AT2k Design BBS Message Area
Subject: the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto20 by Carlini, Jagielski, a
Date/Time: December 31, 1969 6:00 PM

xt attack on a cryptosystem, which has a secret key embedded in its black-box
implementation and requires a polynomial number of queries but an exponential
amount of time (as a function of the number of neurons). In this paper, we
improve this attack by developing several new techniques that enable us to
extract with arbitrarily high precision all the real-valued parameters of a
ReLU-based DNN using a polynomial number of queries and a polynomial amount of
time. We demonstrate its practical efficiency by applying it to a full-sized
neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8
hidden layers with 256 neurons each, and about 1.2 million neuronal parameters.
An attack following the approach by Carlini et al. requires an exhaustive search
over 2^256 possibilities. Our attack replaces this with our new techniques,
which require only 30 minutes on a 256-core computer.

** *** ***** ******* *********** *************
Public Surveillance of Bars

[2024.07.02] This article about an app that lets people remotely view bars to
see if they’re crowded or not is filled with commentary -- on both sides --
about privacy and openness.

** *** ***** ******* *********** *************
Upcoming Book on AI and Democracy

[2024.07.02] If you’ve been reading my blog, you’ve noticed that I have
written a lot about AI and democracy, mostly with my co-author Nathan Sanders. I
am pleased to announce that we’re writing a book on the topic.

This isn’t a book about deep fakes, or misinformation. This is a book about
what happens when AI writes laws, adjudicates disputes, audits bureaucratic
actions, assists in political strategy, and advises citizens on what candidates
and issues to support. It’s a book that tries to look into what an AI-assisted
democratic system might look like, and then at how to best ensure that we make
use of the good parts while avoiding the bad parts.

This is what I talked about in my RSA Conference speech last month, which you
can both watch and read. (You can also read earlier attempts at this idea.)

The book will be published by MIT Press sometime in fall 2025, with an
open-access digital version available a year after that. (It really can’t be
published earlier. Nothing published this year will rise above the noise of the
US presidential election, and anything published next spring will have to go to
press without knowing the results of that election.)

Right now, the organization of the book is in six parts:

    AI-Assisted Politicians

    AI-Assisted Legislators

    The AI-Assisted Administration

    The AI-Assisted Legal System

    AI-Assisted Citizens

    Getting the Future We Want

It’s too early to share a more detailed table of contents, but I would like
help thinking about titles. Below is my current list of brainstorming ideas:
both titles and subtitles. Please mix and match, or suggest your own in the
comments. No idea is too far afield, because anything can spark more ideas.

Titles:

    AI and Democracy

    Democracy with AI

    Democracy after AI

    Democratia ex Machina

    Democracy ex Machina

    E Pluribus, Machina

    Democracy and the Machines

    Democracy with Machines

    Building Democracy with Machines

    Democracy in the Loop

    We the People + AI

    Artificial Democracy

    AI Enhanced Democracy

    The State of AI

    Citizen AI

    Trusting the Bots

    Trusting the Computer

    Trusting the Machine

    The End of the Beginning

    Sharing Power

    Better Run

    Speed, Scale, Scope, and Sophistication

    The New Model of Governance

    Model Citizen

    Artificial Individualism

Subtitles:

    How AI Upsets the Power Balances of Democracy

    Twenty (or So) Ways AI will Change Democracy

    Reimagining Democracy for the Age of AI

    Who Wins and Loses

    How Democracy Thrives in an AI-Enhanced World

    Ensuring that AI Enhances Democracy and Doesn’t Destroy It

    How AI Will Change Politics, Legislating, Bureaucracy, Courtrooms, and
Citizens

    AI’s Transformation of Government, Citizenship, and Everything In-Between

    Remaking Democracy, from Voting to Legislating to Waiting in Line

    How to Make Democracy Work for People in an AI Future

    How AI Will Totally Reshape Democracies and Democratic Institutions

    Who Wins and Loses when AI Governs

    How to Win and Not Lose With AI as a Partner

    AI’s Transformation of Democracy, for Better and for Worse

    How AI Can Improve Society and Not Destroy It

    How AI Can Improve Society and Not Subvert It

    Of the People, for the People, with a Whole lot of AI

    How AI Will Reshape Democracy

    How the AI Revolution Will Reshape Democracy

Combinations:

    Imagining a Thriving Democracy in the Age of AI: How Technology Enhances
Democratic Ideals and Nurtures a Society that Serves its People

    Making Model Citizens: How to Put AI to Use to Help Democracy

    Modeling Citizenship: Who Wins and Who Loses when AI Transforms Democracy

    A Model for Government: Democracy with AI, and How to Make it Work for Us

    AI of, By, and for the People: How Artificial Intelligence will reshape
Democracy

    The (AI) Political Revolution: Speed, Scale, Scope, Sophistication, and our
Democracy

    Speed, Scale, Scope, Sophistication: The AI Democratic Revolution

    The Artificial Political Revolution: X Ways AI will Change
Democracy...Forever

EDITED TO ADD (7/10): More options:

The Silicon Realignment: The Future of Political Power in a Digital World

Political Machines

EveryTHING is political

** *** ***** ******* *********** *************
New Open SSH Vulnerability

[2024.07.03] It’s a serious one:

    The vulnerability, which is a signal handler race condition in OpenSSH’s
server (sshd), allows unauthenticated remote code execution (RCE) as root on
glibc-based Linux systems; that presents a significant security risk. This race
condition affects sshd in its default configuration.

