• Backdoor plans unpopular with US tech firms.
• WhatsApp threatens to leave UK.
• UK governent receives backlash over the Online Safety Bill and Investigatory Powers Act.
• Recently it was revealed that Russian and Chinese hackers accessed the Foreign Office’s internal systems.

Encrypted messaging might be at risk under new UK regulation. A BBC journalist heard from a leader of a big US tech firm that there was a definite tipping point at which the firm would leave the UK. While there’s often big ego talk and empty threat, this felt different.

That tipping point could well be the Online Safety Bill, due to pass this fall, or Autumn, as the Brits like to say. Aimed at protecting children, the bill would see strict rules about policing social media content with high financial penalties and prison time for individual tech execs if the firms fail to comply. Like arguments that invoke Hitler too early, playing the child protection card is a red flag to any data privacy advocate.

Crucially, the rules would include the stipulation that encrypted messages be read and handed over to law enforcement by the platforms they’re sent on if there’s deemed to be a national security or child protection risk.

READ NEXT

Security considerations when using messaging tools for business

As it currently stands, apps like WhatsApp, Proton and Signal, which all offer encryption, can’t see content of sent messages themselves. According to NSPCC, though, encrypted messaging apps are the “front line” of where child abuse images are shared.

They’re also an essential security tool for activists, journalists and politicians (more on that later). It’s hard not to wonder how far the parameters would be drawn around what’s escalated and brought to law enforcement; do we truly believe that police access to private messages is a good idea?

Both WhatsApp and Signal have threatened to leave the UK market over the government’s demands.

Encrypted messaging is, like, WhatsApp’s whole thing.

After tech firms opposed the powers that could be used to scan encrypted messages for child abuse images, amendments were passed by the UK’s second chamber, the House of Lords. Changes to the Online Safety Bill say that a “skilled person” must write a report for communications regulator Ofcom before it uses the new powers to make a company scan its users’ messages.

As end-to-end encrypted messages can only be read by the sender or recipient, critics suggest this means companies would need to scan messages before they are encrypted – so called client-side scanning.

Ministers, police and children’s charities say the powers are necessary to tackle “record levels” of child abuse such as imagery and grooming on online platforms, and to prevent encrypted platforms allowing child abusers to “operate with impunity.”

In 2022, Google made headlines when it closed and refused to reinstate a father’s Google account after content was incorrectly flagged as child abuse. Photos he had taken to send his son’s doctor were explicit but not demonstrative of child abuse; Google handed over his entire account, including photos, messaging and emails, to the authorities.

Campaigners have dubbed the changes to encrypted messaging a “spy clause,” saying that as a minimum a judge should have to authorize the scanning of user messages. Among them is the Open Rights Group which campaignes for digital rights.

“Given that this ‘skilled person’ could be a political appointee, and they would be overseeing decisions about free speech and privacy rights, this would not be effective oversight,” the group wrote.

Proposed amendments to the Investigatory Powers Act, which included tech firms getting Home Office approval for new security features before worldwide release, incensed Apple so much that it threatened to remove Facetime and iMessage from the UK if they go through.

The tech giant has also been staunchly against the clause in the Online Safety Bill that would allow encrypted messages to be read. Its submission to the current consultation is nine pages long, opposing:

• having to tell the Home Office (ministry in charge of law & order) of any changes to product security features before they are released.
• the requirement for non-UK-based companies to comply with changes that would affect its product globally – such as providing a backdoor to end-to-end encryption.
• having to take action immediately if a notice to disable or block a feature is received from the Home Office, rather than waiting until after the demand has been reviewed or appealed against.

Apple says:

• It would not make changes to security features specifically for one country that would weaken a product for all users.
• Some changes would require issuing a software update so could not be made secretly.
• The proposals “constitute a serious and direct threat to data security and information privacy” that would affect people outside the UK.

Encrypted messaging is just part of the problem

The UK Parliament is also passing through the Digital Markets Bill which firms told the BBC gives an unprecedented amount of power to a single body. The bill proposes that the UK’s competition watchdog selects large companies like Amazon and Microsoft, gives them rules to comply with and sets punishments for noncompliance.

Big Tech isn’t exactly in the good books due to past behaviors and many feel accountability and regulation is overdue.

We shouldn’t confuse “pro-innovation” with “pro-Big Tech” warns Professor Neil Lawrence, a Cambridge University academic who has previously acted as an advisor to the CMA. “Pro-innovation regulation is about ensuring that there’s space for smaller companies and start-ups to participate in emerging digital markets”, he said.

YOU MIGHT LIKE

CYBERSECURITY

Top 3 things that enterprises can do to improve data security

Other experts are concerned that those writing the rules do not understand the rapidly-evolving technology they are trying to harness.

“There are some people in government who’ve got very deep [tech] knowledge, but just not enough of them,” said economist Dame Diane Coyle.

“And so [all] this legislation has been going through Parliament in a manner that seems to technical experts, like some of my colleagues, not particularly well-informed, and putting at risk some of the services that people in this country value very highly.”

The Department for Science, Innovation and Technology said that it had “worked hand-in-hand with industry and experts from around the world to develop changes to the tech sector”, including during the development of the Online Safety Bill and the Digital Markets Bill.

The UK shouldn’t be in a position where it’s held to ransom by US tech giants, but the services of apps like WhatsApp are widely used by millions, and there’s no UK-based alternative. The thing is, there are alternatives for US tech firms, AKA other countries, so leaving the UK wouldn’t do huge amounts of damage.

When the UK’s Competition and Markets Authority (CMA) blocked Microsoft’s acquisition of the video game giant Activision Blizzard, the company was furious.

“There’s a clear message here – the European Union is a more attractive place to start a business than the United Kingdom,” raged chief executive Brad Smith – CMA has reopened negotiations with Microsoft.

That’s not to say that the EU isn’t also getting stricter – in fact that’s kind of what hurts about tech firms moving there. Ultimately, the EU is a bigger market, so more valuable. Of course, until recently the UK was part of that market. But a bed has been made, so the UK government and its people must lie in it.

“There is growing irritation here about the UK and EU trying to rein in Big Tech… that’s seen as less about ethical behaviour and more about jealousy and tying down foreign competition,” says tech veteran Michael Malone.

The UK government: pro-tech, poor security

Source: BBC News.

