Source: www.schneier.com – Author: Bruce Schneier
Friday Squid Blogging: “Mediterranean Beef Squid” Hoax
The viral video of the “Mediterranean beef squid”is a hoax.
It’s not even a deep fake; it’s a plastic toy.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Comments
SpaceLifeForm •
AI models
AI must be decentralized with specific models that look at specific subject matter. Multiple models on same subject.
No Generalized AI. Competition.
‘https://www.semianalysis.com/p/google-we-have-no-moat-and-neither
Clive Robinson •
@ SpaceLifeForm, ALL,
Re : LLM’s on marching power.
From the “alledged” document,
“Notably, they were able to use data from ChatGPT while circumventing restrictions on its API – They simply sampled examples of “impressive” ChatGPT dialogue posted on sites like ShareGPT.”
“Twas’ to be expected”…
In effect it’s an serial itterative sift process that has “direction” rather than a parallel uplift process, that just builds a landscape anew each time.
The trick is that the “heavy” tectonic uplift has been done and has endogenously produced the rough surface (first order weights) from the data set. The itterative exogenetic denudation processes then selectively weather the surface and stratifies it such that the weights are aggregated by related type thus can be mined more effectively.
As such endogenous processes are intermittent high resource, whilst exogenetic processes,are continuous low resource.
The real trick will be to optomise the interleaving of the lift and weather processes to facilitate maximum extraction for mininum reseource input.
no comment •
Re: lift and weather
It’s more like a frozen network of snowflake crystals and subject to sudden melting and re freezing – catastrophic forgetting in the presence of new data. There is nothing that produces long term stability. This is one reason AI does mot not resemble a thinker. It’s convinced by the last thing it’s heard. Get out early before it becomes cool.
ResearcherZero •
Mounting concerns over young people’s mental health have prompted state legislatures across the country to propose a slew of age restrictions to protect minors online.
‘https://www.nytimes.com/2023/04/30/business/aclu-free-speech-online.html
“myths and misinformation about sex trafficking have been spread for decades by both Republicans and Democrats”
‘https://reason.com/2022/08/18/the-satanic-panic-is-back-and-its-bipartisan/
“it is recommended that the government should further broaden the channels of medical and psychological assistance for the public”
“the level of psychological anxiety of the public generally increased during the SARS epidemic, and majority of the public’s psychological anxiety turned into psychological panic due to the failure to receive effective feedback”
‘https://www.frontiersin.org/articles/10.3389/fpsyg.2021.576301/full
“Our psychology is massively impacted by the state of the world around us. From a policy standpoint, it is clear that if a government sets rules, it is important that they are enforced and people are supported for complying. Otherwise they may feel betrayed and act erratically.”
‘https://news.yale.edu/2021/07/27/another-byproduct-pandemic-paranoia
Vigilante parents dug under a preschool, searching for secret tunnels. The police swapped tips on identifying pagan symbols. A company that sells toothpaste and soap had to deny, repeatedly, that it was acting as an agent of Satan.
‘https://www.nytimes.com/2021/03/31/us/satanic-panic.html
They turn outsiders into enemies, unexplainable events into smaller pieces of a vast plot, and make their believers feel they have secret and special knowledge that separates them from the masses.
‘https://www.dailydot.com/debug/satanic-panic/
ResearcherZero •
The EARN IT Act of 2023 is essentially identical to the version that was introduced in the last Congress of 2022.
‘https://tutanota.com/blog/posts/earn-it-barr-encryption
ResearcherZero •
Cisco recommends replacing Cisco SPA112 2-Port Phone Adapters with analogue adapters, as they will not be releasing an update.
“A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.”
“This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.”
‘https://nvd.nist.gov/vuln/detail/CVE-2023-20126
EOL
‘https://www.cisco.com/c/en/us/products/collateral/unified-communications/small-business-voice-gateways-ata/eos-eol-notice-c51-743206.html
lurker •
@ResearcherZero
Cisco: “A vulnerability in the web-based management interface …”
Duh! Recommendation to replace with analog is great, but, the recommended devices are out of stock from all local suppliers …
Clive Robinson •
@ ResearcherZero, lurker, ALL,
Re : Cisco product without update authentication.
“This vulnerability is due to a missing authentication process within the firmware upgrade function.”
It would be nice to say “this is the only one”…
It’s not. I’ve found numerous products over the years that lack “update authentication” not just of the source of the update but the update it’s self.
