Several Senators Release A Framework to Mitigate Extreme AI Risks

Posted in Commentary with tags on April 18, 2024 by itnerd

Yesterday, U.S. Senators Mitt Romney (R-UT), Jack Reed (D-RI), Jerry Moran (R-KS), and Angus King (I-ME) released a letter to the Senate artificial intelligence (AI) working group leaders outlining a framework to mitigate extreme AI risks. I encourage you to read the letter, but here’s the TL;DR:

Congress should consider a permanent framework to mitigate extreme risks. This framework should also serve as the basis for international coordination to mitigate extreme risks posed by AI. This letter is an attempt to start a dialogue about the need for such a framework, which would be in addition to, not at the exclusion of, proposals focused on other risks presented by developments in AI.

Under this potential framework, the most advanced model developers in the future would be required to safeguard against four extreme risks – the development of biological, chemical, cyber, or nuclear weapons. An agency or federal coordinating body would be tasked to oversee the implementation of these proposed requirements, which would apply to only the very largest and most advanced models. Such requirements would be reevaluated on a recurring basis as we gain a better understanding of the threat landscape and the technology.

Sounds interesting. But is it useful? Here’s what Kevin Surace, Chair of Token, had to say:

This is great politics and important to state publicly, but it won’t protect anyone from these threats. The major model providers already have strong safeguards in place for these and similar threats (you cannot get an answer from ChatGPT on how to create a chemical weapon).

This changes nothing from all major US providers. They already strongly limit access to such content. However, open-source models being used by bad actors and rogue countries are not subject to these laws and will misuse the technology anyway.

Anyone can already Google how to create a biological weapon. Having the answers faster doesn’t really help someone with the chemistry, procurement, production and so on any more than Google already did. But AI could perhaps create new compounds not well documented elsewhere. And the bad actors are already taking advantage of that with open-source models.

This has zero impact on OpenAI, Microsoft, Google and so on. And it has zero impact on a rogue country using open source models.

I’m all for guardrails and safeguards. But they have to be useful. I am not yet convinced that this effort by these senators is useful. But I am free to be convinced otherwise. Let’s see if they can convince me and others that this is a useful exercise.

UPDATE: I have additional commentary from Madison Horn, Congressional Candidate (OK-5) and cybersecurity leader:

The plan proposed by the Senators is crucial. We are in the midst of a new kind of Cold War with China, one that includes the race to harness AI. A comprehensive strategy to not only secure but also to fully harness the potential of AI is essential. The nation that leads in AI will not only dictate global markets but also define international norms for decades to come.

Executing a plan to mitigate AI risks is loaded with challenges. First, we need a solid strategy to retain top talent for any new agencies we might set up, and we must also forge strong partnerships with the private sector. Then there’s Congress—sometimes it seems like they’re in a tech time warp, which doesn’t help. Plus, we can’t let our drive for security strangle American innovation. We need to stay agile, adapting as new models and classifications emerge, and ensure we’re not shutting out new startups or inadvertently creating monopolies.

And let’s not overlook cybersecurity challenges. Ensuring these AI models aren’t leaked or stolen is crucial—our adversaries are definitely taking notes and will be trying to tap into this wealth of information that will be retained.

Artificial intelligence poses a significant threat, one that reshapes the global landscape in ways we haven’t witnessed since the post-WWII era. With new alliances forming, notably between Russia and China, the stakes in the AI war are extraordinarily high. The power of AI doesn’t just accelerate a country’s ability to dominate global markets; it also has the potential to shift global values depending on who emerges as the leader in this technology. In the most extreme scenarios, the misuse of AI could lead to catastrophic outcomes, potentially destroying the world in a matter of seconds. The race to harness AI, therefore, is not just about technological superiority but also about steering the future ethical and moral compass of our entire planet.

We need to keep the spark of American innovation alive—it’s also crucial for our national security. Collaboration with the private sector? Non-negotiable. With many of the few qualified individuals in Congress retiring or being pushed out of office by partisan politics, it’s up to the American people to step up. We must elect leaders who are not just filling a seat but who truly understand the complexities of today’s tech challenges. Leaders who have the understanding to craft and pass laws that safeguard our citizens without choking out our innovation and economic growth. This is about securing a future where America continues to lead, not follow.

