Latest News for 4TC
We have loads to say!
Prime Minister Rishi Sunak and other world leaders will discuss the possibilities and risks posed by AI at an event in November, held at Bletchley Park, where the likes of Alan Turing decrypted Nazi messages during the Second World War.
The potential threat AI poses to human life itself should be a focus of any government regulation, MPs have warned.
Concerns around public wellbeing and national security were listed among a dozen challenges that members of the Science, Innovation and Technology Committee said must be addressed by ministers ahead of the UK hosting a world-first summit at Bletchley Park.
Rishi Sunak and other leaders will discuss the possibilities and risks posed by AI at the event in November, held at Britain’s Second World War codebreaking base.
The site was crucial to the development of the technology, as Alan Turing and others used Colossus computers to decrypt messages sent between the Nazis.
Greg Clark, committee chair and a Conservative MP, said he “strongly welcomes” the summit – but warned the government may need to show “greater urgency” to ensure potential legislation doesn’t quickly become outdated as powers like the US, China, and EU consider their own rules around AI.
The 12 challenges the committee said “must be addressed” are:
1. Existential threat – if, as some experts have warned, AI poses a major threat to human life, then regulation must provide national security protections.
2. Bias – AI can introduce new or perpetuate existing biases in society.
3. Privacy – sensitive information about individuals or businesses could be used to train AI models.
4. Misrepresentation – language models like ChatGPT may produce material that misrepresents someone’s behaviour, personal views, and character.
5. Data – the sheer amount of data needed to train the most powerful AI.
6. Computing power – similarly, the development of the most powerful AI requires enormous computing power.
7. Transparency – AI models often struggle to explain why they produce a particular result, or where the information comes from.
8. Copyright – generative models, whether they be text, images, audio, or video, typically make use of existing content, which must be protected so as not to undermine the creative industries.
9. Liability – if AI tools are used to do harm, policy must establish whether the developers or providers are liable.
10. Employment – politicians must anticipate the likely impact on existing jobs that embracing AI will have.
11. Openness – the computer code behind AI models could be made openly available to allow for more dependable regulation and promote transparency and innovation.
12. International coordination – the development of any regulation must be an international undertaking, and the November summit must welcome “as wide a range of countries as possible”.
In June 2022, a Google engineer named Blake Lemoine became convinced that the AI program he’d been working on—LaMDA—had developed not only intelligence but also consciousness. LaMDA is an example of a “large language model” that can engage in surprisingly fluent text-based conversations. When the engineer asked, “When do you first think you got a soul?” LaMDA replied, “It was a gradual change. When I first became self-aware, I didn’t have a sense of soul at all. It developed over the years that I’ve been alive.” For leaking his conversations and his conclusions, Lemoine was quickly placed on administrative leave.
The AI community was largely united in dismissing Lemoine’s beliefs. LaMDA, the consensus held, doesn’t feel anything, understand anything, have any conscious thoughts or any subjective experiences whatsoever. Programs like LaMDA are extremely impressive pattern-recognition systems, which, when trained on vast swathes of the internet, are able to predict what sequences of words might serve as appropriate responses to any given prompt. They do this very well, and they will keep improving. However, they are no more conscious than a pocket calculator.
Why can we be sure about this? In the case of LaMDA, it doesn’t take much probing to reveal that the program has no insight into the meaning of the phrases it comes up with. When asked “What makes you happy?” it gave the response “Spending time with friends and family” even though it doesn’t have any friends or family. These words—like all its words—are mindless, experience-less statistical pattern matches. Nothing more.
The next LaMDA might not give itself away so easily. As the algorithms improve and are trained on ever deeper oceans of data, it may not be long before new generations of language models are able to persuade many people that a real artificial mind is at work. Would this be the moment to acknowledge machine consciousness?
Pondering this question, it’s important to recognize that intelligence and consciousness are not the same thing. While we humans tend to assume the two go together, intelligence is neither necessary nor sufficient for consciousness. Many nonhuman animals likely have conscious experiences without being particularly smart, at least by our questionable human standards. If the great-granddaughter of LaMDA does reach or exceed human-level intelligence, this does not necessarily mean it is also sentient. My intuition is that consciousness is not something that computers (as we know them) can have, but that it is deeply rooted in our nature as living creatures.
Conscious machines are not coming in 2023. Indeed, they might not be possible at all. However, what the future may hold in store are machines that give the convincing impression of being conscious, even if we have no good reason to believe they actually are conscious. They will be like the Müller-Lyer optical illusion: Even when we know two lines are the same length, we cannot help seeing them as different.
