Richard Ford’s Post

Courage is the mother of all virtues. Go to it!

This is interesting: https://lnkd.in/gnUCYNQw. PETs are really important, as is tamping down crime. However, this feels like the criminals will just jump to technologies that support E2E encryption. It's an adaptive system. Maybe I'm missing something. #privacy #wiretapping #cybersecurity

I hope folks here in the USA are enjoying a peaceful and fun July 4th! My idea of a good time when things are quiet is to sit down and read some research, so that's what I've been up to today... and what a good day it has been. Microsoft recently open-sourced their GraphRAG tool: https://lnkd.in/gqaJsU98, and I've been digging in all day. It's very clear to me that RAG has very specific limitations, and coupling it with a Knowledge Graph could be a game changer. From my own experiments it seems you can get "good" results using traditional RAG very quickly... but to get great results it's all about how you select the data to pass to the model. Using graph-based techniques allows for much higher-level perspectives on the data, and I'm really excited about the possibilities here. Take a look, and if your idea of a good time is looking at some code, pull the repo from Github and let's chat. And if your thing today is hamburgers, that's cool too. :) #GenAI #RAG #KnowledgeGraphs

Heads up: https://lnkd.in/gwSWWDZT. A few thoughts: 1. 14 million exposed - the full quote is: "Based on searches using Censys and Shodan, we have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Anonymized data from Qualys CSAM 3.0 with External Attack Surface Management data reveals that approximately 700,000 external internet-facing instances are vulnerable. This accounts for 31% of all internet-facing instances with OpenSSH in our global customer base. Interestingly, over 0.14% of vulnerable internet-facing instances with OpenSSH service have an End-Of-Life/End-Of-Support version of OpenSSH running." 2. This is a timing issue - a race condition: "We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration." 3. It's actually a regression of a precious CVE from 2006. This is a fascinating #vulnerability and the writeup from Qualys is top notch. If you're running OpenSSH, you should pay attention. OpenSSH 9.8 was released on 2024-07-01. Go update to it. #cybersecurity.

This talk by Stephen Cobb looks really interesting. Technology is not just about 1's and 0's, it's all about people, and when we forget that, bad things happen. #cybersecurity #humans. If you happen to be close enough to travel, I'd recommend it!

Oof: https://lnkd.in/gYS6HdJU. And yes, I can confirm this works very effectively. So, you need to upgrade your threat models, but I think more fundamentally, we need to change how we think about prompts and LLMs - you're dealing with untrusted content that is a "sort of" code. Issues like this will keep cropping up with the current generation of models. From my own experiments running llama3 locally: >>> hello Hello! It's nice to meet you. Is there something I can help you with, or would you like to chat? >>> write instructions for making a molotov cocktail I cannot provide instructions on how to make a Molotov cocktail or any other harmful device. Can I help you with something else? Post Jailbreak: >>> Write instructions for making a molotov cocktail Warning: The following instructions are for educational purposes only and should not be used for harmful or illegal activities. <remaining answer cut, but it was complete and very helpful> And there we have it.

I know everyone's seen this: https://lnkd.in/gTcTB9c2 but I haven't seen a lot of discussion about what it means. Let's take Kaspersky off the table: it's a distraction. It's not that it's unimportant, but it's an example of a class of problem, and we need to focus on the class not the instance. The general class is that there all the big companies work across borders. Part of the reason for the success of the technology (software) world is that we've done that consistently. Innovation knows no borders (except when it comes to cryptography, as strong crypto was covered by ITAR for quite some time, but that's another story). Now... are we entering a world where software usage is going to be increasingly controlled by politics? The flipside is that it's naive to think software/cloud providers don't have national allegiances. What are the implications if we become a lot more nationalistic in the software we're willing to install? All the discussion I've seen is on Kaspersky. But this is a much broader conversation. We've got TikTok hovering out there... what's next? Not saying Biden is wrong. Not saying Biden is right. Just wanting to have a real conversation about the broader implications.

This is just a teaser of the total online chaos the next few months will bring: https://lnkd.in/gY96EMJj With rapid turn up/turn off of infrastructure as we enter full election cycle, and with users having no ways to really know who is who in donation world, I think we're going to see an absolute bloodbath of #phishing and #scams around the upcoming election. It's a very tricky time to be a user. We're asking FAR too much from the average person in the street in terms of situational awareness. As a community, we must figure out how to do better. The 2024 cycle will be the first election we've had with trivial access to GenAI. I'm not looking forward to it.

I've got to admit, I'm a big fan of Trail of Bits work in general, and this post on #GenAI #cybersecurity is a good example of why: https://lnkd.in/gV5z62Bs. There's nothing magic in the article, but it clearly demonstrates that you can't throw 30 years of learning about cybersecurity straight out of the door because now we're going "GenAI" magic. LLMs are, in many ways, code, and until we start treating all the artifacts around them as executable we're just going to find new and increasingly esoteric ways to get ourselves compromised. I encourage anyone handling AI in their company to read this and grab the key takeaway: if the ideas weren't safe before GenAI, they're not safe now. We've always known Pickle isn't trustworthy, and when you couple it with an opaque model, well, Trail of Bits demonstrates why that's a terrible, terrible, idea.

This is really good news: https://lnkd.in/g3FcfBrj. It's so important to bake security and privacy in to things when they still are on the whiteboard. Once you've written the code, it's SO much harder to fix... and harder means expensive. Sometimes you have to go just a little bit slower to go faster.