CyAIber Vocab: Words Mean Things. Who Knew?

Cyber, AI, Disruption! There are some impactful things going on in the world of AI right now, and that can make people nervous. There’s also quite a bit going on in the world of Cyber, and that’s always gotten people a little shook. Mix them together in a few academic-style whitepapers that get traction on social media and you’ve got yourself quite the hype train, regardless of whether that was the intention or not.

This article does not strive to influence any perspective about AI in general, but rather state things as they are and have been for a while in relation to cyber, and define a few terms in plain language so you can both read and write about how you’re feeling about a thing accurately.

AI Marketing

Global spending on AI in marketing is estimated at $20.4 billion for 2024. You have seen AI marketing. You have. It’s everywhere. In many forms that you don’t expect it to exist. If you haven’t seen it everywhere, ask a trusted friend what to look for in order to ground yourself. That’s AI marketing, the thing most people don’t notice is different. A subtle, but encompassing influence.

Cyber

“Cyber” has evolved into a standalone prefix broadly associated with computers, digital networks, and the internet.

Bug

A bug in software refers to unintended behavior in a program. Sometimes the math is wrong, sometimes the math is right but doesn’t present correctly, sometimes it’s a literal bug. Really, a bug can be anything unwanted. A typical development process will fix hundreds of bugs a year.

Potential Vulnerability

Still just a bug that either intentionally or unintentionally fails to meet the onus of evidence for classifying it as a vulnerability. A bug with a story. A bug with a narrative. High potential because it’s not disproven, low impact because it’s not real. A potential vulnerability implies impact to security through implications of a bug. Useful for drawing attention to a thing when the onus of evidence is high, toilsome, theoretical at the time, etc… Most often misused as a way to confuse people who get scared of the terminology to extract money, attention, or publicity.

Sometimes there are valid reasons for evidence not to be provided to you personally, but usually these are provided to at least someone publicly vetted/trusted. If no one has evidence including you, rest assured the other party is overstating impact and stats to distract you from the fact that they have no actual evidence. The most basic of cons, wrapped in cyber terminology.

“Your site is missing 999 important security headers, this is a potentia—”

“Is it actually a vulnerability, or potentially a vulnerability?”

“As you can see your site is actually missing important security headers that could potentially have security impact, if you pay me I’d be happy—”

“Proof-of-Concept or get the fuck out.”

Vulnerability

A bug that has security implications.

Exploitable

When a vulnerability is provable or demonstrable with a Proof-Of-Concept to have security impact. This is where Pinocchio becomes a real boy instead of just a puppet orchestrated by strings for entertainment value or to spook people for monetary extraction.

Proof-Of-Concept

Abbreviated as “PoC”; a demonstration that shows something is real, that an idea works, or that an attack can actually be carried out.

PoC || GTFO

PoC||GTFO (International Journal of Proof-of-Concept or Get The Fuck Out) is a celebrated, community-driven hacker zine and book series that focuses on reverse engineering, file format exploits, and creative security research. Edited by “Pastor Manul Laphroaig,” it promotes the philosophy that if a researcher claims a vulnerability exists, they must provide a working demonstration (a Proof of Concept) or else stop talking.

Summary

Developers fix large numbers of bugs regularly; most bugs are fixed before they even reach the point of being a potential vulnerability. Potential vulnerabilities, vulnerabilities, and bugs are bugs. There are always new tools (fuzzers et al, disassemblers, SMT solvers, etc…) that enhance the ability to discover and be aware of more bugs. Exploits and Proof-of-Concept are the things that meet any onus of evidence for actually having an impact. AI Marketing is marketing with AI, but sometimes it’s also marketing AI with AI.

AI is incredibly cool, incredibly powerful, and continues to improve. That alone is worthy of praise. The rest remains to be scrutinized, and I hope this terminology assists in grounding yourself the next time you see a whitepaper. There are very interesting things to be understood in the content.