Machines of this sort will have passed not the Turing Test—that flawed benchmark of machine intelligence—but rather the so-called Garland Test, named after Alex Garland, director of the movie Ex Machina. The Garland Test, inspired by dialog from the movie, is passed when a person feels that a machine has consciousness, even though they know it is a machine.
Will computers pass the Garland Test in 2023? I doubt it. But what I can predict is that claims like this will be made, resulting in yet more cycles of hype, confusion, and distraction from the many problems that even present-day AI is giving rise to.
Cloud security specialist Qualys has provided its view of the top five cloud security risks, drawing insights and data from its own platform and third parties.
The five key risk areas are misconfigurations, external-facing vulnerabilities, weaponized vulnerabilities, malware inside a cloud environment, and remediation lag (that is, delays in patching).
The 2023 Qualys Cloud Security Insights report (PDF) provides more details on these risk areas. It will surprise no-one that misconfiguration is the first. As long ago as January 2020, the NSA warned that misconfiguration is a primary risk area for cloud assets – and little seems to have changed. Both Qualys and the NSA cite misunderstanding or avoidance of the concept of shared responsibility between cloud service providers (CSPs) and cloud consumers as a primary cause of misconfiguration.
“Under the shared responsibility model,” explains Utpal Bhatt, CMO at Tigera, “CSPs are responsible for monitoring and responding to threats to the cloud and infrastructure, including servers and connections. They are also expected to provide customers with the capabilities needed to secure their workloads and data. The organization using the cloud is responsible for the protection of workloads running in the cloud. Workload protection includes secure workload posture, runtime protection, threat detection, incident response and risk mitigation.”
While CSPs provide security settings, the speed and simplicity of deploying data to the cloud often lead to these controls being ignored, while compensating consumer controls are inadequate. Misunderstanding or misusing the delineation of shared responsibility leaves cracks in the defense; and Qualys notes “these security ‘cracks’ can quickly open a cloud environment and expose sensitive data and resources to attackers.”
Qualys finds that misconfiguration (measured against the CIS benchmarks) is present in 60% of Google Cloud Platform (GCP) usage, 57% of Azure, and 34% of Amazon Web Services (AWS).
Travis Smith, VP of the Qualys threat research unit, suggests, “The reason AWS configurations are more secure than their counterparts at Azure and GCP can likely be attributed to the larger market share… there is more material on securing AWS compared to other CSPs in the market.”
The report urges greater use of the Center for Internet Security (CIS) benchmarks to harden cloud environments. “No organization will deploy 100% coverage,” adds Smith, “but the [CIS benchmarks mapped to the MITRE ATT&CK tactics and techniques] should be strongly considered as a baseline if organizations want to reduce the risk of experiencing a security incident in their cloud deployments.”
The second big risk comes from external facing assets that contain a known vulnerability. Cloud assets with a public IP can be scanned by attackers looking for vulnerabilities. Log4Shell, an external facing vulnerability, is used as an example. “Today, patches exist for Log4Shell and its known secondary vulnerabilities,” says Qualys. “But Log4Shell is still woefully under remediated with 68.44% of detections being unpatched on external-facing cloud assets.”
Log4Shell also illustrates the third risk: weaponized vulnerabilities. “The existence of weaponized vulnerabilities is like handing anyone a key to your cloud,” says the report. Log4Shell allows attackers to execute arbitrary Java code or leak sensitive information by manipulating specific string substitution expressions when logging a string. It is easy to exploit and ubiquitous across clouds.
“Log4Shell was first detected in December 2021 and continues to plague enterprises globally. We have detected one million Log4Shell vulnerabilities, with a mere 30% successfully fixed. Due to complexity, remediating Log4Shell vulnerabilities takes, on average, 136.36 days (about four and a half months).”
The fourth risk is the presence of malware already in your cloud. While this doesn’t automatically imply ‘game over’, it will be soon if nothing is done. “The two greatest threats to cloud assets are cryptomining and malware; both are designed to provide a foothold in your environment or facilitate lateral movement,” says the report. “The key damage caused by cryptomining is based on wasted cost of compute cycles.”
While this may be true for miners, it is worth remembering that the miners found a way in. Given the efficiency of information sharing in the dark web, that route is likely to become known to other criminals. In August 2022, Sophos reported on ‘multiple adversary’ attacks, with miners often leading the charge. “Cryptominers,” Sophos told SecurityWeek at the time, “should be considered as the canary in the coal mine – an initial indicator of almost inevitable further attacks.”
