edskoudis
@edskoudis
25.4K posts

President SANS Technology Institute College. SANS Fellow. CEO @CounterHackSec. @RSAConference Keynoter. IANS Faculty. BoD @manasquanbank & https://t.co/WD7vkoH5lH.

NJ USA. Joined August 2008
320 Following · 61.6K Followers

edskoudis@edskoudis·
@LowLevelTweets @d0tslash Me too. Those were the days! Some folks still post helpful and interesting stuff here, but it’s such a narrower range of people than it was before. Yeah, I miss it.
Low Level@LowLevelTweets·
I miss infosec twitter
edskoudis reposted
thaddeus e. grugq@thegrugq·
The amount of squabbling over bugs, bug quality, AI bug extermination, how security is doomed/not doomed/unchanged/improved based on bugs… it’s ridiculous. Bugs are not the totality of cybersecurity.
edskoudis@edskoudis·
@ihtesham2005 I served (and learned) at Bellcore from 1991-1997. The ideas of this post were etched into our culture. Those lessons influence me every single day today. I’m so grateful for that experience and all the amazing Bell System engineers I learned from. True innovators. THANK YOU!
Ihtesham Ali@ihtesham2005·
A mathematician who shared an office with Claude Shannon at Bell Labs gave one lecture in 1986 that explains why some people win Nobel Prizes and other equally smart people spend their whole lives doing forgettable work. His name was Richard Hamming. He won the Turing Award. He invented error-correcting codes that made modern computing possible. And he spent 30 years at Bell Labs sitting in a cafeteria at lunch watching which scientists became legendary and which ones faded into nothing. In March 1986, he walked into a Bellcore auditorium in front of 200 researchers and told them exactly what he had seen. Here's the framework that has been quoted by every serious scientist for the last 40 years.

His opening line landed like a punch. He said most scientists he worked with at Bell Labs were just as smart as the Nobel Prize winners. Just as hardworking. Just as credentialed. And yet at the end of a 40-year career, one group had changed entire fields and the other group was forgotten by the time they retired. He wanted to know what the difference actually was. And he said it wasn't luck. It wasn't IQ. It was a specific set of habits that almost nobody is willing to follow.

The first habit was the one that hurts the most to hear. He said most scientists deliberately avoid the most important problem in their field because the odds of failure are too high. They pick a safe adjacent problem, solve it cleanly, publish it, and move on. And because they never swing at the hard problem, they never hit it. He said if you do not work on an important problem, it is unlikely you will do important work. That is not a motivational line. That is a logical one.

The second habit was about doors. Literal doors. He noticed that the scientists at Bell Labs who kept their office doors closed got more done in the short term because they had no interruptions. But the scientists who kept their doors open got more done over a career. The open-door scientists were interrupted constantly. They also absorbed every new idea passing through the hallway. Ten years in, they were working on problems the closed-door scientists did not even know existed.

The third habit was inversion. When Bell Labs refused to give him the team of programmers he wanted, Hamming sat with the rejection for weeks. Then he flipped the question. Instead of asking for programmers to write the programs, he asked why machines could not write the programs themselves. That single inversion pushed him into the frontier of computer science. He said the pattern repeats everywhere. What looks like a defect, if you flip it correctly, becomes the exact thing that pushes you ahead of everyone else.

The fourth habit was the one that hit me the hardest. He said knowledge and productivity compound like interest. Someone who works 10 percent harder than you does not produce 10 percent more over a career. They produce twice as much. The gap doesn't add. It multiplies. And it compounds silently for years before anyone notices.

He finished the lecture with a line I have never been able to shake. He said Pasteur's famous quote is right. Luck favors the prepared mind. But he meant it literally. You don't hope for luck. You engineer the conditions where luck can land on you. Open doors. Important problems. Inverted questions. Compounded hours. Those are not traits. Those are choices you make every single day.

