Playing with ChatGPT

Like everyone else with a browser, free time, and an interest in AI I’ve been playing with ChatGPT, an text-generating AI engine by OpenAI, the folks that created DALL-E, that can write research papers, programs, poems, and blog posts. You can find more information about both ChatGPT and DALL-E at OpenAI’s website (

I started with something that I thought would be fun:

As you can see, it wrote well-commented python script to generate a random number for each of the types of dice used when playing Dungeons and Dragons (something I do with my kids and friends). I doubt I’ll use this specific script as I have some pretty fly VTT apps and like to use the real thing when I can. I kept playing with ChatGPT. It wrote me a haiku, a poem in the style of Keats, a few jokes, a Mastodon post, and finally, a blog post.

I wanted to see if it could do something in a longer form so I fed it some prompts and after a few tries I got one back that was passable. The following post was written entirely by the ChatGPT interface with the following prompt:

And so, without further delay, I hand over the reigns of my blog to ChatGPT.

Here is a potential blog post about the intersection of cybersecurity, nation-state threats, and flaming hot Cheetos:

Title: “The Spicy Politics of Cybersecurity”

As the world becomes increasingly connected, the realm of cybersecurity has become a critical battlefield for nation-states. Hackers and cyber espionage groups backed by governments are constantly probing and attacking each other’s networks, trying to steal sensitive information or disrupt critical infrastructure.

In this high-stakes game of cat and mouse, the use of sophisticated tools and techniques is common. But sometimes, even the most unexpected things can play a role.

Take, for example, the case of the flaming hot Cheetos. In 2017, it was reported that Russian hackers used the popular snack as a covert communication channel to avoid detection by security software. By embedding data in the pixels of images of flaming hot Cheetos posted on social media, the hackers were able to transmit information without raising suspicion.

This may seem like a silly and unlikely tactic, but it highlights the creative and unpredictable nature of cyber warfare. As security technologies and defenses continue to evolve, so do the methods used by hackers to evade them.

So the next time you enjoy a bag of flaming hot Cheetos, just remember that they may be more than just a tasty snack – they could also be a potential weapon in the global cyber conflict.

A Robot eating Cheetos
“Photo of robot eating Cheetos” by DALL-E, ChatGPT’s sibling app

Not the worst blog post I’ve ever read (and may have been guilty of writing). I think this is going to be a very disruptive technology for certain vocations in the not-so-distant future. Honestly, I’m not sure how that makes me feel.


SGA (Some Good Advice)

I submitted a short blurb to an effort to gather advice from CISO’s. I believe many CISO’s (especially new ones) will focus primarily on advanced security controls and miss the admittedly boring “blocking and tackling” like patch and configuration management…

While we (as CISO’s) certainly need to deploy protective technology to help defend our brands, we must also ensure we stay laser-focused on helping our friends in IT with the monumental task of properly configuring and expediently patching endpoints, servers, and applications. No matter how good your EDR or XDR systems may be you will be helpless to stop attackers if systems are not properly configured and maintained.

The submission asked for additional information so I decided to expand (very slightly) on my earlier point – but the fact that governance alone has not and most likely will never work.

The information security product ecosystem has certainly produced some excellent detective and preventative controls to thwart would-be attackers. However, time and time again systems and applications are compromised due to shoddy administrative practices and slow update cycles. We (as CISO’s) need to that our IT sisters and brothers are empowered to invest in solutions to solve these issues – sheer governance has not been enough so we have to think outside the box on how to enable IT to be successful for the company and achieve better security outcomes.

Security tool costs

I really miss the days when I paid maintenance for software. The new ARC paradigm really sucks for the consumer.

The only positive piece is that the financial implications of switching vendors is mostly gone but the inflation on the infosec budget has been profound.

(Originally posted on Mastodon)

Trying to capture cost per vulnerability patched and why I don’t believe it’s a good idea

This post is part experiment, part memorializing a short conversation I had with Sasha Romanosky (one of the creators of CVSS). I have more thoughts on the subject of the thread which I may expand on here or on Mastodon sometime in the future.

The experiment is how well I can integrate Mastodon micro-blogging with my fledgling WordPress site. I also want to memorialize the conversation since I’ve set my Mastodon posts to self-destruct after a relatively short period of time.

Getting into the time machine

I’ve been trying to clean up my document repositories and found a talk I gave at RSAC back in 2016 that brought back some thoughts I’ve been having recently about cyber resilience and how to pull together a strategy to ensure a new CISO is focusing on the right things.

Perhaps I’ll weave some of this plus a lot of things I’ve learned over the past few years into a new talk for RSAC in 2023. For now, I hope someone finds this content somewhat useful.

Middle School Career Day

I had the privilege of presenting to over 50 13 year olds at a middle school’s career day. It was a ton of fun, the kids asked great questions, and were generally very interested in information security as a subject. I’ve included the slides I presented to the classes to this post. If you work in information security, I highly recommend doing career days and presenting at community colleges to let them know what we do and how satisfying a career field it can be.