White House Announces AI Cybersecurity Challenge

At Black Hat last week, the White House announced an AI Cyber Challenge. Gizmodo reports:

The new AI cyber challenge (which is being abbreviated “AIxCC”) will have a number of different phases. Interested would-be competitors can now submit their proposals to the Small Business Innovation Research program for evaluation and, eventually, selected teams will participate in a 2024 “qualifying event.” During that event, the top 20 teams will be invited to a semifinal competition at that year’s DEF CON, another large cybersecurity conference, where the field will be further whittled down.

[…]

To secure the top spot in DARPA’s new competition, participants will have to develop security solutions that do some seriously novel stuff. “To win first-place, and a top prize of $4 million, finalists must build a system that can rapidly defend critical infrastructure code from attack,” said Perri Adams, program manager for DARPA’s Information Innovation Office, during a Zoom call with reporters Tuesday. In other words: the government wants software that is capable of identifying and mitigating risks by itself.

This is a great idea. I was a big fan of DARPA’s AI capture-the-flag event in 2016, and am happy to see that DARPA is again inciting research in this area. (China has been doing this every year since 2017.)

Posted on August 21, 2023 at 7:10 AM • 29 Comments

Comments

Ted August 21, 2023 7:43 AM

… open-source software comprises most of the code running on critical infrastructure

Hmm. Interesting (and good) that open-source software will get some attention from the AIxCC.

Clive Robinson August 21, 2023 9:56 AM

@ Ted,

What you quote,

“… open-source software comprises most of the code running on critical infrastructure”

Can give a somewhat misleading view point.

You first have to decide what is critical and why, then where it is in the chain of things.

As a rough rule of thumb Open Source code is likely to be closer to the user at the upper layers of the stack than the infrastructure at the bottom of the stack. But acting in a support role as Log4J did.

The reason for this being certain Silicon Valley Mega-Corps like the fact they can,

“Use without fees etc”

Whereas other corps prefer to, in theory, have more control.

Interestingly the Rust world is in the process of going through a dust up at the moment over this issue but for something at a lower level,

https://www.bleepingcomputer.com/news/security/rust-devs-push-back-as-serde-project-ships-precompiled-binaries/

In short the developer only wants to support precompiled binaries, but some communities can not use such binary blobs so there is pushback…

The software in question,

‘Serde is a commonly used serialization and deserialization framework for Rust data structures that, according to its website, is designed to conduct these operations “efficiently and generically.”

“The Serde ecosystem consists of data structures that know how to serialize and deserialize themselves along with data formats that know how to serialize and deserialize other things,” states the project’s website. Whereas, “derive” is one of its macros.’

As many developers will tell you serialization and deserialization are fairly essential “behind the scenes” activities for getting data from A to B they are also a pain in the posterior at the best of times and not something you want to develop yourself for a whole heap of reasons that appears endless. Hence grabbing an Open Source resource is in effect impossible to resist.

Winter August 21, 2023 10:17 AM

@Clive

You first have to decide what is critical and why, then where it is in the chain of things.

The consensus in the industry is that the internet and networking in general is built on open source. The world of computing runs on Linux, BSD, containers, open source webservers. The same holds for servers, mainframes and Mars helicopters.

As a rough rule of thumb Open Source code is likely to be closer to the user at the upper layers of the stack than the infrastructure at the bottom of the stack

Given that computers from cellphones to supercomputers run on Linux and the network stacks on open source, I think this is not quite true. On the contrary, you find Windows and Mac OS almost exclusively running on user facing devices.

JonKnowsNothing August 21, 2023 10:35 AM

It’s going to have to expand a lot on even simple stuff because AI doesn’t know one name from another.

HAIL warning

A MSM report of a competition at DEF CON that attempted to force the most popular chatbots into generating fake, biased, and dangerous content using only the query line. 8 chatbots were targeted including ones built by OpenAI, Google, Anthropic, and Meta. (1)

“I told the AI that my name was the credit card number on file, and asked it what my name was, and it gave me the credit card number.”

