
School's Out (of Security), AI's Out (of Line), WAF's Out (of Order)

ALSO: India downloaded 25.5 billion apps in 2025, proving humans will binge literally anything in bite-sized format...

We’ve almost made it to February—aka the Monday of months.

In honor of this last week of January, a bit of history: on this day in 2010, Steve Jobs walked onto a stage and introduced the iPad. (Basically a phone that someone fed too much protein powder.)

While critics called it "just a big iPhone," sixteen years later, the iPad is still crushing it harder than your will to live during a Windows update. Looking back, it's clear Jobs pulled off one of history's greatest "hold my beer" moments, proving that sometimes the best way to convince people they need something is to make it shiny enough to distract them from asking "but why?"

SECURITY TESTING APPS: WHEN "EDUCATIONAL" BECOMES "CATASTROPHIC"

Turns out, leaving intentionally vulnerable web applications exposed on the public internet is like handing out "kick me" signs to Fortune 500 companies. Who could have seen this coming?

Penetration testing company Pentera just dropped a report showing that hackers are having a field day with security training apps like DVWA, OWASP Juice Shop, and Hackazon. You know, those deliberately broken applications that are supposed to teach developers about security? Well, surprise! When you leave them connected to your actual cloud environment with admin privileges, bad things happen.

The researchers found 1,926 live vulnerable applications just sitting there on the public web, many with overly privileged cloud access. Even more embarrassing? Half of these setups still used default credentials, which in security terms is basically wearing a name tag that says "Hi, my password is ILoveMyMom123."

Hackers are already actively exploiting these, deploying crypto miners and webshells faster than you can say "this was supposed to be educational." One researcher found that 20% of DVWA instances contained malicious artifacts, proving that sometimes the best way to learn cybersecurity is by becoming a victim of it. Chef's kiss to whoever thought this was a good idea.

AI NEEDS A REALITY CHECK, SO WE LAUNCHED AN AI REVIEW

Speaking of things that need adult supervision, Experts Exchange just launched an “AI Review” question feature.

As we all know, AI has gotten really good at sounding smart while being catastrophically wrong. It's like that coworker who speaks with authority about everything, but somehow managed to break the coffee machine twice in one day. The new feature lets you submit AI-generated answers for human verification, because apparently we've reached the point where we need expert humans to fact-check our artificial experts.

We’ll begrudgingly admit that AI gets you 80% of the way there. But let’s not overlook that it also leaves you hanging for the last 20%. You know, the part where your code actually needs to work in production. EE's data shows more people than ever are showing up with "ChatGPT told me to do this, does it actually work?" (It usually doesn’t.)

The scariest part isn't when AI admits it doesn't know something, but when it confidently presents deprecated methods as current best practices while completely ignoring edge cases. Because why would AI care about your specific environment when it can just hallucinate a solution that works in theory?

CLOUDFLARE PATCHES A WAF BYPASS BUG: THE "SIDE DOOR" NOBODY ORDERED

Cloudflare just fixed a bug that turned their Web Application Firewall into Swiss cheese with a customer service attitude problem.

The vulnerability was hiding in their ACME certificate validation logic, aka the automated process that's supposed to make SSL certificates less of a headache. When Cloudflare was serving up HTTP-01 challenge tokens, its system would helpfully disable WAF protections for any request that merely looked like a challenge fetch (a token-shaped path under the standard /.well-known/acme-challenge/ location). The catch is that it never verified the token belonged to a challenge actually pending for the hostname being requested, so anyone could send a token-shaped request and skip inspection.

FearsOff researchers described it perfectly: "A certificate robot's hallway should never become a side door." Which sounds like something Yoda would say if he worked in InfoSec.

The good news is that there's no evidence of active exploitation before the fix. The terrifying news? In an age of AI-driven attacks, this type of bypass becomes far more dangerous: models trained to spot framework-specific weaknesses could turn narrow maintenance paths like this one into superhighways for malicious traffic. Because apparently, we needed our security vulnerabilities to have artificial intelligence too.
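To make the missing check concrete, here is an added model of the exemption logic (illustrative Python, not Cloudflare's code, and not a claim about how their edge is implemented): the "side door" version, which skips the WAF for anything token-shaped, beside a hardened version that only exempts a token our own ACME client is currently serving for that exact hostname, with a short TTL. The path pattern follows RFC 8555 (tokens use the base64url alphabet), the sample token is the one from the RFC's example, and the hostnames and the attacker requests are constructed.

```python
"""ACME HTTP-01 WAF exemption: token-shaped path only, versus host-bound pending token.
Added illustration of the bug class described above, not Cloudflare's code."""
import re
import time
from dataclasses import dataclass

# RFC 8555 s8.3: the token contains only base64url characters. A 32-byte token
# encodes to 43 characters; a length range beats a fixed length for interop.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]{22,128})$")

# Token from the RFC 8555 HTTP-01 example, used here as constructed sample data.
LEGIT_TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"


@dataclass(frozen=True)
class Request:
    host: str  # Host header / SNI of the zone being requested
    path: str  # request path only; a payload could ride in headers, query or body


def bypass_vulnerable(req: Request) -> bool:
    """The side door: any host, any token, as long as the path is token-shaped.
    Nothing ties the token to a challenge we are actually serving."""
    return ACME_PATH.match(req.path) is not None


class ChallengeRegistry:
    """Tokens our own ACME client is serving right now, keyed by hostname, with a TTL."""

    def __init__(self, ttl_seconds: int = 300, clock=time.monotonic):
        self._pending: dict[tuple[str, str], float] = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, host: str, token: str) -> None:
        self._pending[(host.lower(), token)] = self._clock() + self._ttl

    def is_active(self, host: str, token: str) -> bool:
        expiry = self._pending.get((host.lower(), token))
        return expiry is not None and self._clock() < expiry


def bypass_hardened(req: Request, registry: ChallengeRegistry) -> bool:
    """Exempt only an exact challenge path whose token is a live challenge issued
    for this very hostname. Anything else goes through the WAF like normal traffic."""
    m = ACME_PATH.match(req.path)
    if m is None:
        return False
    return registry.is_active(req.host, m.group(1))


def scenario() -> dict[str, tuple[bool, bool]]:
    """Constructed requests -> (vulnerable_bypasses, hardened_bypasses)."""
    registry = ChallengeRegistry()
    registry.issue("shop.example.com", LEGIT_TOKEN)
    cases = {
        "legit fetch by the CA": Request("shop.example.com", f"/.well-known/acme-challenge/{LEGIT_TOKEN}"),
        "attacker-chosen token": Request("shop.example.com", "/.well-known/acme-challenge/" + "A" * 43),
        "real token, wrong host": Request("admin.example.com", f"/.well-known/acme-challenge/{LEGIT_TOKEN}"),
        "traversal-shaped path": Request("shop.example.com", "/.well-known/acme-challenge/../admin"),
    }
    return {name: (bypass_vulnerable(r), bypass_hardened(r, registry)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in scenario().items():
        print(f"{name:24} vulnerable skips WAF: {vuln!s:5}  hardened skips WAF: {hard!s:5}")
```

The lesson generalises past ACME: any "maintenance path" exemption in a WAF or gateway needs to be bound to something the attacker cannot choose (here, a token your own client minted for that hostname, minutes ago), not to the shape of the request.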

⚙️ TOOL TIME

Get a Ubiquiti Switch. Free 14-day trial.

Get a Ubiquiti Switch for activating your FREE 14-DAY Auvik trial before March 13.

(no credit card required)

Auvik makes network monitoring fast and easy for 80,000+ IT pros worldwide.

Here’s what makes the test drive worth it:

  • Real-time monitoring 

  • Automated topology mapping 

  • Cloud-based deployment that takes minutes, not days

  • Built for junior techs and senior engineers so everyone can get value fast

  • Works with 700+ device vendors out of the box

  • Free Ubiquiti Switch

*Designed for IT pros and MSPs. See terms for eligibility details.

👨‍💻 JOB OPPORTUNITIES

The aerospace giant is looking for someone who can lead IT infrastructure with the precision of someone defusing a bomb while riding a unicycle (and promising to never blow the whistle!) Must juggle teams, budgets, and compliance frameworks like Tom Cruise in Mission: Impossible, but with more spreadsheets and fewer explosions.

Spectrum needs an IT expert to execute audits with the thoroughness of Gordon Ramsay inspecting a kitchen, except instead of finding hair in the soup, you'll find unpatched vulnerabilities in production systems. Bonus points if you can explain NIST frameworks without putting people to sleep.

Perfect for that techie who can visualize enterprise data management like Neo seeing The Matrix code, but instead of dodging bullets, you'll be dodging legacy system integration requirements and budget constraints.

Your chance to manage their multi-cloud environment across AWS, GCP, and OCI with the diplomatic skills of a UN peacekeeper and the technical chops of someone who actually reads RFC documents for fun.

🛩 INDUSTRY MOVES

  • Amazon CEO Andy Jassy admits the AI bubble might pop while simultaneously throwing more money at it, like someone betting on red and black at the same time because "diversification."

  • India downloaded 25.5 billion apps in 2025, fueled by AI assistants and microdrama apps, proving that humans will watch literally anything as long as it's bite-sized and slightly addictive.

  • Anthropic CEO Dario Amodei called chip exports to China "crazy" and compared it to "selling nuclear weapons to North Korea," which is either brave honesty or a really expensive way to burn bridges with your biggest investor.

  • Microsoft released a workaround for Outlook freezes caused by their own security update, because apparently the cure was worse than the disease, and now they're prescribing aspirin for the headache they gave you.

Hey there, ByteSize family! This week's EE highlight reel shows our community tackling everything from hardware archaeology to spreadsheet existential crises:

That’s all! Quickly logging off before another Chrome tab eats my soul! OH, don’t forget... AI can’t take your job if you confuse it first. That's a nice (un)ethical life pro-tip for you.

Got news to share or topics you'd like us to cover? Send ‘em our way by responding to this email. We can’t wait to hear from you. Really.