I spoke to Shaun St. Hill, host of the Tech&Main podcast, about the latest YL Ventures CISO Circuit Report. They have a very strong advisory panel of security professionals and annually poll them about industry trends, what their biggest organizational challenges are, and how they interact with their management and boards of directors to protect their companies.
You can listen to the 30 min. podcast here.
When a veteran retires, most don’t think of setting up their homes on a military base, but that is what Jill Eaves and her family did at Missouri’s Fort Leonard Wood. The Army post is home to the Sixth Infantry Division and one of four major training centers. For the past 80 years has seen hundreds of thousands of members of all four branches of the armed forces train for active and reserve duty, including specialized engineering training. Eaves and her husband of 10 years both served in the Air Force, and when the time came for retirement, they decided to move back on a military installation. After all, with more than 63,000 acres, there is plenty of room. “It is a great place to raise my two children, too,” she said.
Here she is fixing a helicoper while deployed in California. You can read my profile of her for the Red Cross here.
I was amused to read that a mathematical method that I first learned as an undergraduate has been found to help make AI models more processing efficient. The jump is pretty significant, if the theories hold in practice: a drop in 50x power consumption. This translates into huge cost savings: some estimate that the daily electric bill for running ChatGPT v3.5 is $700,000.
The method is called matrix multiplication and you can find a nice explanation here if you really want to learn what it is. MM is at the core of many mathematical models, and while I was in school we didn’t have the kind of computers (or built-in to our digital spreadsheets or in Python code) to make this easier, so we had to do these by hand as we were walking miles uphill to and from school in the snow.
MM dates back to the early 1800s when a French mathematician Jacques Binet figured it out. It became the foundational concept of linear algebra, something taught to math, engineering and science majors early on in their college careers.
The researchers figured out that, with the right custom silicon, they could run a billion-parameter model for about 13 watts. How do you make the connection between the AI models and MM? Well, your models are using words, and each word is represented by some random number, which are then organized into matrices. You do the MM to create phrases and figure out the relationships between adjacent words. Sounds easy, no?
Well, imagine that you have to do these multiplications a gazillion times. That adds up to a lot of processing. The researchers figured out a clever way to reduce the multiplications to simple addition, and then designed a special chipset that was optimized accordingly for these operations.
It is a pretty amazing story, and just shows you the gains that AI is making literally at the speed of light. It also shows you how some foundational math concepts are still valid in the modern era.
Many of us have a love/hate relationship with our GPS’s. We love the fact that they can tell us when a route is filled with traffic, or a better way to get from Point A to Point B. But we hate it when we are running late and when the GPS route is a convoluted series of seemingly contradictory turns down small side streets, or when we are somewhere where coverage is spotty or blocked.
That is fine when we are in a car, or using transit. But what happens, as I pose in the subject line, when you are flying a plane and its GPS quits working? It sadly is happening with increasing frequency, as the places around the world that are part of conflict zones continues to expand, and because spoofing or blocking GPS signals is one way to prevent military actors from getting precise positions. That link will document exactly what is happening, and you can click on other links at the end of that post to understand the different types of spoofing that have been observed. The number of incidents has risen alarmingly in the past several months, with as many as 1350 daily flights encountering spoofing, but averaging 900.
Now, that may sound like a lot of flights, but when you consider that these days about 100,000 flights fly every day around the world, it is admittedly still a small number. However, the spots where GPS signals are unreliable have expanded to ten distinct areas. Some of these you might suspect, such as around the Middle East and Russia for example.
(I wrote a few years ago about the Russian airlines. This is yet another reason to steer clear of any flights that come near the place.)
But there are several problems behind this data. First, flight crews are not trained to switch off their GPS when spoofing happens. In fact, they run a variety of automated systems that rely on the global GPS network with all sorts of acronyms. Some spoofing hits the autopilots driving the plane, some hit the ground collision radar that prevents planes from hitting the side of a mountain, others hit the transponders that broadcast the plane’s identity. Second, the symptoms aren’t consistent across all these systems: Each system exhibits different behavior when they get spoofed GPS signals. This means that aircrews are losing trust in their instruments, which is not a good thing. Third, the air traffic controllers — particularly the ones handling long-haul transoceanic flights — have to work harder to separate the planes flying a particular route which are in trouble, which means lower passenger capacity and more flight delays. In some cases, the situation happens close to a landing, which means some planes have to “go around” and take time and fuel to attempt a second landing. Finally, there are a bunch of aircraft-related international organizations that work together in a very delicate balance, and spoofing upsets that particular applecart. Imagine the UN, only worse.
GPS spoofing is now being used as a weapon of war, and it is sadly catching on as the investment in small armed drones is small but the damage that they can cause is great if they can rely on precise positioning for their targets. Sadly, it will take some time before the civil aviation industry can retool to work around spoofing in any effective manner.
A new flaw in virtual private networks (VPNs) was reported last week at a security conference. The flaw, discovered by a collection of academic and industry researchers, has to do with a vulnerability in how VPN servers assign TCP/IP communication ports and use this to attack their connection tracking feature. This flaw, called port shadowing, is yet another weakness in VPNs that corporate security managers have to worry about.