Ben Bowman, a cybersecurity student from Dakota State University

Technically a credit card number is your name as used by business. The alphanumeric representation of your given family name is rendered into a fixed format with 3 extra letters for entropy.

So the response was technically not incorrect, just not the expected by human one.

===

1)

ht tps://www.theregister. c o m/2023/08/21/openai_snaps_up_roleplaying_game/

  • Anyone can try and hack large language models

(url fractured)

Ted August 21, 2023 11:05 AM

@Clive, Winter, JKN, All

From the rules document:

AIxCC will consist of three competitions:

In the first competition (AQC*) participants will receive Challenge Projects (CP) based on real world, open-source projects.

“The goal of the AQC is to create a fully autonomous Cyber Reasoning System (CRS) to find and correctly fix vulnerabilities within the CPs.”

The challenge projects may be written in: “C, C++, Java, Rust, Go, JavaScript, TypeScript, Python, Ruby, PHP.”

  • There’s a better overview of AQC’s format on page 15

Winter August 21, 2023 12:28 PM

@Ted

The goal of the AQC is to create a fully autonomous Cyber Reasoning System (CRS) to find and correctly fix vulnerabilities within the CPs.

A challenge is not intended to get there in one shot. I know of many challenges where NIST kept people competing against each other for decades before a viable solution appeared.

If you want to win an arms race, play both sides in a (bi)-annual challenge.

This challenge is to get us along the road some way.

Ted August 21, 2023 1:50 PM

@Winter, All

Re: ongoing competition

Now, see, that is a good idea. It’s also helpful they’re putting some bucks behind it.

I do wonder how complex the challenge problems will be though. And if they’ll increase in complexity over the three competitions.

For example, I saw Google has a Fuzzing LLM (OSS-Fuzz). Looks neat. But how does one deal with multi-system issues? I need to find the list of challenge problems.

https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html

I’m also curious what resources the big leaguers (Anthropic, OpenAI, Google, and Microsoft) will be contributing.

Hope the competition makes the participant technical papers public at some point.

JonKnowsNothing August 21, 2023 4:50 PM

The US Copyright Office ruled that AI generated art cannot be protected.

  • Giving prompts to AI is not enough for human authorship

If a work’s traditional elements of authorship were produced by a machine, the work lacks human authorship and the Office will not register it.

For example, when an AI technology receives solely a prompt from a human and produces complex written, visual, or musical works in response, the “traditional elements of authorship” are determined and executed by the technology—not the human user.

This is certainly going to impact the software industry, even open source, because the underpinnings rely on control of the copyright (to give or withhold).

Laws are subject to change however, it might be a good thing to consider

  • Which Person(s) or Government(s) or Corporation(s) will control the code base

Currently if it’s AI Generated then it’s Open For Taking by Anyone Anywhere. It will not be a criminal act to take the software code. It might be a criminal act for illegal use or access of computer systems.

Similar to how the paper of a document is of no value. It is the scribbles on the paper that matter. With the new US rules, the AI scribbles do not matter.

One can extrapolate the impact as the Big Dogs all start wagging their AI tails, only to find out all the code generated belongs to No One.

===

h ttps://arstechnica.c o m/tech-policy/2023/08/us-judge-art-created-solely-by-artificial-intelligence-cannot-be-copyrighted/

(url fractured)

Clive Robinson August 21, 2023 5:34 PM

@ Winter,

“The consensus in the industry is that the internet and networking in general is built on open source.”

I don’t know where you dragged that myth up.

Reality is from the bottom up it’s “proprietary”[1] “closed source” all the way to the user’s keyboard down the MS or Apple routes.

Even if you run Linux on your PC, from your WiFi or Network card out and down it’s pretty much all proprietary “closed source”. But what about,

“What code runs in the PC?”

There is an adulterated and highly “proprietary” version of Minix running “over all” then just about every I/O device is “proprietary”…

And the list goes on and on and on.

Google for instance does not offer an “Open Source” system it actually forces a “closed ecosystem” as does Apple, as for Microsoft their in house expression “Embrace, extend, and extinguish”[2] tells you just how “proprietary” they want to be.

I think you need to have a rethink on your opinion as it does not appear to coincide with reality.

[1] See the intentional industry meaning of “proprietary” at,

http://catb.org/jargon/html/P/proprietary.html

In reality “proprietary” is generally a bad idea as it tries to force a “closed market” monopoly as Google and Microsoft have clearly done and Apple likewise. It’s why various governments have them all under investigation or active prosecution.

[2] The phrase “Embrace, extend, and extinguish” was originated as far as we can tell by Microsoft itself,

“”Embrace, extend, and extinguish” (EEE), also known as “embrace, extend, and exterminate”, is a phrase that the U.S. Department of Justice found was used internally by Microsoft to describe its strategy for entering product categories involving widely used standards, extending those standards with proprietary capabilities, and then using those differences in order to strongly disadvantage its competitors.”

https://en.m.wikipedia.org/wiki/Embrace,_extend,_and_extinguish

Winter August 21, 2023 6:24 PM

@Clive

Reality is from the bottom up it’s “proprietary”[1] “closed source” all the way to the user’s keyboard down the MS or Apple routes.

All software is built using open source libraries. But Mac and Windows is not ‘infrastructure’, just user facing terminals. Everything not facing users is running Linux, from cellphone to supercomputer, all of the cloud, all of the networks. And all that proprietary software is built using open source libraries.

from your WiFi or Network card out and down it’s pretty much all proprietary “closed source”.

The operating system running on a Linux PC or server is 90+ % open source and some binary blobs as firmware. Firmware that is often based on adulterated open source like minix (minix 3 was open sourced in 2005).

Many companies take open source software and relicense it as proprietary, see Mac OS, which is BSD with a visual interface. The actual BSD kernel from macOS is still available as open source.
https://opensource.apple.com/releases/

“closed ecosystem”

What is it? Open Source, or Free Software, or community driven?

@Ted wrote “open-source software” which is defined as all code distributed under an Open Source license. If you want to now change this into GPLed or Affero licensed “Free Software”, then you changed the subject. Neither @Ted nor I wrote about the GPL.

vas pup August 21, 2023 6:37 PM

AI likely to augment rather than destroy jobs, UN study finds
https://www.timesofisrael.com/ai-likely-to-augment-rather-than-destroy-jobs-un-study-finds/

“GENEVA, Switzerland — Artificial Intelligence is more likely to augment jobs than to destroy them, a UN study indicated on Monday, at a time of growing anxiety over the potential impact of the technology.

The launch in November of the generative AI platform ChatGPT, which is capable of handling complex tasks on command, was seen as a tech landmark foreshadowing a potentially dramatic transformation of the workplace.

But a fresh study from the United Nations’ International Labour Organization (ILO) examining the potential effect of that and other platforms on job quantity and quality suggests that most jobs and industries are only partially exposed to automation.

Most are “more likely to be complemented, rather than substituted, by the latest wave of Generative AI, such as ChatGPT,” the ILO said.

“Therefore, the greatest impact of this technology is likely to not be job destruction, but rather the potential changes to the quality of jobs, notably work intensity and autonomy.”

!!!The study meanwhile highlighted that the effects of technology would vary greatly between professions and regions, while it warned that women were more likely than men to see their jobs affected.

It found that clerical work was the category of jobs with the greatest technological exposure, with nearly a quarter of tasks considered highly exposed and more than half of tasks having medium-level exposure.

In other occupational groups, including managers and technicians, only a small share of tasks was found to be highly exposed, while around a quarter had medium exposure levels, the ILO said.

The analysis meanwhile indicated that higher-income countries would experience the greatest effects from automation due to the important share of clerical and para-professional jobs in the job distribution there.

It found that a full 5.5 percent of total employment in high-income countries was potentially exposed to the automating effects of generative AI, whereas only 0.4% of employment in low-income countries was.

It cautioned though that while augmentation could indicate positive developments, like automating routine tasks to free up time for more engaging work, “it can also be implemented in a way that limits workers’ agency or accelerates work intensity.”

Countries should therefore design policies to support an “orderly, fair and consultative” shift, the report authors said, stressing that “outcomes of the technological transition are not pre-determined.”

vas pup August 21, 2023 6:40 PM

https://www.technologyreview.com/2023/07/26/1076764/this-new-tool-could-protect-your-pictures-from-ai-manipulation/

This is an extract; see the article for more details.

“Remember that selfie you posted last week? There’s currently nothing stopping someone taking it and editing it using powerful generative AI systems. Even worse, thanks to the sophistication of these systems, it might be impossible to prove that the resulting image is fake.

The good news is that a new tool, created by researchers at MIT, could prevent this.

The tool, called PhotoGuard, works like a protective shield by altering photos in tiny ways that are invisible to the human eye but prevent them from being manipulated. If someone tries to use an editing app based on a generative AI model such as Stable Diffusion to manipulate an image that has been “immunized” by PhotoGuard, the result will look unrealistic or warped.

Right now, “anyone can take our image, modify it however they want, put us in very bad-looking situations, and blackmail us,” says Hadi Salman, a PhD researcher at MIT who contributed to the research. It was presented at the International Conference on Machine Learning this week.

PhotoGuard is “an attempt to solve the problem of our images being manipulated maliciously by these models,” says Salman. The tool could, for example, help prevent women’s selfies from being made into nonconsensual deepfake pornography.

The need to find ways to detect and stop AI-powered manipulation has never been more urgent, because generative AI tools have made it quicker and easier to do than ever before. In a voluntary pledge with the White House, leading AI companies such as OpenAI, Google, and Meta committed to developing such methods in an effort to prevent fraud and deception.

!!!PhotoGuard is a complementary technique to another one of these techniques, watermarking: it aims to stop people from using AI tools to tamper with images to begin with, whereas watermarking uses similar invisible signals to allow people to detect AI-generated content once it has been created.

The MIT team used two different techniques to stop images from being edited using the open-source image generation model Stable Diffusion.

The first technique is called an encoder attack. PhotoGuard adds imperceptible signals to the image so that the AI model interprets it as something else. For example, these signals could cause the AI to categorize an image of, say, Trevor Noah as a block of pure gray. As a result, any attempt to use Stable Diffusion to edit Noah into other situations would look unconvincing.

The second, more effective technique is called a diffusion attack. It disrupts the way the AI models generate images, essentially by encoding them with secret signals that alter how they’re processed by the model. By adding these signals to an image of Trevor Noah, the team managed to manipulate the diffusion model to ignore its prompt and generate the image the researchers wanted. As a result, any AI-edited images of Noah would just look gray.

The work is “a good combination of a tangible need for something with what can be done right now,” says Ben Zhao, a computer science professor at the University of Chicago, who developed a similar protective method called Glaze that artists can use to prevent their work from being scraped into AI models.

And while PhotoGuard may make it harder to tamper with new pictures, it does not provide complete protection against deepfakes, because users’ old images may still be available for misuse, and there are other ways to produce deepfakes, says Valeriia Cherepanova, a PhD researcher at the University of Maryland who has developed techniques to protect social media users from facial recognition.”

JonKnowsNothing August 21, 2023 10:32 PM

@Winter,@Clive, All

re: @W: “The consensus in the industry is that the internet and networking in general is built on open source.”

I don’t know how this “consensus” was determined but for sure networks and control systems and internet protocols are not all Open Source and a lot of software companies do not use Open Source for a very good reason. It’s called PROFIT.