Australians Exposed In Smoke Alarm Service Provider Data Breach 

Posted in Commentary with tags on April 17, 2024 by itnerd

Over 700,000 documents belonging to Smoke Alarm Solutions, Australia’s largest smoke alarm installation and service provider, were exposed according to cybersecurity researcher Jeremiah Fowler. 

The key findings are as follows: 

  • 762,856 documents with a total size of 107 GB; 
  • 355,384 unique documents marked as invoices revealing customers’ PII; 
  • Documents such as inspections, compliance reports and more. 

Had this data been discovered by ill-intentioned hackers, it could have put customers across Australia at risk of phishing attacks, financial fraud and even non-digital criminal activity, such as burglary or vandalism.

You can read all the details here: https://www.vpnmentor.com/news/report-smokealarmsolutions-breach/

Legit Security Now Offered Through GuidePoint Security

Posted in Commentary with tags on April 17, 2024 by itnerd

Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced a strategic reseller partnership with GuidePoint Security, the leading cybersecurity solution provider that empowers organizations to make smarter decisions and minimize risk.

As organizations build scalable application security programs, they face many challenges, including enforcing consistent policies across disparate product and application teams and demonstrating compliance to various regulations and security frameworks. GuidePoint Security’s expertise and services, paired with Legit’s platform, will enable joint customers to help strengthen their application security posture without slowing the innovation critical to their bottom line.

Legit’s platform enables security teams, including CISOs, product security leaders, and security architects, to gain comprehensive visibility into risks across the development pipeline from the infrastructure to the application layer. With a crystal-clear view of the development lifecycle, customers ensure the code deployed is secure and compliant. Legit’s capabilities that help companies manage their application security posture include:

  • SDLC Visibility & Security: Gain a complete view of your software factory, including development assets and security controls; discover unknown assets and activities, such as developers’ use of GenAI code.
  • Software Supply Chain Security: Automatically discover, analyze, and secure your software supply chain; maintain a continuous inventory of SDLC assets; and produce current software bills of materials (SBOMs).
  • Compliance: Map application security to regulatory compliance frameworks such as CISA SSDF, SLSA, FedRAMP and ISO 27001; leverage findings to support internal and external audit requirements.
  • Application Vulnerability Management: Consolidate findings from multiple AppSec tools and make sense of these results – supported by contextual understanding of the developer environment – to effectively prioritize remediation.
  • Secrets Detection & Remediation: An AI-powered solution that extends secrets discovery beyond source code, enabling organizations to detect, remediate, and prevent secrets exposure across the software development pipeline.

Uber’s 2024 Lost & Found Index Is Out

Posted in Commentary with tags on April 17, 2024 by itnerd

Did you lose your Santa costume riding with Uber? Because someone did…

On the heels of the total solar eclipse, Mercury is heading into Retrograde, ushering in a period of cosmic chaos that astrologists say increases forgetfulness. Naturally, we’re back with the eighth annual Uber Lost & Found Index, revealing the most surprising and most popular items left behind by riders over the past year. 

Vapes, phones and bags made the list of the most commonly forgotten items this year, but riders aren’t just leaving their everyday essentials behind – they’re forgetting everything from amethyst crystals to gold dentures to a Segway – and that’s just to name a few. 

And ever wonder what the most popular days are for losing stuff? On the mornings after major partying holidays, we see an uptick in items lost on Uber rides home. The two most “forgetful” days this past year were New Year’s Day 2024 and Halloween weekend 2023 (October 29, 2023). When the party’s over, it seems Canadians leave more than just the memories behind.

Here’s Uber’s full 2024 Lost & Found Index, along with easy instructions on how Canadians can retrieve lost items.

Top 10 most forgetful cities across Canada

  1. Montreal
  2. Saskatoon
  3. Winnipeg
  4. Kingston
  5. Vancouver
  6. Hamilton
  7. Toronto
  8. Regina
  9. Edmonton
  10. Niagara Region

Top 10 most commonly forgotten items across Canada 

  1. Article of clothing 
  2. Backpack or bag 
  3. Headphones
  4. Jewellery / watch / make-up
  5. Wallet / purse
  6. Phone / camera
  7. Vape / e-cig
  8. Umbrella
  9. Laptop
  10. Watch

The most forgetful day and time in Canada 

  • New Year’s Day – 2024-01-01 
  • Halloween weekend – 2023-10-29 

The 10 most unique items lost across Canada (item and city) 

