FEDORA-2024-213f33544e
Packages in this update:
openssh-9.3p1-11.fc39
Update description:
Backport fix for CVE-2024-6387 (rhbz#2294879)
openssh-9.3p1-11.fc39
Backport fix for CVE-2024-6387 (rhbz#2294879)
If you’ve been reading my blog, you’ve noticed that I have written a lot about AI and democracy, mostly with my co-author Nathan Sanders. I am pleased to announce that we’re writing a book on the topic.
This isn’t a book about deep fakes, or misinformation. This is a book about what happens when AI writes laws, adjudicates disputes, audits bureaucratic actions, assists in political strategy, and advises citizens on what candidates and issues to support. It’s a book that tries to look into what an AI-assisted democratic system might look like, and then at how to best ensure that we make use of the good parts while avoiding the bad parts.
This is what I talked about in my RSA Conference speech last month, which you can both watch and read. (You can also read earlier attempts at this idea.)
The book will be published by MIT Press sometime in fall 2025, with an open-access digital version available a year after that. (It really can’t be published earlier. Nothing published this year will rise above the noise of the US presidential election, and anything published next spring will have to go to press without knowing the results of that election.)
Right now, the organization of the book is in six parts:
AI-Assisted Politicians
AI-Assisted Legislators
The AI-Assisted Administration
The AI-Assisted Legal System
AI-Assisted Citizens
Getting the Future We Want
It’s too early to share a more detailed table of contents, but I would like help thinking about titles. Below are my current list of brainstorming ideas: both titles and subtitles. Please mix and match, or suggest your own in the comments. No idea is too far afield, because anything can spark more ideas.
Titles:
AI and Democracy
Democracy with AI
Democracy after AI
Democratia ex Machina
Democracy ex Machina
E Pluribus, Machina
Democracy and the Machines
Democracy with Machines
Building Democracy with Machines
Democracy in the Loop
We the People + AI
Artificial Democracy
AI Enhanced Democracy
The State of AI
Citizen AI
Trusting the Bots
Trusting the Computer
Trusting the Machine
The End of the Beginning
Sharing Power
Better Run
Speed, Scale, Scope, and Sophistication
The New Model of Governance
Model Citizen
Artificial Individualism
Subtitles:
How AI Upsets the Power Balances of Democracy
Twenty (or So) Ways AI will Change Democracy
Reimagining Democracy for the Age of AI
Who Wins and Loses
How Democracy Thrives in an AI-Enhanced World
Ensuring that AI Enhances Democracy and Doesn’t Destroy It
How AI Will Change Politics, Legislating, Bureaucracy, Courtrooms, and Citizens
AI’s Transformation of Government, Citizenship, and Everything In-Between
Remaking Democracy, from Voting to Legislating to Waiting in Line
How to Make Democracy Work for People in an AI Future
How AI Will Totally Reshape Democracies and Democratic Institutions
Who Wins and Loses when AI Governs
How to Win and Not Lose With AI as a Partner
AI’s Transformation of Democracy, for Better and for Worse
How AI Can Improve Society and Not Destroy It
How AI Can Improve Society and Not Subvert It
Of the People, for the People, with a Whole lot of AI
How AI Will Reshape Democracy
How the AI Revolution Will Reshape Democracy
Combinations:
Imagining a Thriving Democracy in the Age of AI: How Technology Enhances Democratic Ideals and Nurtures a Society that Serves its People
Making Model Citizens: How to Put AI to Use to Help Democracy
Modeling Citizenship: Who Wins and Who Loses when AI Transforms Democracy
A Model for Government: Democracy with AI, and How to Make it Work for Us
AI of, By, and for the People: How Artificial Intelligence will reshape Democracy
The (AI) Political Revolution: Speed, Scale, Scope, Sophistication, and our Democracy
Speed, Scale, Scope, Sophistication: The AI Democratic Revolution
The Artificial Political Revolution: X Ways AI will Change Democracy…Forever
A vulnerability has been discovered in OpenSSH, which could allow for remote code execution. OpenSSH is a suite of secure networking utilities based on the SSH protocol and is crucial for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The EU Commission said Meta’s pay or consent model means users cannot freely consent to their personal data being collected for advertising purposes
A newly discovered RCE vulnerability, which can lead to full system compromise, has put over 14 million OpenSSH server instances are potentially at risk, according to Qualys
A new paper, “Polynomial Time Cryptanalytic Extraction of Neural Network Models,” by Adi Shamir and others, uses ideas from differential cryptanalysis to extract the weights inside a neural network using specific queries and their results. This is much more theoretical than practical, but it’s a really interesting result.
Abstract:
Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto’20 by Carlini, Jagielski, and Mironov. It resembles a differential chosen plaintext attack on a cryptosystem, which has a secret key embedded in its black-box implementation and requires a polynomial number of queries but an exponential amount of time (as a function of the number of neurons). In this paper, we improve this attack by developing several new techniques that enable us to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries and a polynomial amount of time. We demonstrate its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters. An attack following the approach by Carlini et al. requires an exhaustive search over 2^256 possibilities. Our attack replaces this with our new techniques, which require only 30 minutes on a 256-core computer.
Evil twin Wi-Fi access points mimicked legitimate networks to capture personal data from unsuspecting victims who mistakenly connected to them
Ransomware attacks are a huge problem: in the past five years alone, they have brought about a state of emergency across vast swathes of the United States, threatened to topple the Costa Rican government, and brought Portugal’s largest media conglomerate to its knees. And ransomware attackers show no signs of slowing down: last year, roughly one-third of all data breaches involved ransomware or some other extortion technique.