The UK Prime Minister Rishi Sunak calls himself a pro-tech PM. He’s trying desperately to entice the lucrative AI sector into the country. Some firms, including Palantir, OpenAI and Anthropic, have agreed to open UK headquarters.

Naturally, one would assume that a government so concerned with the security of encrypted messaging and controlling the way that technology is used would be tech savvy itself.

Speaking of encrypted messaging, who remembers when ex-government minister, Matt Hancock gave a journalist access to his WhatsApp messages? As part of her writing his memoir, Isabel Oakeshott was privy to 100,000 of Hancock’s private messages – which, in the name of public interest, she shared.

A Tweet about the leaked WhatsApp messages.

Had he not left parliament in favor of fame and fortune (appearing on the UK version of I’m A Celebrity, Get Me Out of Here) perhaps he’d be an ideal candidate to speak up for those against what Politico calls “screenshot scrutiny.”

Nick Hancock. Definitely a cowboy. Source: Metro News.

It’s recently been revealed that in 2021 a major security breach was kept secret from the public. i News revealed that Russian and Chinese hackers accessed the Foreign Office’s internal systems in the last few weeks. Hackers from both countries compromised internet-connected servers belonging to the Foreign, Commonwealth and Development Office (FCDO), although the breach did not give them access to classified information.

Experts warned this may have put diplomats based in hostile environments at risk or potentially damaged relationships with important strategic allies by revealing private communications with other nations.

Both Russia and China were able to access the system at the same time in separate attacks. “At one point we believe both were on there,” a GCHQ insider told i. “It was very embarrassing and caused great stir in government because they didn’t know whether they should admit it or not.”

Essentially, the government system was an open door and both countries found a way in. It was likely the result of a phishing email.

A cyber security specialist, who worked at the FCDO at the time, also confirmed the hacks took place, adding, in a masterful use of understatement, that it was “certainly sub-optimal”.

A third source, a former intelligence officer at the Foreign Office, said incidents like this in “some form or another” were a “daily occurrence.”

“The issue with government departments is that they are culturally apathetic about security and particularly cyber security,” they told i. “The general feeling is that the intelligence [agencies] have got that [covered], so we don’t need to worry.”

So why is one of the highest security bodies in the UK so apathetic about breaches? The technology in use by staff is predominantly Windows PC – the proven least secure operating system out there.

Maybe just equipping all staff Macs would help – they’re typically less targeted than Windows (running POSIX-compliant BSD operating system variants). Running Linux on government desktop hardware would be an equally valuable security step, and one that would be cheaper to procureme than Apple desktops.

Either way, perhaps it would be best if the government focussed on its own security issues before threatening the UK’s access to tech manufactured by US-based firms.

The post UK gov flounders in encryption and security mire appeared first on TechHQ.

America, Japan and South Korea are bunking together – it isn’t summer without camp!

Officials say leaders from the United States, Japan and South Korea are meeting at Camp David to launch new defense steps. The three countries will launch a series of joint initiatives on technology and defense this Friday.

US officials, speaking to Reuters on condition of anonymity, said the summit will see the three leaders agree to a mutual understanding about regional responsibilities amid mounting shared concerns about China.

US President Joe Biden will host at his presidential retreat. Photo: AFP.

A three-way hotline will be set up to communicate in times of crisis, but the summit is unlikely to produce a formal security arrangement that commits the nations to each other’s defense.

US President Joe Biden invited Japanese Prime Minister Fumio Kishida and South Korean President Yoon Suk Yeol, to the storied presidential retreat in Maryland’s Catoctin Mountains.

Camp David’s a little better than cabins in the woods. dapd via AP, FILE

For the two Asian nations, the trip will be part of their work to mend tattered diplomatic relations in the face of a greater regional threat posed by both China’s rise and North Korea. US officials hope this will be the first of many meetings, to become an annual gathering between the three leaders.

The summit on Friday will also see the three leaders signal deeper cooperation in areas including cybersecurity and supply chain resilience.

In March this year, South Korea and Japan held their first summit in 12 years. The meeting this week will mark another step towards easing tensions between the two states after years of dispute.

Photo via Reuters.

Washington has formal collective defense arrangements in place with Tokyo and Seoul separately, but wants the two countries to work more closely with one another in the face of China’s mounting power.

“We are anticipating some steps that will bring us closer together in the security realm,” said one of the U.S. officials, and that doing so would “add to our collective security.”

But the U.S. official added that, “it’s too much to ask – it’s a bridge too far – to fully expect a three-way security framework among each of us. However, we are taking steps whereby each of the countries understand responsibilities with respect to regional security, and we are advancing new areas of coordination and ballistic missile defense, again technology, that will be perceived as very substantial.”

It’s likely that a joint statement between the three countries will come out of the summit. It will include language speaking to concerns about China’s desire to change the status of Taiwan, which it claims as its own territory.

Taiwan’s TSMC powers the chip industry. © Illustration by Michael Tsang via Financial Times.

The language used will have to be consistent with previous US positions on the subject, avoiding an escalation in rhetoric that would undermine efforts to ease tensions ahead of potential talks between Biden and Chinese President Xi Jinping.

Christopher Johnstone, a former Biden White House official now with Washington’s Center for Strategic and International Studies think tank, told Reuters he expected a summit statement recognizing that the security of the three countries is linked, “and that some measure of threat to one is a threat to all,” even if this would fall short of NATO’s Article 5 language, that sees an attack on one as an attack on all.

All of this comes after a collaboration between the Chinese and Russian militaries that unsettled the US.

YOU MIGHT LIKE

CHINA

US-China trade war: New executive order, same old mistakes?

The South China Morning Post reports that China is on “high alert” as Biden hosts – building what some have called a “de facto Asian Nato.”

Some are saying that, given the integration of the Asian countries’ economies with China, they have no intention of picking sides between Beijing and Washington.

For the Japanese government, the alliance with the U.S. is an easy tool for concrete interests, and a condition in exchange for Washington’s support on international issues.

Of course, all of this is happening amidst the silicon blockade imposed on China by America. Beyond maintaining US primacy in the tech world, the effects will cut into Chinese military advancements, and threaten its economic growth and scientific leadership.

As a result, China is working hard to develop its own domestic semiconductor industry, leading to increased competition and vulnerabilities in the software supply chain, too.