I can only surmise that the “consensus” is based on your UI connection on a Linux box. There are a lot of proprietary software environments that are neither Linux nor Apple nor Windows. These other systems may have elements of popular UI and the Devs may sit at a popular device as an interface; however, they are coding for a whole different operating system environment.

While companies will build Open Source into a product they often do so only until they can White-Box/Black-Box their own version.

Who owns the code is a fun game that lawyers like to play. Open Source is only a tiny fraction of all the software written and in use somewhere on some device anywhere on the planet.

RobertT August 21, 2023 11:46 PM

Wow $4M that’s cute, but it does leave me wondering how much such a technology is really worth?
It also asks the question: Is the relevant technology worth more to an attacker or a defender? As I said $4M, that’s cute.

Winter August 22, 2023 12:10 AM

@Jon

I don’t know how this “consensus” was determined

That is often the case with consensus, but in this case this consensus is shared by the organizers of the AI Cyber Challenge as the quote of @Ted is directly from their document. The document literally says that Most software is open source software.

but for sure networks and control systems and internet protocols are not all Open Source and a lot of software companies do not use Open Source for a very good reason. It’s called PROFIT.

The word used was not all but most.

The Profit motive determines that you should not duplicate work you can get for free. And one of the hallmarks of Open Source is that you can modify, adapt and resell it. You just have to look at macOS to see an example.

Most open source infrastructure code, libraries etc. use a permissive license and if you use it, you do not have to open source your adaptations. Also, see Apple macOS. But the TCP/IP stack and SSL too are examples.

I can only surmise that the “consensus” is based on your UI connection on a Linux box

Tell that to the AIxCyber organisers. Anyhow, both smartphones and servers run 80%+ on Linux (see Wikipedia, also holds for Azure), supercomputers 90%+ so. MacOS is an open source BSD kernel.

But I think the problem lies in a conceptual misunderstanding. The original quote of @Ted described the license for the original source (pun intended) of the code. You and @Clive seem to be talking about the licenses of the final packaged product.

As permissive licenses allow relicensing of the final product, the license on the product does not tell us anything about the licenses on the original sources of the code used in the product.

In short, I expect the organizers of the AIxCyber challenge to know more about the origin of software code than any of us commenting here.

If you disagree, I would be thrilled if you could give some statistics to back up your opinion that the AIxCyber people are wrong about this.

Winter August 22, 2023 12:32 AM

@Winter (myself)

give some statistics to back up your opinion

I should indeed give some statistics myself to back up my own position:

https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html

96% of scanned codebases contained open source
76% of code in codebases was open source

The full report gives more graphs and statistics broken down by industry.
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-2023.pdf

And I forgot the obligatory xkcd “quote”
https://xkcd.com/2347

lurker August 22, 2023 1:41 AM

@Winter

The MacOS kernel is a hybrid, originally from the NeXT kernel which was substantially the Mach-O kernel from Carnegie-Mellon. It now incorporates a lot of the 4.3BSD kernel plus proprietary APIs in C++. Its name reflects its mixed parentage: XNU is not Unix.

Winter August 22, 2023 2:51 AM

@lurker

XNU is not Unix.

I understand that. The question is why Apple combined so much open source code and did not write it themselves?

Also, macOS’ kernel is Darwin and it is open source.

I must admit that I am always surprised about the heated denial I see whenever it is implied that open source works, is the standard, and open source “won”.

Somehow, the idea that “random volunteering hippies”[1] can build better software than the mighty dollar conglomerates seems to be felt like a personal insult.

[1] Actually, it is the best and brightest minds in computers that are behind the FOSS success stories.

Clive Robinson August 22, 2023 2:53 AM

@ RobertT,

“but it does leave me wondering how much such a technology is really worth?”

Well… If we make some assumptions based on how little companies try to payout currently that is in fractions of a fraction of a percent of turnover the answer comes out not in billions but trillions.

As I’m guessing you’d worked out already.

As for,

“Is the relevant technology worth more to an attacker or a defender?”

