Direct admissions: a new way to get into college

For the past couple of years, high school seniors have been part of an interesting experiment called direct admissions. Basically, there are systems that allow them to get conditional pre-acceptance offers, without having to fill out much of an application in advance, or even think about where they want to attend. What makes these offers interesting is that they arrive unsolicited. There are a few caveats, but hundreds of students are now attending college using this method.

Back in the pre-historic era when I was a high school senior when I had to walk uphill both ways to school, we had to fill out applications by hand. There was no CommonApp, a system by which a thousand or so colleges agree to basically open source the application process. They are one of the entities involved direct admissions, I’ll get to them in a moment. Each place had its own essay to write. You also had to take standardized tests from places like the College Board, the dreaded SAT or ACT. And then there were the application fees.

Direct admissions puts all that aside. You have to have good grades, of course, or good enough grades for the particular school that you want to attend. But that’s about it. No more stuffing silly clubs to pad your pre-college resume. No more parental nagging about whether you have written word one on your essays.

Not every college is on board, yet. But it clearly is the coming wave. As costs to attend college continue to rise, the onerous application process has to be simplified. One private venture is leading the charge called Niche. Their website has a portal for students to enter the direct admissions world and while there is some information to fill out, it doesn’t seem all that difficult.

There are several states that have signed up to include every graduating high school senior in the program. They notify all graduating seniors in the fall where they have been accepted, based on their GPAs. Minnesota, for example, has 55 two and four year colleges — both private and public — part of the program. Students then have to complete an application to the school of their choice. Missouri has several schools that take direct admissions, including probably one of the best engineering schools in the state.

CommonApp began testing direct admissions in 2021, and now has more than 70 participating schools. Niche began its program in 2022 and now has its own group of 100 or so schools. (Forbes has more details here.) The two have somewhat different qualification criteria. With CommonApp, students have to live in lower-income households to get app fees waived and be the first in their generation to enter college, and can only apply to in-state colleges. Niche doesn’t have any income or geographic threshold.

As the NY Times wrote earlier this year, colleges want more students and need more applicants to maintain their student population. Idaho, which is one of the states with a program, found that student enrollment increased by several percentage points in the first year.

Now, you might guess that the top tier Ivies aren’t on board with direct admissions: they get plenty of attention from the best students. But for many other schools, this could be a way to attract students that may have never considered or even heard of the school. And who doesn’t like getting a “you may already have been admitted” notice? It could be a big ego and motivational boost for some seniors.

If you have a kid that has used direct admissions, please post your experiences, I would be interested to hear from you.

The AI takeover of photography

I have been a casual camera user for decades, ever since I got a simple box camera in my teens. I actually had a job as a professional photographer when I got out of college, and built my own darkroom in several homes for printing black and white pictures. This obviously was during the pre-digital era. The past few years I have been enjoying my smartphone’s camera, which keeps getting more and more capable. Going digital meant no more darkroom, and being able to print to an online photo processor by uploading my images. Here is a photo that I took recently.

Well, I come bringing bad news, although it initially doesn’t seem that way. First, cameras are getting smarter. It isn’t just a matter of better resolution images, but better software. The new Google Pixel 9 has something called Reimagine, which has some very neat tricks for in-phone picture editing as shown in this threads post by Chris Welch..This used to be the domain of a skilled Photoshop operator. Now you just tap on the right buttons.

Second, AI is moving into more “original” photography. Google’s ImageFX is now available in preview here— you type in a description of a photo that you are interested in, and within a few seconds, it creates a few images that you can choose from. My prompt of a “high-resolution photo-realistic interior of ornate teal art deco living room” brought the following image:

That is a pretty nice setup. Note the lighting effects, and reflections in the glass table  and mirror are pretty darn good.

So what is the bad news you may ask? Well, as someone reminded me, what we are seeing here are the absolute worst images that AI has produced, and the quality will only get better, much better given the pace of AI development. Soon the lenses on the back of your phone will be redundant. Those travel photos that you took of your last trip to someplace exotic? Chances are someone else has been there, posted the pix, and some AI engine has gobbled it up. Just a few clicks and you can be added in the foreground. What about pictures of things? Now Google’s Lens has been improved: it is now part of the Android OS and you can do all sorts of tricks with it to identify what you are seeing on a web page or IRL. No need to set up a pesky set of lights or to compose the perfect image. Just crop with your finger.

While you mull that over, I want to leave you with one last image, of a real electric power station near Budapest. At least, I think it is real and not some AI construct. But soon, it won’t matter much, just as we have forgotten all about using stop bath and learning the zone system.

