Upcoming Threats, Giving Tuesday, Roundup
Kyle Fox here. It's been a pretty slow week because of the Thanksgiving holiday, so we're going to talk mostly about things not specific to this week but specific to upcoming threats. I also want to take note of some things around Giving Tuesday.
Upcoming Threats
Long time readers will note that I often think more in terms of holistic threat models. It may not matter if you have the most secure website in the world if someone can break into your datacenter easily. In this edition, we are going to look at some threat areas that can be easily overlooked. The first is the weather. As the weather gets more interesting, it poses more problems for the integrity and availability of digital services. Next up is physical security. This is not often overlooked as a whole, but some aspects of it have historically not been well understood in the security realm. Finally, I wanted to note a current threat to AI Large Language Models.
Weather
So, recently in the Seattle area, we had a wind storm which without any exaggeration was epic. Wind speeds on the surface exceeded 50kt (58mph, 93kph) sustained, sometimes gusting to 70kt (81mph, 130kph). I did not look into winds aloft, but it was quite difficult for aircraft during the storm. Needless to say, more than 50% of people in the area were without power for more than 24 hours. Some were without power for up to a week, and internet service, whether cable, fiber, wireless or even Starlink, was disrupted, with some areas having no service for long periods of time.
My plan in this case was to run the generator to power the fridge and the Starlink. As with many plans, it did not fare well with enemy contact. When I stored the generator two years prior, I had drained the gas from the tank and the carburetor, but from what we could tell afterwards, some gas remained in the carburetor and formed a gel that blocked it from operating. So the generator was right out. In the end, the contents of the fridge survived because we taped it shut with some gaff tape and it stayed shut the entire time the power was out.
This highlights the need to have a plan, evaluate where that plan may have issues, and have a plan or a backup for the backups to deal with those issues. I could have made sure to blow out the carburetor before storing the generator. I could have had a portable battery inverter or a second generator. Having a generator does not save you by itself, as many industrial generator installations only have up to a day of fuel on site, and if it's a big freeze like Portland has experienced recently, it may be hard to get additional fuel to refuel that generator.
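One way to do the "evaluate where that plan may have issues" step on paper is a small fault tree: write the plan as AND/OR dependencies on components and compute its minimal cut sets, the smallest combinations of component failures that take the service down. The script below is an added example, not something from the original post; the two plans it models (the generator-only plan as it was, and a hypothetical variant with a battery inverter as a second path) are constructed from the story above.

```python
from itertools import combinations

# Fault trees are nested tuples: ("and", ...) works only if every child
# works, ("or", ...) works if any child works, and a string is a component.
# Constructed from the outage story above: the fridge depended on one path.
ORIGINAL_PLAN = ("and", "generator_engine", "fuel_on_hand", "carburetor_clear")

# Hypothetical variant with a portable battery inverter as a second path.
PLAN_WITH_BACKUP = (
    "or",
    ORIGINAL_PLAN,
    ("and", "battery_inverter", "battery_charged"),
)


def leaves(node):
    """Return the set of component names appearing in a tree."""
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(child) for child in node[1:]))


def works(node, failed):
    """True if the service modelled by `node` still works when the
    components in `failed` have failed."""
    if isinstance(node, str):
        return node not in failed
    op, *children = node
    results = [works(child, failed) for child in children]
    return all(results) if op == "and" else any(results)


def minimal_cut_sets(tree):
    """Brute-force the minimal sets of component failures that bring the
    service down. Fine for the handful of components a household or
    small-site plan has; real tools use smarter algorithms."""
    components = sorted(leaves(tree))
    cuts = []
    for size in range(1, len(components) + 1):
        for combo in combinations(components, size):
            candidate = frozenset(combo)
            # Any superset of a known cut set is not minimal.
            if any(cut <= candidate for cut in cuts):
                continue
            if not works(tree, candidate):
                cuts.append(candidate)
    return cuts


def single_points_of_failure(tree):
    """Components whose failure alone takes the service down."""
    return sorted(next(iter(cut)) for cut in minimal_cut_sets(tree) if len(cut) == 1)


if __name__ == "__main__":
    for name, tree in (("original plan", ORIGINAL_PLAN),
                       ("plan with backup", PLAN_WITH_BACKUP)):
        print(f"{name}: single points of failure = {single_points_of_failure(tree)}")
        print(f"{name}: minimal cut sets = {[sorted(c) for c in minimal_cut_sets(tree)]}")
```

The original plan reports every component of the generator path as a single point of failure, which is exactly what the gelled carburetor turned out to be; the variant with a second path has none, and its cut sets are all pairs, one failure from each path. The same tree shape applies to a datacenter's utility-generator-fuel-delivery chain.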
Physical
We're constantly seeing new threats to physical security, as researchers such as Deviant Ollam [ˈol͈aṽ] have been showing us for years, including a recent dive into fire protection. While the risks associated with conventional access control systems are somewhat well known (the standard HID cards often used can be read, stored and emulated with devices like the Proxmark and Flipper), a new frontier of security risks is being explored related to hotel card keys.
Hotel key systems are a unique environment. Hotel keys have to be issued with a limited lifetime, be secure, and interact with locks that are not often connected back to any system. Since the cards become worn by guests keeping them in their pockets with things like keys, even returned cards may not be reusable and guests often do not return them. So a hotel may go through thousands to millions of cards every year. Because of this, often the cheapest of keycard technologies is selected.
Years ago, a security researcher named Daeken found an issue with the Onity lock system used by a large number of properties. Later on, an issue was found with the VingCard lock system with similar impacts. Now it's DormaKaba's Saflok's turn in the ring. In 2022, researchers were able to reverse engineer the Saflok proximity card system to create a proof of concept attack that allows an attacker to create a sequence of cards that acts as a master key for any door in a property, and all they need is any keycard from that property. After finding that DormaKaba had no security vulnerability disclosure contact, the researchers were eventually able to get hold of a contact and disclose the vulnerability. Once sufficient time had passed and sufficient properties had been updated to resolve the vulnerability, they presented limited details at DEF CON 32.
This speaks to the importance of physical security for employees on the road, which I have often found to be a lacking area in companies' security posture. While much work is put into securing the office and datacenter, corporate assets are still at risk in hotel rooms while traveling or at conferences. Employees may try to secure their laptop in a hotel room safe, but bypass risks exist for those as well. What I have found to be a reasonable approach is to combine prudent practices like locking up laptops with prudent de-risking. If a company needs to present at conferences, it may opt to use dedicated laptops for the presentations if the laptops have to be left with the AV people, or else be sure that employees keep their laptops with them. While conference rooms seem secure, as someone who does fandom convention AV as a hobby, I have found no property to be completely secure. Yes, even casinos lack security in some of their conference spaces.
Copyright Threatens Large Language Models
Getting the data to train large language models is hard. Companies like OpenAI have tried to make it easier on themselves by training their models on scraped data from the internet. While they sometimes have agreements like Google has with Reddit, often models are being trained without any agreement to the use of the data. We all know about copyright, the legal concept that allows creators to have rights over the reproduction and derivation of their works. Enter The Intercept, which after being able to get OpenAI's ChatGPT to produce near copies of its articles has progressed with a lawsuit against OpenAI. They join other publishers like The New York Times and Mother Jones in pursuing claims of copyright infringement against OpenAI.
This is one area that I think represents an existential threat to these large language models trained on public data. Unless technology can be created to allow tagging the information being provided with attribution, or more explicit licensing is obtained, trained models may need to be completely tossed and the training dataset stripped of major publishers' content. And even that still raises the question of smaller creators' content still being included in the model, as there are outstanding questions about the ability of companies like Reddit to license the content created by their users for a wholly new use not previously anticipated. Fortunately, companies using AI internally have taken a more conservative approach to training datasets and have only used licensable datasets or their own data for training LLMs.
Who I am Helping on Giving Tuesday.
The routine charities I support are The EAA, Doctors Without Borders, and Partners In Health. But despite many emails about how The Burning Man Project needs money, and despite being on the board of Hack Your Lives, I want to highlight hackspaces as a place to direct your support and volunteer hours. With the increasing rents for spaces near where transit and people are, it's getting harder and harder for a hackspace to survive right now. The local hackspace, Black Lodge Research, is currently staring down lease non-renewal: with light rail being put in, the business park it is in will be bulldozed to build 5-over-1s, and I cynically expect the bottom-floor retail spaces will remain empty most of the time.
Others:
- Recently Eugene MakerSpace had a devastating fire and is recovering.
- The Reno Generator is one of those places where artists build some of that exciting art at Burning Man.
- Noisebridge is one of the oldest hackspaces open to the public, located in not so sunny San Francisco.
Roundup:
- A hacker has discovered how to disable the webcam activity light on the ThinkPad X320.
- New social network BlueSky has become much more popular in the last month, and Hank Green has noticed.
- Russian spies pivoted onto a network by compromising a laptop across the street.
- For Thanksgiving I cooked J. Kenji López-Alt's sage sausage stuffing, which he explains in a recent video.
- Australia has banned children and teenagers under 16 from social media.
- A Federal judge in Delaware has made criminal referrals in a patent troll case after determining it to be utilizing shell companies in a barratry-for-profit scheme.
- The un-apprehended third hacker in the Snowflake extortion scheme may be a US Army soldier.
- A Brazilian certificate authority has issued an unauthorized certificate for google.com.