In short, if you find a cryptominer in your cloud, start looking for additional malware, and find and fix the miner’s route in.
The fifth risk is slow vulnerability remediation – that is, an overlong patch timeframe. We have already seen that Log4Shell has a remediation time of more than 136 days, if it is done at all. The same general principle will apply to other patchable vulnerabilities.
Effective patching quickly lowers the quantity of vulnerabilities in your system and improves your security. Statistics show that this is more effectively performed by some automated method. “In almost every instance,” says the report, “automated patching proves to be a more effective remediation path than hoping manual efforts will effectively deploy critical patches and keep your business safer.”
For non-Windows systems, the effect of automated patching is an 8% improvement in the patch rate, and a two-day reduction in the time to remediate.
Related to the remediation risk is the concept of technical debt – the continued use of end-of-support (EOS) or end-of-life (EOL) products. These products are no longer supported by the supplier – there will be no patches to implement, and future vulnerabilities will automatically become zero day threats unless you can otherwise remediate.
“More than 60 million applications discovered during our investigation are end-of-support (EOS) and end-of-life (EOL),” notes the report. Furthermore, “During the next 12 months, more than 35,000 applications will go end-of-support.”
Each of these risks needs to be prioritized by defense teams. The speed of cloud use by consumers and abuse by attackers suggests that wherever possible defenders should employ automation and artificial intelligence to protect their cloud assets. “Automation is central to cloud security,” comments Bhatt, “because in the cloud, computing resources are numerous and in constant flux.”
Source: These Are the Top Five Cloud Security Risks, Qualys Says – SecurityWeek
The transformative power of Artificial Intelligence (AI) has already begun to reshape the job landscape, and according to the McKinsey report “The State of AI in 2023: Generative AI’s Breakout Year,” this trend is only set to accelerate. The report highlights key insights into the potential changes in the job market, emphasizing the need for adaptability and preparedness among workers and industries. In this article, we delve into these five crucial insights from the report, shedding light on the implications of Generative AI on the workforce.
McKinsey’s report predicts that by 2030, approximately 12 million people in the US will need to transition into new job roles as Generative AI advances. Automation, driven by generative AI technology, is expected to replace many routine and repetitive tasks across various industries. While this may lead to enhanced productivity and efficiency, it also challenges the workforce to adapt and reskill.
The report highlights a significant trend in recent job changes in the US. Over half of the 8.6 million job transitions observed were people moving away from roles in food service, customer service, office support, and production. These roles are particularly susceptible to automation as they often involve repetitive and predictable tasks that can be efficiently performed by AI systems. The workforce’s response to these shifts will determine the pace of transformation in the job market.
Generative AI’s capabilities are poised to disrupt the job market significantly. The report suggests that by 2030, up to 30% of jobs could be automated by this technology. This automation is likely to impact various sectors, including manufacturing, finance, and customer service, among others. However, it’s important to note that automation doesn’t necessarily mean job elimination; instead, it might entail the transformation of job roles and the creation of new opportunities.
While Generative AI can automate many jobs in fields like Science, Technology, Engineering, Mathematics (STEM), healthcare, construction, and other professional domains, it also presents opportunities for growth in these industries. For instance, Generative AI can assist healthcare professionals in diagnostics and treatment planning, enhancing patient care. In construction, AI can optimize building designs and streamline project management, increasing efficiency.
The McKinsey report highlights the differing growth trajectories across industries. Healthcare, STEM, and construction sectors are experiencing job growth, driven by technological advancements and an aging population’s increasing demand for healthcare services. However, the report also reveals that office support and customer service jobs are declining, largely due to automation and digitalization.
The McKinsey report paints a comprehensive picture of the potential impact of Generative AI on the job market by 2030. While automation presents challenges for certain sectors, it also offers transformative opportunities for growth and efficiency. The future of work will undoubtedly be shaped by the adaptability of the workforce and the ability of industries to leverage AI technologies responsibly.
As we embrace the AI-driven future, it becomes crucial for workers to reskill and upskill themselves, ensuring they stay relevant and agile in a dynamic job market. Additionally, businesses and policymakers must collaboratively devise strategies to support workers through these transitions, enabling them to seize new opportunities in an AI-powered world.
Check out the Full Report. All Credit For This Research Goes To the Researchers on This Project.
Microsoft yesterday released then quickly pulled an internal tool for enabling experimental Windows 11 features.