This could result in increased attacks on the U.S. supply chain and attempts to gain access to U.S. suppliers’ networks and facilities to both exfiltrate intellectual property and introduce malicious code or components into the supply chain.

“Another potential risk is that this increased competition could lead to the fragmentation (or Balkanization) of the global cybersecurity ecosystem, with different regions using different standards and technologies,” said Ted Miracco, CEO at Approov.

It’s likely that the closeness between the US, Japan and South Korea will include moves to universalize their technological aims and defenses to avoid any such fragmentation. Until a statement from the three leaders, all anyone can do is watch and wait.

The post Camp David will host diplomatic meeting on China defense plan appeared first on TechHQ.

• Indian Ministry bypasses the need for Microsoft security essentials.
• Develops Maya OS based on Ubuntu for Defence Ministry desktops.

The recent news in the UK that the Foreign Office, the government ministry responsible for overseas policy and espionage, has been soundly hacked, it is no surprise that governments worldwide seek alternatives to the cybersecurity nightmare that is the Windows operating system (OS).

YOU MIGHT LIKE

MANUFACTURING

This Barbie was made in the USA – or nearby

The Indian Defence Ministry has decided to replace Microsoft’s flagship OS on all of its computers with access to the internet with immediate effect. It’s selected Maya OS, a Linux distribution based on Canonical’s Ubuntu, as the replacement, development on which has taken six months to reach production status. The Indian Army, Navy, and Air Force are in various stages of approving the use of Maya OS for their systems, making the Indian defense network inherently less prone to successful attacks.

A phishing email is reported as the source of the UK cybersecurity breach, with a single user installing a Windows executable that left an attack vector open for exploitation by hackers. Russian and Chinese state-sponsored attackers have so far been named as those that have taken advantage of access to the British Ministry’s systems.

Microsoft security essentials

Windows’s ubiquity means it is the go-to target for most malware and hacking attempts. It’s a situation exacerbated by the legacy debt that the Windows desktop operating systems carry: backward compatibility over generations of software means the code is byzantine and, therefore, difficult to protect. Conceived in an era before the internet became a bad actor’s playground, it has been the target of countless hacks, despite continuous patch releases by Microsoft that attempt to shore up an inherently insecure base.

In contrast, Linux was developed as a networked operating system that arrives in 2023 with a structure and underpinning mechanisms that prevent easy unauthorized use by users and malicious outsiders.

Maya has been developed specifically to ease user onboarding: “Maya has the interface and all functionality like Windows and users will not feel much difference as they transition to it,” an Indian official has said.

Unlike servers and other network appliances, desktop PCs have the added component of being controlled by fallible biological components – human users – that are prone to click rogue links, believe what they read onscreen, and engage in practices like password sharing and using simple-to-guess credentials to access critical systems. Even with built-in endpoint security systems – like Microsoft Security Essentials – there is usually a simple bypass available in the form of the end-user.

The Indian government hopes that by using Maya, it will remove its networked PCs from the “low-hanging fruit” category of targets: Maya and Linux in general, are not immune from attack (no system is), but even security through relative obscurity will go a long way to ensure that systems remain safer.

Maya OS based on Ubuntu

By basing its operating systems on Ubuntu (itself a derivative of Linux stalwart OS Debian), the Indian government had a jump-start on creating a ‘new’ operating system. What it had to do – and it’s no small task – was to apply extra security hardening measures and a desktop environment similar to Windows.

This not the first time the Indian government has attempted to move away from security car-crash operating systems. Bharat OS (BharOS) is a project reported on these pages that runs as a replacement for the Android mobile operating system.

YOU MIGHT LIKE

PRIVACY

Indian government backs Bharat OS to safeguard data privacy

Elsewhere, there have been multiple public sector moves to migrate away from a pure Microsoft desktop topology on security and license cost grounds. In Germany, the Munich local government switched a significant portion of its systems to Linux desktops for internal use from 2006. Microsoft responded by moving its headquarters to the city, and the administration continues to vacillate between open- and closed-source desktops to this day.

Speaking in 2019, the ex-leader of the Munich government said, “[…] the result was clear that Microsoft is cheaper in some price comparisons, but remains a risk factor when it comes to data security and is a provider similar to a monopoly when it comes to independence.” [translation from here.]

The total cost of ownership of any operating system is a complex equation involving license fees, support costs, cybersecurity costs, and staff training.

The post India’s armed services ditch Windows appeared first on TechHQ.

• The US President is escalating the tech trade war with China with a new executive order that’ll come into effect next year.
• The order declares a national emergency, directing the Treasury Department to establish a program to oversee a new instrument to review outbound investments in national critical sectors.
• The President continues to treat China as an active danger, and penalize it as such.

The United States is still dealing with the unintended consequences of the first export controls imposed against China last October. It was the most far-reaching action taken by the Biden Administration, eventually leading to the escalation of the US-China trade war – so much so that China has not shied away from responding to the US measures that have followed.

READ NEXT

US-China relations – bluster, blunder, and strategy?

The US and China briefly turned down the heat on their relationship when Treasury Secretary Janet Yellen and Secretary of State Antony Blinken visited Beijing recently, partly to improve communication between the two countries. “President Biden and I do not see the relationship between the US and China through the frame of great-power conflict,” Yellen said at the end of her trip.

US Treasury Secretary Janet Yellen speaks during a press conference at the Beijing American Center of the US Embassy in Beijing on July 9, 2023. (Photo by Pedro PARDO / AFP)

Unfortunately, the reality is far from the harmony the official meetings were trying to paint: the US and China are still engaged in a great-power struggle, actively competing for global supremacy. This week, the US intensified its trade war with China by announcing a new investment screening mechanism. This time, however, China isn’t the sole target. Its special administrative regions, such as Hong Kong and Macau, were included too.

The three countries were noted as the only points of concern in what Biden dubbed the ’emergency declaration.’ For context, the President declared the latest move as “a national emergency to deal with the threat of advancement by countries of concern in sensitive technologies and products critical to the military, intelligence, surveillance, or cyber-enabled capabilities of such countries.”

All about the latest executive order in the US-China trade war

On August 9, this week, Biden signed an executive order to narrowly prohibit certain US investments in sensitive technology in China and require government notification of funding in other tech sectors. Ironically, the announcement came on the first anniversary of Biden signing the Chips and Science Act into law.