Preventing and protecting against ransomware attacks has become a global priority, with cybersecurity regulations and frameworks playing an essential role. By outlining, standardizing, and mandating preventative measures, cybersecurity regulations and frameworks ensure that organizations worldwide are prepared to deal with the ransomware threat. Let’s examine them more closely.
First, we need to understand cybersecurity regulations and what they do. There are far too many cybersecurity regulations for us to cover in this article, so we’ll focus on three of the most important: NIS2, DORA, and HIPAA.
Broadly speaking, cybersecurity regulations are sets of laws, rules, or guidelines enacted by governments or regulatory bodies to protect information systems, networks, and data from cyber threats and attacks. These regulations ensure data and information systems’ confidentiality, integrity, and availability by enforcing specific security practices, controls, and procedures. But let’s look at each of our examples a little more closely:
The Network and Information Security Directive 2 (NIS2) is a legislative framework established by the European Union (EU) to enhance member states’ cybersecurity resilience and response capabilities. It builds upon the original NIS Directive to strengthen cybersecurity measures in critical infrastructure sectors, promote cooperation among member states, and hold organizations accountable.
The Digital Operational Resilience Act (DORA) is a regulatory framework that came into force in January 2023. It aims to enhance the financial sector’s digital operational resilience within the EU. DORA’s primary goal is to ensure that financial institutions can withstand, respond to, and recover from all types of ICT (Information and Communication Technology) related disruptions and threats, including ransomware and cyberattacks. The Act complements the NIS2 regulation in the financial services domain.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA sets the standard for protecting sensitive patient data, and organizations dealing with protected health information (PHI) must ensure that they put in place and follow all necessary physical, network, and process security measures to comply.
Now that we better understand each regulation, we can explore how they improve ransomware readiness. Again, we won’t have time to explore each regulation’s provisions in their entirety, so we’ll pick out some of the most important.
NIS2 has several provisions that improve relevant organizations’ resilience to ransomware attacks. For example:
● Risk Management: NIS2 mandates that organizations implement robust risk management practices, including conducting regular risk assessments and deploying advanced security controls.
● Supply Chain Management: NIS2 compliance reduces the risk of ransomware attacks spreading through supply chains. Under NIS2, organizations must ensure that their suppliers and service providers adhere to stringent cybersecurity practices to prevent ransomware from spreading.
● Information Sharing: NIS2 requires member states to contribute to and cooperate with the Cyber Crisis Liaison Organizations Network (EU-CyCLONe), which shares threat intelligence and best practices with other member states.
DORA Here are some examples of the DORA provisions that ensure organizations improve their ransomware preparedness:
Comprehensive ICT Risk Management:
● DORA requires financial entities to conduct thorough risk assessments to identify vulnerabilities that ransomware attackers could exploit. They must implement robust risk management frameworks to mitigate these risks effectively.
● Financial institutions must deploy advanced security controls and technologies, such as firewalls, intrusion detection systems, and endpoint protection, to prevent ransomware attacks.
Incident Detection and Response:
● DORA mandates the implementation of monitoring and detection mechanisms to identify ransomware and other cyber threats promptly.
● Relevant organizations must have detailed incident response plans in place. These plans should outline procedures for containing, mitigating, and recovering from ransomware attacks, ensuring minimal disruption to operations.
Regular Testing:
● DORA requires regular testing of digital operational resilience, including penetration testing and scenario-based testing. These tests help financial institutions prepare for and effectively respond to ransomware attacks.
HIPAA, however, has a focus on security standards and safeguards to improve ransomware readiness, including:
Administrative Safeguards – Policies and procedures for managing the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI). Examples include:
● Security Awareness and Training – Regular training for employees on recognizing and responding to ransomware threats.
● Incident Response Plans – Procedures for responding to security incidents, including ransomware attacks.
Technical Safeguards – Technology and policies to protect ePHI and control access to it. Examples include:
● Access Controls – Ensuring only authorized personnel can access ePHI; this includes unique user IDs, emergency access procedures, and automatic logoff.
● Encryption – Encrypting ePHI to protect data at rest and in transit from unauthorized access is crucial for preventing ransomware attackers from accessing and exfiltrating sensitive information.
While we have covered some specific examples from each regulation, it’s important to keep in mind that they share many of the same provisions: By implementing a few basic cybersecurity measures, you can set your organization on the path to compliance with a wide range of regulations and dramatically improve your ransomware preparedness.
For example, it’s essential to conduct regular risk assessments and implement risk management strategies to identify and remediate vulnerabilities. Similarly, most regulations require incident response plans, security awareness training, continuous monitoring, and technical measures such as advanced anti-ransomware solutions, encryption, and multi-factor authentication.
But most importantly, you must recognize that threats and regulations are constantly evolving. As such, it’s essential to regularly review and update security policies and procedures to ensure you’re protected from emerging ransomware threats and comply with changing regulations.
In conclusion, achieving regulatory compliance is a great first step to protecting against ransomware. While it’s always advisable to go above and beyond regulatory requirements, regulations such as NIS2, DORA, and HIPAA are valuable guidelines for implementing an effective cybersecurity program. Try not to think of cybersecurity regulations as cumbersome rules you must follow; think of them instead as a free resource to help you protect your organization.
Insurance broker Howden says premiums are falling as security best practice takes hold
It was discovered that OpenSSH incorrectly handled signal management. A
remote attacker could use this issue to bypass authentication and remotely
access systems without proper credentials.