The evolution of how brand impersonation attacks use social media

A new academic study of more than 1.3 million social media accounts was given recently at this month’s Usenix conference in Philadelphia. The paper, entitled The Imitation Game: Exploring Brand Impersonation Attacks on Social Media Platforms, makes for interesting reading and sadly shows just how well developed this ecosystem is. Ironically, as business brands pay more attention to social media interactions with their customers, they also enable imposters to launch attacks because people now expect companies to interact with social media. This means that there are many scam accounts that impersonate the brands to create confusion. These lure customers into providing private data and can result in stolen funds and further attacks. The research claims to be the first large-scale measurement of the social scamming ecosystem.

The research team, which was composed of academics from Germany and the US as well as from Paypal, identified almost 350,000 usernames performing various typosquatting techniques to impersonate more than 2,800 brands across Twitter (I know it is called something else, don’t remind me), Instagram, YouTube and Telegram.

Typosquatting is using deliberate typos in user and domain names to make it appear that paypel_support is really the people answering your connection problems. It is not a new problem when it comes to domain names, but as I wrote earlier this year for DarkReading, its use is proliferating in a variety of ways. One way that I didn’t mention is how fraudsters are using it across social media networks. Twitter “is the primary platform for brand impersonation attacks, with fraudsters frequently using typosquatting in their usernames. Roughly a third of these deceptive profiles also use official logos to appear more legitimate.”

The team found that brand impersonation involves multiple steps: after setting up a fake profile (oftentimes using the real brand’s logo to lend legitimacy), the fraudsters engage with customers through posts and offer phony incentives such as discount cards, free services and the like. But the attackers then collect sensitive data, including identities, credit card numbers and other details that are used to engage them in other fraudulent activities.

The most commonly targeted brand is Netflix, which is troubling because right now Netflix is sending out numerous legit messages heralding a change in their account pricing. Apple is the second most targeted brand.

The researchers have several suggestions to try to stem the tide, but admit these will be tough to implement. One of them is pretty obvious: in their work with Paypal, they found that many brands haven’t done their homework and failed to use Know Your Customer methods and continually scan for stolen identities, monitoring their brand mentions online or check for fraud card usage. One recommendation is to send out a quick autoresponse to a customer query to try to engage them before the scammer does. Another is for social media platforms to validate a brand when a new account is created, so that the owner of the proposed paypel_support account really is someone@paypal.com and not fakeuser123123@gmail.

Building the world’s largest digital camera

LSST Camera and SLAC Camera Team-5.jpgThe world’s largest digital camera is a 3200 megapixel behemoth that sits on top of a mountain observatory complex in Chile. Ironically, it was created by engineers that in the past have focused on tracking the universe’s smallest subatomic particles. The camera has one acronym (LSST) and goes by two long names — the legacy survey of space and time, or Large-Aperture Synoptic Survey Telescope.
The camera is part of a telescope at the Vera Rubin observatory, named after an American astronomer that studied dark matter. Everything is still under construction and is expected to become operational next year. When it does, it will work in very different ways than its peers. And while the Webb telescope has gotten plenty of press for flying around the sun these past couple of years — and rightly so, I don’t want to diminish its accomplishments — the  Simonyi telescope at the Rubin is an interesting science tool in its own right. And yes, that name is familiar to many of you. Charles Simonyi worked in the early years at Microsoft, and both he and Bill Gates were early donors to the project.
The Rubin project has been long in coming, just like the Webb. In fact, pieces of it were built in different factories and labs around the world. The camera came from California (the Stanford Linear Accelerator team), the mount was from Spain, and Chile put together the buildings housing everything.
First off, if you have in your mind this is a place where astronomers go to peer through the eyepiece of the telescope and stare at the night sky, put that picture aside. This is a digital camera, and it operates hands-off for the most part. Its goal is nothing short of extraordinary. Every three nights, weather permitting, it photographs the entire night sky, moving around in a pre-programmed pattern. Most telescopes of the past were firmly anchored to their mountain top aeries.
In the past, telescopes like Webb and other expensive instruments required scientists to schedule time on them to focus on particular areas of the sky, and then download what was collected. Committees would vet proposals and schedule the sessions accordingly. Having a telescope that sweeps the entire sky — and doing it in such high resolution — means that you can approach observations in a completely different way.
First off, you don’t download anything. Given the size of the datasets, that would take time, even on high speed bandwidth. All the data stays intact, and you run your queries remotely.
This is a massive amount of data — petabytes worth — and it is all uploaded to an open source repository. Anyone can access the information for their research or just for curiosity. I imagine that schools will jump on board using this archive. It might change the way we teach astronomy and it certainly will reach a wider audience.
Also, the science team behind the Rubin is developing software that mimics what the early astronomers did manually, to seek out changes in the observations. Did a planet move in front of its star? Is a black hole forming someplace? I remember as a child reading about Clyde Tombaugh and how he discovered Pluto (poor Pluto, now downgraded to a demi-planet) in 1930 by looking at photographs taken on different nights to find its movement. He used a device called a blink microscope to quickly flip back and forth between the two photographic plates. Now we have open source code to do that tedious task.
This means that discoveries will be made almost every night, because the universe is a busy place. Scientists don’t have to depend on picking the right time and piece of sky real estate to observe a supernova, but can have software seek out the possible event.
Another distinction: unlike the infrared-based Webb, Rubin operates in visible light.
Finally, what I also liked is that the project is the first time a publicly-funded astronomy effort has been named for a woman.