But the order didn’t come as a surprise – it was long-anticipated. This time, it is intended to curb US venture capital and private equity investments in Chinese companies covering semiconductors and microelectronics, quantum information technologies, and specific artificial intelligence (AI) systems.

In a letter to Congress, Biden declared a national emergency to deal with the threat of advancement by countries like China “in sensitive technologies and products critical to the military, intelligence, surveillance, or cyber-enabled capabilities.” Therefore, the order also called for the creation of an outbound investment review mechanism.

The move is being made mainly because the export controls unveiled last October by the US “don’t include investments abroad that can help foreign adversaries or countries of concern to fuel indigenous development of national security technologies,” an administration official said, according to the South China Morning Post. 

“By adding outbound investment screening to our suite of national security tools, we’re enhancing US capabilities to safeguard our national security,” the official added. However, unlike most past orders or bans, the latest move also seeks to blunt China’s ability to use US investments in its technology companies to upgrade its military, while preserving broader levels of trade that are vital for both nations’ economies.

The US is being cautious this time

This time, administration officials, including Commerce Secretary Gina Raimondo and Treasury Secretary Janet Yellen, have said the US seeks to keep the scope of the new investment restrictions as narrow as possible to limit the damage to the bilateral relationship. The US wants to avoid worsening the trade war with China.

Secretary of State Blinken sought to de-escalate the US China trade war on his rcent visit. Source: Leah Millis/Pool/AFP.

“You don’t want the cutline to be so broad that you deny American companies revenue and China can get the products elsewhere, or China gets products from other countries, so what we’re trying to do is be narrowly defined [and] work with our allies on these choke point technologies,” Raimondo said last month.

YOU MIGHT LIKE

CLOUD COMPUTING

Will US cloud computing restrictions on China have any impact?

Unfortunately, China did not perceive the move as positively as the US did.

Following the announcement, a spokesperson for the Chinese embassy in Washington said that China is “very disappointed” by the move. In a statement, Liu Pengyu said the curbs would “seriously undermine the interests of Chinese and American companies and investors” and added: “China will closely follow the situation and firmly safeguard our rights and interests.”

Meanwhile, China’s commerce ministry in Beijing accused the US of disrupting global industry and supply chains. The executive order “seriously deviates from the market economy and fair competition principles the US has always promoted, and affects companies’ normal operation decisions,” a spokesperson said.

The order is expected to be implemented next year, according to someone who was briefed on the issue, after multiple rounds of public comment, including an initial 45-day comment period. Emily Benson of the Center for Strategic and International Studies (CSIS), a bipartisan policy research organization, said the move by the US signals a seismic broadening of the US trade, investment, and technology toolkit that reflects a gap in existing government authorities. 

“This begs an obvious question about why the US lacks authority to review outbound investments in countries of concern for certain end uses that pose national security threats,” she noted. In other words, Benson believes there is a conspicuous missing piece in the ability of the US government to ensure that US capital—both funding and know-how—is not used to advance foreign military capabilities. 

YOU MIGHT LIKE

CHINA

Could South Korea be torn in the US-China chip war again?

“The August 9 executive order thus stands up the scaffolding for a system to close this gap,” she summarized. The takeaway, for now, is that the latest order creates an opportunity for the administration to articulate even more clearly to skeptics that these investments pose a national security risk, thus meriting a new review regime.

If there’s a script for non-confrontation with China, can President Biden stick to it?

This considers the hard lessons the US government has learned after the October 7 export controls, including that allies and companies need to be more adequately briefed on the underlying national security justifications for the controls. 

The post US-China trade war: New executive order, same old mistakes? appeared first on TechHQ.

• Worldcoin and World ID are the newest releases unveiled by Sam Altman.
• While Worldcoin is a cryptocurrency, World ID is an identity management strategy based on blockchain.
• As bots evolve, we need a robust identity management solution to withstand potential impersonation.

Like Jobs, like Gates, like Ma, and like at last an early Musk, Sam Altman, CEO of OpenAI is fast becoming a person who, when he floats an idea, is worth paying attention to. Since the launch of ChatGPT, he’s someone who’s been courted by presidents, advised the US Congress, and toured Europe, trying to both stoke engagement, acknowledge reasonable fears about generative AI, and help to allay them – though admittedly, within certain OpenAI-advantageous lines.

So when Altman launched a new cryptocurrency-cum-security project in late July, understandably, the world sat up and took notice. Worldcoin is a coming together of two worlds that at first feels clunky, but on further inspection, has more to recommend it than meets the eye.

It’s aliiiive! Worldcoin goes public.

First of all, Worldcoin is a cryptocurrency, more or less like any other. Cryptocurrencies are e-currencies that exist on blockchains and as such are at least theoretically more secure than real-world cash, though 2022 was in no sense a good year for anyone making that argument, as crypto-exchange after crypto-exchange was hacked, robbed, or in some notable cases, collapsed from the inside out. Sam Bankman-Fried, we’re looking at you.

READ NEXT

Blockchain – a matter of trust

Behind the Worldcoin scenes.

But the cryptocurrency element of Worldcoin is only, really, the first handful of words in the headline of Altman’s new development. Because much more of the point of Worldcoin is something called World ID.

World ID is the point in the story of Sam Alman and Worldcoin where, if you were writing it as an episode of Black Mirror or The Twilight Zone, you’d ask yourself whether you could get away with something a little extra-weird. And not for nothing, it’s also the point at which those who’ve read their Revelation 11, 13-18 (the part where in the end of days, you can’t buy or sell unless you’re recognizable by having “the mark of the Beast”) get jumpy about their ability to buy and sell – just as they did decades ago on the introduction of barcodes to food items in supermarkets.

Because World ID involves a couple of elements that are both dystopian science fiction gold and apocalyptic conspiracy fodder. But, much more importantly, they also amount to a potential solution of a couple of key issues of the AI age – issues that were coming down the line before the launch of ChatGPT, but have become increasingly critical to tackle since its launch into the world.

Worldcoin’s World ID element is an “orb.”

A shiny metal orb into which you look, and which then records your iris pattern.

What that does is instantly create your “World ID.” A more or less universal proof not only that you are who you say you are, but that you’re a human being – rather than a sophisticated bot powered by generative AI like ChatGPT, GPT-4, Bard or any of the other big players.