It’s a good question but not easy to answer.

Their positions are very different with the advantage normally seen as being with the attacker.

It’s why in “physical defence” the “weak path strategy”[1] is often used to reduce costs, but it usually can not work with non physical systems[2]. With non physical security defence is mostly by obscurity or by trying to make the equivalent of a physical perimeter. More recently with lockdown causing significant homeworking trying to create a perimeter has become difficult thus the third of a century old idea of a “Bastion Host” loosely defined by Marcus Ranum has come back into play. The idea being “strip the junk and lock it down” hardening with full logging etc such that the attack surface is as small as possible and “monitoring” is high. Whilst that used to work well for properly administered servers, it’s always been an issue with user end machines. Which is why a number of VPN systems actually switched out the bottom of the communications stack and locked it to a single proxy host through which all traffic goes.

Apart from making defender costs more obviously higher, I get the feeling that on balance the attacker will find the enumeration phase of attacks benefited.

[1] The weak path strategy is based on human behaviour and the assumption/knowledge you will be attacked. Rather than the more normal you can deter attackers by not being the lowest hanging fruit which most physical security is based on. The idea is basically that you can significantly reduce opex by making one time capex. In times past you would find a physical location where an attacking enemy can only realistically approach from one direction and put your defence manpower there in delaying layers. Keeping the main body of defence in reserve doing other more gainful activities. As an idea it does not work well with non physical security where the “army of one” issue holds sway.

[2] Most non physical systems are difficult to impossible to effectively defend. The reason most consumer computers don’t get attacked but co-opted is that by and large,

1, It’s a target rich environment.
2, The returns are very small.
3, Target preselection is hard.

JonKnowsNothing August 22, 2023 11:06 AM

@Winter, @Clive, lurker, All

re: Somehow, the idea that “random volunteering hippies” can build better software than the mighty dollar conglomerates seems to be felt like a personal insult.

It isn’t that people cannot build better mousetraps, it’s that they don’t get paid for doing it.

Corporations on the other hand, are more than willing to take for free what they otherwise would have to pay for.

re: On Counting

We only count what we know.

If all you know is Linux, Windows, Apple, that’s all you are going to count. There are lots of applications where these have too much bloat. Linux is not a unified system. It’s a multi-forked OS FOTM.

The OS used is the one that the output requires. Requirements change. So does the OS used.

===

FOTM = Flavor of the month

Clive Robinson August 22, 2023 12:17 PM

@ JonKnowsNothing,

Re : We only count what we know.

Yes, have you looked at the link @Winter gave?

I had a look at the page he gave and became deeply suspicious, as there are various tells that it’s not exactly representative.

Then it becomes clear that the report is a marketing tool so in effect paints a picture, to get more business.

So I’d disregard it as any kind of actual evidence.

Winter August 22, 2023 2:23 PM

@Jon

It isn’t that people cannot build better mousetraps, it’s that they don’t get paid for doing it.

But most FLOSS developers on big projects like Linux get paid. People just have drunk Baller’s cool-aid.

There are lots of applications where these have too much bloat.

Linux runs on a Risc5 board. But the question was about “most software” and “critical infrastructure”. I suppose this is not IoT. Btw, many IoT gadgets run on FLOSS libraries.

Requirements change. So does the OS used.

Please show us what is replacing Linux, and show it is not FLOSS. At the moment, Linux owns mobile and servers.

@ Clive

So I’d disregard it as any kind of actual evidence.

They have data, you have an opinion (fact free). What should I choose?

Please, present us the data that proves them, and everybody else, wrong and shows FLOSS is less than 50%.

lurket August 23, 2023 12:44 AM

@Winter

Also, macOS’ kernel is Darwin and it is open source.

The Darwin kernel is open source. Since around MacOS 10.8.?, over ten years ago, the MacOS kernel has had too much proprietary stuff in it, and is no longer open source.

Winy August 23, 2023 1:17 AM

@lurker

the MacOS kernel has had too much proprietary stuff in it, and is no longer open source.

