The value of patience

rants

“If you wait by the river long enough, the bodies of your enemies will float by.” - Unknown

This rather morbid quote is a good analogy for many things in the tech world. The tech industry is known for moving quickly, and the idea of waiting may seem out of place. However, I have come to appreciate the benefits of being patient in my career so far.

My relationship with IT has been a mixed one for a long time. I love it, because it is one of the greatest enablers of human effort. But I also hate it, because it is constantly being misused (e.g. dark patterns, addictive algos, etc.), and because I want to learn everything but there is only so much time in the day. After initially enjoying IT during high school, I fell off it and pursued a finance degree in university. However, during an internship, I rediscovered IT when I automated most of my tasks with Python scripts. I eventually decided to pursue IT full-time, but I struggled to choose a field.

Attending conferences allowed me to talk to people doing interesting things in fields like crypto, AI, and big data. In the mid and late 2010s, there was a constant rush to be the first to do the next big thing. While I was interested in big data and machine learning, I ultimately chose to focus on infosec and climb the corporate ladder, and to get my certs. This is not a decision I regret at all because I find infosec infinitely fascinating.

While I like to imagine I would’ve gone far with my startup ideas, the odds are that I wouldn’t have gone anywhere. Too many odds stacked against me. Infosec offered me a (very) challenging career path that still fed that need to progress in me.

And then GPT happened. I jumped on it pretty quickly with my blog post on GPT-3 and while I found it very impressive, I couldn’t quite find a good use for it. A few years later ChatGPT came out and took the world by storm, and now GPT-4 is out. While others and I have rejoiced at the enabling capabilities of GPT, a lot of the people I used to work with in the world of ML are quite shaken by GPT-4, as it affected many of their business cases. It turns out money and very, very large models based on a paper from 2017 were the best way to create a fantastic and general AI engine.

I regretted not going into AI as it picked up hype, but now I’m feeling vindicated. I can just brush up on my AI knowledge and be somewhat close to the level of many of those AI startups, which is to say just gluing together the GPT API with other products. I find that exhilarating: it means I can join the race of building products without a significant handicap.

I remember from my own startup days that many other founders and VCs would tell me that sometimes you can do everything right but still fail because your product is too early for the market. Unfortunately, I think a lot of AI startups went from being too early to too late because of ChatGPT. Despite this, I think that a lot of the knowledge gained throughout the years will be transferable and that the hardware can still be used for many other custom models, but ChatGPT will force a lot of AI startups to rethink their strategy.

What about infosec?

Infosec seems like one of the industries that is advancing rather explosively, although that is in part because it is reliant on having things to exploit and the spread of technology and features keeps increasing exponentially. Infosec is also a bit less affected by AI due to all the ethical constraints put upon them, but new prompt bypasses are coming up every day and you just need to be a bit clever with your wording and you can still get a lot of help from GPT. But you have to know your goal to make the best use of it. As a perfect example, just last week, GPT was used at Pwn2Own to speed up the development of exploits.

The defensive side could see some incredible advancements, especially when it comes to architecture, triage, and design. The fact that ChatGPT will explain its thought process is invaluable in getting people trained and up to speed quickly. That being said, I think jobs like Threat Hunting will also be less affected by GPT and it would function the same way it works for offensive roles, as an occasional force multiplier (e.g. help with deobfuscation).

It seems like the value of waiting in infosec is not quite as beneficial as in standard development because you still need to learn all the fundamentals and processes before you can start building on top of them. Thankfully, OffSec, PortSwigger and other vendors that focus on teaching infosec skills have substantially increased their offerings in both size and quality over the years. With time, other industries will pop up which have a lower barrier to entry (e.g. IoT/car hacking) and where AI assistance can shine. You will still have to learn the fundamentals, and with time, those only increase in number.

For the time being, GPT is much more of an enabler than a replacer in infosec. As for me, it’s time to finally iterate and prototype some project ideas.