Your World ID is then stored in a blockchain – the premise of which is that once the information packet is sealed on the chain, it can never be reopened or tampered with. It can also, at least theoretically, never be lost or shut down by any single entity. Your World ID is, essentially, “you” in terms of its power to access the things to which you should have access – and also to not access things to which you shouldn’t have access.

Worldcoin and Word ID – 21^st century identity management.

The idea in itself is straightforward – an uncrackable, unhackable, tamper-proof digital identity that could, apart from anything else, do away with at least some of the arms race between the forces of authority and the forces of chaos when it comes to passwords, and password-protected data.

If your password is actually your World ID, locked as it is in an unbreakable blockchain, then you should, barring evolutions like synthetic iris-prints (or potentially a new spate of eyeball-theft – did we mention the dystopian sci-fi element?), never have to worry about password theft, and the technology goes a good deal of the way towards tackling identity theft too.

That’s you in the data. That’s you on the blockchain, proving your identity…

But it’s also notable that the idea has its roots in the new world of generative AI. In fact, the chief motivation for the development of Worldcoin and the World ID is precisely the development of generative AI chatbots. At the moment, they’re fairly good at writing believable sentences – sentences that in many cases persuade human beings that they’re interacting with other human beings.

But the bots learn.

YOU MIGHT LIKE

CYBERSECURITY

World Password Day reveals password reuse remains a big issue

That means the only trend can be towards increasing sophistication, and a continual blurring of the lines between what is a genuine human being, and what is an incredibly sophisticated generative AI bot.

Identity management is already a big concern in IT and cybersecurity – both in terms of which humans have authority to access which parts of a system and which bots and programs are talking to which to make systems work.

The World ID has been proposed as a way to establish, quickly, easily, and so long as blockchain does what it’s always done, beyond any attempt at external subterfuge, that the human who owns the World ID is both a) human, and b) the same human as is attempting to access the system.

But in launching Worldcoin and the World ID, Alman said he saw the impact of generative AI going further. It will, he said, “do more and more of the work that people now do” – perhaps the most cogent admission that “AI will take our jobs” we’ve yet had from someone at the top of the AI pyramid.

Worldcoin and the UBI.

That led him to speculate on the adoption of an idea that has been floating around for decades – the Universal Basic Income (UBI).

While Altman acknowledged that the UBI is probably a long way off, certainly in an America that has yet to understand the principle of universal healthcare free at the point of need, he said it would represent a way to tackle income inequality.

Income inequality is currently soaring in the US, with some CEOs earning hundreds or even thousands of times the average wage of their workers.

And while there would be significant philosophical hurdles to overcome before the home of uber-capitalism adopted the idea of essentially giving away “money for nothing” to people whose working lives and even whole skillsets were swept away by generative AI, Altman’s Worldcoin and World ID would at least defuse one of the main concerns with it – the idea that any such UBI system would be open to fraud.

“No, by all means, have our money, verified human…”

READ NEXT

Machine identity management – an answer to a growing challenge

In a world of standard checks and balances, the idea that the system could be gamed by unscrupulous actors might be valid – and so, might significantly slow any adoption of something as potentially transformative as the UBI. But by narrowing the aperture of receipt to a single point of entry – the World ID linked to your iris scan – the fraud potential at least can be mitigated and minimized. If you can get past a system based on blockchain and iris scans, you probably have marketable skills beyond the receipt of UBI!

Viewed with skeptical eyes, Altman’s unveiling of a system that can protect against the potential dangers of generative AI could be seen as akin to Robert Oppenheimer coming up with a line of nuclear bomb shelters – and assuming it works better than traditional identity management techniques, there may well be questions about Alman’s involvement on both sides of the issue, despite Worldcoin actually being run by Berlin-based company, Tools for Humanity.

In a data-sensitive world, there might well also be questions asked about a single company potentially holding a worldwide database of iris-scans (assuming the scans themselves are retained beyond the initial process of the creation of the World ID – and unless people complain, why wouldn’t they be?).

But with 2 million users in its Beta period, and plans to scale up rapidly to send orbs to 35 cities in 20 countries, Worldcoin, and its World ID, will now face an intriguing live trial in the wild.

Its success or failure as a working identity management concept (and a cryptocurrency to boot) will determine whether it has what it takes to secure humanity and human identity from a range of generative AI chatbots growing ever more sophisticated.

The post Worldcoin and World ID – identity security against generative AI bots? appeared first on TechHQ.

Netflix is trying harder to stop account sharing in 2023 in an attempt to prevent revenues from slipping in the face of competition from new (and well-funded) alternative streaming services.

According to a 2023 letter to shareholders, the company stated that over 100 million people worldwide were accessing the company’s media via shared accounts – a practice that it had been quietly ignoring until now. The use of a single Netflix account for several people or households undermined Netflix’s “long term ability to invest in and improve,” [pdf] the company said. To encourage genuine family sharing, it introduced an approved option for password sharing outside a household, available at a slightly higher price. This was designed to allow, for instance, students to use their parents’ Netflix account while away at college, or where families live separately.

This new option was trialed in Latin America and since has been rolling out worldwide. Geographies affected include Spain, where there has been a significant drop in the number of subscriptions to the service in general. In the US, however, there were around 73,000 average daily new sign-ups to Netflix in the first three days of the scheme’s introduction, a rise of 102% on the previous 60-day date range sampled.

Check Point Building, Tel Aviv. Source: Kimmel Eshkolot Architects

But the company’s new policies have created, or at least given new impetus to, a market in illicit account credentials. Check Point Research has identified numerous illegal operations selling low-cost subscriptions on the dark web. A popular channel to entice this trade is the privacy-focused messaging app Telegram, where details of accounts are available for as little as 190 Indian Rupees (around $2).

YOU MIGHT LIKE

APPS

Netflix password sharing clampdown is coming to the US

Many accounts for sale are derived from compromised personal credentials available after data breaches. That contradicts rogue traders’ claims that the accounts provide “full access, effectiveness and legitimacy.” Stolen credentials sold in this way often do not work ‘as advertised’ either because they are fictional or are for accounts that have been closed or had their passwords reset by the genuine owners. Individuals looking for cheap Netflix account details should be wary, therefore, of any such offers as there’s clearly no recourse for the buyer disappointed with their dubious purchase.

