[tl;dr sec] #173 - What Software Will Be Post GPT-4, the Cybersecurity Landscape, Reducing Attack Surface in AWS

Hey there,

I hope you’ve been doing well!

Pi Day

In case you weren’t familiar, March 14th (3.14) was National Pi Day.

I celebrated with friends by eating some delicious chicken pot pie and apple pie.

But sometimes I wonder… there are so many holidays these days. How many of them are true celebrations, vs the capitalist machine hell-bent on getting us to consume more?

Maybe Pi Day is just propaganda from Big Pharma Math 🤔

AppSec

End-to-end encryption through Kafka
Walkthrough by Ockam on how to easily set up end-to-end encryption for your data flowing through Kafka, from many producers all the way to end consumers.

Oxy is Cloudflare’s Rust-based next generation proxy framework
Cloudflare’s Ivan Nikulin describes Oxy in detail, which is a foundation of several Cloudflare projects, including the Zero Trust Gateway, the iCloud Private Relay second hop proxy, and the internal egress routing service.

Announcing Semgrep’s beta support for Rust
Red Canary’s Matt Schwager helped improve Semgrep’s Rust support to Beta and contributed the first Rust rules to the Semgrep community. Awesome to see the community making Semgrep better for everyone 🚀 

A Deeper Look at Modern SAST Tools
Yahoo’s Joe Rozner compares CodeQL and Semgrep as a vulnerability researcher, including licensing, tooling, language support, and automatic fixes.

Multi-repository variant analysis: a powerful new way to perform security research across GitHub
By GitHub’s Walker Chabbott and James Fletcher. You can now easily run CodeQL queries against a list of up to 1,000 repositories from within VS Code. Neat!

Supply Chain

ossillate-inc/packj
By Ossilate: A tool that can detect malicious, vulnerable, abandoned, typo-squatting, and other “risky” packages from popular open-source package registries, such as NPM, RubyGems, and PyPI.

Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore
Project Sigstore provides an update on the consistent progress that the Sigstore Java client has been making and how many in the Java ecosystem, including Maven and Gradle, are considering Sigstore as an alternative to PGP signing. Benefits of Sigstore:

1. Users don’t manage keys; keys are single use

2. Email addresses associated with signing are verified by cert authority/OIDC provider

3. Auditing via transparency logs

Cloud Security

projectdiscovery/cloudlist
By ProjectDiscovery: A multi-cloud tool for getting Assets from Cloud Providers, intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds.

Reducing Attack Surface with AWS Allowlisting
Figma’s Rami McCarthy describes how they implementing Region & Service allowlisting in AWS, removing ~80% of the control plane attack surface for their org. Side benefits: it offers a service inventory for targeted detection development and lowers compliance burden. Great example of categorically reducing risk / eliminating classes of issues. Secure defaults ftw! 🤘

How to use policies to restrict where EC2 instance credentials can be used from
There are two new global condition context keys that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued, without hard-coding VPC IDs or IP addresses in the policy.

From Scott Piper:

See also Ermetic’s Lior Zatlavi post: A New Incentive for Using AWS VPC Endpoints.

Container Security

From Pod Security Policies to Pod Security Standards – a Migration Guide
Pod Security Policies were removed in Kubernetes v1.25. Wiz’s Shay Berkovich and Amir Lande Blau discuss migration strategies, offer guidance, and point out potential migration restrictions and limitations.

Introducing KWOK: Kubernetes WithOut Kubelet
KWOK is a toolkit that enables you to create a cluster of thousands of nodes in seconds, enabling you to simulate real nodes with a low resource footprint and test your Kubernetes controller at scale without spending much on infrastructure.

How to secure Kubernetes Ingress?
Armo’s Ben Hirschberg discusses how to secure Ingress resources via adding TLS to Ingress and then procuring TLS/SSL certificates.

Machine Learning

Instead of simply speaking with a therapist, I created an ai one.
Alex Furmansky trained a custom GPT-3 model on Esther Perel’s work. It has a number you can text and interact with.

jerryjliu/llama_index
A project that provides a central interface to connect your LLM’s with external data.

dpayne/CodeGPT.nvim
A plugin for neovim that provides commands to interact with ChatGPT, like code completion, refactorings, generating docs, etc.

Discord updates its bot with ChatGPT-like features, rolls out AI-generated conversation summaries and more
@Clyde is now powered by ChatGPT, so it can recommend playlists, send you a GIF or five interesting facts about cats, etc.

More on GPT-3 and threat modeling
Adam Shostack asks a series of prompts about Kubernetes-related threats. Overall I don’t feel like it did a very good job at making them Kubernetes-specific.

GPT-4
New model released by OpenAI, and as expected, it’s a massive improvement. It can accept image and text input, pass a bar exam with a score around the top 10% of test takers, summarize an article in words that only begin with a specific letter, generate web page HTML from a photo of a hand drawn mock, explain why an image is funny, and more.

• 24min announcement livestream - very cool

• Join the GPT-4 API waitlist

• OpenAI Data Opt Out Request (ChatGPT, DALL-E)

The Multi-modal, Multi-model, Multi-everything Future of AGI
Great overview of GPT-4 by Shawn Wang.

How AI is Eating the Software World
Fascinating post by Daniel Miessler on why he thinks LLMs “understand” things (and don’t just complete text), and how he believes that software may be replaced by AI models informed by your company’s State (data, telemetry), Policy (your desired state and what you don’t want to happen), and Action (the recommendations or actions that can be performed to bring the State in line with the Policy).

And an excellent follow-up post:
SPQA: The AI-based Architecture That’ll Replace Most Existing Software that includes applications to security domains.

The Bitter Lesson
Interesting examples (Chess, Go, speech recognition, computer vision) of trying to leverage human knowledge or customizing to a domain being less effective than simply more computation.

Misc

Unlocking the Cybersecurity Landscape
Nice deep dive by Contrary Research’s Francis Odum.

Silicon Valley Bank: An ‘It’s a Wonderful Life’ bank run for the digital age
Last Thursday, Peter Thiel’s Founders Fund began advising its portfolio companies to withdraw their money from SVB. Other VCs caught wind of this and advised the same, leading SVB to fail. It’d be interesting see if anyone involved in causing SVB’s failure had an economic incentive to do so. More perspective here from an insider.

See also this deep dive: The Demise of Silicon Valley Bank>

Banking in very uncertain times
Extensive overview and context about the situation from Patrick McKenzie (patio11) on why banks are failing, a useful heuristic from bond math, and more.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint