Posts by Mike 137

"The malware was embedded in Gasboy's Payment Terminal"

How?

Although, as usual, the capabilities of the malicious agent once installed get reported in detail, the key issue of how it got in in the first place seems either to have been ignored or suppressed by the investigators. This is commonly the case, particularly where the intrusion has been reported as "a sophisticated attack" (and ultimately turns out to have been a complete push-over). The result is that improvement is hampered. Stopping the initial intrusion is the strongest defence there is, but you have to know what you're up against.

Realistic outcome?

" what happens if the lights in the sky turn out to be spacecraft sent from another planet"

If they're flying over the Orange Man's plot and have any common sense, the occupants will take one good look and leave again fast.

"this Patch Tuesday, with just 72 fixes"

<sarc>Excellent</sarc> -- that's only about 860 per year (actually quite a lot more if 'just' is a valid qualifier here). And these guys describe themselves as providing us with 'security' !

Yet again (and again and again and ...)

SQL injection, authentication bypass and arbitrary file read. Out of the Ark all three. When will someone [a] ideally stop making these idiotic mistakes or [b] possibly less unrealistically, do some darned code review and testing?

Wrong way round?

"it will make it impossible, if not really hard,"

Surely, "really hard, if not impossible"?

"putting Tesla's ability to execute on full self-driving vehicles at risk"

Could anything achieve this better than the history of Tesla's attempts so far?

All very well but ...

A worthy attempt (if only at the symptomatic level), but benchmarks would seem somewhat moot in the face of some basic failings of principle from which the current AI paradigm suffers. The stochasticity of results and the effective impossibility of verifying how they were arrived at are fundamental barriers to trust (and indeed to a great extent barriers to improvement).

Grammar please

"code written with its Copilot AI model is "significantly more functional, readable, reliable, maintainable, and concise"

than what? Grammatically, "more" is a comparative, so this statement is meaningless unless it includes a secondary subject to compare the first with. So (not surprisingly) this is pure hype.

The key omission

"being able to detect, neutralize, and recover from attacks at pace, be it through their own technical implementations or with support..."

This excellently exemplifies the root of the problem. Almost everyone still thinks that cyber security is a technical issue. It's most definitely not - it's a cultural one with technical facets. While I accept without reservation that our technologies are deeply flawed and need constant protective attention, almost every reported data breach has fundamentally been down to poor decision making or sloppy management on the victim side or in their supply chain. Whether or not an entity can be secure is at least as much a matter of attitude as it is the deployment of tech fixes, including whether that entity operates proactively or purely reactively to identified threats, whether it operates a blame culture or not, and a host of other psychosocial characteristics. Indeed, the culture mostly drives the choices and adoption of protective technologies, so tech robustness and resilience can only be achieved where the entity is willing to invest the effort and expenditure to select, implement and maintain the most appropriate technologies.

But just because a job is "affected" by generative AI doesn't mean the role itself will go away

If this turns out to be a reality, it just means that the nature of the affected jobs will change -- from spending time making informed decisions to instead wasting it working out whether the AI is talking bollocks.

Amazing but probably in short supply

Ah, the brilliance of the few! Training in the fundamentals for this kind of real engineering (which are primarily a way of thinking, not just a body of knowledge) has become an essential for general education in our intensely technology-driven societies, as opposed to aiming for provision of soft options that merely avoid "turning teens off".

A fundamental error

"Much of the content, such as CPU functionality and fetch-decode-execute cycles, is abstract and challenging for students, overshadowing practical exposure to emerging technologies like AI"

We already have a general population of "users" who rely on (presumably better informed) others to define and provide the technologies they make practical use of but understand little or nothing about. Unfortunately, it is from that population that successive echelons of the supposedly better informed are largely drawn, so the societal body of real expertise declines, and with it the quality and reliability of the technologies..

"It also pointed out that it is possible to pass the GCSE Computer Science course while doing very little – if any – programming on a computer"

Perpetuating the myth that programming is the primary computer expertise. But someone has to design the hardware, develop the new languages and protocols, ensure security and robustness, and a host of other essentials. A nation of coders who don't understand the systems they're coding on or for is at a huge disadvantage when it comes to developing systems with increasingly far reaching societal impact.

So I concur there should be two pathways, but it would be a huge mistake to deprecate computer science in favour of mere "digital literacy", even if that includes user level practice on "AI".

"The GCSE contained out-of-date content about networks and internet protocols that could be removed from the specification to make way for more exciting material, Adamson said"

I'm not at all sure that "exciting material" is the best criterion for what constitutes sufficient baseline knowledge for potential practitioners in a highly technical subject.

"a study [PDF] by King's College London, the Nuffield Foundation, and Reading University also recommended broadening the GCSE curriculum and better teacher training and professional development in the subject"

So the current comp sci syllabus is inadequate^[1] and the teachers aren't sufficiently competent in the subject. Does this explain, at least to some extent, why the students are avoiding or dropping out of the subject? Maybe those deficiencies are the first things we should fix.

_{[1] I've taught on such courses and commonly found the (nationally ratified) syllabi patronisingly shallow and consequently boring to students. They generally needed deepening rather than broadening. We had to surreptitiously break the rules on order to impart useful knowledge and keep students' attention.}

Whether or not ...