“Cybercriminals often exploit users’ needs and desires, aligning their attacks with ongoing trends,” said Eusebio Nieva, Technical Director of Check Point Software for Spain and Portugal. “As with any other domain, it is important to remember that if an offer seems too good to be true, it probably is. Reducing demand is an effective way to counter illegitimate sales on the Dark Web and subsequently disrupt revenue streams from these services.”

Check Point advises all Netflix users to choose lengthy and difficult-to-guess passwords (and reset passwords if necessary) to lower the chances of their accounts being resold. It advises longer passwords: each additional character in a password adds exponentially more options attackers have to try to brute-force their accounts.

YOU MIGHT LIKE

WORLD PASSWORD DAY

Deploy Bitwarden password manager, then educate users

The company advises using password managers, tools that can create cryptographically strong passwords and store them for users. Passwords should also be unique to every online account. Use of the same password, or a simple variation on a single password, means that a single data breach of an individual’s account on an unrelated service (such as an online shopping service) effectively opens up all the user’s accounts for online trade or illegal use.

The post Attractive Netflix subscriptions for peanuts make monkeys of buyers appeared first on TechHQ.

Exercises in disaster recovery used to involve quite a few physical processes, like fetching backup tapes from storage (offsite or the fire safe), loading said media into machines that had just been restored to virgin bare metal, and waiting for all those bytes to move from A to B. Laborious it may have been, but it was something that could be practiced and honed, giving organizations a decent idea of mean time to recovery.

Of course, holding data on-premise is not as common as it used to be, and even where sensitive data is kept out of the public cloud, onsite, it’s often streamed nightly (or snapshot more regularly) to remote storage.

With the ease of that style of backup and the assumption that information stored and workloads run on the cloud are somehow safer, many organizations don’t trouble themselves overly with the integrity of their data resources held in the cloud.

The hyperscalers and big SaaS providers are about as resilient as they come, we might think, and the likelihood of data loss from Salesforce/AWS/GCP et al. is pretty low. Cybersecurity pros know, however, that the model of shared responsibility for security means big providers’ KPIs assure the infrastructure’s existence, and the end-user (read, the organization that is the customer) is responsible for data and, therefore, its recovery following a disastrous event or accidental deletion. There’s usually no recourse even for data loss due to temporary outage.

The gravity of that situation is exacerbated by the fact that SaaS applications have become the number one target for ransomware.

Source: Shutterstock

Some cloud providers can and do offer data backup and recovery services as part of their offering but by no means all. SaaS vendors often term the ability to take a manual export as a “backup facility,” and scripts that duplicate cloud data usually require time and effort to run and manually maintain.

Given that the average business uses dozens of XaaS instances (an average of 110 services in use in 2021), there’s a very good chance that mission-critical services and data are now hosted entirely offsite. Provided backup facilities may be partly effective where they exist, but invariably they run in a walled garden to which the paranoid sys admin (all sys admins should be paranoid) has no easy oversight.

In our last article, we talked about HYCU Protégé’s ability to protect hyperconverged infrastructure by means of seamless backups and simple restores, all neatly embedded in the Nutanix workflow. HYCU now provides organizations with the same gold standard of integrated data protection in many common cloud platforms – there’s a list here.

For critical systems like Okta, having an in-built backup run by HYCU significantly lowers an organization’s potential for data loss in a disastrous event. Platforms like Salesforce and Microsoft 365 that are central to many businesses’ working days are covered, as are half a dozen more. At the time of writing, they include stalwarts like Jira and Confluence, Google’s BigQuery & Cloud SQL, and AWS’s RDS. The ability to backup these mission-critical applications and services is just a matter of browsing and picking from the HYCU marketplace. The company’s low-code development platform and API, plus inherent system reliability, mean that the list of out-of-the-box compatibility ‘modules’ is set to lengthen significantly in the next few months.

Not everything runs on vanilla public clouds, of course. Organizations have a need (some might say an imperative) to ensure the safety and reliability of their own SaaS offerings, whether internal or client-facing. The R-Cloud developer platform lets SaaS companies and their partners offer automated, granular backup and restore capabilities built with just a few clicks in a low-code interface. That makes any application (and its data) an assured and recoverable asset.

Source: Shutterstock

Backup policies are simple to set up, and these can be applied, automated, or fired manually to address the entire stack (via as many rulesets as needed). SaaS data protection is a complex beast for which many organizations build their own tools, often at great expense measured in coding time. Usually, that type of facility doesn’t scale particularly well, and there’s a learning curve for new administrators. Getting to a stage where public cloud, SaaS applications, and internal apps are all managed centrally reclaims the control of data protection and restoration to those who are, after all, responsible for such things.

When the phone rings in the night, the person whose job it is to get things working again should be in a position to roll back critical data, irrespective of where it might live. “We thought Jira backed everything up for us,” isn’t a career-saving statement in that situation.

The process of instigating an HYCU-based system is simple enough that it seems bizarre the HYCU solution hasn’t been integrated into every cloud platform’s service model. Simple restore and very quick mean-time-to-operation could easily be an add-on or extra service offered by the SaaS owner. Putting the HYCU ‘stamp’ on the process would also go a long way to reduce those fears that backup processes are taking place behind a proprietary barrier, too.

Plus, there’s the added benefit that any organization could control all its own HYCU Protégé backups from one dashboard. For peace of mind of the whole stack, having restore controls and backup monitoring in a single place (with one tool) could be a resource-saving game-changer.

To discover more about the HYCU Protégé platform and the capabilities R-Cloud makes simple to embed, check out HYCU.

The post Why every ISV should offer HYCU backups to its customers appeared first on TechHQ.

• IoT devices are extremely prone to cybersecurity threats.
• The FCC has announced a Cyber Trust mark to set standards for IoT cyber-resilience.
• Many leading players in the industry have already signed up.

Safety, efficiency, and process certification marks are nothing new – from the Energy Star on your washing machine or refrigerator to the USDA Organic mark on your family’s carrots, to the R rating on the movies you don’t show your kids, they’re an understood reality: marks that prove that X product has met Y standards before being sold to the public. But there is, now, a new kid on this old block, and it’s one that aims to tackle the cybersecurity threats that attack consumers in their homes and lives.

