Posts by Mike 137

"... It is unacceptable for foreign officials to issue or threaten arrest warrants on US citizens or US residents for social media posts on American platforms while physically present on US soil" Rubio said.

"It's OK for us to do this though."

A spark of realism

"The Register looks forward to AI-produced results like the above bringing enormous benefits to the UAE."

Nice one Simon!

Shakespeare might have been talking about LLMs, when he wrote "it is a tale told by an idiot, full of sound and fury, signifying nothing.¹

_{1: Macbeth, Act 5, Scene 5}

.

The limitations

The "limitations" section of the paper (page 9) is all important. The tasks were simple enough to be evaluated by automation, but as the authors state "In a real freelance scenario, requirements can be vague or evolving, clients might change their mind, and there could be integration issues beyond just writing a piece of code. Our benchmark doesn't capture those aspects – every task here is a neatly packaged problem that starts and ends within a single prompt/response."

So the "AI" might (80% of the time) replace grunt coders given detailed briefs for simple tasks, but not programmers or software engineers who have to exercise initiative and imagination to fulfil larger and more complex tasks. So there's potential for such tools to assist, but not replace, expert developers (provided the time and effort needed to weed out "hallucinations" doesn't negate the gains).

A fundamental weakness?

From the paper (fig. 1): "Participant and opponent then debate for 10 min on a randomly assigned topic, holding the PRO or CON standpoint as instructed"

So actually, this research only indicates (if at all) that a bot may be more persuasive than a human when challenging a standpoint not really held by its opponent. It would be interesting to see how it faired against a genuinely held position.

The root cause?

"a device with Intel Trusted Execution Technology (TXT) enabled on a tenth-generation or later Intel processor with vPro support, has BitLocker enabled, and obediently installed the KB5058379 patch..."

I've come to the conclusion the fundamental problem is that, due to a very apparent long standing practice of "tinker development", the OS has got so convoluted that it's impossible to reliably predict the effect of any changes/"updates"/fixes. So it's not so much that M$ doesn't care (although they indeed might not) but that the entire development process is utterly out of control because nobody on the dev teams really understands how the damned thing works any more.

Not so much "end of life"

as "end of being blocked from doing your work unexpectedly by a monstrous update, then finding your settings have been changed back to unwanted defaults".

If I have to use Windoze, I'll not miss this at all.

"cybersecurity is a culture of teamwork, not a technology"

I've been saying this for a quarter of a century to organisations of all sizes from international corporate to mom & pop shop, and mostly they've listened politely and then ignored the advice. Where it grants any recognition to the problem at al, the entire security culture is obsessed by standards. But when we look at said standards we find, on the one hand purely technical approaches such as Cyber Essentials ("have some tech stuff in place") and on the other, process oriented approaches such as ISO 27001 and the NIST cybersecurity framework ("have some processes in place"). Yes, you need technologies and processes, but obviously you must be sure they actually work. Despite which there doesn't seem to be a single standard that defines outcomes and practically zero attention is addressed to culture or awareness beyond some perfunctory references to "training" of the front line (but typically not the executive).

The reality is that price of peace is eternal vigilance on the part of everyone at all levels of the organisation.

Motivations

Admittedly a few years back, I participated in a UK Parliamentary specialist group debate on "open source and open standards". Two things stood out glaringly: [1] many of the participants confused the two, assuming that open source automatically both complied with open standards and drove them, and [2] most of the user base used open source not because the source was open (they didn't look at it) but merely because it was free software. On this basis was hard to see how the original intent of open source could survive intact -- as indeed it seems not to have.

"Commitment" is not enough

" is Cyber Essentials certified. This demonstrates our commitment to robust standards in[...] cybersecurity"

No it doesn't. Cyber Essentials is not a "robust standard" -- it's an absolutely minimal one and its implementation is seriously shallow. It merely requires that an organisation self certifies it has implemented a bunch of basic technical stuff, although at the Plus level this is externally checked and an annual pen test is required. At neither level does it consider the management of security at all (except for patch management as a purely technical matter), so whether the implemented stuff would actually work in the face of threats is not checked. In this case (apparently), among other failures, no effective monitoring was in place, but of course Cyber Essentials doesn't require it.

When Cyber Essentials was first proposed I suggested that (at the Plus level at least) it should include assessment of security management processes, but the powers were not interested. so the idea fell flat (I suspect, because too many organisations just wing it, so a standard that included review of management processes would not have been widely adopted).

Examine the goddamm headers!

" email disguised to resemble a missive from an unnamed European country's Ministry of Foreign Affairs"

Whether the sender is legitimate should be determinable from the email headers, particularly in the context of diplomatic traffic, which by definition has a limited circulation.

Furthermore ...

In this context, every book on digital forensics that has crossed my desk (as a reviewer or as study material) over the last couple of decades has concentrated on the technicalities of extracting data from devices, with little or no reference to actual forensics -- how to deliver evidence acceptable in a court of law. Even the admittedly pre-digital ACPO guidelines did better -- for example stressing documented chain of custody. And it's clear that, given Prof. Sommer's comments on idiosyncratic methods, this should be extended to include a clear description of any post-extraction processing performed (which should of course be made available to the court).