The transcript has been sitting on the University of Virginia's computer science website for almost 30 years. The video is free on YouTube. Stripe Press reprinted the full lectures as a book in 2020 and Bret Victor wrote the foreword. Hamming died in 1998. He gave his final lecture a few weeks before. He was 82. The lecture that explains why some careers become legendary and others disappear is still free. Most people who could benefit from it will never open it.
edskoudis reposted
vx-underground@vxunderground·
[image]
edskoudis reposted
SANS Institute@SANSInstitute·
New episode out now 🎙️ AI finds vulnerabilities faster than ever. So do attackers. Gadi Evron, Rob Lee & Ed Skoudis join James Lyne & Ciaran Martin on SANS Cyber Leaders to break down Claude Mythos — and what it means for every defender right now. Are you moving fast enough? 🎧 Listen Now → go.sans.org/GgVizq #CyberLeaders #AI #Cybersecurity #SANSInstitute #Mythos
edskoudis@edskoudis·
@TheRabbitPy @SANSInstitute The times, they are AI-changing. I'm really getting into the concept of AI-centric workflows lately, watching my team being hugely inventive. Fun!
White Rabbitx 🏴‍☠️
@SANSInstitute @edskoudis Five critical vulns on a codebase the team already cleared is a wild wake up call. AI feels less like a magic bullet and more like a very fast second pair of eyes that never gets bored.
Jeremie Strand@jeremie_strand·
@SANSInstitute @edskoudis The 20-40x estimate tracks with what we're seeing too. AI pentest tools don't just find more bugs -- they find different classes of bugs because they explore paths human testers skip due to time constraints.
edskoudis@edskoudis·
@securitydevops @SANSOffensive Hey buddy! Thank you for the kind words. I miss ya. Going to DEF CON this year? Would be great to sync up there over a meal. No pressure!
SANS Offensive Operations@SANSOffensive·
What does AI-enabled pen testing find on a codebase your team already cleared? @EdSkoudis and his team ran that experiment. Day one: 5 critical vulnerabilities. And he estimates 20-40x the current vuln volume is coming within the year. Full methodology: go.sans.org/7TWDpY
edskoudis@edskoudis·
@_3apa3a @HackingDave Thank you! Had a delightful time at SmileyCon. Good people all around. Great team! It was a joy.
Dave Kennedy@HackingDave·
SmileyCon over. Now to travel to the future and see what we need to make next year's SmileyCon better! Back! Back to the future
Dave Kennedy@HackingDave·
@edskoudis kicking off SmileyCon at #TrustedSec headquarters! Thanks for coming buddy! Amazing talk so far and Ed is such an awesome human being. Also not sure how you found this real pic of me 🤣🤣
edskoudis@edskoudis·
If y'all want the originals of my @HackingDave artwork from my SmileyCon presentation, here you go! Have fun! Both of these were one-shot prompts, btw.
edskoudis@edskoudis·
@arianevans @HackingDave @Jhaddix Much appreciated! I wish you the best on your biz partner search. It can be tough to find the right match. Be careful. Be smart. And make it amazing!
Arian J. Evans@arianevans·
@HackingDave @Jhaddix @edskoudis I just like reading you guys' posts & soaking up the positive vibe! You all are great reminders to cheer others on, and be less critical. Infosec needs a lot more folks like you three. I need to find a business partner again, who's actually nice, to balance my high standards.
Dave Kennedy@HackingDave·
We live in a strange time where everyone now is an AI and a software engineer expert. Most haven’t ever written a line of code in their life or understand how LLMs truly work - yet they can produce some incredible stuff. I’m all for it - super innovative… but there are only a small subset of people that are truly experts. I don’t consider myself in this category however I have written code for 25 years both enterprise and open source. When I say there’s an issue - it’s backed by tracked data, metrics, and historical evidence including the development teams who work for me. I don’t raise alarms unless warranted. For those that said they noticed no issues - they most likely weren’t using the tooling in the same way or for simple UI design or feature sets. That’s a stark difference in what I use AI for. Hopefully in the future folks listen to people that are power users or experts of the tooling versus their own cognitive bias or self created influencers or “thought leaders”. Vastly different areas of expertise. anthropic.com/engineering/ap…
edskoudis@edskoudis·
@Jhaddix @HackingDave You are doing fantastic stuff for the community and to advance the art of high-quality pen testing. Love it!!! THANK YOU!
JS0N Haddix@Jhaddix·
@HackingDave @edskoudis To be honest, I’m lucky to have friends like you guys. I’ve looked up to you both all of my career and I’m just trying to do the same things that you guys have done in yours!
edskoudis@edskoudis·
It is true! In my session at SmileyCon, several times I pointed out the really great work you and your team are doing, @Jhaddix, leading the way and inspiring us and so many others. Thank you! Keep this up and you may get a centaur pic too! 😃

Quoting Dave Kennedy@HackingDave:
@Jhaddix Completely agree with your assessment on this <3 appreciate ya dude! @edskoudis must have given you 30 compliments in his presentation by the way. Keep on kicking butt dude, always watching the awesome stuff you are doing ;-)