  • My girlfriend’s designer heels – Toronto 
  • Fishing rod – Vancouver 
  • Green arm cast – Winnipeg
  • Two amethyst crystals – Ottawa
  • Crocs with a “Proud to Serve” jibbitz – London, ON
  • Deep fryer – Edmonton
  • Japanese chef’s knife – Edmonton
  • A Segway – Toronto
  • Gold dentures – Toronto
  • Santa costume – Calgary

The 10 most commonly forgotten items in Toronto 

  1. Article of clothing 
  2. Backpack or bag 
  3. Headphones
  4. Jewelry
  5. Wallet / purse
  6. Phone
  7. Laptop
  8. Vape / e-cig
  9. Watch
  10. Groceries

If you’re one of those people who left something behind, look no further than this help page, which outlines the simple steps you can take the next time you leave something behind when riding with Uber. 

The best way to retrieve a lost item is to call the driver – but if you left your phone itself in the car, you can log in to your account on a computer. Please note there is a $20 fee to get your items returned, and that fee goes entirely to the driver because of the inconvenience of returning the item.

Here’s what to do:

  1. Tap “Your Trips” and select the trip where you left something
  2. Scroll down and tap “Find lost item”
  3. Tap “Contact driver about a lost item”
  4. Scroll down and enter the phone number you would like to be contacted at. Tap submit.
  5. If you lost your personal phone, enter a friend’s phone number instead (you can do this by logging into your account on a computer, or using a friend’s phone).
  6. Your phone will ring and connect you directly with your driver’s mobile number.
  7. If your driver picks up and confirms that your item has been found, coordinate a mutually convenient time and place to meet for its return to you.
  8. If your driver doesn’t pick up, leave a detailed voicemail describing your item and the best way to contact you.

Cineplex Appears To Be Under Attack…. Again

Posted in Commentary with tags on April 17, 2024 by itnerd

I’ve been tipped off to Canadian movie theatre chain Cineplex being under a credential stuffing attack. From what I can tell, this is not the first time this has happened, which makes me wonder why Cineplex is such a frequent target.

In any case, users who are affected by this credential stuffing attack will get an email that looks like this:

Now, when you get an email like this, you should validate that it is legitimate by checking the sender’s email address and the reply-to address. Both of those checked out when I examined the email that a reader of this blog received. But that doesn’t mean you’re in the clear. What you should always do when you get one of these emails is go directly to the website and try to log in. If you can’t log in, reset the password from there. Put another way, you should not trust the links in any email, because even if the email addresses check out, they could have been spoofed.

In the case of this user, they followed my advice to the letter, but Cineplex never sent them a password reset email. That’s a sure sign that Cineplex has larger issues at the moment, which is not good for the company. I don’t expect the company to say anything about this. But if it did, I suspect the news would not be positive. In the meantime, if you get one of these emails, you should take action as soon as you can.

Scam Call Turns Deadly With An Uber Driver Being Killed

Posted in Commentary with tags on April 16, 2024 by itnerd

I have dealt with scammers for years. But this is the first time that I have heard of a scam leading to someone being killed. I have for you a news report where a man in Ohio was being bombarded with scam calls, which led to an Uber driver being shot and killed by said man. Here’s the video that describes what happened. And I will say that this is not for the faint of heart:

What this appears to be is a scam where, instead of using electronic means to steal money from you, the scammers somehow get you to withdraw cash and then have someone pick it up from you. That someone may be an intermediary who delivers it to someone else who sends the money to its final destination, or they may do that themselves. This is sometimes referred to as “Hawala”, and you can get more info here.

Now the police have arrested this man for shooting the Uber driver. But what I wish would also happen, though I don’t see it happening, is that the scumbags behind this scam get tracked down and arrested as well, as they are just as guilty in this Uber driver’s death. I’ve said it before and I will say it again. Scammers are the lowest forms of life out there. They need to be treated like cockroaches and exterminated with extreme prejudice. And the fact that this happened illustrates why that needs to happen sooner rather than later.

Guest Post: New Tools Are Needed by Technologists to Thrive in an ‘Experience is Everything’ World 

Posted in Commentary with tags on April 16, 2024 by itnerd

By Gregg Ostrowski, CTO Advisor, Cisco Observability 
Digital experience is now positioned at the heart of almost every organization’s strategic priorities. Whether it’s driving employee engagement to address skills gaps and boost productivity, reaching new and diverse audiences, or deepening relationships (and expanding revenue streams) with existing customers, businesses must deliver exceptional digital experiences to be successful. We’ve reached the point where “experience is everything.”  

