Friday Squid Blogging: Balloon Squid – Source: www.schneier.com

Source: www.schneier.com – Author: Bruce Schneier

Masayoshi Matsumoto is a “master balloon artist,” and he made a squid (and other animals).

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on July 14, 2023 at 5:00 PM
56 Comments

Comments

Mr. Peed Off


July 14, 2023 6:06 PM

AI image generators are now requiring an invisible watermark which was previously optional. Originally designed for copyright purposes, it is now being used to identify generated pictures and possibly trace their source.

modem phonemes


July 14, 2023 6:42 PM

@ Mr. Peed Off

identify generated

This should be done with all AI generated content image or text. Include the source and the name rank and serial no. of the particular AI. Then AI training poisoning by AI output could be avoided. Also, distribute an app that reads this sigil so the internetz user can automatically skip that machine trash, and look at only human trash. … But wait …

SpaceLifeForm


July 14, 2023 7:07 PM

Storm-0558

It may be Silicon Turtles

‘https://www.bleepingcomputer.com/news/microsoft/microsoft-still-unsure-how-hackers-stole-azure-ad-signing-key/

‘https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

name.withheld.for.obvious.reasons


July 14, 2023 7:16 PM

@SpaceLifeForm


Maybe Microsoft’s certificate(s) weren’t stolen, maybe they were sold without MS’s knowledge. Shouldn’t issuing CAs have limited storage and retention of key mat?

SpaceLifeForm


July 14, 2023 8:07 PM

At this point in time, it appears that something has changed.

‘https://nitter.poast.org/emptywheel

I pay attention and connect dots.

Clive Robinson


July 14, 2023 8:32 PM

@ SpaceLifeForm, name.withheld…, ALL,

Re : With the key to the Kingdom…

“Storm-0558 It may be Silicon Turtles”

The joys of highly hierarchical power structures when “a root of trust” walks out the door. From that point down if it’s in your pocket, you are the one eyed man in the Kingdom of the blind.

The real question about the alleged attackers is,

“If they knew the attack would be short lived, what did they do with the time they had?”

Microsoft appears to be either unknowing, or keeping it very quiet for some reason not yet known.

I suspect it could be both, as they keep looking to prevent it being a “Foot hold situation”… Microsoft likewise don’t want others who could have been affected taking flight or pushing for pecuniary award.

As you know I’ve maintained my “cloud is a bad idea for most reasons” stance for many years now… likewise my view on crypto-signing not just of code etc but trust in both the specific and general. This event just shows my reasoning valid on both views yet again for the umpteenth time…

Only this time is it the fourth or eighth circle those who pushed have entered? Having passed unheeded the warning,

“Lasciate ogne speranza, voi ch’intrate”

For those so blighted this is not a “Divine Comedy”, but a “hellish inferno”, that could seem eternal.

lurker


July 14, 2023 10:36 PM

Historically, this threat actor has displayed an interest in targeting (blah) … to obtain unauthorized access to email accounts … through credential harvesting, phishing campaigns, and OAuth token attacks … since at least August 2021

So these guys have been in action for two years in some way or another and MS just sat there watching?

As we continue our investigation into this incident and deploy defense in depth measures to harden all systems involved …

After the turtle has bolted is a dandy time to think about buzzwords or defense. A hardened cynic would know that MS cannot be allowed to crash and burn, it would take the whole nation with it …

Phillip


July 15, 2023 12:28 AM

Do they teach this in B-school?

You may delete any payment method, unless: one payment method remaining.

SpaceLifeForm


July 15, 2023 2:13 AM

@ name.withheld.for.obvious.reasons

MS is their own CA.

Maybe they just really screwed up their process.

Maybe there is/was an insider that has/had access.

Suspect still existing insider.

Wesley Parish


July 15, 2023 6:11 AM

I’ve been wondering over the past few months if it’s possible to have too much security.

To wit, I’ve got a gmail account, as will a lot of others, and Google got heavy on me a short while back, asking me to set up a 2FA system. Which I didn’t; I figure my passwords are generally not the “password123” sort and at times even I have had difficulty following my logic in constructing them. And besides, I’ve at times had to change my landline phone number; I don’t expect much constancy in that department. And doing a man-in-the-middle on an insecure landline or badly-secured cellphone connection is as much a possibility as having my home PC comprehensively hacked: I prefer doing my webmail via the private window for much the same reason as doing my banking via the same method.

At any rate, using my current password, I found gmail wouldn’t let me onto the webmail interface, telling me I hadn’t proved I was who I claimed to be, while at the same time, my email client was happily connecting. And the FAQs/Help/Howto pages were of course no good, because amongst other things, they said that I’d be allowed back after seven days without the extra identity tests. Except that seven days came and went and no, I was not allowed back.

So if some lout with a trifle more than the average patience, were to reconstruct the (il)logic of my password creation and hack into my account, I would have no recourse, being barred for no good reason from accessing the webmail interface, which is the only one that allows me to change the password.

From my point of view, this is a trifle self-defeating. I can’t answer for the gmail branch of the Google corporation.

What do people think?

GratefulReader


July 15, 2023 9:30 AM

This week, my favorite nugget of information via Bruce is the following…

From this: https://www.schneier.com/blog/archives/2023/07/class-action-lawsuit-for-scraping-data-without-permission.html

“… What this means is that text from before last year — text that is known human-generated — will become increasingly valuable. …”

If accurate, we only have one “chance” (a time period) to extract healthy unpolluted citizen data… and that time may already have passed us… I would not have considered AI feedback loop pollution offhand… super great info to be aware of as things progress. Knowing of this potential, and relative degradation over time of publicly available data (at least), will certainly help political discourse with representatives/others as AI-related legislation or related constructs are considered. The effects of AI on data health and related value… fascinating!

Also… tangential, not directly related to above…

I never say the following because I figure I’ll see Bruce at some conference some day but, as happens, life goes by, day by day… so forget waiting, let me just say…

Dear Bruce, You awesome security professional, inventor, patriot, evangelist for reasonable security and security awareness for the citizen… I’ve been learning from you since decades past, including from your very generous technical books, CDs, blogs… I have described you as the “Citizen’s NSA”… what I’ve taken in from you has translated to good consideration and information I’ve been able to pass on both in conversation and on the job, in the work. I could go on for reams… let me just say… Thank You for making our world better/safer place by distilling many important if not critical security and other nuances that affect all of us daily. Your contributions challenge ignorance, enlighten citizens… and inspire others to carry something forward… I’m super inspired by, grateful to you… thank you!

SpaceLifeForm


July 15, 2023 2:42 PM

This was a big catch

Note that they back-patched old stuff.

‘https://www.bleepingcomputer.com/news/security/rockwell-warns-of-new-apt-rce-exploit-targeting-critical-infrastructure/

Rockwell strongly advises applying the security patches it released for all affected products (including those out of support).

vas pup


July 15, 2023 5:40 PM

Israel earmarks NIS 113 million to build R&D center for chip-based biodevices

https://www.timesofisrael.com/israel-earmarks-nis-113-million-to-build-rd-center-for-chip-based-biodevices/

“Israel is allocating NIS 113 million ($31 million) in funds for a new research and development center to boost the nation’s edge in the intersection of biology with other sciences for medical tech purposes.

The Israel Innovation Authority, in charge of the nation’s technology policies, on Wednesday announced the tender for the establishment of the center that will provide R&D infrastructure needed by startups ==>to build biodevices based on biochips. The tender is part of Israel’s national bio-convergence program.

Bio-convergence is a growing industry that integrates biology with additional disciplines from engineering such as electronics, artificial intelligence, physics, computer science, nanotechnology, material science and advanced genetic engineering, in a bid to meet global health challenges.

==>Biochips are advanced microdevices that combine biology, engineering and microtechnology.

The miniature chips integrate multiple laboratory functions onto a single platform and are capable of analyzing biological samples, including cells, proteins, or DNA, as well as perform biological reactions such as decoding genes, similar to a computer chip performing a multitude of mathematical tasks. They are used in fields such as healthcare, diagnostics and pharmaceutical research for DNA sequencing, drug development, diagnosis and monitoring of biological processes, and more.”

vas pup


July 15, 2023 5:49 PM

India launches rocket carrying rover to the moon https://www.dw.com/en/india-launches-rocket-carrying-rover-to-the-moon/video-66240613

“India’s space agency has launched a rocket that will attempt to land a robotic rover on the moon. The Chandrayaan-3 mission aims to touch down on the moon’s largely unexplored south pole. One objective is to explore the region for ice.”

vas pup


July 15, 2023 6:01 PM

Why your favourite brand may be taking a social media break ++++

https://www.bbc.com/worklife/article/20230712-consumer-brands-leave-social-media-meta-threads

“We are a social brand, and community has been key for us,” says Annabelle Baker, Lush’s global brand director. “When we joined social media, Facebook and those platforms were everything we were looking for initially: they were direct links to the communities.”

But Baker says they withdrew when ==>social media changed to being inherently less social and user-centric, mediated instead by algorithms controlled by companies.

Although Lush re-emerged on the platforms during Covid-19 in order to reach customers during lockdowns, the beauty brand has now gone dark again. They’ve been off social media for almost two years – and don’t have current plans to come back.

But some brands have also been feeling a distinct sense of unease about social media in general. First, like Lush, some companies are unhappy about the way the platforms operate and their management.

But perhaps more pressing is the risk of followers turning on brands amid the !!! volatility and !!! toxicity of some social media user bases. As social media has polarised society in unexpected ways, brands have found many users quick to criticise an account they believe has mis-stepped.

“At this point, it’s hard to imagine a future where brands start pulling out of social media platforms en masse,” he says. Yet he adds it’s possible we’ll see more brands pulling back, especially ==>if “they can’t quantify the value or start believing the risks outweigh the rewards”.

Clive Robinson


July 15, 2023 7:52 PM

@ SpaceLifeForm, Bruce, ALL,

Re : Yet another “Industrial Control system”(ICS) SNAFU…

“Rockwell strongly advises applying the security patches it released for all affected products (including those out of support).”

I’m interested about the “released for all affected products (including those out of support” aspect.

Outside of the niche ICS world it’s generally not known just how long equipment can stay “in the field”. Let’s put it this way, I personally know of kit that is well into five decades, and some real “Ladder Logic” into at least six decades[1]…

The only other stuff you generally find that old is in “services and sanitation” where electricity meters used to spend 50 years in people’s homes. Ladder logic in lift controllers in multistory buildings. Power substations half a century or more. As for gas just don’t even try to guess, some of it is in cast iron boxes half an inch thick that uses bolts in a standard that no longer gets used… As for water and sewerage, well in some places they still use “pulse dialing” to remote control, just as some railway signalling still works on century old systems…

So “including those out of support” could be a bit longer than the 18-36months most in mainstream ICTsec might assume…

[1] I’m still supporting stuff I did in the 1970s using 1802 processors… And I’m, to quote the words of a film, “a god-damn retiree”, though not a “grandpa” (as far as I know 😉 So I’ll just dig out the REO Speedwagon vinyl and a glass of the highland spirit, sip and reminisce.

Clive Robinson


July 15, 2023 9:17 PM

@ vas pup, SpaceLifeForm, ALL,

Re : It’s not as Lush as it once was, and ICTsec will be worse.

I’ve kind of been dropping the hint that the “Social Media” bubble was on its way down. Meta losing 3/4 of its share value, Twitter was on a near straight line descent from well before Hellon Rusk “did a Dixie” on it. Likewise others. As it became clear that what advertisers were being told about “eyes on ads” was at best baloney (Google especially).

So to read the Lush representative saying,

“When we joined social media, Facebook and those platforms were everything we were looking for…”

Even though rationally expected… Seeing the past tense “were” was still “an ouch moment”… Like hearing the tinkle on concrete of the pin from a hand-grenade, you kind of have a foreboding of what’s going to happen next…

We know the US Recession is in all probability going to get a lot worse. As “On-Line” advertising has been shown to be quite a con, and the marketing side less and less effective, I would expect a further withdrawal of scarce resources from what is increasingly looking like a “Lame Duck”.

Throw in Web3, NFTs, and similar faux-investments that have deflated like a “whoopee cushion” under the rump of the elephant in the room… And in all likelihood AI LLMs not hanging in long enough for Venture Capitalists to skin/con corporate investors profitably…

But also all the “re-structures” with tens of thousands of ICT sector lay-offs, (250,000 and rising). There is a chance the ICT sector may become a downward pressure on the whole US Economy…

Which is where ICTsec is going to become a nightmare as foreign government sponsored APT and Faux-News is going to see way less opposition, thus we will probably see an uptick in their activities…

ResearcherZero


July 15, 2023 11:50 PM

“For a shop as large as Microsoft, with that many customers impacted—or who could have been impacted by this—it’s unprecedented.”

…“It’s very likely there was either a flaw in the infrastructure or configuration of Microsoft’s certificate authority that led an existing certificate to be compromised or a new certificate to be created,”

‘https://www.wired.com/story/microsoft-cloud-attack-china-hackers/

ResearcherZero


July 16, 2023 1:54 AM

Pay-for-Logs

“If you’re not an E5-paying customer, you lose the ability to see that you were compromised.”

‘https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-role-in-0-days-that-caused-email-breach/

“Hikvision has published various fixes but, as this shows, has not done enough in publicizing or contacting impacted users to stop these types of attacks.”

“The hacked video feeds are from many different countries, reflecting the fact that Hikvision cameras are used around the world.”

“Because the Hik-Connect app does not use the cloud for generating the QR code, this makes it more difficult to effectively track QR code sharing. The Hik-Connect app itself is cloud controlled. While many cloud video surveillance providers force firmware updates on devices, Hikvision generally does not.”

‘https://ipvm.com/reports/cp-sale-hack

“You cannot create a back door that only the good guys can go through.”

‘https://fortune.com/2023/07/13/signal-president-mass-surveillance-uk-law/

Clive Robinson


July 16, 2023 7:32 AM

@ ResearcherZero, Bruce, ALL,

Re: Get your feet on the ground and head out of Microsoft’s Azure…

With regards,

“For a shop as large as Microsoft, with that many customers impacted—or who could have been impacted by this—it’s unprecedented.”

Is it really unprecedented?

Of course not. Ever heard the old truism of,

“All your eggs in one basket”

Well Microsoft, AWS and all other clouds are “baskets” and not just “basket cases”. Our host @Bruce has pointed out years ago what a very bad idea “centralized” security was with the likes of ID theft, because attackers only had to attack one system instead of dozens of systems.

I remember back then instantly remembering the famous quote attributed to “Willie Sutton” in 1951 that became “Sutton’s Law”,

Q : Why did you rob banks?

A : “I rob banks because that’s where the money is”

But long before that fathers used to advise sons,

“If you want to be rich go where the money is”

So the modern equivalent for APT types would obviously be,

“If you want lots of intelligence go where the data is.”

Trite but true, and should be obvious… but apparently a journalist thinks not, as apparently does a large chunk of ICTsec people.

But do they actually?

I suspect some see it another way. Businesses want “Cost Cuts Now” irrespective of vastly ramped up future costs. But… They will also pay big to get “Cost Cuts”. This oddity can be seen especially clearly in Government spending where the only way you can get money to do anything is to “fake up a cost saving justification”…

So you get this interesting idea of,

“If we spend big and get into some other organisations cloud, we will save money. But that other organisation is a business so they too will cut costs and up fees when they’ve achieved lock-in.”

And as we know Microsoft has been accused of bad practice by regulators to achieve lock-in, introducing all sorts of fees, and now they are into “shedding work force” big style round two…

Does this really sound like a recipe for cost savings?

Nope. Does it sound like a recipe for security?

Nope. Does it sound like a recipe for flexibility?

Nope. How about agility?

Again nope. I could go on with a lot more similar question but how about the obvious one as a closer,

Does it sound like a recipe for success?

Longterm… “Not a snowball’s chance in hell”, but then “the long run” is not what modern capitalism is about.

Speaking of snow, perhaps a new meme, to update the “Fight Club” short monologue[1] from the last century. How about,

“Clouds are where snowflakes fall to their demise.”

Just a thought to remember.

[1] Written by American novelist Chuck Palahniuk back in 1996 and much memed,

“You are not special. You are not a beautiful and unique snowflake. You are the same organic and decaying matter as everyone else.”

Twenty one years after writing, when it had effectively “come of age”, Chuck said of it,

“I coined ‘snowflake’ and I stand by it”.

Phillip


July 16, 2023 11:57 AM

Microsoft’s online presence is really bloated, in general. Not terrible, just places where one notices how they have made their own bed.

And if one might see how they can never finish organizing something they created? I start to question it. In all fairness, it does seem as though some of the employees are present with the problem.

On the flip side, when I look for an answer for something Microsoft, do use Bing, not Google. Say, an example PowerShell script to do X.

This might seem obvious to me, though it is curious how Google might supply one with the most obtuse answer. Like, really???

Clive Robinson


July 16, 2023 2:54 PM

@ ResearcherZero, Bruce, ALL,

As I noted in my above with,

“Well Microsoft, AWS and all other clouds are “baskets” and not just “basket cases”.”

It’s not just Microsoft, but also it’s not just Government sponsored APT, criminals of a more common kind are at it as well. Which is why we get recent stories like,

https://www.theregister.com/2023/07/15/teamtnt_aws_azure_google/

There are ways you can have security, they take some thought and care and sensible allocation of resources.

But one thing is certain, just giving it to others who you have no actual control over, in the vague hope they will do a better job than you could for less, and on openly / publicly accessible systems is not exactly a recipe for assured success…

vas pup


July 16, 2023 6:25 PM

The US military revives an idea for stealthy sea power


https://www.bbc.com/news/business-65958967

“”If you think I’m doing The Hunt for Red October, the answer is yes,” says Susan Swithenbank of the US Defense Advanced Research Projects Agency (Darpa).

The 1990 film, starring Sean Connery, featured a Soviet submarine – Red October – which had a near-silent propulsion system, making it very difficult to detect.

Now, 30 years after the movie, Darpa is working on a marine propulsion system similar to the “caterpillar drive” described in the movie.

Called a magnetohydrodynamic (MHD) drive, the system has no moving parts at all – just magnets and an electric current.

It works by generating a magnetic field at a right angle to an electric current. That creates a force – called the Lorentz force – which acts on the sea water and propels the craft along.

The Yamato project showed that much more powerful magnets would be needed, plus more robust electrodes – the parts of the drive which make contact with the water.

According to Ms Swithenbank, the first of these problems may well be easily solvable now, with a new generation of magnets, developed by the nuclear fusion industry.

Fusion is the reaction which powers stars. But to make it happen here on earth often requires extremely powerful magnets to contain swirling clouds of burning hot plasma.

The force generated by these new magnets has been likened to double the pressure at the bottom of the deepest ocean trench.

While more powerful magnets are now available, the second problem, how to protect the electrodes, still needs work.

Metal corrodes when placed in seawater and an electrical current accelerates that process. Some types of magnetic field have the same corrosive effect.

On the Yamato-1 it was found that electrodes were losing around 3% of their mass per year.

Jeffrey Long, a research chemist at the US Naval Research Laboratory (NRL), is a battery specialist, and is expecting to take part in the Darpa programme, along with colleague Zachary Neale.

“Essentially, we want electrodes that don’t corrode, while still supporting the high electrical current density required for effective operation.”

However, improvements in coatings by the fuel cell and battery industries in recent years mean this problem may well now be solvable.

Passing a current across seawater breaks the hydrogen-oxygen bond, creating gas bubbles on the electrodes which creates resistance and reduces the efficiency of the MHD.

Potential solutions will have to be tested, including gas-diffusing electrodes created by the fuel cell industry. Other techniques sweep away the bubbles before they build up.

Finally, there’s the issue of erosion, with collapsing bubbles creating pitting. “It’s like having sandpaper on your electrode,” says Ms Swithenbank. Here too, though, work in other industries is showing promise.”

Without moving parts, MHD drives should need much less maintenance than existing propulsion systems.

“But the real reason everybody’s interested in it is that, because there’s no moving parts, it’s also much quieter,” says Ms Swithenbank. “There’s no question that for national defence, that’s a huge advantage.”

A quiet system, without dangerous propellers thrashing around, could be better for wildlife as well.”

Clive Robinson


July 16, 2023 9:25 PM

@ ALL,

Re : @vas pup – AI regulation & Paywall.

I browse with javascript and cookies “off” and apart from an annoying message the page appears to load up well enough to read.

Clive Robinson


July 16, 2023 9:49 PM

@ vas pup, ALL,

Re : magnetohydrodynamic (MHD) drive

It’s one of a couple of ways to make “water jets” without moving parts.

However a couple of things,

1, It’s not silent.


2, It drives some fish nuts.

The reason it’s not silent is actually it has a moving part, the water in the drive pipe. Which as it moves at different velocities produces vortex effects which give rise to noise.

As for the fish going nuts… Some are extraordinarily sensitive to electricity, they actually hunt by sensing the voltage caused by organisms’ muscles working… The MHD produces millions of times this voltage.

There is another issue, one way to reduce corrosion is to use an alternating voltage, but that requires an alternating magnetic field as well. A downside of this is “magnetostriction”, basically metal twitches which makes noise as the field reverses. It also has high hysteresis loss thus reducing efficiency. The device used in echo depth gauges and to find submerged objects uses magnetostriction to generate the pulse at tiny fractions of a horse-power… So you can see that trying to fix one problem can make new ones or existing problems worse.

But also magnetic fields can be pesky in that they can attract all sorts of junk that can quickly become fouling which results in other sources of noise…

Oh and magnetic fields are difficult to contain and even during WWII the natural magnetic field of a ship could be detected by a mechanical device that would “fire the pistol” charge in a mine… Which is why regular degaussing of ships had to be done.

Yes these are all “technical problems” that have solutions but at what price?

I guess we won’t find out any time soon if at all 😉

SpaceLifeForm


July 17, 2023 3:06 AM

Oops. Looks like Kerch strait has gained some riffraff for the fish.

‘https://s3.eu-central-2.wasabisys.com/mastodonworld/media_attachments/files/110/727/757/812/053/701/original/901fd0caea757269.png

ResearcherZero


July 17, 2023 4:01 AM

interesting paper regarding exposed keys…

Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact

‘https://arxiv.org/pdf/2307.03958.pdf

“The breach has thrown Microsoft’s security practices under scrutiny, with officials and lawmakers calling on the Redmond, Washington-based company to make its top level of digital auditing, also called logging, available to all its customers free of charge.”

‘https://www.itnews.com.au/news/microsoft-says-chinese-hackers-used-code-flaw-to-steal-emails-from-us-agencies-598009
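An added example, mine rather than the paper’s or any commenter’s, of the kind of scan the container-image study above is about. It walks a docker-save style image tarball layer by layer (constructed in memory here; the planted secrets are a stub PEM block and Amazon’s own documented example AWS credentials) and regex-matches every regular file. Scanning each layer independently is the point: the second layer “deletes” the SSH key with an OCI whiteout entry, which hides it from a running container but not from anyone who pulls the layers.

```python
import io
import json
import re
import tarfile

# Patterns a minimal scanner looks for: any PEM private-key header, an AWS
# access key id, and an AWS secret access key anchored on its variable name.
SECRET_PATTERNS = {
    "private_key_pem": re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?i)aws_secret_access_key\s*=\s*[A-Za-z0-9/+]{40}"),
}
MAX_FILE_BYTES = 4 * 1024 * 1024  # skip large blobs; keeps the scan fast


def _tar_bytes(files):
    """Build a tar archive in memory from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed docker-save style image: manifest.json plus two layers.
    Layer 1 bakes an SSH key and an .env into the image; layer 2 'deletes'
    the key with an OCI whiteout entry, which hides it from the merged
    filesystem but leaves the bytes in layer 1 for anyone who pulls it.
    The AWS pair is Amazon's documented example key, the PEM body is junk."""
    layer1 = _tar_bytes({
        "root/.ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                             b"bm90LWEtcmVhbC1rZXk=\n"
                             b"-----END OPENSSH PRIVATE KEY-----\n"),
        "app/.env": (b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                     b"AWS_SECRET_ACCESS_KEY="
                     b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        "app/main.py": b"print('hello')\n",
    })
    layer2 = _tar_bytes({
        "root/.ssh/.wh.id_rsa": b"",  # whiteout: removes id_rsa from the merged view only
        "app/README": b"nothing to see here\n",
    })
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example/app:latest"],
        "Layers": ["l1/layer.tar", "l2/layer.tar"],
    }]).encode()
    return _tar_bytes({
        "manifest.json": manifest,
        "config.json": b"{}",
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


def scan_image(image_bytes):
    """Scan every layer named in manifest.json independently and return
    [(layer, path, pattern_name)] for each regular file that matches.
    A secret removed in a later layer is still present in an earlier one."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as layer:
                for member in layer:
                    if not member.isreg() or member.size > MAX_FILE_BYTES:
                        continue
                    data = layer.extractfile(member).read()
                    for pattern_name, pattern in SECRET_PATTERNS.items():
                        if pattern.search(data):
                            findings.append((layer_name, member.name, pattern_name))
    return findings


if __name__ == "__main__":
    for layer, path, kind in scan_image(build_sample_image()):
        print(f"{layer}: {path}: {kind}")
```

Run against a real `docker save` tarball by passing the file’s bytes to `scan_image`; a tool that only inspects the merged root filesystem would report nothing for the sample image, because the whiteout in layer 2 hides the key.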

ResearcherZero


July 17, 2023 4:25 AM

Workplace Culture

“These high priests of capitalism have been carrying on the dual role of auditing and consulting for years and have largely been left to their own devices to manage the conflicts.”

‘https://www.abc.net.au/news/2023-07-17/pwc-ey-kpmg-deloitte-government-10-billion/102602370

bullying, harassment and misconduct, six cases of sexual harassment and four data breaches

‘https://www.pwc.com.au/about-us/assets/firmwide-transparency-report-fy22.pdf

Deloitte disclosed the breach as part of an ongoing Senate inquiry, but has so far refused to provide any more details about the incident due to client confidentiality.

The firm has also detailed how it was dumped by the Home Affairs department after it failed to disclose a conflict of interest. A similar breach was also identified while working with the Australian National Audit Office (ANAO).

‘https://www.theguardian.com/business/2023/jul/14/deloitte-misuse-of-government-information-senate-inquiry-pwc-scandal

“Each level punishes the next level down. They see it as: ‘If I had to do it, then you have to do it’ and it propagates the same kind of bad behaviour.”

‘https://www.news.com.au/finance/work/auditors-from-big-4-financial-services-firms-lash-working-conditions-at-deloitte-pwc-and-ey/news-story/88e1c1e3f95e16d42729416d7b599092

“The reviewer found despite the seriousness of some complaints, there appeared to be a lack of response to these concerns, a lack of record keeping and a lack of capacity to respond to complaints.”

Pointing to the dysfunctional culture of the agency’s workplace, the report identified that a formal staff complaint was made, on average, every four to six weeks over a period of five years. …a senior manager resigned after urinating on a co-worker.

https://www.abc.net.au/news/2023-07-14/apvma-pesticides-urination-review-delivered/102597720

The review said the agency did not enforce chemical regulations effectively and was at high risk of bending to the will of the industry it is charged with regulating.

‘https://www.smh.com.au/politics/federal/joyce-s-controversial-decision-sparked-agency-s-downward-slide-review-20230714-p5dobs.html

‘The Hapless Victims of Circumstance’

“Politicians on all sides, public servants and even the press gallery would be making a grievous mistake if they expect that the system will be cleansed by the disgracing of Morrison, and his eventual departure from parliament.”

Morrison’s conduct in office, and his subsequent refusal to accept the conclusions of a library shelf of damning reports into his misuse of power, is an extreme example of a political culture that created and enabled him…

‘https://www.smh.com.au/politics/federal/our-political-swamp-will-not-be-cleansed-by-the-disgracing-of-morrison-20230713-p5do4w.html

Winter


July 17, 2023 4:28 AM

@SpaceLifeForm

Oops. Looks like Kerch strait has gained some riffraff for the fish.

I suspect your image is an exaggeration of the damage to the bridge.

Clive Robinson


July 17, 2023 5:54 AM

@ SpaceLifeForm, Winter,

Re : Artificial reef making.

Like @Winter I’m suspicious, the shimmer on the water looks wrong, and I would expect damaged pieces to still be sticking up.

If you look at the ship’s wake it just disappears at what looks like an image manipulation terminator line. Where the shimmer starts to look wrong.

Now the fun bit,

“If the image has been manipulated, was it by the touch of man or AI?”

So,

Answers on a postcard to “Walk on water Competition” C/O Waggoner Gon HQ, Myronivska Street, Popasna, Donblast.

Clive Robinson


July 17, 2023 6:48 AM

@ ResearcherZero, ALL,

Re : Paper on exposed keys in Docker containers.

The RWTH Aachen University paper is interesting to read (for those looking for a short cut read Intro, §5.2 §6 §8)

The reality is this problem goes back a long long way to the days when a “container” was a tar image for a chroot() jail…

So after more than five decades… again we appear not to be learning from our “living memory” history in ICTsec.

But it may soon get worse.

A closer look at the figures of 9% in Docker Hub and only 6.3% in other more private repositories, suggests that it may be part of a “learning curve”. With entries in Docker Hub “showing what people can do” in addition to their CVs etc, with increasing lay-offs happening, we can expect more containers to appear at the Docker hub rate… So this may get worse as an issue.

However the paper mentions an important point In §8 –Conclusion– but then does not follow up on it, so it’s security implications may go missing on many. It is,

“Notably, many private keys automatically generate when installing packages during image creation.”

This can create a problem which not as many people are aware of as they should be.

It’s known that many “Random Number Generators” are not as good as they could be especially when they “start up” and in the past it’s been found that embedded systems certificates can suffer from,

1, Shared Primes.

2, Short walk apart Primes.

And unfortunately there are fast ways to find these.

I suspect it might make another interesting paper if somebody wants to research it…
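The two weak-key classes listed above (shared primes, and primes that are a short walk apart) are both things a defender can check for across an inventory of public keys. The following is an added example, not code from this thread or from the Aachen paper: it audits a constructed set of small RSA moduli, flagging pairs that share a factor (pairwise GCD) and moduli whose two primes are close enough that Fermat’s method splits them within a bounded number of steps. The modulus values, the key names and the 10,000-step bound are constructed assumptions chosen so the example runs instantly; real 2048-bit moduli would be audited the same way, with a batch-GCD product tree replacing the pairwise loop once the inventory is large.

```python
from math import gcd, isqrt

# Constructed sample moduli (tiny, for illustration only; real RSA moduli are 2048+ bits).
# Primes used: 10007, 10009, 10037, 10039 and 1000003. Key names are hypothetical.
SAMPLE_MODULI = {
    "container-a": 10007 * 10009,    # p and q differ by 2: a "short walk apart" key
    "container-b": 10007 * 10037,    # shares the prime 10007 with container-a
    "container-c": 10039 * 1000003,  # healthy: distinct, well-separated primes
}


def shared_factor_audit(moduli):
    """Pairwise GCD over a mapping name -> modulus.

    Returns {(name_i, name_j): common_factor} for every pair whose moduli share
    a non-trivial factor. Two keys that share a prime are both recoverable from
    their public halves alone, so a single hit means both keys must be retired.
    O(n^2) is fine for a handful of keys; large inventories want batch GCD.
    """
    names = list(moduli)
    hits = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            g = gcd(moduli[a], moduli[b])
            if 1 < g < moduli[a]:
                hits[(a, b)] = g
    return hits


def fermat_close_primes(n, max_steps=10_000):
    """Fermat's method with a step bound, used as a weak-key check.

    Writes n = a^2 - b^2 = (a - b)(a + b). If p and q are close, a only needs
    to walk a few steps up from ceil(sqrt(n)) before a^2 - n is a perfect square.
    Returns (p, q) if the modulus splits within max_steps, else None (the key
    passes this particular check).
    """
    if n % 2 == 0:
        return (2, n // 2)  # an even modulus is broken outright
    a = isqrt(n)
    if a * a < n:
        a += 1  # start at ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def audit(moduli, max_steps=10_000):
    """Run both checks and return a report dict for the whole inventory."""
    return {
        "close_primes": {name: fermat_close_primes(n, max_steps)
                         for name, n in moduli.items()},
        "shared_factors": shared_factor_audit(moduli),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MODULI)
    for name, split in report["close_primes"].items():
        print(f"{name}: {'WEAK, splits as ' + str(split) if split else 'ok'}")
    for (a, b), g in report["shared_factors"].items():
        print(f"{a} and {b} share the factor {g}: retire both keys")
```

Running the block prints container-a and container-b as weak (their primes are a few steps apart) and container-c as ok, then reports that container-a and container-b share a factor. A key that passes both checks is not thereby proven sound; these are only the two cheap checks that catch the RNG start-up failures described above.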

Winter


July 17, 2023 8:30 AM

@Clive Robinson, SpaceLifeForm

Re: Broken Bridge

The movie suggests the trains are still rolling.

‘https://www.theguardian.com/world/video/2023/jul/17/crimea-bridge-appears-damaged-amid-reports-of-explosions-video

Winter


July 17, 2023 8:32 AM

@Clive, SpaceLifeForm

Re: Broken Bridge

And another one:


‘https://www.theguardian.com/world/video/2023/jul/17/key-bridge-linking-occupied-crimea-to-russia-struck-video-report

fib


July 17, 2023 11:56 AM

I hope you’re all well.

It’s been really nice to see the blog discussing AI from so many different angles, in various threads [thank you]. So I dare to offer yet another one.

You’ve probably noticed by now that it’s not possible to build a complete AI stack with free software. You can start building your dataset with free tools, in house, but soon you will run into difficulties with dataset annotation and model training. If your work is in CV area you can choose manual labeling with Open Source [not Free] tools, or use a backend to automate the task [Tensorflow, PyTorch, JAX, etc., all proprietary]. Image annotation tools love [often require] working by pulling images from the cloud rather than your workstation, so you soon find yourself signing up for a MS/GGL/AMAZON cloud account.

Have you time [and know-how] to do the entire workflow on your premises? Fine, but you won’t escape Nvidia’s [GeForce] or Intel’s [Arc] tentacles.

Then you go back to Tensorflow/PyTorch/OpenCV/Nvidia/Intel to train and put your model into production… You get the idea.

It looks like it is impossible to set up an AI stack [or environment, or pipeline] worthy of an orthodox fellow like FSF[0] Richard Stallman. Any thoughts?

Regards

Clive Robinson


July 17, 2023 1:22 PM

@ FIB,

I hope you are well, and the weather where you are is temperate[1].

With regards,

“but you won’t escape Nvidia’s [GeForce] or Intel’s [Arc] tentacles.”

Actually you can with FPGAs, but the work involved is quite heavy, and it will be proprietary to you[2]. Get it right and moving to “Application Specific Integrated Circuits”(ASIC) as “bitcoin miners” did will give both speed and bang/watt advantages. But… By then chances are the graphics chip developers would have “nipped and tucked” their beasts into better shape… (remember it’s OK for them to steal your work, but not the other way around, and they have ranks of robot lawyers to fight you if you try).

And that’s the real problem: LLMs are really just another Crypto-Coin faux-market, as “intelligent”, artificial or otherwise, they are not.

The reason Alphabet, Meta and Microsoft are so interested in them is that, like those earlier “personal assistants” Siri & Alexa, and even Tay, they will encourage you to give up more and more Personal and Private Information, and give the companies a “Ring Side Seat” on your research / thinking, thus enabling them to get market value before you can protect either your privacy or “Intellectual Property”(IP). We have seen this with Amazon, where if a new product sells, Amazon used to develop its own competing product, and if it could not do that then in effect buy the company (have a look at “Ring” and similar).

But I suspect the AI LLM bubble is going to burst before the “Venture Capitalists”(VCs) can create a sufficient inflated faux-market and profit from it.

The VCs kind of got to milk the faux-market for crypto-coin with start-ups doing blockchain plus work factor and some smart contracts. But that’s kind of died, and Web3 and NFTs don’t look like they are going to bubble-up now…

And as you’ve noticed LLMs are hobbled in various ways. So they may not bubble at all beyond what they’ve so far done.

So what will be the next bubble to inflate the US economy and as some analysts have indicated “get it out of ‘flat line’”? I don’t know… Normally I get a feeling for such bubble markets, long enough before they happen to get well out of the way, but at the moment “I’m just not feeling it”.

[1] Apparently South Europe has temps heading for the highest on record in that region at just over 48.8C (119.8F) expected next week. A temp which I know from having been “fighting” in the Desert at a little above those temps is not fun.

[2] “Field Programmable Gate Arrays”(FPGAs) potentially could be faster than Graphics Chip Sets for LLMs by around five to ten times. Which although not that much faster could potentially be “better tailored” thus use less power. There are a lot of trades to be made in the various parts of the LLM network, but currently we don’t really know which ones would be best (though I suspect we will have a better, but by no means best, idea within the year).

lurker


July 17, 2023 4:19 PM

@SpaceLifeForm, All

re, smoke on the water

BBC radio has been reporting a notification from Moscow that the bridge was closed to all traffic due to “an emergency situation at one of the bridge piers.” Two deaths were reported. Shortly after Moscow announced that rail traffic had resumed. BBC has diligently reported its inability to verify video of “damage”. 19.00 UTC report observed that UKR had claimed responsibility using 2 unmanned surface vessels.

Clive Robinson


July 17, 2023 6:57 PM

@ Bruce, ALL,

Back over a decade ago, not long before the NSA storage facility in Utah became fodder for MSM, you asked about what was possible in terms not just of data collection and storage.

At the time you were surprised at some of the answers…

Well how does getting towards,

“215 million GB of data into a single gram”

Sound?

And,

“under the right conditions it can last millennia or maybe even longer”

Yup it’s a surprise to me as well 😉

Basically,

“lasers of red and blue light are used to trigger gene expression in specially engineered bacteria, which encodes the data in their DNA. Existing barcoding techniques are used to label data with unique ID tags, which can then be organized and retrieved using machine-learning algorithms.”

Not sure I like the “machine-learning algorithms” as it implies the “labels” are not so much labeling the “data stored” but “the device storing the data”. Look at it as more like a hard drive serial number rather than as an index entry in a book.

The work is from the “National University of Singapore”(NUS) under principal investigator Professor Poh Chueh Loo[1], who said of the bacterial DNA storage,

“Imagine the DNA within a cell as an undeveloped photographic film. Using optogenetics – a technique that controls the activity of cells with light akin to the shutter mechanism of a camera, we managed to capture ‘images’ by imprinting light signals onto the DNA ‘film’.

By harnessing the power of DNA and optogenetic circuits, we have created the first ‘living digital camera,’ which offers a cost-effective and efficient approach to DNA data storage.

Our work not only explores further applications of DNA data storage but also re-engineers existing data-capture technologies into a biological framework. We hope this will lay the groundwork for continued innovation in recording and storing information.”

You can read more from the NUS,

https://phys.org/news/2023-07-capturing-immense-potential-microscopic-dna.html

Or if you want all the nitty-gritty details then,

https://www.nature.com/articles/s41467-023-38876-w

However I would recommend a very large strong cup of “Devil’s Brew” because it gets interesting when they talk about convolving and deconvolving multiple overlaid images.

For a less grey-cell-taxing 5 minute read,

https://newatlas.com/science/biological-camera-dna-data-storage-bacteria/

[1] Professor Poh Chueh Loo is a Principal Investigator in the Bioengineering Division at Nanyang Technological University (NTU) which is part of the “National University of Singapore”(NUS),

https://www.aiche.org/community/bio/poh-chueh-loo

vas pup


July 17, 2023 7:56 PM

AI reveals chemicals that could stop aging in its tracks

https://www.foxnews.com/tech/ai-reveals-chemicals-stop-aging-tracks

“The world’s getting a face-lift, and it’s not from a swanky Beverly Hills plastic surgeon. Nope, instead, it’s from the magic of artificial intelligence (AI) and machine learning. Not only is this emerging tech shaking up industries across the board, it’s also stirring up a storm in the quest for youth.

Scientists are working round the clock, using AI as their magic wand in their relentless search for natural compounds that can slow down the aging process. Mother Nature, being the generous lady she is, has filled her pantry to the brim with potential compounds. However, identifying these compounds manually? We might as well try to catch a cellphone signal in the middle of the Sahara.

Scientists used a machine learning model trained on mountains of data about known chemicals and their effects, along with so much more, to predict whether a compound could extend the life of a translucent worm that shares a similar metabolism to humans. Thanks to this information, this whiz kid machine learning model could eventually help predict which compounds might keep us looking like we’ve just taken a dip in the fountain of youth.

===>The AI rose to the challenge, unearthing three compounds with potential anti-aging properties. The scientists developed a model trained to recognize chemical features that have senolytic properties. Senolytics are a class of small molecules under intense study for their ability to suppress age-related processes such as fibrosis, inflammation and cancer by eliminating aged, dysfunctional cells without harming healthy cells.

After screening over 4,000 chemicals, the model identified 21 potential candidates, three of which – ginkgetin, periplocin and oleandrin – demonstrated the ability to remove deteriorating cells effectively. Among the three, oleandrin was found to be the most potent. These compounds are both from natural products found in traditional herbal medicines.

The promising marriage of AI and anti-aging research offers a tantalizing glimpse into a future where the secrets of youth could be revealed at the click of a button. Imagine a world where we can age gracefully, backed by AI’s tireless pursuit of natural anti-aging solutions. I can hardly wait.”

vas pup


July 17, 2023 8:01 PM

More on the subject

Harvard researchers identify six ‘chemical cocktails’ to reverse aging: ‘This is attractive’

https://www.foxnews.com/media/harvard-researchers-identify-six-chemical-cocktails-reverse-aging-attractive

“Scientists have reportedly discovered the key to the foundation of youth, identifying a combination of drugs that can help reverse the aging process.

Harvard researcher and professor Dr. David Sinclair shared that a team at the Harvard Medical School searched for three years to find molecules that “reverse cellular aging and rejuvenate senescent human cells.”

!!!!!!!!The team identified six chemical cocktails and potentially more that helped return people to more “youthful states” in less than a week.”

lurker


July 17, 2023 8:20 PM

Ooops.

Not a typo-squat, the .ml domain belongs to the nation of Mali. Its increasing cosying up to Russia is of concern to the operators of the .mil domain, because the .ml domain management contract is about to be taken over by the Mali military.

‘https://www.bbc.com/news/world-us-canada-66226873

modem phonemes


July 17, 2023 9:08 PM

@ vas pup

AI’s tireless pursuit of natural anti-aging solutions

Sounds like the prelude to any movie where a “medical breakthrough” turns most of the population into undying cannibalistic zombies chasing the handful of individuals who missed the update.

SpaceLifeForm


July 17, 2023 9:53 PM

@ Clive

re: Big Bang is Illusion

‘https://www.schneier.com/blog/archives/2023/07/friday-squid-blogging-giant-squid-nebula.html/#comment-424231

Clive Robinson


July 17, 2023 10:29 PM

@ vas pup,

A couple of things, check the age of the FOX network owner… Also the average age of its audience, where “racing grannies” is not a game.

Secondly anti-aging is tied up with ICTsec in a number of ways…

Let’s just say it’s very popular with Silicon Valley Corp Execs, some of whom are reputed to have tried being vampires… Paying late teenagers for their blood to transfuse (for those thinking of trying it, apparently it has no effect of note in winding back the body clock).

What apparently does work the most is proper sleep and eating timing, as it significantly reduces inflammation in your dietary system. Also eating a lot of certain vegetables… Though eating two pounds of vegetables –where many of those chemicals are found naturally– every morning might just be way too much for most people…

There is one guy that’s spending around 2 million USD/year on having every aspect of his diet and exercise controlled. Most of the spend is on medical tests etc which he makes available,

https://fortune.com/2023/07/14/bryan-johnson-spending-2-million-young-forever/

Clive Robinson


July 18, 2023 12:27 AM

@ SpaceLifeForm,

I must have missed your post for some reason…

Blame it on seasonally odd weather, we are sure getting some of that recently. With the East End of the Med hotter than the Devil’s country and still warming up faster than a Texas barbeque pit directly on a nodding donkey…

Robin


July 18, 2023 3:15 AM

@vas pup, all:

“the model identified 21 potential candidates, three of which – ginkgetin, periplocin and oleandrin – demonstrated the ability to remove deteriorating cells effectively. Among the three, oleandrin was found to be the most potent. These compounds are both from natural products found in traditional herbal medicines.”

Fox News, the authority of AI and use in folk medicine are not reliable sources or indicators. To take just oleandrin:

“Apart from being a potent toxic compound, there are no results on oleandrin from human clinical research that support its use as a treatment for cancer or any disease

… Due to its considerable toxicity, use of oleander or its constituents, such as oleandrin, is regarded as unsafe and potentially lethal.[1] Use of oleander may cause contact dermatitis, headache, nausea, lethargy, and high blood levels of potassium, with symptoms appearing within a few hours of ingestion.[1] In one fatality, the blood concentration of oleandrin and a related cardiac glycoside from the oleander plant was estimated at 20 ng/ml”

(Wikipedia entry for Oleandrin)

Was the AI trained to avoid toxic formulations, or just to find potent ones?

Clive Robinson


July 18, 2023 6:03 AM

@ Robin, vas pup,

“Was the AI trained to avoid toxic formulations, or just to find potent ones?”

I suspect we know the answer, it’s probably the latter and the reason might surprise many.

I’ve tried to give a sensible answer but due to auto-mod even substituting words has failed…

I was once told by a researcher at a university, almost the definition of a natural formulation was,

“A DuG is a PoSn used in small quantities.”

And certainly considered that way for well over four thousand years, and quite a few of such ancient formulations are still in use.

So yes as a first stage selection process being toxic does not rule a chemical out as a consideration for a new research candidate, in fact almost the opposite.

Winter


July 18, 2023 2:53 PM

@Clive

What apparently does work the most is proper sleep and eating timing as it significantly reduces inflamation in your dietary system.

In the end we all grow old and die [1].

You should make the most of it by keeping healthy as long as possible. The evidence based advice is simple

  • Do not smoke, if you smoke you can forget the rest
  • Less alcohol is better, and still less is better
  • Be active, walk, ride a bicycle, do some sport
  • Eat vegetables
  • Reduce meat, especially cow. Reduce all animal products
  • Sleep

This is most of what has actually been proven for everyone. Much of the rest holds only for some people or is just anecdotal.

[1] I read a truism somewhere that has burned itself into my memory:

There’s only one thing worse than getting old and that’s not getting old

JG4


July 18, 2023 4:08 PM

Winter’s advice is spot on. Putting a finer point on it, Move often and vigorously, and eat a Mediterranean diet. Alcohol, tobacco, sugar, slavery, soybean oil, nanoplastics, combustion products, and many other “modern” inventions are mitochondrial toxins. Sleep is for repairing double-stranded breaks and taking out the garbage.

In engineering, “Time will find a point of failure.” May our failures define trajectories of graceful degradation.

The Judeo-Christian version:

To every thing there is a season, and a time to every purpose under the heaven:

A time to be born, and a time to die; a time to plant, and a time to pluck up that which is planted;

The Buddhist version in Thai, now with handy translation guide. A comment on the nature of reality.

Kerd: Born

Kae: Old

Jeb: Sick

Tai: Die

The Darwinist version was covered fairly well by Richard Dawkins. Don’t have the right quote handy, but the concept is easy. It is an essential feature of evolution that the old replicators make way for the new. The shrewder new replicators get advice from the older and hopefully wiser replicators. It should not be surprising that humans build self-optimizing resource-extraction asset-stripping engines.

modem phonemes


July 18, 2023 5:37 PM

@ JG4

Darwinist version

Darwin explains things going forward from an accepted starting point, and assumes there always will be some starting point at each stage as we reach back and back. That is, it appears to be the only place where “Turtles all the way down” is considered a virtue. Bertrand Russell, eat your heart out. 😉



Original Post URL: https://www.schneier.com/blog/archives/2023/07/friday-squid-blogging-balloon-squid.html
