them, you can go back and laugh at me. But what I'm trying to say is, if you're trying to build your CV by finding vulnerabilities, be careful about the vulnerabilities that you pick. I would say focus on the juicy stuff. Basically, a lame vulnerability is something that is unexploitable. You find something like an integer overflow and say "oh yeah, I'll publish this in this product, I get a CVE, I found an integer overflow". If it's not exploitable, don't bother. So either spend your time going really deep on a target and find a really nice, juicy vulnerability, publish about it, make a big name for yourself; or there's another thing, which is just go through a product, run through it, find a series of vulnerabilities, chain them, and then make a very nice presentation out of it. And a good example is Pedro's presentation from yesterday: the vulnerabilities he found are not complex, but put together and chained, they make them amazing. So it's all about what you do with them, not necessarily the type of vulnerability. But don't do write-ups on unexploitable issues. This is not a pentest; you're writing a cool hacker advisory. And look, okay, you don't care about fame, you don't care about publishing, that's fine, but think of it as a public CV, okay? Or alternatively, if you don't care about fame or building up your CV, do it for the community.

A few years ago people used to give shout-outs to each other, like "shout out to hacker X, this guy is amazing, he taught me everything". Now, unfortunately, this is not happening anymore. In advisories these days people don't give credit, even to people who have done the exact same work before, and I have to say I would have myself to blame a few times for this, because it just became so uncommon that I stopped doing it. It used to be funny, like there would be actual beefs between researchers, like "oh, I hate this guy because he published the same vulnerability as me". Unfortunately nothing like this happens anymore; everything is super sanitized. It's like LinkedIn, it's like dead inside, like "oh, I agree with everything", "oh, this is amazing". It's good to have a little bit of controversy, okay, just don't make it personal. And remember to give shout-outs to people who came before you; this kind of builds the respect in the community. Another thing is that good technical posts will be relevant far in the future, and I mean future in computer terms, so we're talking about 10 years. Just make sure you don't use a closed platform like Medium; I see a lot of people making this mistake. Obviously I don't need to tell you why it is bad to use a closed platform. Markdown is your friend; many sites and tools support publishing Markdown instead.

Yeah, and here is a problem that I have right now, that we all have, which is that CVE numbers used to be very useful, and they still are. Of course the CVE numbering system for vulnerabilities is not perfect, far from it, it misses a lot of stuff. But early this year the Linux kernel became a CNA, a CVE Numbering Authority, which means they can issue CVEs for their own vulnerabilities, and since then they have flooded the CVE number system with thousands of vulnerabilities. Here we have an example: on the third day they released 378 153. So this is a problem, because a lot of these issues are not exploitable at all; they're a null pointer dereference, okay, maybe it causes a DoS, but I mean they're basically assigning CVEs to non-issues. And this is a problem because they are kind of removing value from the CVE system, which used to be very useful. Yeah, and this guy is very nice, so that's the guy to blame, unfortunately, which is kind of funny because he used to not like having security vulnerabilities treated differently than normal bugs in the kernel, because he used to say security bugs are just normal bugs, they shouldn't be treated differently. But now he's treating every bug as a security bug, so at least he's coherent in that. Our seventh commandment: you shall not hype vulnerabilities.

And that's kind of it. I didn't want to start making up stuff, so let's leave it at just seven, okay? And if you have a problem with that, talk to this guy. I heard this guy is a nice person; I mean, I love the guy, don't get me wrong, but he is controversial, to say the least. Yeah, wrap-up: AI is coming, it's going to take our jobs. Just be flexible, adapt to new tools, be adaptive, be aware of your own biases and of your own limitations, how they shape your mind in your workplace and your life in general. I usually hate quoting cheap quotes, I think that's super lame, but I'm going to make an exception now and say: love your job and never work a day in your life. I have no idea who said it, but it's a common quote. And I'll add to that: don't focus on the money, focus on being great at your job, and the money will come eventually as you become more senior. And as a bonus takeaway, the Linux CNA is destroying the CVE system and there's nothing better to replace it, so if you're in a position to think about something to replace it, please come up with a better system or fix the CVE system. And that's all I have. Thanks for listening to my rant, I hope it wasn't too boring, and yeah, you have my Twitter, YouTube, email, whatever; questions, anything, anytime. [Applause]