Tech+Main podcast: The changing role of today’s CISOs

I spoke to Shaun St. Hill, host of the Tech&Main podcast, about the latest YL Ventures CISO Circuit Report. They have a very strong advisory panel of security professionals and annually poll them about industry trends, what their biggest organizational challenges are, and how they interact with their management and boards of directors to protect their companies.

You can listen to the 30 min. podcast here.

Red Cross: Air Force Veteran Works with SAF to Help Service Members

When a veteran retires, most don’t think of setting up their homes on a military base, but that is what Jill Eaves and her family did at Missouri’s Fort Leonard Wood. The Army post is home to the Sixth Infantry Division and one of four major training centers. For the past 80 years has seen hundreds of thousands of members of all four branches of the armed forces train for active and reserve duty, including specialized engineering training. Eaves and her husband of 10 years both served in the Air Force, and when the time came for retirement, they decided to move back on a military installation. After all, with more than 63,000 acres, there is plenty of room. “It is a great place to raise my two children, too,” she said.

Here she is fixing a helicoper while deployed in California. You can read my profile of her for the Red Cross here.

How to make AI models more processor efficient

I was amused to read that a mathematical method that I first learned as an undergraduate has been found to help make AI models more processing efficient. The jump is pretty significant, if the theories hold in practice: a drop in 50x power consumption. This translates into huge cost savings: some estimate that the daily electric bill for running ChatGPT v3.5 is $700,000.

The method is called matrix multiplication and you can find a nice explanation here if you really want to learn what it is. MM is at the core of many mathematical models, and while I was in school we didn’t have the kind of computers (or built-in to our digital spreadsheets or in Python code) to make this easier, so we had to do these by hand as we were walking miles uphill to and from school in the snow.

MM dates back to the early 1800s when a French mathematician Jacques Binet figured it out. It became the foundational concept of linear algebra, something taught to math, engineering and science majors early on in their college careers.

The researchers figured out that, with the right custom silicon, they could run a billion-parameter model for about 13 watts. How do you make the connection between the AI models and MM? Well, your models are using words, and each word is represented by some random number, which are then organized into matrices. You do the MM to create phrases and figure out the relationships between adjacent words. Sounds easy, no?

Well, imagine that you have to do these multiplications a gazillion times. That adds up to a lot of processing. The researchers figured out a clever way to reduce the multiplications to simple addition, and then designed a special chipset that was optimized accordingly for these operations.

It is a pretty amazing story, and just shows you the gains that AI is making literally at the speed of light. It also shows you how some foundational math concepts are still valid in the modern era.

What happens when your plane’s GPS doesn’t work

Many of us have a love/hate relationship with our GPS’s. We love the fact that they can tell us when a route is filled with traffic, or a better way to get from Point A to Point B. But we hate it when we are running late and when the GPS route is a convoluted series of seemingly contradictory turns down small side streets, or when we are somewhere where coverage is spotty or blocked.

That is fine when we are in a car, or using transit. But what happens, as I pose in the subject line, when you are flying a plane and its GPS quits working? It sadly is happening with increasing frequency, as the places around the world that are part of conflict zones continues to expand, and because spoofing or blocking GPS signals is one way to prevent military actors from getting precise positions. That link will document exactly what is happening, and you can click on other links at the end of that post to understand the different types of spoofing that have been observed. The number of incidents has risen alarmingly in the past several months, with as many as 1350 daily flights encountering spoofing, but averaging 900.

