Remember when the common wisdom was to not pirate commercial software because downloading random executables was likely to infect you with malware that would steal your data or worse?
Now we pay for legitimate, signed copies of software from vendors who load their applications with AI "features" that exfiltrate your data to remote servers and no way to disable that.
I feel old. When I started out, we got our malware for free and were doing something wrong when we did.
Maybe this is payback for all those C64 games I pirated when I was 16.
In either case, I'm still on the wrong side of the law. Back then, my pimply ass was taking the bread out of game developers' mouths.
Now Acrobat, Copilot, etc. are silently exfiltrating my employer's Export Controlled Information to unauthorized third parties when I use employer-supplied tools putting me in violation of export control laws and exposing me to federal jail time. Intent doesn't matter, knowledge doesn't matter. If ECI I'm handling gets out, it's my ass in the fire.
Our IT department has been happily rolling out AI-enabled internal tools that nobody* asked for while simultaneously warning us about our internal policy against external LLM and generative AI use and (also simultaneously) not being able to firewall off or block traffic to Adobe or Microsoft's AI farms because they have a constantly morphing pool of AI servers to make them effectively unblockable.
Just like botnet operators.
Oh right. IT pays Adobe a license fee so Adobe can harvest my work and put me at risk of federal jail time. They also pay Microsoft a license fee to do the same.
This is the same IT department that does its best to lock down my workstation to prevent me from using unauthorized unsafe free applications instead of the authorized unsafe applications they paid money for.
I don't for a second feel our IT department is especially incompetent or evil in this regard. They don't seem too different from every other corporate IT department I've dealt with in the past 20 years or so.
Clearly if I suggest that corporate IT is the main problem, I'm the one with the attitude problem, I'm the security risk.
* i.e. our investors
Often with tone of "we'll fire and prosecute you to the fullest intent of the law" because since all the malls started closing, all the mall cops moved into IT. That's my theory anyway.
I'm ruminating on spending the effort to write this up from a nuclear engineering perspective and posting it to LinkedIn, just for the grins.
I know, posting anything to LinkedIn is about as advisable as repeatedly striking oneself in the forehead with the pointy end of a geologist's rock pick. Completely inadvisable.
Our internal developer discussion today centered on discussing these issues, basically treating generative AI as a grievous security risk that nobody in our industry is prepared to handle. You thought Stuxnet and SCADA attacks were a major worry - bah! Those sorts of attacks are nation-state movie plot risks by comparison. Yes, they are real - follow @vncresolver@fedi.computernewb.com for some appalling fun - but they are rare, especially in nuclear. At least rare compared to the number of engineers whose managed work machines have Microsoft Office, Acrobat Reader, and similar AI-tainted tools installed by their authoritarian betters in corporate IT.
Basically our internal engineering and developer communities are working to raise awareness of the security risk of AI, how AI systems operate, the details of the vulnerabilities, the consequences, and what little defenses we have beyond personal awareness. With IT often locking things down to the point that we cannot protect ourselves or worse, actively enabling and propagating risk, we need to support each other in defending against AI.
I'm not sure that feeding content into LinkedIn could do anything positive but there may be a few engineers out there who still take their security responsibilities under 10CFR seriously.
Then again, the rule of law is dead in the US and trying to prop up its rotting corpse will just get me pegged (further) as an enemy of the state. No matter what I do, I'm going to end up in a camp, probably sooner than later.
@arclight@oldbytes.space mall cops! That stings
@h2onolan@infosec.exchange Cruel but there's such an attitude of impotent authoritarian copdom and Short Man Syndrome from a big faction of IT. Too much Call of Duty and Ready or Not in the off hours leads to excessive bootlicking while on the clock. Though honestly, it's probably the other way around - the games are a symptom, not a cause. :/
@h2onolan@infosec.exchange Cruel but there's such an attitude of impotent authoritarian copdom and Short Man Syndrome from a big faction of IT. Too much Call of Duty and Ready or Not in the off hours leads to excessive bootlicking while on the clock. Though honestly, it's probably the other way around - the games are a symptom, not a cause. :/
@arclight@oldbytes.space yes. Pulling back the young napoleons with a reminder that we are here to make things work for those around us has been a full time βduties as assignedβ for much of my career. BOfH is funny because its true, but also; fck that guy
@arclight@oldbytes.space yes. Pulling back the young napoleons with a reminder that we are here to make things work for those around us has been a full time βduties as assignedβ for much of my career. BOfH is funny because its true, but also; fck that guy
arclight