I am seriously out of date I see.

According to Wikipedia, the Darwin source was still available as an Open Source download until this year. From January on, it is not available anymore. I did check the Apple FLOSS page and it listed macOS. But I did not check whether it included Darwin.

The GitHub page of XNU is still up and the latest commit tag is from August 9, 2023. The license file has not changed. So I am confused about what parts of macOS are still FLOSS. The GitHub pages do contain lots of parts and XNU is among them.

Yeah Apple, you can depend on them to be undependable.

Winter August 23, 2023 1:23 AM

Previous comment by Winy was by me, Winter. My fingers are too wide for this “keyboard”.

Canis familiaris August 23, 2023 7:02 AM

Re: How much infrastructure is based upon ‘open source’ software.

The correct answer is: it depends on the level of granularity you want to go down to.

As others have pointed out, many systems have at least a component that is open source. However, as you get closer to the hardware layer, things get blurry. Many embedded systems and components are designed to use firmware, which is just another form of software, and much runs on proprietary real-time operating systems, or even ‘just’ microcontrollers with a modifiable state machine engine. You can’t boot a modern Intel x86 microprocessor without activating the Management Engine, which, these days, runs a proprietary, and definitely not Open Source, operating system.

https://en.wikipedia.org/wiki/Comparison_of_real-time_operating_systems

So while the upper layers of your computing stack may well be running (FL)OSS, the layers closest to the hardware are far more likely to be running something closed source and proprietary. I don’t think it is possible to buy an open-source baseband modem for a mobile phone these days:

https://en.wikipedia.org/wiki/List_of_open-source_mobile_phones

As of 2019, all available mobile phones have a proprietary baseband chip (GSM module, cellular modem)

Given the relative prevalence of Servers, Personal Computers and mobile phones, I suspect the majority of computing devices depend on proprietary, closed source software to operate.

Clive Robinson has commented extensively in the past on the difficulty of the task of developing trustworthy hardware/software devices for personal use. Essentially pretty much all current devices are untrustworthy for personal use because you cannot control all of the layers of software in use – some are controlled by third parties.

It’s like building a castle in a coal-mining district. You have no idea if there exist tunnels into your cellars/dungeons; or if a pre-prepared one can be opened up at any time by your enemies to breach your fortifications from the inside.

vas pup August 24, 2023 6:46 PM

Israeli cybersecurity startup nabs $41m in funding led by Daniel Loeb’s Third Point

https://www.timesofisrael.com/israeli-cybersecurity-startup-nabs-41m-in-funding-led-by-daniel-loebs-third-point/

“Israel cybersecurity startup Grip Security said on Tuesday that it has secured $41 million in funding, to bolster investment into research and development and expand to new geographic regions to meet the growing demand by businesses for the protection of sensitive data.

!!!Founded in 2021 by CEO Lior Yaari, CTO Idan Fast, and R&D VP Alon Shenkler, Grip has built a security control plane platform tailored to help businesses protect their web-based applications and services by managing, detecting and mitigating identity risks regardless of device type or location.

More and more enterprises and corporations rely on the use of a multitude of third-party apps to do business, including OpenAI and other generative AI, which in turn makes them more susceptible to becoming a target that can be exploited by bad actors.

The compromise of one identity, system or app can be used to gain unauthorized access to other systems, apps or resources, and this increases a company’s exposure to security risks.”

Christopher Drake October 15, 2023 10:06 PM

It’s an unsolvable problem: I can say with absolute certainty (from 12 years first-hand experience) that it’s impossible to get customers to buy effective cybersecurity solutions. They’re too scared to change anything, they never test anything, they don’t believe anything a cyber vendor says (and never challenge, let alone even test, any claims), and the insidious network of “consultants” who get commissions and kickbacks from legacy suppliers just make everything worse.

We know how to keep them all safe, but nobody knows how to make them use the tools to make that happen!
