On the Need for an AI Public Option


Artificial intelligence will bring great benefits to all of humanity. But do we really want to entrust this revolutionary technology solely to a small group of US tech companies?

Silicon Valley has produced no small number of moral disappointments. Google retired its “don’t be evil” pledge before firing its star ethicist. Self-proclaimed “free speech absolutist” Elon Musk bought Twitter in order to censor political speech, retaliate against journalists, and ease access to the platform for Russian and Chinese propagandists. Facebook lied about how it enabled Russian interference in the 2016 US presidential election and paid a public relations firm to blame Google and George Soros instead.

These and countless other ethical lapses should prompt us to consider whether we want to give technology companies further abilities to learn our personal details and influence our day-to-day decisions. Tech companies can already access our daily whereabouts and search queries. Digital devices monitor more and more aspects of our lives: We have cameras in our homes and heartbeat sensors on our wrists sending what they detect to Silicon Valley.

Now, tech giants are developing ever more powerful AI systems that don’t merely monitor you; they actually interact with you—and with others on your behalf. If searching on Google in the 2010s was like being watched on a security camera, then using AI in the late 2020s will be like having a butler. You will willingly include it in every conversation you have, everything you write, every item you shop for, every want, every fear, everything. It will never forget. And, despite your reliance on it, it will be surreptitiously working to further the interests of one of these for-profit corporations.

There’s a reason Google, Microsoft, Facebook, and other large tech companies are leading the AI revolution: Building a competitive large language model (LLM) like the one powering ChatGPT is incredibly expensive. It requires upward of $100 million in computational costs for a single model training run, in addition to access to large amounts of data. It also requires technical expertise, which, while increasingly open and available, remains heavily concentrated in a small handful of companies. Efforts to disrupt the AI oligopoly by funding start-ups are self-defeating as Big Tech profits from the cloud computing services and AI models powering those start-ups—and often ends up acquiring the start-ups themselves.

Yet corporations aren’t the only entities large enough to absorb the cost of large-scale model training. Governments can do it, too. It’s time to start taking AI development out of the exclusive hands of private companies and bringing it into the public sector. The United States needs a government-funded-and-directed AI program to develop widely reusable models in the public interest, guided by technical expertise housed in federal agencies.

So far, the AI regulation debate in Washington has focused on the governance of private-sector activity—which the US Congress is in no hurry to advance. Congress should not only move faster on regulation but also go one step further and develop its own programs for AI. Legislators should reframe the AI debate from one about public regulation to one about public development.

The AI development program could be responsive to public input and subject to political oversight. It could be directed to respond to critical issues such as privacy protection, underpaid tech workers, AI’s horrendous carbon emissions, and the exploitation of unlicensed data. Compared to keeping AI in the hands of morally dubious tech companies, the public alternative is better both ethically and economically. And the switch should take place soon: By the time AI becomes critical infrastructure, essential to large swaths of economic activity and daily life, it will be too late to get started.

Other countries are already there. China has heavily prioritized public investment in AI research and development by betting on a handpicked set of giant companies that are ostensibly private but widely understood to be an extension of the state. The government has tasked Alibaba, Huawei, and others with creating products that support the larger ecosystem of state surveillance and authoritarianism.

The European Union is also aggressively pushing AI development. The European Commission already invests 1 billion euros per year in AI, with a plan to increase that figure to 20 billion euros annually by 2030. The money goes to a continent-wide network of public research labs, universities, and private companies jointly working on various parts of AI. The Europeans’ focus is on knowledge transfer, developing the technology sector, use of AI in public administration, mitigating safety risks, and preserving fundamental rights. The EU also continues to be at the cutting edge of aggressively regulating both data and AI.

Neither the Chinese nor the European model is necessarily right for the United States. State control of private enterprise remains anathema in American political culture and would struggle to gain mainstream traction. The tech companies—and their supporters in both US political parties—are opposed to robust public governance of AI. But Washington can take inspiration from China and Europe’s long-range planning and leadership on regulation and public investment. With boosters pointing to hundreds of trillions of dollars of global economic value associated with AI, the stakes of international competition are compelling. As in energy and medical research, which have their own federal agencies in the Department of Energy and the National Institutes of Health, respectively, there is a place for AI research and development inside government.

Besides the moral argument against letting private companies develop AI, there’s a strong economic argument in favor of a public option as well. A publicly funded LLM could serve as an open platform for innovation, helping any small business, nonprofit, or individual entrepreneur to build AI-assisted applications.

There’s also a practical argument. Building AI is within public reach because governments don’t need to own and operate the entire AI supply chain. Chip and computer production, cloud data centers, and various value-added applications—such as those that integrate AI with consumer electronics devices or entertainment software—do not need to be publicly controlled or funded.

One reason to be skeptical of public funding for AI is that it might result in lower quality and slower innovation, given greater ethical scrutiny, political constraints, and weaker incentives in the absence of market competition. But even if that were the case, the trade-off would be worth it for broader access to the most important technology of the 21st century. And it is by no means certain that public AI has to be at a disadvantage. The open-source community is proof that it’s not always private companies that are the most innovative.

Those who worry about the quality trade-off might suggest a public buyer model, whereby Washington licenses or buys private language models from Big Tech instead of developing them itself. But that doesn’t go far enough to ensure that the tools are aligned with public priorities and responsive to public needs. It would not give the public detailed insight into or control of the inner workings and training procedures for these models, and it would still require strict and complex regulation.

There is political will to take action to develop AI via public, rather than private, funds—but this does not yet equate to the will to create a fully public AI development agency. A task force created by Congress recommended in January a $2.6 billion federal investment in computing and data resources to prime the AI research ecosystem in the United States. But this investment would largely serve to advance the interests of Big Tech, leaving the opportunity for public ownership and oversight unaddressed.

Nonprofit and academic organizations have already created open-access LLMs. While these should be celebrated, they are not a substitute for a public option. Nonprofit projects are still beholden to private interests, even if they are benevolent ones. These private interests can change without public input, as when OpenAI effectively abandoned its nonprofit origins, and we can’t be sure that their founding intentions or operations will survive market pressures, fickle donors, and changes in leadership.

The US government is by no means a perfect beacon of transparency, a secure and responsible store of our data, or a genuine reflection of the public’s interests. But the risks of placing AI development entirely in the hands of demonstrably untrustworthy Silicon Valley companies are too high. AI will impact the public like few other technologies, so it should also be developed by the public.

This essay was written with Nathan Sanders, and appeared in Foreign Policy.


Rezilion releases agentless runtime software vulnerability management solution


Software supply chain security vendor Rezilion has announced the release of a new agentless solution for vulnerability management. It enables security teams to monitor exploitable software attack surfaces in runtime without using an agent, reducing the time and overhead required for traditional runtime-based software vulnerability analysis, according to the firm. Rezilion’s new solution covers all versions of Windows and Linux across 12 code languages, it said.

Effective prioritization and remediation of software vulnerabilities can be a significant challenge for organizations, with attackers increasingly targeting software supply chains to exploit weaknesses. The State of Vulnerability Management in DevSecOps report revealed that organizations are losing thousands of hours in time and productivity dealing with backlogs of vulnerabilities that they have neither the time nor the resources to tackle effectively. More than half of 634 IT and IT security practitioners said their backlog consists of more than 100,000 vulnerabilities, and the average backlog contains 1.1 million vulnerabilities overall, according to the data.


Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py


Executive Summary

Killnet is an advanced persistent threat (APT) group based in Russia that has been active since at least 2015. The group is notorious for its highly sophisticated and persistent attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high-profile attacks, including the 2016 hack of the Democratic National Committee (DNC) during the U.S. presidential election. The group has also been implicated in distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk’s Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet’s tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The results will also include the pseudo-logic and the translated queries in a format that can be used by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be used to confirm the initial hypothesis.

Network Artifacts

To emulate the attack, cc.py was utilized to generate continuous HEAD requests against an Apache server; refer to Appendix A for further details. Once the attack was launched, the captured log traffic was examined, as shown in Figure 1 and Figure 2. Upon reviewing the HEAD HTTP traffic, it was discovered that a string of 11 to 12 digits consistently appeared after “HEAD /?”. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 3 also contains the Apache logs that were generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script iterates in a brute-force style until CPU resources are exhausted by the sheer traffic volume.

Figure 1 – Wireshark – Dynamically Generated 11-12 Digits

Figure 2 – Wireshark – Forged Referrer & Anonymized IPs

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl-compatible regular expressions can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that match the observed patterns in the headers. Detections tend to scale better than hunt queries and can be applied strategically on a per-sensor basis. Specifically, the following rule will match, on a forward-looking basis, any HTTP HEAD request containing 11-12 digits that is captured by a network sensor. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:"Killnet cc.py DDoS HTTP HEAD Flood"; content:"HEAD"; depth:4; content:" /?"; distance:0; content:" HTTP/1.1|0d0a|Host: "; distance:0; fast_pattern; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"|0d0a|Referer: https://"; distance:0; content:"|0d0a|Accept-Language: "; distance:0; content:"|0d0a|Accept-Charset: "; distance:0; content:"|0d0a|Connection: Keep-Alive|0d0a0d0a|"; distance:0; pcre:"/^HEAD\x20\/\?[0-9]{11,12}\x20HTTP/"; sid:10000001;)

Hypothesis #1
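As a quick sanity check of the PCRE logic in the rule above, the following minimal Python sketch tests the same pattern against a few request lines. The sample lines are illustrative only (they are not captured traffic), and the /…/ delimiter escaping required by Suricata is dropped because Python does not need it:

import re

# Same pattern as the pcre option in the Suricata rule above,
# without the /.../ delimiters and their escaping.
head_flood = re.compile(r"^HEAD\x20/\?[0-9]{11,12}\x20HTTP/")

# Illustrative request lines (hypothetical, not captured traffic).
samples = [
    "HEAD /?358214907613 HTTP/1.1",  # 12 digits - should match
    "HEAD /?12345678901 HTTP/1.1",   # 11 digits - should match
    "HEAD /?1234 HTTP/1.1",          # too few digits - should not match
    "GET /index.html HTTP/1.1",      # ordinary request - should not match
]

for line in samples:
    print(line, "->", "match" if head_flood.search(line) else "no match")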

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify “High connections from common source over a short amount of time”. The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the “where count > 10” statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn | eval datetime=strftime(ts,"%Y-%m-%d %H:%M:%S") | bucket span=1s datetime | stats count by datetime, id.orig_h | where count > 10 | rename datetime as "Date & Time" id.orig_h as "Attacker IP"

Hypothesis #2
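For environments that do not run Splunk, the same hypothesis can be checked with a short script over Zeek’s conn.log. The sketch below assumes the log is written in JSON format (one record per line) and uses a hypothetical file path; it buckets connections per source IP into 1-second windows and flags anything above the same threshold used in the query above:

import json
from collections import Counter

THRESHOLD = 10  # same cutoff as the "where count > 10" clause above

counts = Counter()
with open("conn.log") as f:  # hypothetical path to a JSON-format Zeek conn.log
    for line in f:
        rec = json.loads(line)
        second = int(float(rec["ts"]))  # truncate the epoch timestamp to a 1-second bucket
        counts[(second, rec["id.orig_h"])] += 1

for (second, src), count in sorted(counts.items()):
    if count > THRESHOLD:
        print(second, src, count, "connections in one second")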

Appendix A – Adversary Emulation

Cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called “head” that performs an HTTP HEAD request to a target server. The function takes two arguments: “event” and “proxy type”. These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables that hold the forged/randomized headers.

Figure 4 – cc python script
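For readers who prefer not to run cc.py at all, the following minimal sketch (not the actual cc.py code) reproduces only the request shape described above: an HTTP HEAD request with a randomized 11-12 digit query string and forged headers, sent a handful of times to a lab server you own, so the Suricata rule and hunt query can be validated. The target address is a hypothetical placeholder for a host inside an isolated attack range:

import http.client
import random

TARGET = "192.168.56.10"  # hypothetical lab Apache server; only use systems you own
REQUESTS = 20             # a handful of requests is enough to exercise the detections

for _ in range(REQUESTS):
    digits = str(random.randint(10**10, 10**12 - 1))  # 11-12 digit value, as seen in Figure 1
    conn = http.client.HTTPConnection(TARGET, 80, timeout=5)
    conn.request("HEAD", "/?" + digits, headers={
        "Referer": "https://example.com/",  # forged referrer, per Figure 2
        "Accept-Language": "en-US",
        "Accept-Charset": "utf-8",
        "Connection": "Keep-Alive",
    })
    try:
        response = conn.getresponse()
        print(response.status, "/?" + digits)
    finally:
        conn.close()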

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py --down --f proxy.txt --v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the “head” module and sets the duration of the attack to 30 seconds. The “head” module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py --url http:// -f proxy.txt --m head --v 4 --s 30

Appendix B – IOCs

An OTX pulse was created listing the 12K+ indicators from this research.

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack

https://securityresearch.samadkhawaja.com/


Cyber liability insurance vs. data breach insurance: What’s the difference?


With an ever-increasing number of cybersecurity threats and attacks, companies are becoming motivated to protect their businesses and customer data both technically and financially. Finding the right insurance has become a key part of the security equation, which is no surprise given that the average cost of a data breach in the US has risen to $9.44 million — more than twice the global average of $4.35 million.

The global cyber insurance market was valued at $13.33 billion in 2022, according to research by Fortune Business Insights, and is expected to grow from $16.66 billion in 2023 to $84.62 billion by 2030. North America is projected to dominate the market due to increasing cyberattacks, particularly ransomware, and a high risk of data loss, while Europe will also gain a prominent market share, in part because “digitalization among organizations remains vulnerable to malicious cyberattacks.”