Globally, consumer demand for applications and digital services is on the rise, focused on innovative, personalized, and intuitive experiences. Brands failing to meet these expectations are being abandoned. Consequently, digital experiences have become a crucial battleground for businesses. Success here can attract customers, strengthen relationships, and boost sales, while failure results in losing customers, revenue, and reputation.  

Not surprisingly, experience is now a key focus in boardrooms around the world. Recent research from Cisco reveals that 75 per cent of senior global business leaders emphasize the increased importance of digital experience for C-level executives in their organizations over the past three years. Consequently, they are pushing their IT teams to ensure applications and digital services are available, secure and performing at an optimal level at all times. 

Visibility into application performance enables business leaders to identify opportunities and manage risk 

In 80 per cent of organizations, C-level executives routinely receive reports on the performance of business-critical applications, digital services and their business impact. Business leaders are now diving deeper into application performance data to gain a comprehensive understanding of the experiences customers and employees have with their brand.  

This trend is driven by two primary factors. First, leaders need insights into application performance to identify trends, highlight areas bringing substantial business value, and capitalize on these opportunities. Second, they aim to pinpoint potential availability, performance, and security issues that could significantly jeopardize digital experiences. They’re urgently looking to mitigate risk and avoid a revenue-impacting incident. 

For example, in the retail sector, business leaders now want to be able to scrutinize the performance of every stage of the user journey, from sign-up to check-out. They want to analyze the speed and efficiency of every phase of the workflow, identify what is working well and where improvements could be made. And crucially, they want to know where vulnerabilities exist within applications in order to manage risk. 

It’s a similar story in other industries. Leaders in financial services firms are placing a massive focus on digital experience monitoring to compete and win against emerging and disruptive digital-first competition, and within manufacturing, leaders are scrutinizing the performance of each process across their vast SAP landscapes. 

Threats to Digital Experience Arise from Escalating IT Complexity 

For IT teams tasked with developing, deploying, and sustaining applications, the stakes are higher than ever. They understand that even minor lapses in digital experiences could yield significant repercussions for their organizations.  

The reality though is that most IT teams simply don’t have the tools and insights they need to manage modern application environments in an effective and sustainable manner. And, as a result, they’re stuck in a never-ending cycle of firefighting, trying to identify and fix application performance issues ideally before the end user experience is impacted. 

Anybody working in or around an IT department will know how much more complex enterprise IT environments have become over recent years. The shift to cloud native technologies has left technologists trying to manage an increasingly fragmented and dynamic landscape, where everything is continually changing. Additionally, it has also exposed major visibility gaps across hybrid IT environments, where organizations are still deploying separate and siloed monitoring tools for on-premises and cloud native technologies. 

Observability is essential for technologists to deliver exceptional digital experiences 

To overcome this challenge, IT teams need to progress from traditional monitoring approaches and implement full-stack observability, to generate unified visibility across both cloud native and on-premises environments. With observability, IT teams can get real-time insights into IT availability and performance up and down the IT stack, from customer-facing applications right through to core infrastructure. And they can integrate security into the development lifecycle from day one, speeding up innovation and resulting in more robust applications. 

With full-stack observability, IT teams can provide business leaders with a comprehensive set of metrics and insights related to experience – from number of unique sessions, average revenue per session and average revenue per transaction, through to ‘revenue at risk’ from potential outages, and overall user experience (based on defined workflows). 

Ultimately, full-stack observability not only ensures seamless alignment with IT and broader business strategies, it also cultivates a common language between IT and business stakeholders, including C-level executives. This cohesion is essential for organizations looking to excel in a market where digital experience increasingly dictates commercial success. 

LinkedIn Reveals List Of Top Companies In Canada For 2024

Posted in Commentary with tags on April 16, 2024 by itnerd

As the Canadian job market evolves, LinkedIn unveils its 2024 Top Companies list, coinciding with shifting employment trends in the country. Recent data highlights a growing labor pool and rising unemployment rates, signaling a transition to an “employer’s market”.

LinkedIn’s Top Companies is an annual list driven by exclusive LinkedIn data, aimed at assisting professionals in discovering leading global organizations renowned for their commitment to growth, learning opportunities, workplace equity, and vibrant company culture.

Below is the list of the top 10 companies on LinkedIn’s Canadian edition list for 2024.