Worse nearly all updates are effectively “sent in the clear”… For most people’s thinking this won’t matter but all to often for overall security it does.
Also the update has to be done in an “atomic way” and many if most are not.
As an example,
1, The user receives a signed zip file by download or similar.
1.1, Sometimes the user authenticats the source, mostly not (a failing that used to hit unix systems).
2, The user runs the update process on the device, which runs like a script file (some developers have used “make” to do upgrades).
3, The device checks the code signed file as a non privileges process (sometimes by using existing system tools that do insecure checksums).
4, Then the device unzips the code file often as an non privileged process (sometimes into tmp and open to all).
5, The device then runs the install as a privileged process.
The problem is what else runs on the device. If another background process can detect the update process or the code signing checking process being done then there are problems. Because after that point there is an oportunity for the second background process to get at the files / file storage…
Thus the second process can copy, insert, delete, modify, or just touch files at that time before the actual update and before any cleanup.
As an exaple back in the 1990’s a company found that it’s product licencing for it’s server system was being abused, thus upgraded the server as part of the next major revision. The problem was “upgrading existing products and licences” especially as the products could take hours to re-install. A program was developed to do the upgrade “in place”, which was included in the “upgrade script”. It was run as the last stage of the upgrade and then deleted.
It was not long before someone in an Israeli distributor worked it out and thus extracted it by halting the upgrade process and copy the program. Then used it to make quite a bit of money on the side…
All upgrading that leaves file systems available in an upgrade process are very vulnerable in multiple ways, and depending on the level of security required you could be in for a lot of problems to solve.
All of the basic file system actions of copy, insert, delete, modify, or touch of file metadata can destroy system security by an insider or outsider attack…
SpaceLifeForm •
Trust old kit.
‘https://securityonline.info/intel-oem-private-key-leak-a-blow-to-uefi-secure-boot-security/
The leaked private keys affect Intel’s 11th, 12th, and 13th generation processors and were distributed to various OEMs, including Intel itself, Lenovo, and Supermicro.
Clive Robinson •
@ SpaceLifeForm, ALL,
Re : Intel CPU Private Key leak.
“The leaked private keys affect Intel’s 11th, 12th, and 13th generation processors…”
It was inevitably going to happen, we should all have known that. There is a history of such secrets, escaping since the early TV “Set Top Boxes” going back before most readers here can remember…
The simple fact is you just can not keep this “widely used thus not in an HSM” secret, secret.
I’ve talked about this “Off-Line -v- On-Line” security nonsense before. If there is in effect only “one key to secure them all” rather than “one key per device” then it’s value alone is going to make it vulnerable (hence the “Set top box” wars).
In fact even if this secret was in an HSM in a fully issolated environment, it would have got out anyway… Within a decaded it will be in “brut-force” range or maybe even Quantum Computing if –and I ain’t holding my breath– the old nag makes it out the unlocked stable door.
The fact is though this isn’t realy a blow to security from the users perspective. But I can hear a lot of grinding teath in the DRM and enforced upgrade –say high to Micro$haft– crowds, who think they should own the users hardware, and prevent them doing what they wish. When you dig into it further you will find there is actually no legitimate security requirment for the “Secure” Boot this master key provides.
Heck history shows that it must have “an opt out” anyway, otherwise the NSA won’t use it… Anyone ever wonder what their issue might be with it?
Clive Robinson •
@ SpaceLifeForm, ALL,
In the UK due to the Government “Great FireWall vy another name” the likes of Vodafone insist have to be used,
The “securityonline.info” is considered “evil” for reasons that are very probably entirely “brain dead”.
Therefor if people run into similar, Toms Hardware is an alternative,
https://www.tomshardware.com/news/msi-bootguard-keys-leaked-to-internet
Not the leak was from a publically accessable computer in MSI who are alledged to be “experts” on security…
Apparently MSI had, 1.5TB of data taken by extortionists. The ransomware group allegedly called Money Message had denanded $4million last month and the well known PC Peripheral manufacture MSI decided not to pay up…
So heed MSI’s warnings about their downloads… Though how you verify you are actually connecting to MSI is “left as an excercise for the reader” as normal…
Just goes to show, what I’ve said for years “code signing is not a good idea”, especially the way many go about it, it’s near meaningless, as well as increasingly useless.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Original Post URL: https://www.schneier.com/blog/archives/2023/05/friday-squid-blogging-mediterranean-beef-squid-hoax.html
Category & Tags: Uncategorized,hoaxes,squid – Uncategorized,hoaxes,squid