As you can see from the chart below, it goes to the way modern VPNs are designed and depends on Network Address Translation (NAT) and how the VPN software consumes NAT resources to initiate connection requests, allocates IP addresses, and sets up network routes.
By now you have no doubt read a lot of bad coverage about the Crowdstrike update that crashed more than 8M Windows systems around the world. We have been treated to all sorts of action photos of the “blue screen of death” showing up in airports, across the exterior of the Vegas Sphere, and other places that have interactive displays that aren’t interacting with anything. All because of a bad virus definitions file that was put out there for little more than a hour on Friday. This file was placed in a very sensitive area of the Windows OS (I will get to that in a moment) and because it was poorly written and inadequately tested.
I say virus definitions file because that is really what it is. Crowdstrike released this after-action report that is filled with doublespeak, jargon, and a tremendous lack of clarity earlier today. What is interesting from a corporate comms perspective is that they explain things in detail that we don’t need and ignore things that we really want to know. What they don’t say can be found on Kevin Beaumont’s blog. Here is what I have gleaned from the sad affair:
Crowdstrike’s blog states some promises on how this won’t happen again. I wish I could believe them. I wish I could also believe those vendors who they compete with won’t have something similar happen, only next time it will be initiated by a bad actor and not just sloppy coders employed by the security vendors themselves.
The latest in face fraud has little to do with AI-generated deep fake videos, according to new research this week from Joseph Cox at 404 Media. It involves a clever combination of video editing, paying unsuspecting people to record their faces and holding up to the camera blank pieces of paper. Sites such as Fotodropy and others have sprung up that have real people (as shown here) that are the face models, moving their heads and eyes about at random during the course of the video.
This goes beyond more simplistic methods of holding up a printed photograph or using a 3D-printed mask of a subject, what was known as face spoofing. That produced a static image, but many financial sites have moved to more complex detection methods, requiring a video to show someone is an actual human. These methods are called document liveness checks, and they are increasingly being employed as part of know-your-customer (KYC) routines to catch fraudsters.
The goal is not to have your actual face on a new account but someone that is under the control of the hacker. Once the account is vetted, it then can be used in various scams, with a “verified” ID that can lend the whole scam more believable.
Back in the pre-digital days, KYC often meant that a potential customer would have to pay an in-person visit to their local bank or other place of business, and hand over their ID card. A human employee would then verify that the ID matched the person’s face and other details. That seems so quaint now.
The liveness detection does more than have a model mug before the camera, and requires a customer to follow stage directions (look up, look to your left) in real time. This avoids any in-person verification in near-real-time and shifts the focus from physical ID checks to more digital methods. Of course, these methods are subject to all sorts of attacks just like anything else that operates across the internet.
There are several vendors who have these digital liveness detection tools, including Accurascan, ShuftiPro, IDnow.IO and Sensity.AI, just to name a few that I found. Some of these features can measure blood flow across your face and capture other live biometric data. This post from IDnow goes into more detail about the ways facial recognition has been defeated in the past. It is definitely a cat-and-mouse game: as the defenders come up with new tools, the fraudsters come up with more sophisticated ways around them. “This had led to growing research work on machine learning techniques to solve anti-spoofing and liveness checks,” they wrote in their post.
The one fly in these liveness routines is that to be truly effective, they have to distinguish between real and fake ID documents. This isn’t all that different from the in-person KYC verification process, but if you paste in a fake driver’s license or passport document into your video, your detection system may not have coverage on that particular document. When you consider that there are nearly 200 countries with their own passports and each country has dozens if not hundreds of potential other ID documents, that is a lot of code to train these recognition systems properly.
Note that the liveness spoofing methods are different from deepfake videos, which basically attach someone’s face to a video of someone else’s body. They are also a proprietary and parallel path to the EU’s Digital Wallet Consortium, which attempts to standardize on a set of cross-border digital IDs for its citizenry.
Three women nearing 50 share a vacation to celebrate one of them getting divorced. The three share a common tragedy 20-plus years ago involving a grisly mass murder scene in a guesthouse and have since bonded over the experience. This isn’t the most unique plots for a thriller until the bodies start dropping when the vacation turns sour, relationships strain, and the trio meets a mysterious couple of newlyweds. Then things get interesting, and we learn more about the backgrounds of all the parties and try to solve both the original mystery that brought the women together as well as what is happening in the current timeline. One of them puts it quite eloquently when she says she has been listening to the soundtrack of life and she is caught up in her grief over the original grisly murder scene — which somehow she escaped. The characters are finely drawn, and this is the first murder mystery that hinges on an artificial intelligence plot twist which was cleverly conceived. Highly recommended.