Now, that may sound like a lot of flights, but when you consider that these days about 100,000 flights fly every day around the world, it is admittedly still a small number. However, the spots where GPS signals are unreliable have expanded to ten distinct areas. Some of these you might suspect, such as around the Middle East and Russia for example.

(I wrote a few years ago about the Russian airlines. This is yet another reason to steer clear of any flights that come near the place.)

But there are several problems behind this data. First, flight crews are not trained to switch off their GPS when spoofing happens. In fact, they run a variety of automated systems that rely on the global GPS network with all sorts of acronyms. Some spoofing hits the autopilots driving the plane, some hit the ground collision radar that prevents planes from hitting the side of a mountain, others hit the transponders that broadcast the plane’s identity. Second, the symptoms aren’t consistent across all these systems: Each system exhibits different behavior when they get spoofed GPS signals. This means that aircrews are losing trust in their instruments, which is not a good thing. Third, the air traffic controllers — particularly the ones handling long-haul transoceanic flights — have to work harder to separate the planes flying a particular route which are in trouble, which means lower passenger capacity and more flight delays. In some cases, the situation happens close to a landing, which means some planes have to “go around” and take time and fuel to attempt a second landing. Finally, there are a bunch of aircraft-related international organizations that work together in a very delicate balance, and spoofing upsets that particular applecart. Imagine the UN, only worse.

GPS spoofing is now being used as a weapon of war, and it is sadly catching on as the investment in small armed drones is small but the damage that they can cause is great if they can rely on precise positioning for their targets. Sadly, it will take some time before the civil aviation industry can retool to work around spoofing in any effective manner.

CSOonline: Port shadowing is yet another VPN weakness ripe for exploit

A new flaw in virtual private networks (VPNs) was reported last week at a security conference. The flaw, discovered by a collection of academic and industry researchers, has to do with a vulnerability in how VPN servers assign TCP/IP communication ports and use this to attack their connection tracking feature. This flaw, called port shadowing, is yet another weakness in VPNs that corporate security managers have to worry about. As you can see from the chart below, it goes to the way modern VPNs are designed and depends on Network Address Translation (NAT) and how the VPN software consumes NAT resources to initiate connection requests, allocates IP addresses, and sets up network routes.

I write about this issue for CSO here.

Having a stranglehold on the world’s economy, thanks to a single bad file

By now you have no doubt read a lot of bad coverage about the Crowdstrike update that crashed more than 8M Windows systems around the world. We have been treated to all sorts of action photos of the “blue screen of death” showing up in airports, across the exterior of the Vegas Sphere, and other places that have interactive displays that aren’t interacting with anything. All because of a bad virus definitions file that was put out there for little more than a hour on Friday. This file was placed in a very sensitive area of the Windows OS (I will get to that in a moment) and because it was poorly written and inadequately tested.

I say virus definitions file because that is really what it is. Crowdstrike released this after-action report that is filled with doublespeak, jargon, and a tremendous lack of clarity earlier today. What is interesting from a corporate comms perspective is that they explain things in detail that we don’t need and ignore things that we really want to know. What they don’t say can be found on Kevin Beaumont’s blog.  Here is what I have gleaned from the sad affair:

  • Almost every anti-malware, endpoint detection and remediation, SASE whatever you wanna call ’em vendor has a similar configuration of their products. They have to have this unfettered access to the Windows kernel because that is how they work, and have worked since the early days of Norton Anti-Virus running on DOS. So just because you use some other vendor’s product doesn’t mean this can’t happen to you.
  • These vendors have to update their software frequently to stay ahead of exploits that they find, and this means that they are sending out stuff fairly frequently.
  • This means that the chances of a badly crafted file can be created in the rush to get these updates out. It was a small miracle that the file was only online for little more than an hour.
  • Beaumont says that we are “handing the keys to the global economy to a small group of private cybersecurity companies with no external governance or assurance. It has always felt sketchy, and today feels very sketchy.” I would agree.
  • The incident shows how badly managed Crowdstrike’s devops processes were and how few checks and testing procedures they had in place.
  • The incident now has informed all sorts of bad actors how they can cause machines to crash by inserting a file in a similar place. Not a great situation, to be sure.
  • If there ever was a time to seriously implement Zero Trust protocols, that time was last week.

Crowdstrike’s blog states some promises on how this won’t happen again. I wish I could believe them. I wish I could also believe those vendors who they compete with won’t have something similar happen, only next time it will be initiated by a bad actor and not just sloppy coders employed by the security vendors themselves.