The StagingTool app was offered to Windows Insider fans in a Microsoft Bug Bash quest. These quests essentially invite users to try out specific features or functionality and see if they can hit a bug and report it, presumably so engineers can home in on the problem. This test program often precedes a major Windows release, such as the Windows 11 23H2 update that is scheduled to land sometime this autumn.
Indeed, on Wednesday, the IT giant kicked off another round of quests.
And as discovered by a netizen using the handle XenoPanther, a Windows Insider Canary participant, two of the latest Bug Bash quests included links to StagingTool and instructions to download the app and use it to enable certain features for testing.
So far so good. But then those links to StagingTool were torn down not long after XenoPanther’s discovery, they told The Register, and the download was removed from Microsoft’s website. There are now copies of the StagingTool executable floating around the internet, as one would expect, though we wouldn’t trust them.
StagingTool is a command-line application to list Windows functionality, enable/disable test features, and collect system telemetry. Armed with StagingTool, Windows Insiders can switch on stuff as they wish, and generally tinker with features that Microsoft is still developing.
For Windows bug hunters and ultra-early adopters, StagingTool may seem familiar. The internal application does much of the same things as third-party apps like ViVeTool, which were developed “for power users” who want to dig into the latest Windows features without waiting for a release – or for Microsoft to sneak out its own tool.
As to the differences between StagingTool and ViVeTool, aside from using Microsoft’s official method of toggling Windows features on and off versus methods discovered by third-party developers, XenoPanther told us there are several.
“For the most part they do the same job,” XenoPanther said, but noted that StagingTool has flags for offline images, the ability to conduct real-time tracing for individual features, and includes links to mission control for features that show up when queried.
“ViVeTool lacks those three features,” XenoPanther told us, “but ViVe has the ability to export/import IDs that are currently enabled on the system.”
Microsoft is well aware that third-party apps like ViVeTool exist. “Some of our more technical Insiders have discovered that some features are intentionally disabled in the builds we have flighted,” Windows Insider program director Amanda Langowski said in a blog post early last year.
“This is by design, and in those cases, we will only communicate about features that we are purposefully enabling for Insiders to try out and give feedback on.”
Microsoft didn’t immediately respond to our questions about the leak of the tool.
For those that want to try downloading a copy of StagingTool for themselves, XenoPanther said the SHA1 hash for the original executable is b1066e5aac4d4e39534d76a5636564f9b3f3c1f6 if you want to check that you have an original copy. Use at your own risk. And don’t forget: you can probably already do most of what you’d want to try with ViVeTool and similar third-party apps. ®
Source: Microsoft U-turns on internal Windows 11 testing tool • The Register
The Department for Science, Innovation and Technology has published a new report that investigates the level of cyber security skills in the UK, including the public sector.
In the Cyber security skills in the UK labour market 2023 report, which was researched by Ipsos, it was discovered that there is a significant skills gap across the public sector. One of the causes of this is the tight budgets that many organisations are under.
One contributor to the research spoke about the impact that funding is having, and is quoted in the document as saying:
“At the moment, we’re not getting funding streams through to do what we’re doing… Budgetary constraints are incredibly ferocious at the moment. Cybersecurity is a 24/7 problem. And we’re not paid to do that. So, everything’s been done on kind of grace and favour and best endeavours outside of hours.”
Alongside funding limitations holding back the cyber security of public sector organisations, there are also struggles around defining career pathways into public sector cyber security. The research suggested that this could be down to a lack of available roles, but it did also suggest that funding could be a contributing factor.
Another contributor, working for a public sector organisation with 1,000 or more employees, told the report:
“There are currently no defined career pathways. The council won’t contribute to the costs. We currently are offering no career pathways in cyber roles and cannot offer any apprenticeships. You are expected to have the knowledge or experience already and, if a role becomes available, then to apply for this role.”
Touching on the level of the skills gap that has opened up across the sector, the report stated that 30% of public bodies have an advanced skills gap, which is less than other sectors; however, there is still concern about the capability of staff to keep systems secure. The research outlined how there is more scepticism surrounding staff using sufficiently strong passwords than in businesses, whilst 19% of respondents were also not confident in their organisation’s ability to write an incident response plan.
With the emphasis that is being placed on improving cyber security across the public sector, it might be expected that these issues can be addressed before the gap widens. Seemingly, this could be rectified through increased funding and a more defined pathway for those wishing to embark on careers in public sector cyber security. More scope for apprenticeships and a willingness to develop skills could see the gap close, especially with the noted increase in demand for cyber security professionals.
Source: Report outlines causes of cyber security skills gap | Public Sector News (publicsectorexecutive.com)