I am of two minds with this novel, which chronicles a fictional Jewish family on the north shore of Long Island and how they devolve after the father is kidnapped for a week. The three children are tracked as they grow up into dysfunctional adults with addiction problems, with marital problems, and with various other issues in trying to cope with their father’s ordeal. The Long Island Compromise is really a devil’s bargain — having lived in one of the wealthiest suburbs in America, after escaping the Holocaust, after dealing with numerous anti-semitic people, places, and circumstances. Having grown up on Long Island’s south shore and raised my daughter on the North Shore in a community that mirrors what is described in fictional terms in the novel, this story resonated with me. The excesses experiences with the family’s wealth, and with trying to out-Jew their neighbors is all too real.
So is their reaction to the father’s kidnapping, which manifests itself in different ways to each family member. Some choose avoidance : “any reference to a thing that could later be a trigger to discuss The Thing” — the kidnapping — is a very apt way to describe grief and the fragility of those who are grieving.
So what is there not to like about this book? It isn’t that it cuts too close to home. It isn’t that its scenes of BDSM or drug abuse or numerous hooker and mystic encounters are (as I imagine) too realistic. The descriptions are sometimes just so filled with irony and accuracy that I would often pause while reading to let them sink in. But they could be hard to take for some readers. And for those of you who grew up in suburbia, or who are Jewish, this could be entertaining, poignant, or both. Certainly, its treatment of how families confront their destinies and future potential is laid bare in a way that I haven’t seen very often, and is quite genuine.
The novel is based on this actual kidnapping that happened in the 1970s. Read it here.
An article in this week’s New York Times decries the end of the floppy disk. Its use as a medium of data transfer for Japanese government reports has finally been replaced with online data transfer. I read the piece with a mixture of sadness and amusement. The floppy was a big deal — originating from IBM’s big iron. It became the basic fuel of the PC revolution.
Before we had PCs, in the late 1970s, we had the first dedicated word processor machines coming into offices. I came of professional age when these huge beasts, often built-in to office furniture. They were the domain of the typing pool of secretaries that would transform hand-written drafts into typed documents. These word processors had printers and ran off 8″ floppies that held mere kilobytes of text files. Those larger disks were a part of America’s nuclear control bunkers up until 2019 or so.
But back to the 1980s. Then IBM (and to some extent Apple) changed all that with the introduction of 5″ versions that were attached to their PCs. Actually, they measured five and a quarter inches. Within a few years, they became “double-sided” disks, holding a huge 360 KB of files. To give you an idea of this vast quantity of storage, you could save dozens of files on a single disk. But things were moving fast in those early days of the PC — soon we had hard-shell 3.5 inch floppies — the label remained, even though the construction changed — that could hold more than a megabyte of data. Just imagine: today’s smart watches, let alone just about any other smart home device — can hold gigabytes of data.
You would be hard-pressed to find a computing device that has less capacity these days. And that is a good thing, because today’s files — especially video and audio — occupy those gigabytes. But I just checked: a 5,000 MS Word file — just text — is only 35 KB, so things haven’t changed all that much in the text department.
The double-sided label sticks in my mind with this anecdote. The scene was a downtown office in LA, where I worked for the IT department of a large insurance company in the mid-1980s. We occupied three office towers that spanned several blocks, and part of the challenge of being in IT was that you spent a lot of time going around the complex — or at least for the times — debugging user’s problems. We would often tell users to send us a copy of their disk via interoffice mail and we would take a look at it if it wasn’t urgent. Soon after I got this call I got the envelope. Inside were two sheets of paper: the user had placed his floppy disk on the glass bed of their Xerox copier, and sent me the printouts. But this was a user who was paying attention: he noticed the “double-sided” designation on the disk, so flipped it over and made a copy of the back of the disk too.
The dual-floppy drive PC was a staple for many years: one was used to run your software, the other to store your data. The software disks were also copy-protected, which made it hard for IT folks to backup. I remember going over to our head of IT’s home one weekend to try to fix a problem he had with the copy-protected version of Lotus 1-2-3, the defining spreadsheet of the day.
Those were fun times to be in the world of PCs. The scene shifts to downtown Boston, at the offices of PC Week, back in early 1987. I had left the insurance company and taken a job with the publication. A few months into the job, I had gotten a question from a colleague who was having trouble with his PC, the original dual floppy-drive IBM model. I went over to his desk and tried to access his files, only to hear the disk drive grind away — not a sound that you want to hear. I flipped open the drive door and removed the offending disk. My colleague looked on with curiosity. “Those come out?” he exclaimed. No one at the publication had bothered to tell him that was the case, and he had been using the same physical disk for months, erasing and creating files until the plastic was so worn out that you could almost see through it. I showed him our supply cabinet where he could stock up on spare floppies.
Apple was the first company to sell computers sans floppies in 1998, and other PC makers soon eliminated them. Storage on USBs and networks made them obsolete.Sony would stop selling the blank disks in 2011, but they lived on in Japan until now.
Floppies were trouble, to be sure. But they were secure: we didn’t have to worry about our data being transmitted across the world for everyone to see. And while their storage capacity was minuscule — especially by today’s standards — it was sufficient to launch a thousand different companies.
Self-promotions dep’t
Speaking of other things that have lived on in Japan, I recently wrote about the Interop show network and its storied history. I interviewed many of the folks who created and maintained these networks over the years, and why Interop was an innovative show, both then and now.