Microsoft Wants to Help Improve Security: What about Its Engineering of Security
August 24, 2023
Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.
Microsoft is an Onion subject when it comes to security. Black hat hackers easily crack any new PC code as soon as it is released. Generative AI adds a new slew of challenges for bad actors but Microsoft has taken preventative measures to protect their new generative AI tools. Wired details how Microsoft has invested in AI security for years, “Microsoft’s AI Red Team Has Already Made The Case For Itself.”
While generative AI aka chatbots aka AI assistants are new for consumers, tech professionals have been developing them for years. While the professionals have experimented with the best ways to use the technology, they have also tested the best way to secure AI.
Microsoft shared that since 2018 it has had a team learning how to attack its AI platforms to discover weaknesses. Known as Microsoft’s AI red team, the group consists of an interdisciplinary team of social engineers, cybersecurity engineers, and machine learning experts. The red team shares its findings with its parent company and the tech industry. Microsoft wants the information known across the tech industry. The team learned that AI security has conceptual differences from typical digital defense so AI security experts need to alter their approach to their work.
“ ‘When we started, the question was, ‘What are you fundamentally going to do that’s different? Why do we need an AI red team?’ says Ram Shankar Siva Kumar, the founder of Microsoft’s AI red team. ‘But if you look at AI red teaming as only traditional red teaming, and if you take only the security mindset, that may not be sufficient. We now have to recognize the responsible AI aspect, which is accountability of AI system failures—so generating offensive content, generating ungrounded content. That is the holy grail of AI red teaming. Not just looking at failures of security but also responsible AI failures.’”
Kumar said it took time to make the distinction and that the red team will have a dual mission. The red team’s early work focused on designing traditional security tools. As time passed, the AI red team expanded its work to incorporate machine learning flaws and failures.
The AI red team also concentrates on anticipating where attacks could emerge and developing solutions to counter them. Kumar explains that while the AI red team is part of Microsoft, they work to defend the entire industry.
Whitney Grace, August 24, 2023
Intellectual Property: What Does That Mean, Samsung?
June 19, 2023
I read “Former Samsung Executive Accused of Trying to Copy an Entire Chip Plant in China.” I have no idea if [a] the story is straight and true, [b] a disinformation post aimed at China, [c] something a “real news” type just concocted with the help of a hallucinating chunk of smart software, [d] a story emerging from a lunch meeting where “what if” ideas and “hypotheticals” were flitting from Chinese take out container to take out container.
It does not matter. I find it bold, audacious, and almost believable.
A single engineer’s pile of schematics, process flow diagrams, and details of third party hardware required to build a Samsung-like outfit. The illustration comes from the fertile zeros and ones at MidJourney.
The write up reports:
Prosecutors in the Suwon District have indicted a former Samsung executive for allegedly stealing semiconductor plant blueprints and technology from the leading chipmaker, BusinessKorea reports. They didn’t name the 65-year-old defendant, who also previously served as vice president of another Korean chipmaker SK Hynix, but claimed he stole the information between 2018 and 2019. The leak reportedly cost Samsung about $230 million.
Why would someone steal information to duplicate a facility which is probably getting long in the tooth? That’s a good question. Why not steal from the departments of several companies which are planning facilities to be constructed in 2025? The write up states:
The defendant allegedly planned to build a semiconductor in Xi’an, China, less than a mile from an existing Samsung plant. He hired 200 employees from SK Hynix and Samsung to obtain their trade secrets while also teaming up with an unnamed Taiwanese electronics manufacturing company that pledged $6.2 billion to build the new semiconductor plant — the partnership fell through. However, the defendant was able to secure about $358 million from Chinese investors, which he used to create prototypes in a Chengdu, China-based plant. The plant was reportedly also built using stolen Samsung information, according to prosecutors.
Three countries identified. The alleged plant would be located in easy-to-reach Xi’an. (Take a look at the nifty entrance to the walled city. Does that look like a trap to you? It did to me.)
My hunch is that there is more to this story. But it does a great job of casting shade on the Middle Kingdom. Does anyone doubt the risk posed by insiders who get frisky? I want to ask Samsung’s human resources professional about that vetting process for new hires and what happens when a dinobaby leaves the company with some wrinkles, gray hair, and information. My hunch is that the answer will be, “Not much.”
Stephen E Arnold, June 19, 2023
Is This for Interns, Contractors, and Others Whom You Trust?
June 14, 2023
Not too far from where my office is located, an esteemed health care institution is in its second month of a slight glitch. The word in Harrod’s Creek is that security methods in use at a major hospital were — how shall I frame this — a bit like the 2022-2023 University of Kentucky basketball team’s defense. In Harrod’s Creek lingo, this statement would translate to standard English as “them ‘Cats did truly suck.”
A young temporary worker looks at her boss. She says, “Yes, I plugged a USB drive into this computer because I need to move your PowerPoint to a different machine to complete the presentation.” The boss says, “Okay, you can use the desktop in my office. I have to go to a cyber security meeting. See you after lunch. Text me if you need a password to something.” The illustration for this hypothetical conversation emerged from the fountain of innovation known as MidJourney.
The chatter about assorted Federal agencies’ cyber personnel meeting with the institution’s own cyber experts is flitting around. When multiple Federal entities park their unobtrusive and sometimes large black SUVs close to the main entrance, someone is likely to notice.
This short blog post, however, is not about the lame duck cyber security at the health care facility. (I would add an anecdote about an experience I had in 2022. I showed up for a check up at a unit of the health care facility. Upon arriving, I pronounced my date of birth and my name. The professional on duty said, “We have an appointment for your wife and we have her medical records.” Well, that was a trivial administrative error: Wrong patient, confidential information shipped to another facility, and zero idea how that could happen. I made the appointment myself and provided the required information. That’s a great computer system and super duper security in my book.)
The question at hand, however, is: “How can a profitable, marketing oriented, big time in their mind health care outfit, suffer a catastrophic security breach?”
I shall point you to one possible pathway: Temporary workers, interns, and contractors. I will not mention other types of insiders.
Please, point your browser to Hak5.org and read about the USB Rubber Ducky. With a starting price of $80US, this USB stick has some functions which can accomplish some interesting actions. The marketing collateral explains:
Computers trust humans. Humans use keyboards. Hence the universal spec — HID, or Human Interface Device. A keyboard presents itself as a HID, and in turn it’s inherently trusted as human by the computer. The USB Rubber Ducky — which looks like an innocent flash drive to humans — abuses this trust to deliver powerful payloads, injecting keystrokes at superhuman speeds.
With the USB Rubber Ducky, one can:
- Install backdoors
- Covertly exfiltrate documents
- Capture credentials
- Execute compound actions.
Plus, if there is a USB port, the Rubber Ducky will work.
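The vendor text above says the device injects keystrokes "at superhuman speeds," and that speed is something a defender can measure. The following is an added example, not from the original post or from Hak5: a detector that flags a newly attached keyboard whose first burst of typing is faster than a person can sustain. The event format, device ids, and thresholds are assumptions, and the sample events are constructed.

```python
from statistics import median

# Assumed tuning values (not from the original post).
MAX_HUMAN_GAP_MS = 30    # median inter-key gap below this is treated as non-human
MIN_BURST_KEYS = 12      # ignore devices that typed too few keys to judge
ATTACH_WINDOW_MS = 5000  # only examine typing shortly after the device appears


def find_injection_suspects(events):
    """Return sorted device ids whose post-attach typing is too fast to be human.

    events: iterable of (timestamp_ms, device_id, kind), kind is "attach" or "key".
    """
    attach_time = {}
    key_times = {}
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            # A re-attach starts a fresh observation window for that device.
            attach_time[dev] = ts
            key_times[dev] = []
        elif kind == "key" and dev in attach_time:
            if ts - attach_time[dev] <= ATTACH_WINDOW_MS:
                key_times[dev].append(ts)

    suspects = []
    for dev, times in key_times.items():
        if len(times) < MIN_BURST_KEYS:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # Median resists a single long pause inside an otherwise scripted burst.
        if median(gaps) < MAX_HUMAN_GAP_MS:
            suspects.append(dev)
    return sorted(suspects)


def constructed_events():
    """Constructed sample: one human-paced keyboard, one scripted HID device."""
    events = [(0, "kbd-builtin", "attach")]
    events += [(400 + i * 180, "kbd-builtin", "key") for i in range(20)]
    events += [(10000, "usb-3-2", "attach")]
    events += [(10800 + i * 4, "usb-3-2", "key") for i in range(40)]
    return events


if __name__ == "__main__":
    print(find_injection_suspects(constructed_events()))
```

Timing alone is a heuristic: a device that deliberately types slowly will pass it, so it complements, rather than replaces, restricting which USB device classes a workstation accepts.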
I mention this device because it may not be too difficult for a bad actor to find ways into certain types of super duper cyber secure networks. Plus temporary workers and even interns welcome a coffee in an organization’s cafeteria or a nearby coffee shop. Kick in a donut and a smile and someone may plug the drive in for free!
Stephen E Arnold, June 14, 2023
Google: Responsible and Trustworthy Chrome Extensions with a Dab of Respect the User
June 7, 2023
“More Malicious Extensions in Chrome Web Store” documents some Chrome extensions (add ins) which allegedly compromise a user’s computer. Google has been using words like responsible and trust with increasing frequency. With Chrome in use by more than half of those with computing devices, what’s the dividing line between trust and responsibility for Google smart software and stupid but market leading software like Chrome? If a non-Google third party can spot allegedly problematic extensions, why can’t Google? Is part of the answer, “Talk is cheap. Fixing software is expensive”? That’s a good question.
The cited article states:
… we are at 18 malicious extensions with a combined user count of 55 million. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively.
The write up crawfishes, stating:
Mind you: just because these extensions monetized by redirecting search pages two years ago, it doesn’t mean that they still limit themselves to it now. There are way more dangerous things one can do with the power to inject arbitrary JavaScript code into each and every website.
My reaction is: why are these allegedly malicious components in the Google “store” in the first place?
I think the answer is obvious: Talk is cheap. Fixing software is expensive. You may disagree, but I hold fast to my opinion.
Stephen E Arnold, June 7, 2023
What a Difference a Format Makes. 24 Little Bytes
May 5, 2023
Lawyer Carl Oppedahl has strong feelings about the Patent Office’s push to shift applications from PDF format to the DOCX format. In his most recent blog post on the subject he considers, “How Successful Have USPTO’s DOCX Training Webinars Been?” His answer, in short, is not very.
Oppedahl recently conducted two webinars for law offices that regularly file clients’ patent applications. He polled his attendees and reports the vast majority of them felt the Patent Office has not done a good job of communicating the pros and cons of DOCX filing. More significant, though, may be the majority of attendees who say they will not or might not submit filings in DOCX in the future, despite the $200 – $400 fee for stubbornly sticking with PDFs. In our experience PDFs are a PITA, so why is there such a strong resistance to change?
I sat through a recording of Oppedahl’s first webinar on the subject, and if you believe his account there are actually some very good reasons. It is all about protecting one’s client. Oh, and protecting oneself from a malpractice claim. That could be worth a few hundred bucks (which one might pass on to the client anyway.) His executive-summary slide specifies:
“DOCX filing puts you more at risk than PDF filing
PDF filing:
*You can protect yourself tomorrow or next month or TYFNIL [ten years from now in litigation].
*The Ack Receipt Message Digest allows you to prove the PDF file you preserved is the same PDF file that was uploaded to the PTO.
*You get an audit trail.
DOCX filing:
*You cannot prove what DOCX file you actually uploaded.
*The PTO throws away the DOCX file you uploaded (D1) and only keeps their manipulated version (D2).
*There is no Ack Receipt Message Digest available to prove the DOCX file you preserved is the same DOCX file that you uploaded to the USPTO.
*The USPTO destroys the audit trail.
*There is an Ack Receipt Message Digest relating to DOCX. It does not match the file you uploaded (D1) so you cannot use it to prove what you filed. It does match the file D2 that became authoritative the instant that you clicked ‘submit,’ so TYFNIL it permits the infringer to prove that you must have clicked ‘submit’ and you agreed that your uploaded DOCX file D1 was not controlling.
*In other words TYFNIL if you try to point to what you say you uploaded, and you try to say that this is what should have issued in the patent the Message Digest will serve to say that you agreed that what you uploaded was irrelevant to what should have issued in the patent. The Message Digest serves to say that you agreed that the patent should issue based on what was in that manipulated version D2.
*In the DOCX filing system, the Message Digest has been repurposed to protect the USPTO and to protect infringers, and no longer protects you, the applicant or practitioner.”
Like I said, strong feelings. For details on each of these points, one really just needs to listen to the first 45 minutes of the webinar, not all one-and-a-half hours. A key point lies in that D1 versus D2 issue. The D2, which submitters are required to verify, is what emerges from the other side of the PTO’s proprietary docx validator software. According to Oppedahl, that software has been proven to introduce errors, like changing a mu to a u or a square root sign to a smiley face for example. For patents that involve formulas or the like, that can be a huge issue. To avoid such errors being set in stone, filers (or their paralegals) must check the submitted document against the new one character by character while the midnight EST deadline looms. Not ideal.
Another important issue is the value of the Ack Receipt Message Digest facilitated by PDFs but not DOCX documents. The technology involves hash functions and is an interesting math tangent if you’re into that kind of thing.
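The D1 versus D2 point and the message digest point above can be shown together. The following is an added example, not from the original post, the webinar, or the USPTO: it computes a digest over what an office records, checks a preserved file against it, and locates the first changed character. SHA-512 is an assumed algorithm (the post does not name one), the function names are hypothetical, and the documents are constructed plain-text stand-ins for real PDF and DOCX files.

```python
import hashlib
import hmac

# Constructed stand-ins for the uploaded file (D1) and the converted file (D2).
DOCX_D1_TEXT = "claim 1: a film of thickness 5 µm"
DOCX_D2_TEXT = DOCX_D1_TEXT.replace("µ", "u")  # the mu-to-u error described above
PDF_BYTES = b"%PDF-1.7 constructed sample, thickness 5 \xc2\xb5m"


def message_digest(data: bytes) -> str:
    """Hex digest of a file's bytes (SHA-512 is an assumption of this example)."""
    return hashlib.sha512(data).hexdigest()


def matches_receipt(preserved: bytes, receipt_digest: str) -> bool:
    """True if the preserved file is bit-for-bit what the receipt digest covers."""
    expected = receipt_digest.strip().lower()
    return hmac.compare_digest(message_digest(preserved), expected)


def lossy_conversion(uploaded: bytes) -> bytes:
    """Hypothetical converter that silently rewrites one character."""
    return uploaded.decode("utf-8").replace("µ", "u").encode("utf-8")


def receipt_for(uploaded: bytes, transform=None) -> str:
    """Digest a receipt would carry: over the upload, or over its converted form."""
    recorded = transform(uploaded) if transform else uploaded
    return message_digest(recorded)


def first_difference(a: str, b: str):
    """Return (index, char_in_a, char_in_b) at the first mismatch, or None."""
    for i, (ca, cb) in enumerate(zip(a, b)):
        if ca != cb:
            return (i, ca, cb)
    if len(a) != len(b):
        shorter = min(len(a), len(b))
        return (shorter, a[shorter:shorter + 1], b[shorter:shorter + 1])
    return None


def audit_filings():
    """Compare what the filer preserved with what each receipt can prove."""
    pdf_receipt = receipt_for(PDF_BYTES)  # digest over the file as uploaded
    d1 = DOCX_D1_TEXT.encode("utf-8")
    docx_receipt = receipt_for(d1, lossy_conversion)  # digest over D2
    return {
        "pdf_preserved_matches": matches_receipt(PDF_BYTES, pdf_receipt),
        "docx_d1_matches": matches_receipt(d1, docx_receipt),
        "docx_d2_matches": matches_receipt(lossy_conversion(d1), docx_receipt),
    }


if __name__ == "__main__":
    print(audit_filings())
    print(first_difference(DOCX_D1_TEXT, DOCX_D2_TEXT))
```

A single changed character produces an unrelated digest, which is why a digest computed over D2 says nothing about the preserved D1.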
So why is the Patent Office pushing so hard? Apparently it is so they can automate their approval process. Automation is often a good thing, and we understand why they are eager to speed up the process and reduce their backlog. But the Patent Office may be jumping the gun if applicants’ legitimate legal standing is falling through the cracks.
Cynthia Murrell, May 5, 2023
TikTok: What Does the Software Do?
March 22, 2023
A day or two ago, information reached me in rural Kentucky about Google’s Project Zero cyber team. I think the main idea is that Google’s own mobiles, Samsung’s, and those of a handful of other vendors were vulnerable. Interesting. The people who make the phones do not know exactly what flaws or data drains their own devices have. What sticks in my mind is that these are not new mobiles like the Nothing Phone.
Why do I mention this? Software can exploit these flaws. Who knew? Obviously not Google when the phones were designed, coded, manufactured, or shipped. Some Googlers use these devices which is even more remarkable. How can a third party know exactly what functions or latent functions exist within hardware or software for that matter?
I assume that the many cyber experts will tell me, “We know.”
Okay, you know. I am not sure I believe you. Sorry.
Now I come to the TikTok is good, TikTok is evil write up “It’s Wild That Western Governments Have Decided That TikTok Might Spy for China. The App Hasn’t Helped Itself.” The article reports:
In December, TikTok admitted that some ByteDance staff in the US and China gained access to personal data of journalists in a bid to monitor their location and expose company leaks. A spokesperson said four employees who accessed the data had been fired, CNN reported at the time. TikTok has maintained the app doesn’t spy on individuals, and has pointed to the steps it’s taking to hive off user information. Theo Bertram, TikTok’s vice president for public policy in Europe, tweeted on Thursday that the app does not “collect any more data than other apps.”
What’s my point? The Google Project Zero team did not know what was possible with its own code on its own devices. Who knows exactly what the TikTok app does and does not do? Who knows what latent capabilities reside within the app?
The Wall Street Journal published on March 19, 2023, page A-4, “DOJ Looking into TikTok’s Tracking of Journalists.” The story contained a statement attributed to a TikTok executive. The snippet I clipped whilst waiting for a third-world airline is:
TikTok’s chief executive Shou Zi Chew has said that divesting the company from its Chinese owners doesn’t offer any more protection than a multibillion-dollar plan the company has already proposed.
Now I am supposed to trust software from an allegedly China-affiliated app? What?
In the absence of sufficient information, what is a prudent path? One can compartmentalize as I do. One can stop using the software as I have for certain applications. One can filter the malicious app so that it is not available? One can install cyber defenses that monitor what’s going in and out and capture data about those flows?
The bottom-line today March 18, 2023, is that we don’t know what we don’t know. Therefore, hasta la vista TikTok.
Stephen E Arnold, March 22, 2023
Wanna Be an Old Fashioned B&E Person?
March 8, 2023
I spotted another of the info dumps which make me nervous. “Red Team, Physical Security, Covert Entry, and EDC” is another list of helpful products and tools. (EDC means every day carry.) My personal preference is that this type of information not zip around so that curious high school science club members can get some helpful ideas. What makes this list interesting is the disclaimer. Legal eagles will definitely be reluctant to take flight after reading:
Disclaimer: I am not responsible for anyone using any information in this post for any illegal activities. Getting caught with possession of burglary tools will likely land you behind bars and possibly end with a multiple felony conviction. The information in this post is for legal and authorized engagements, and to use for educational purposes only.
These types of messages are appearing with greater frequency. A good example is the message from Vaga Bond about train hopping in some interesting countries like Russia and Morocco.
If you want to see these tools, navigate to one of CosmodiumCS’s helpful YouTube videos; for example, https://www.youtube.com/watch?v=ETMHHvRrH5A.
Stephen E Arnold, March 9, 2023
Unpatchable Windows Flaw? Will Surprises Reside in Smart Software from Microsoft?
March 7, 2023
No big deal? A flaw described as “Unpatchable”? Not to worry. Okay, I will pretend not to worry, but I am worrying. Many commercial and government systems may be at risk. “Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw” reports:
Researchers on Wednesday [presumably March 1, 2023] announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Microsoft’s good enough engineering has produced technology which is “unpatchable.” Shouldn’t that effort be directed toward creating software which is patchable? I know. I know. People are in a hurry. There are those TikToks to watch. Plus, who wants to fool around with secure boot issues when the future is smart software?
As the Microsofties chase after the elusive “it understands human utterance” bunny rabbit, what gotchas will be tucked inside ChatGPT-inspired applications? I am not very good at predicting the future. I am not dumb enough to say, “Hey, that Microsoft smart software will be okay.” Microsoft is good at marketing. May I suggest that Microsoft is not so good at producing software that meets users’ expectations for security.
Stephen E Arnold, March 7, 2023
Identity Theft Made Easy: Why?
December 30, 2022
Some automobiles are lemons aka money holes, because they have defects that keep breaking. Many services are like that as well, including rental car insurance, extended warranties on electronics, and identity theft protection. Life Hacker explains why identity theft protection services are a scam in the story: “Identity Theft Protection Is Mostly Bullshit.”
Most Americans receive emails or physical letters from their place of work, medical offices, insurance agencies, etc. that their personal information was involved in a data breach. As a token of atonement, victims are given free Identity Theft Protection (ITP) aka a useless service. These services promise to monitor the Internet and Dark Web for your personal information. This includes anything from your credit cards to social security number. Identity theft victims deal with ruined credit scores and possibly stolen funds. Identity Theft Protection services seem to be a good idea, until you realize that you can do the monitoring yourself for free.
ITP services monitor credit reports, social media accounts, the Dark Web, and personal financial accounts. Some of these services such as credit reports and your financial accounts will alert you when there is suspicious activity. You can do the following for free:
“You can access your credit reports for free once a year. And you should! It’s a fast and pretty straightforward operation, and at a glance you can see if someone has opened a credit card or taken out a loan in your name. In fact, the number one best way to stop folks from stealing your identity is to freeze your credit, which prevents anyone—even if they have your personal information—from getting a new credit card or loan. While this doesn’t protect you from every single kind of fraud out there, it removes the most common vectors that identity thieves use.”
The US government also maintains a Web site to assist identity theft victims. It is wise to remember that ITP services are different from identity theft insurance. The latter is the same as regular insurance, except it is meant to help when your information is stolen.
Practice good identity hygiene by monitoring your accounts and not posting too much personal information online.
Why is identity theft like a chicken wing left on a picnic table? Careless human or indifferent maintenance worker?
Whitney Grace, December 30, 2022
Who Can See Your Kiddies?
December 20, 2022
In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaffe actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”
People buy Apple products for their better security and privacy settings compared with PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:
“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”
No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices and the compatibility between Macs and PCs could be the reason. Apple is not infallible and here is a lesson in humility.
Whitney Grace, December 20, 2022