    [...]

    This vulnerability, if exploited, could lead to full system compromise where
an attacker can execute arbitrary code with the highest privileges, resulting in
a complete system takeover, installation of malware, data manipulation, and the
creation of backdoors for persistent access. It could facilitate network
propagation, allowing attackers to use a compromised system as a foothold to
traverse and exploit other vulnerable systems within the organization.

    Moreover, gaining root access would enable attackers to bypass critical
security mechanisms such as firewalls, intrusion detection systems, and logging
mechanisms, further obscuring their activities. This could also result in
significant data breaches and leakage, giving attackers access to all data
stored on the system, including sensitive or proprietary information that could
be stolen or publicly disclosed.

    This vulnerability is challenging to exploit due to its remote race
condition nature, requiring multiple attempts for a successful attack. This can
cause memory corruption and necessitate overcoming Address Space Layout
Randomization (ASLR). Advancements in deep learning may significantly increase
the exploitation rate, potentially providing attackers with a substantial
advantage in leveraging such security flaws.

The details. News articles. CVE data. Slashdot thread.

** *** ***** ******* *********** *************
On the CSRB’s Non-Investigation of the SolarWinds Attack

[2024.07.08] ProPublica has a long investigative article on how the Cyber Safety
Review Board failed to investigate the SolarWinds attack, and specifically
Microsoft’s culpability, even though they were directed by President Biden to
do so.

** *** ***** ******* *********** *************
Reverse-Engineering Ticketmaster’s Barcode System

[2024.07.09] Interesting:

    By reverse-engineering how Ticketmaster and AXS actually make their
electronic tickets, scalpers have essentially figured out how to regenerate
specific, genuine tickets that they have legally purchased from scratch onto
infrastructure that they control. In doing so, they are removing the
anti-scalping restrictions put on the tickets by Ticketmaster and AXS.

EDITED TO ADD (7/14): More information.

** *** ***** ******* *********** *************
RADIUS Vulnerability

[2024.07.10] New attack against the RADIUS authentication protocol:

    The Blast-RADIUS attack allows a man-in-the-middle attacker between the
RADIUS client and server to forge a valid protocol accept message in response to
a failed authentication request. This forgery could give the attacker access to
network devices and services without the attacker guessing or brute forcing
passwords or shared secrets. The attacker does not learn user credentials.

This is one of those vulnerabilities that comes with a cool name, its own
website, and a logo.

News article. Research paper.

** *** ***** ******* *********** *************
Apple Is Alerting iPhone Users of Spyware Attacks

[2024.07.11] Not a lot of details:

    Apple has issued a new round of threat notifications to iPhone users across
98 countries, warning them of potential mercenary spyware attacks. It’s the
second such alert campaign from the company this year, following a similar
notification sent to users in 92 nations in April.

** *** ***** ******* *********** *************
The NSA Has a Long-Lost Lecture by Adm. Grace Hopper

[2024.07.12] The NSA has a video recording of a 1982 lecture by Adm. Grace
Hopper titled “Future Possibilities: Data, Hardware, Software, and People.”
The agency is (so far) refusing to release it.

Basically, the recording is in an obscure video format. People at the NSA
can’t easily watch it, so they can’t redact it. So they won’t do anything.

    With digital obsolescence threatening many early technological formats, the
dilemma surrounding Admiral Hopper’s lecture underscores the critical need for
and challenge of digital preservation. This challenge transcends the confines of
NSA’s operational scope. It is our shared obligation to safeguard such pivotal
elements of our nation’s history, ensuring they remain within reach of future
generations. While the stewardship of these recordings may extend beyond the
NSA’s typical purview, they are undeniably a part of America’s national
heritage.

Surely we can put pressure on them somehow.

** *** ***** ******* *********** *************
Upcoming Speaking Engagements

[2024.07.14] This is a current list of where and when I am scheduled to speak:

    I’m speaking -- along with John Bruce, the CEO and Co-founder of Inrupt --
at the 18th Annual CDOIQ Symposium in Cambridge, Massachusetts, USA. The
symposium runs from July 16 through 18, 2024, and my session is on Tuesday, July
16 at 3:15 PM. The symposium will also be livestreamed through the Whova
platform.
    I’m speaking on “Reimagining Democracy in the Age of AI” at the
Bozeman Library in Bozeman, Montana, USA, July 18, 2024. The event will also be
available via Zoom.
    I’m speaking at the TEDxBillings Democracy Event in Billings, Montana,
USA, on July 19, 2024.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, A Hacker’s Mind -- as well as hundreds of articles,
essays, and academic papers. His newsletter and blog are read by over 250,000
people. Schneier is a fellow at the Berkman Klein Center for Internet & Society
at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy
School; a board member of the Electronic Frontier Foundation, AccessNow, and the
Tor Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2024 by Bruce Schneier.

** *** ***** ******* *********** *************
--- 
 * Origin: High Portable Tosser at my node (618:500/14)