  1. AstraZeneca
  2. Specsavers
  3. RBC
  4. EQ Bank | Equitable Bank
  5. RSM
  6. Gallagher
  7. McKinsey & Company
  8. BHP
  9. HOOPP (Healthcare of Ontario Pension Plan)
  10. Brookfield Asset Management 

This list showcases a diverse range of industries, with banking and financial services taking the lead (RBC, EQ Bank | Equitable Bank, HOOPP). Following closely are accounting and consulting firms, such as RSM and McKinsey & Company. Additionally, pharmaceuticals (AstraZeneca), optometry and eyewear (Specsavers), mining (BHP), insurance (Gallagher), and asset management (Brookfield Asset Management) are also represented.

The full 2024 Top Companies in Canada list is linked here.

Methodology

The Top Companies methodology is based on eight key pillars shown to lead to career progression, including (1) ability to advance, (2) skills growth, (3) company stability, (4) external opportunity, (5) company affinity, (6) gender diversity, (7) educational background, (8) employee presence. The time frame for data analysis was January 1, 2023 through December 31, 2023, and only looked at company employees within the associated country. More details on the methodology pillars and eligibility criteria can be found in the appendix.

Elon Musk Is So Desperate For Cash That He Is Thinking Of Charging Twitter Users To Like, Bookmark & Respond To Tweets…. WTF?

Posted in Commentary with tags on April 16, 2024 by itnerd

Elon Musk does a lot of things that make me say WTF. But this one takes the prize for dumbest idea ever. A Twitter account called X Daily News noticed this:

Elon himself responded to this with the following:

It’s always about the bots with him. Bots are the problem that he claimed he could solve, but so far he hasn’t been able to. Because it’s not about the bots. It’s about the fact that he tanked Twitter by buying it and making a lot of dumb decisions that have cratered the user count along with the value of the platform, and he needs something to cover up the fact that he’s not as smart as he thinks he is. The fact is that this is another of those dumb decisions, and the only thing it will do is drive actual humans away from Twitter, which will make his problems with the platform worse than they already are.

Great move Elon. Keep doing what you’re doing and Twitter will be dead soon enough under your watch.

Pentera’s State of Pentesting Report: The Rate of Enterprise IT Change Demands Increased Security Testing

Posted in Commentary on April 16, 2024 by itnerd

Pentera, the leader in automated security validation, today released the results of its third annual industry survey: The State of Pentesting 2024. The report provides a snapshot of how security leaders in enterprises across the globe have adopted security validation strategies across their organizations over the past year. 

Threat actors are continuing to successfully breach across the entire attack surface and the stakes are only getting higher: 93% of enterprises who admitted a breach reported unplanned downtime, data exposure, or financial loss as a result.

Enterprises are continuing to prioritize pentesting as part of their security tool kit, accounting for an average of $164,400, nearly 13% of their total IT security budgets. The main drivers and uses for pentesting programs continue to be validating security controls’ efficacy, understanding potential attack impact and prioritizing security investments. Over 50% of CISOs report that they share the results of pentest assessments with their leadership teams as well as their Boards of Directors, using these reports as a tool to communicate cybersecurity risk both within and outside their organizations. 

Other highlights from the report include: 

  • Security testing is struggling to keep pace with organizational IT change rates: 73% of enterprises report changes to their IT environments at least quarterly, however only 40% report pentesting at the same frequency. This underscores a serious frequency gap between the rate at which changes occur within the IT infrastructure and the rate of security validation testing, leaving organizations open to risk for extended periods of time.
  • Security teams are falling behind the rate of security issues: Over 60% of enterprises report a weekly minimum of 500 security events that require remediation. Becoming “patch perfect” is an unfeasible, if not impossible, target for organizations. What’s more, organizations are even more resource constrained than before. In 2023, only 21% of respondents reported a lack of internal resources for remediation as a barrier to pentesting, while this year the number has leaped to 36%.
  • More security technology does not guarantee security: Organizations are adopting a greater number of cybersecurity solutions to manage their risk. On average, enterprises already have 53 security solutions in use across their organization; however, despite large security stacks, 51% of enterprises reported a breach over the past 24 months.

Pentera surveyed 450 CISOs, CIOs, and IT security leaders at enterprise companies with more than 1,000 employees across the Americas, EMEA, and APAC to compile this report. Click here to read the full report.

Register for their upcoming webinar on April 30 with Matt Bromiley, SANS Instructor and Jay Mar-Tang, AVP, Field CISO at Pentera to learn more.