"There may also be a nation state element to the attacks"

Regardless of this, it'd be interesting to discover whether these hospitals were targeted, or were merely so darned wide open they fell victim as collateral damage to a shotgun attack aimed at some third party (as in the case of notPetya). Having tried to do infosec in an NHS trust, I suspect the latter is most likely.

QNAP not alone

I have a Thecus NAS that has an "irritating" issue that's never been resolved. I used to power it down when not actively in use, but every so often after a few powerdowns it loses its boot password and refuses to go live again. Thecus provided a script that clears the password, but then you have to start from scratch again setting up access from all the machines that talk to it.

It appears that, despite NAS in principle needing to be robust ands reliable, they're in general thrown together like everything else in IT. What a surprise (!!)

Fail safe?

"when the driver loses the ability to apply torque, they will immediately receive a visual alert on the user interface, with an instruction to safely pull over the vehicle to the side of the road"

Whether that's actually possible is of course outside the realm of the manufacturer's responsibility, but in the absence of torque (i.e. drive to the wheels) it seems unlikely.

"AI can bring real benefits to the hiring process"

Ah, the mandatory lip service to the technocracy.

What benefits exactly? Is it possible that "human resources" folks aren't competent enough any longer to manage without an automaton to make their decisions for them?

HR used to be called Personnel -- the emphasis then being on people. That seems to have fallen largely by the wayside, but the use of "AI" for staff selection seems the final fatal step on the path to the automatisation of humans.

Some hope!!

"introducing more robust requirements in key areas: Risk management; corporate responsibility ..."

I doubt whether any organisation falling within the scope currently has a cat's chance in Hell of genuinely complying with these requirements, primarily because infosec risk management hardly exists in practical terms. The fundamental reason is that risk assessment as currently conducted is about as reliable as crystal ball gazing, so management decisions are based largely on utter nonsense most of the time. So until risk infosec assessment training gets real (i.e. includes the basic axioms of probability and how to apply them, robust methods for identifying potential root causes, and the psychology of good and bad judgement) no 'method' or tool will raise the quality of risk management to a standard that permits real corporate responsibility to be exercised.

Insufficient

"It said "vital safeguards" would remain in place to track and monitor how personal data is used"

The primary purpose of the GDPR was not just to allow monitoring of how personal data is used, but to provide data subjects with control over by whom and how their personal data is used (and by far not just in the context of automated decision making). This was essentially sidestepped in the fortuitously aborted Data Protection and Digital Information Bill, and the same would appear to be the case in this bill. The problem is that abusing folks' personal data rights is so profitable.

It's worth noting that the GDPR is not data law -- it's human rights law in respect of personal data, but I have it on official record that the UK govt (the last one at least) consider UK data protection law to be data law, not human rights law. Doesn't that say everything?

Really?

'Burger contends that this technology – at some point, some day – could lead to the development of "ectopic cognitive preservation." '

This assumption fails to recognise two critical limiting factors: [1] the sheer complexity of human cognition, which we still don't entirely understand, and [2] the massive amount of information that's being processed by the human brain all the time (not just conscious awareness but all the internal body control signals that we aren't conscious of). As Bob Ornstein commented over 30 years back, the brain is primarily a body controller. In the absence of a body it would very likely get utterly disoriented and might even shut down.

That neurones are capable of responding consistently to stimuli is a given, but that's a million miles from the "thinking brain in the jar". And in any case, the action resulting from the neural response is in this demonstration defined by the software. I wonder how the system would work long term if the software logic were reversed (to move away arbitrarily instead of towards the target in response to the stimulus)? If the result were a perpetual random walk, that would pretty much indicate that there's nothing even approaching the rudiments of cognition going on.

two sides of the same false coin

"One saving grace is that the researchers found many operators struggle to keep their RPKI code patched, as it lacks automated means to do so – so a supply chain attack might take a while to have any effect. Of course, slow patching also means some users may not have patched dangerous flaws

!!!!!!!!!

It would be nice if the code for something this critical wasn't such crap to start with. Am I just cynical, or is code quality in general actually declining?

Priorities

The greatest source of cyber threat in the cloud is the widespread assumption that your security management can be devolved on the cloud provider. It can't. They look after the security of their infrastructure, but every entry point to your cloud service is a potential attack target, and the responsibility for the security of all of these remains yours.

Those who thought they could "move to the cloud" and abandon their local IT security support were much mistaken.

Fundamentals

"Who's spending time and money in analyzing exactly why cybersecurity is so flawed"

We don't really need to spend much time and money to find this out. It's fundamentally down to there being no universal binding standards to adhere to in software development. It's the only branch of engineering in which neither formal qualifications for practitioners nor universal criteria of performance are enforced. Software development is therefore, in engineering terms, at the phase of maturity that steam engines were in the late 18th century. The big problem is that the solution (universal binding standards based on results rather than merely in process management, as already in other branches of engineering) will require a huge effort (and much cost and time) to develop and implement. The harsh reality is that we've become too dependent on software before it's ready to be relied on. No amount of "liability", penalties or sanctions will fix this, as the root cause is primarily shortage of expertise, not negligence. The negligence is a symptom of current conditions, which are assumed to be inescapable so the problem persists.

Questionable position

"sticking instead to the line that there is currently no evidence of customer data being compromised"

Not a valid position. "we haven't found any evidence" does not equate to "there is no evidence". Largely depends on how much appropriate effort has been expended in looking for evidence.