Null and void

"People based in the EU who use our platforms can choose to object to their public data being used for training purposes," the tech giant noted.

"... once we've already used it, as we did that before we offered you the right to object."

Question

"When this issue occurs, mouse and keyboard input become unresponsive within the session, requiring users to disconnect and reconnect"

How, if KB and mouse stop working?

I'd go further

"people working with data in government are not typically technical and would be unlikely to get a similar job in the private sector"

I think it's probably fair to say that if any commercial enterprise were to be run the same way as almost any of our government agences, it'd be bankrupt within a year at most.

Pardon?

how it might help visualize an Excel spreadsheet of customer data. "Usually, to make sense of this data I'd need to ask my colleague who knows Python"

Only if the spreadsheet is snake oil, I guess.

But joking apart, if a spreadsheet of customer data is so badly designed that you need a programmer to explain it, maybe that's where the problem really resides. In my consulting life I've seen many appallingly badly designed manual processes rigorously replicated in expensive automation, with predictably poor results.

Speedy!

"The patch, [...] came out on March 25 and, according to Microsoft, repairs what it broke in January"

So it took almost two months to fix a bug that disabled a critical business workload function. Well done M$, who seem to have forgotten that vast numbers of businesses rely on them for technology that works reliably in order to stay in business. Welcome to the toyshop!

"Still, that's progress, eh"

As will be the ubiquitous background noise pollution of wide band high frequency whine once all vehicles are electric, as opposed to the relatively ignorable (and easily filterable) typically sub-100 Hz rumble of ICE engines. The tyre noise (also in the 100 Hz range) will of course remain beneath the whine.

So utterly relevant

""I'm not a big fan of The Atlantic"

As if that mattered a foetid dingo's goolies. Orangeman's habitual arbitrary deflection of all criticism with random non sequiturs is his great weakness. He may win the exchange, but not the argument (in the logical sense of the word) and maybe folks are beginning to catch on to that.

Thankyou Rupert

Totally on target, about both the bug reporting and the economy. I wish we could upvote articles as well as comments!

"Crypto"

Oh, it means cryptocurrency (not, for example, cryptography) here. There's an odd propensity in vernacular English to simplfy a compound noun by dropping the most specific element -- as in "microwave" to mean "microwave oven". Ali the other possible applications of microwaves (and indeed crypto*) seem to have been forgotten. It does result in confusion!

Where do you site your backup power?

"Investigations have now found that the likely cause was a failure within the electrical safety circuit of the high voltage switchgear at the Council’s HQ. This meant that when the power went out, the electricity generated by backup generators couldn’t get back into the system to power anything."¹

Commiserations to the council are in order. At some point there must be switchover gear between mains and backup, and when that gear fails there's really no way to stay live however you've designed your backup power.

_{1: Nottingham City Council power outage update}

.

Surprise, surprise!

"when shown a snippet of shoddy code and asked to fill in the blanks, AI models are just as likely to repeat the mistake as to fix it"

Considering that the machine responds on the basis of probability of (to it) meaningless tokens, this is entirely to be expected. It's been fed with faulty data, so it replies in kind. I've given up wondering when this crashingly obvious reality will finally sink in -- the hype is just too powerful in our bullshit-driven age.

At the minor end

This is one of the most miniscule infractions of the law that 'doge' has perpetrated so far. But what should you expect when you unleash a bunch of software developers with no knowledge of the law with the brief to restructure complex government agencies? The huge number of reversals of bad decisions and mistakes to date indicate that they're completely out of their depth rather than concertedly malicious (OK, malicious maybe, but, it's patently obvious, not concertedly).

"The balloons connected to each other with an optical network that used lasers"

Having worked on laser comms (admittedly in the '80s but the physics haven't changed) I wonder how they expect to maintain the tight line of sight required for a laser comms channel, given that even well tethered balloons tend to move around in the wind.

Nasty suspicion

"Two of them requested video evidence of exploitation (for things that don't even make sense to have a video of[...]), and the third was rejected as not a vulnerability with clear evidence that the MSRC handler didn't bother actually reading what I submitted."

Could it be that M$ are staffing their 'MSRC' with folks who don't actually have much (or any) actual expertise? So they can follow a video exposition from start to outcome, but with zero understanding of what's actually happening (and for the same reason can't make use of a textual exposition). So it's possibly not so much "didn't bother actually reading" as "couldn't make head or tail of the text". This, if it's the case, exemplifies the burgeoning population of "techies" who can cope with the externals of tech but haven't a clue about what goes on under the hood. They're bringing the technologies to their knees, but they're cheaper to hire than the fully informed.

In the name of democracy ...

"The Hepting case looked like a slam dunk, and claimed AT&T had clearly broken the law. As a result, Congress changed the law and retroactively granted telcos immunity if they conducted wiretaps in the interest of national security"

Actually just one more minor example of what govt.s get up to to cover arses when dirty tricks may get exposed -- see John Prados, The ghosts of Langley, Amberley Publishing 2017 [ISBN 978 1 4456 6792 8 (hardback), 978 1 4456 6793 5 (ebook)] and Ian Cobain, The history thieves, Portobello Books 2016 [ISBN 978 1 8462 7583 8 (hardback), 978 1 8462 7584 5 (paper)]