The Biden administration, through the auspices of the Federal Communications Commission (FCC), announced the launch of the “Cyber Trust” mark in July, 2023, and it’s expected to come into force in 2024. Companies will be able to voluntarily sign up for the Cyber Trust mark, and, assuming their products pass the tests – being resilient against cybersecurity threats – will be able to display the mark on those products to show that not only are their products resilient, but that the company “cares” about the cyber-resilience of the products they sell to their customers.

READ NEXT

The rising hack threat to IoT devices

Certification marks have a habit of evolving into de facto “rules,” with the entire buying chain abandoning individual assessment of risks and ratings – if a product has the “mark” on it, it’s usually judged to be good enough, at the bare minimum, for use without worry.

In the case of the Cyber Trust mark, there’s an interesting add-on, compared to most previous certification marks, though. Because cybersecurity threats, and cybersecurity resilience, can change over time, evolving to attack devices that were previously safe, or overwhelming previous patches, the Cyber Trust mark will come in two parts.

Tackling cybersecurity threats on purchase and afterward.

Firstly, as with the Energy Star or the USDA Organic certification, there will be a mark stamped on products that a certificate-issuing authority (in this case the FCC) is satisfied that when it was sold, the product met the necessary standards and achieves the required cyber-resilience to qualify for certification.

But because the IoT and IIoT market – and the nature of cybersecurity threats – is distinctly different from, for instance, the market for makers of Energy Star products, there will be a second part to the Cyber Trust mark. The second part will be a scannable QR code, which will allow users to check whether their product is still cyber-resilient at a later date, potentially prompting users to download the latest available security patches.

While the Cyber trust mark itself will most likely come with a range of cybersecurity threat-resilience information for the particular product to which it’s attached, the QR code will allow buyers to access significantly more information, like what kind of data is collected by the device, where and how it’s stored, and even the manufacturer’s policy on sharing any collected data. That could allow for a relative data practice meritocracy to emerge in the IoT and IIoT markets over time.

YOU MIGHT LIKE

IOT

Mitigating the rising hack threat to IoT devices

Keeping your connected devices safe from cybersecurity threats.

In the first place, almost everything these days can be a connected device – from your toothbrush to your washing machine, your refrigerator to your meat thermometer, your smartphone to your medication monitor to your “share control” butt plug.

A home network can have a lot of vulnerability points.

Anything that’s a connected device on your domestic network can be a point of entry for would-be hackers, who can use that weak point in the system to move laterally and take control of other parts of the system, such as your data-rich laptop.

Such cybersecurity threats in a home network might take some time to die out as the Cyber Trust mark becomes a more significant part of day-to-day reality, but ultimately, having an industry standard on cybersecurity threats and resilience in smart devices can only be a positive development.

But if nothing else, having devices stamped with the Cyber Trust mark might well work to educate the wider public about the volume and nature of cybersecurity threats to which they have been, and could be vulnerable through the omnipresent world of connected devices in which they live.

The machines won’t rise up and kill us – but they may well be vulnerable to hacking by people who’d drain us dry.

The potential for expansion.

While in its current form, the Cyber Trust mark is intended to cover only domestic connected devices (with an already existing option to expand to cover fitness trackers, which commonly connect to multiple networks, rather than only the domestic one), the idea could at least theoretically be expanded over time to IIoT devices in commercial supply chains.

Every warehouse, every office building, every place of work in the developed world is guaranteed to be filled with IIoT devices, and just like the unsecured toothbrush in a domestic setting, any one of them could be a weak point in the security of a whole network.

The idea of whole supply chains, and whole industries suddenly having the capacity to choose only Cyber Trust marked IIoT devices is likely to create a similar circle of virtue as companies strive to not only protect their own systems, but gain the ability to show other players in their supply chain that they take cybersecurity threats seriously.

Assuming the Cyber Trust mark proves effective in reducing the number and/or effectiveness of cybersecurity threats in the domestic world of connected devices, there’s no reason beyond the sheer logistical challenge of the move why a commercial version shouldn’t be rolled out eventually.

Some of the connected device industry’s biggest players have already voluntarily signed up to the Cyber Trust mark initiative, including Google, Samsung, Logitech, Amazon, Best Buy, and the Connectivity Standards Alliance.

READ NEXT

Here’s how hackers exploit IoT device vulnerabilities to invade hardware

It’s new, and it will probably work – but will it narrow the market?

In fact, that’s the single issue that makes the Cyber Trust mark potentially controversial. While it’s arguable that the imposition of a standard to combat cybersecurity threats in IoT devices can only make the industry and those who use its products safer and better, there’s also an argument to be made that such a mark will tend to concentrate the market into a relative monopoly, with only the more prolific players able to afford the testing, hardware and software upgrades to meet potential annual recertification requirements.

The sheer force of numbers of IoT and IIoT devices in the world (approximately 15.4 billion in 2023, just over twice the number of human beings) means the likelihood is that significant change due to the development of the Cyber Trust mark will be slow.

But as a move in a more conscious direction towards protecting individuals and households – and eventually, potentially whole supply chains and industries from cybersecurity threats, it probably has to be applauded, monopoly concerns or not.

The post Cyber Trust mark to tackle IoT/IIoT cybersecurity threats appeared first on TechHQ.

The explosive popularity of generative AI programmes in recent months has seen a surge in ChatGPT malware.

Recently-released research from Unit 42, the threat intelligence team of global cybersecurity leader Palo Alto Networks, sheds light on the diverse tactics employed by scammers.

ChatGPT (Generative Pre-Trained Transformer) is a large language model-based chatbot owned and operated by OpenAI, an artificial intelligence research and development company. The chatbot, which is available for free in its basic version, has proved lucrative for opportunistic scammers looking to cash in on its increasing popularity.

Between November 2022 and April 2023, Unit 42 observed a 910% increase in monthly registrations for domains related to ChatGPT. There were over 100 daily detections of ChatGPT-related malicious URLs captured from traffic seen by the company. During this same timeframe, the team observed a striking 18,000% growth of squatting domains from DNS security logs.

YOU MIGHT LIKE

ARTIFICIAL INTELLIGENCE

Italy’s ChatGPT ban attracts the attention of regulators around the world. What’s next?

‘Squatting domains’ refer to domains registered or used for the purpose of profiting from the goodwill of a trademark belonging to someone else. In this case, bad actors use ‘openai’ or ‘chatgpt’ as or within the domain name: for example, ‘openai[.]us’ or ‘chatgpt[.]jobs’.

