NIST staffers revolt against expected appointment of ‘effective altruist’ AI researcher to US AI Safety Institute
The National Institute of Standards and Technology (NIST) is facing an internal crisis as staff members and scientists have threatened to resign over the anticipated appointment of Paul Christiano to a crucial, though non-political, position at the agency’s newly-formed US AI Safety Institute (AISI), according to at least two sources with direct knowledge of the situation, who asked to remain anonymous.
Good for them! #longtermist / #EffectiveAltruist / #TESCREAL people are cultists and have no place in government. They're obsessed with fantasies like #xrisk that are disconnected from reality and distract from the actual harms #AI is already causing here on Earth. It's precisely the same phenomenon as holding endless discussions about how many angels can dance on the head of a pin while ignoring that people are suffering. It sounds like Secretary of Commerce Gina Raimondo might be a Kool-aid drinker herself or is sympathetic to the viewpoints of the Kool-aid drinkers.
From her Wikipedia entry:
Gina Marie Raimondo...an American businesswoman, lawyer, politician, and venture capitalist
Emphasis mine.
It's alarming that this is even happening, and you know the fix is in because they tried to rush the appointment without informing staffers ahead of time. I hope #NIST staffers prevail.
Next was an excellent conversation with Bryan Choi on the problems and potential with NIST's software/AI frameworks and how they relate to NIST's historic evolution on @lawfare's podcast https://www.youtube.com/watch?v=_bO6Ja8cuCA (4/14) #NIST
So I'm going down the Ansible rabbit-hole. (Disclaimer: majority of my career has been in win32 environments). I have several Linux servers that need to be NIST compliant, and was looking at using Ansible to push out STIG configurations.
Any advice, recommendations, or tips that this esteemed community can provide would be most appreciated.
Adversaries can deliberately confuse or even “poison” artificial intelligence (AI) systems to make them malfunction — and there’s no foolproof defense that their developers can employ.
datasets used to train an AI are far too large for people to successfully monitor and filter, there is no foolproof way as yet to protect AI from misdirection
I'm not sure if I'm getting something wrong, but I think #Microsoft #Entra ID #Password Protection is complete rubbish. E.g. when banning weak passwords with the ominous 5-point rule, the results seem completely arbitrary.
Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.
This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!
Not sure if this applies only to German dictionary words.
It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF
Coming back to the weird point system. A banned password is not really banned; it gives you "only" 1 point (and you need five).
This leads to the question: how many points do non-banned words give?
If you think it can't get worse, you're wrong! It looks like each character of a non-banned word gives one point. Meaning "password1234" is an accepted password (1 point for "password" and 1 for each of the 4 digits).
Or a real-life example: the #SolarWinds #SupplyChain attack, which affected Microsoft, US government agencies and countless other organizations worldwide, was caused by a weak FTP server password.
Namely "solarwinds123", which would be accepted by #Entra ID #Password Protection (1 point each for "solar" and "wind", 3 points for the numbers). If "solarwinds" were on the custom banned list, "solarwind1234" would have been enough.
And you can't do anything against it.
I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but 1, as they are consecutive numbers. But this would make it only marginally better (2023
Side note, the PDF contains no (visible) version information or date :-(
Please, if you publish guidance, especially if you are an influential company, include a date in your documents. I treat guidance from 2016 differently than guidance from 2023.
Back to the recommendations. Most of them are solid, but some stick out:
Maintain an 8-character minimum
That seems awfully short. #NIST states "Longer is better", the #HPI recommends 15+ characters and, wait for it, Microsoft itself recommends 12 or better 14+ characters.
Ban common passwords, to keep the most vulnerable passwords out of your system.
The NIST recommendation to check against "commonly used and compromised passwords" considerably extends this!
Microsoft at other places recommends "Not a word that can be found in a dictionary or the name of a person, character, product, or organization."
Educate your users not to re-use their password for non-work-related purposes.
Work-related reuse is OK????
I would love to know if #Microsoft internally really follows these password rules, or if they enforce a stricter set. If anyone knows about this, please let me know (but don't if this would get you fired).
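The five-point scoring the thread above walks through, as an added example: this is constructed illustration code, not Microsoft's implementation and not from the original posts. It models the scoring as the Entra ID Password Protection documentation describes it (normalize, award one point per banned-list match, one point per remaining character, accept at five or more). The substitution table and the four-entry stand-in for the global banned list are assumptions; the fuzzy pass approximates the documented edit-distance-one matching with a simple Levenshtein check.

```python
"""Model of the five-point scoring Entra ID Password Protection documents.

Constructed example, not Microsoft's code. LEET and GLOBAL_BANNED are
assumptions standing in for the real normalization table and banned list.
"""
from dataclasses import dataclass, field

# Assumed subset of the "common substitutions" undone during normalization.
LEET = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-in for the global banned list (the real one is far larger).
GLOBAL_BANNED = {"password", "welcome", "solar", "wind"}

ACCEPT_THRESHOLD = 5


@dataclass
class Result:
    points: int
    accepted: bool
    matches: list = field(default_factory=list)  # (banned word, text it matched)


def normalize(password: str) -> str:
    """Lower-case and undo the common character substitutions."""
    return password.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so a simple DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _claim(norm: str, consumed: list, word: str, fuzzy: bool) -> list:
    """Mark non-overlapping occurrences of `word` in `norm` as consumed.

    Exact pass: substring equality. Fuzzy pass: windows of len(word) and
    len(word) - 1 within edit distance one (assumed approximation of the
    documented fuzzy matching).
    """
    lengths = [len(word), len(word) - 1] if fuzzy else [len(word)]
    found = []
    i = 0
    while i < len(norm):
        hit = None
        for length in lengths:
            window = norm[i:i + length]
            if length < 1 or len(window) != length or any(consumed[i:i + length]):
                continue
            ok = edit_distance(window, word) <= 1 if fuzzy else window == word
            if ok:
                hit = length
                break
        if hit is None:
            i += 1
            continue
        consumed[i:i + hit] = [True] * hit
        found.append((word, norm[i:i + hit]))
        i += hit
    return found


def score_password(password: str, custom_banned=()) -> Result:
    """Score one candidate password against the global plus custom banned lists."""
    norm = normalize(password)
    consumed = [False] * len(norm)
    banned = {normalize(w) for w in custom_banned} | GLOBAL_BANNED
    matches = []
    for word in sorted(banned, key=lambda w: (-len(w), w)):  # longest first
        hits = _claim(norm, consumed, word, fuzzy=False)
        if not hits:
            hits = _claim(norm, consumed, word, fuzzy=True)
        matches.extend(hits)
    # One point per banned-list match, one per character no match consumed.
    points = len(matches) + consumed.count(False)
    return Result(points, points >= ACCEPT_THRESHOLD, matches)


if __name__ == "__main__":
    cases = [("Password", ()), ("password1234", ()), ("passw0rd", ()),
             ("pasword", ()), ("welcome2024", ()),
             ("solarwinds123", ()), ("solarwinds123", ("solarwinds",))]
    for pw, custom in cases:
        r = score_password(pw, custom)
        print(f"{pw:14} custom={list(custom)!s:16} points={r.points} "
              f"accepted={r.accepted} matches={r.matches}")
```

Run it and the pattern the thread complains about falls out directly: "Password", "passw0rd" and the one-letter-off "pasword" all collapse to a single point, while the same banned word followed by four digits reaches the threshold. Adding "solarwinds" to the custom list changes the outcome for "solarwinds123" only because the longer entry consumes more characters than "solar" and "wind" do separately.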
I'm sure everyone's seen the 'hiring gaps' and layoffs but what's been your experience getting an infosec/cybersecurity/hacker job? Did you transition careers? What's the good, bad, ugly, roadblocks, whatever?
2023 Global Cybersec Workforce = 5,452,732 ✅
2023 Global Cybersec Workforce Gap = 3,999,964 ❌
What got you interested in infosec/cybersecurity/hacking gigs?
What's your 'why' for selecting this industry?
Any crazy hurdles or frustrating moments?
How are you learning the ropes, especially if you came from a completely different background?
Any specific training that helped you on your way?
What have interviews been like?
Anything weird that you never expected? Did your expectations match the industry?
How's the job market for these roles?
Most importantly....what would have made the process easier? For research purposes exclusively 😅
djb - DuckDuckGo it if you aren't familiar - in his most recent blog post about the NIST standardization efforts for next-gen cryptography shows, quite clearly, how badly #NIST botched their #calculations. But perhaps more importantly, they have resisted all efforts to correct their mistake(s), or even acknowledge them.
I found it much easier to comprehend than his previous post. If you're interested in #cryptography and aren't scared of a little #math:
This less-than-transparent behaviour on the part of #NIST, when added to all their #machinations trying to obscure the deep involvement of the #NSA in the competition, instead attributing NSA's work to NIST itself, is troubling.
To a conspiratorially-minded person, Occam's Razor might suggest that it was NSA's #attempt to get the world to #standardize on #encryption that is much #weaker than claimed - i.e., encryption that they know they can already #break.
I was looking at the NIST CSF 2.0 draft, wondering why there were so few comments for such an important document ... only 26?
But then I saw that there have indeed been quite a few comments at earlier opportunities (during the concept paper etc.). And it seems to include comments from most of the big organisations.
But it still seems like such an important document would and should have more comments. I mean a viral infosec thread on any social media probably has a magnitude more comments...
NSA: Cryptographer warns of subversion of quantum-secured encryption
The US standards agency NIST completely miscalculated when assessing the strength of the post-quantum system Kyber-512. Expert Dan Bernstein is concerned.
NIST "botched" the security analysis of Kyber in order to ensure its selection, have kept the reasons secret and also happen to be working with the NSA. Doesn't look great, does it: https://blog.cr.yp.to/20231003-countcorrectly.html
So… apparently #NIST "accidentally" overestimated the cryptographic strength of #Kyber512 (a post-quantum cipher candidate), quite likely because of #NSA influence.
While other messengers like Matrix/Element have only recently rolled out E2EE at all, Telegram continues to pretend that encrypting only some comms, and those with proprietary algorithms, is enough, and others like Mastodon don't even try, Signal is now rolling out post-quantum cryptography with an upgrade to what they call PQXDH.
Now the rest of us would just have to trust that this time, NIST specs haven't been spiked with backdoors..