Although most of the squatting domains identified were not hosting anything malicious as of April 2023, they notably are not contrScammers use diverse tactics to trick users into revealing confidential information, according to research from Palo Alto Networksolled by OpenAI or other legitimate companies.

Unit 42’s study looked at several phishing URLS that pretended to be the OpenAI website. The individuals behind these phishing scams typically create fake websites that closely mimic the appearance of the official site, and trick users into downloading malware or sharing sensitive information.

A common technique presents users with a ‘DOWNLOAD’ button which, once clicked, downloads Trojan malware to the device without victims realizing the risk.

OpenAI used by hackers. Source: SHutterstock AI.

Another common scam tactic involves the use of ChatGPT-related social engineering for identity theft or financial fraud. Although OpenAI offers a free version of ChatGPT for users, fraudulent websites often claim that users must pay for their services, and try to lure victims into providing sensitive information such as their credit card details and email address.

The use of copycat chatbots also pose significant security risks. Some copycat applications – many of which are based on GPT-3 (released January 2020), which is less powerful than more recent versions – offer their own large language models, and others claim they offer ChatGPT services through OpenAI’s public API. ChatGPT is not accessible in certain regions, and prior to the release of the API there were several open-source projects that enabled users to connect to ChatGPT through various automation tools. Websites created with these automation tools or the OpenAI API could therefore attract a lot of traffic from these regions. This also provided bad actors with the opportunity to monetize ChatGPT by proxying their service.

YOU MIGHT LIKE

APPS

ChatGPT: OpenAI CEO Sam Altman asks for AI to be regulated

Using these copycat bots comes with the additional risk of having your input collected and stolen. Any confidential or sensitive information you provide could leave you vulnerable. The bot’s responses could also be purposefully manipulated to provide inaccurate or misleading information.

To use an example from Unit 42’s study, the team downloaded an extension from a squatting domain using the same information and video from the official OpenAI extension. Once downloaded, the fraudulent extension added a background script to the victims’ browser that contained highly obfuscated Javascript. This Javascript calls the Facebook API to steal the victim’s account details, and may enable scammers to get further access to the victim’s accounts.

ChatGPT scams have also started to show up on mobile app stores in the form of fleeceware. These scam apps claim to offer free access to ChatGPT, but eventually start charging weekly or monthly subscription fees which can be difficult to cancel. When advertising these apps developers often use tactics that screen out more scam-conscious and tech-savvy users, such as deliberately misspelling the app name in the title (e.g. ‘ChatGTP’).

As ChatGPT only continues to rise in popularity, we will undoubtably see more scams of the sort detailed in Unit 42’s study and changes in tactics to ensure malware’s continued effectiveness.

The post ChatGPT-themed scams on the rise appeared first on TechHQ.

Data from so-called shadow libraries is used to train large language models (LLMs), to the consternation of many authors. Should the people behind free access to books online face recriminations, or does the responsibility fall on the technology companies profiting from shadow libraries?

LLMs that power systems like ChatGPT are developed using large libraries of text. Books, being long and well-written (supposedly), are ideal training material, but authors are beginning to push back against their work, made freely available (so not-for-profit) being digested in this way to educate LLMs behind paid-for services.

This week, more than 9,000 authors, including James Patterson and David Baldacci, have called on tech executives to stop training their tools on writers’ work without compensation.

In objecting to free use of authors’ work, the campaign has put the spotlight back on shadow libraries like Z Library, Bibliotik, and Library Genesis. Each of them are repositories holding millions of titles in obscure corners of the internet.

Privacy, piracy, AI(racy)

Earlier this year, LLMs came under fire for privacy violations and ChatGPT was banned in Italy. The concern was that the chats individuals had with the models was being used for training, raising privacy concerns.

After enabling users to opt out of their data being used for training purposes and making the links to the privacy policy clearer, OpenAI was, at the time of writing, back up and running in Italy.

The issue of piracy and shadow libraries has been hitting headlines recently after Z Library’s founders were arrested for offences around copyright and ownership of intellectual property. What hasn’t been so widely discussed is the fact that the free-access libraries are often used as AI training data.

The fact that AI training relies on shadow libraries has been acknowledged in research papers by the companies developing the technology. OpenAI’s GPT-1 was trained on BookCorpus, which has over 7,000 unpublished titles scraped from self-publishing platform Smashwords.

Once training began for GPT-3, OpenAI said that roughly 16% of the data it used was from two “internet-based books corpora” that it dubbed “Books1” and “Books2.” A  lawsuit by the comedian Sarah Silverman and two other authors against OpenAI claims that Books2 is a “flagrantly illegal” shadow library.

The Authors Guild has organized an open letter to tech executives citing studies [pdf] from 2016 and 2017 that suggested text piracy reduced legitimate book sales by as much as 14%.

Shadow libraries aren’t at fault

Tech companies are increasingly closed about what data they use to train their systems. Meta’s paper on Llama 2 [pdf], published by researchers this week, said the LLM was trained using only a “new mix of data from publicly available sources.”

Supposedly, as OpenAI noted in a research paper on GPT-4 [pdf] from March, secrecy about what its LLM was trained on was necessary due to “the competitive landscape” and “safety considerations.”

Whether tech companies are hiding their sources from each other, or protecting free sources for their own gain, efforts to shut down these sites have had little effect. Even after the FBI charged two Russian nationals accused of running Z Library with copyright infringement, fraud and money laundering, the site came forward with plans to go physical.

Shadow libraries have also moved onto the dark web and torrent sites, so they’re harder to trace. Because many of them are run from outside of the US, anonymously, punishing the operators is difficult.

YOU MIGHT LIKE

SOFTWARE

Where to go when Z library’s down

However, although the average user of a site like Z Library shouldn’t face repercussions for accessing texts on a shadow library, perhaps the tech companies profiting from the databases should?

Given the volume of data needed to train an LLM, it’s unsurprising that amassing enough explicitly-licensed sources would be time consuming and tricky – so many AI researchers have opted to ask for forgiveness after the fact rather than permission.

They also argue that their use of data from online comes under fair use in copyright law, but as authors rally against shadow libraries, the focus might be being put on the wrong people.

The post Forcing shadow libraries out of the darkness appeared first on TechHQ.