Our IT department has been happily rolling out AI-enabled internal tools that nobody* asked for while simultaneously warning us about our internal policy against external LLM and generative AI use and (also simultaneously) not being able to firewall off or block traffic to Adobe or Microsoft's AI farms because they have a constantly morphing pool of AI servers to make them effectively unblockable.
Just like botnet operators.
Oh right. IT pays Adobe a license fee so Adobe can harvest my work and put me at risk of federal jail time. They also pay Microsoft a license fee to do the same.
This is the same IT department that does its best to lock down my workstation to prevent me from using unauthorized unsafe free applications instead of the authorized unsafe applications they paid money for.
I don't for a second feel our IT department is especially incompetent or evil in this regard. They don't seem too different from every other corporate IT department I've dealt with in the past 20 years or so.
Clearly if I suggest that corporate IT is the main problem, I'm the one with the attitude problem, I'm the security risk.
* i.e. our investors
Often with tone of "we'll fire and prosecute you to the fullest intent of the law" because since all the malls started closing, all the mall cops moved into IT. That's my theory anyway.
I'm ruminating on spending the effort to write this up from a nuclear engineering perspective and posting it to LinkedIn, just for the grins.
I know, posting anything to LinkedIn is about as advisable as repeatedly striking oneself in the forehead with the pointy end of a geologist's rock pick. Completely inadvisable.
Our internal developer discussion today centered on discussing these issues, basically treating generative AI as a grievous security risk that nobody in our industry is prepared to handle. You thought Stuxnet and SCADA attacks were a major worry - bah! Those sorts of attacks are nation-state movie plot risks by comparison. Yes, they are real - follow @vncresolver@fedi.computernewb.com for some appalling fun - but they are rare, especially in nuclear. At least rare compared to the number of engineers whose managed work machines have Microsoft Office, Acrobat Reader, and similar AI-tainted tools installed by their authoritarian betters in corporate IT.
Basically our internal engineering and developer communities are working to raise awareness of the security risk of AI, how AI systems operate, the details of the vulnerabilities, the consequences, and what little defenses we have beyond personal awareness. With IT often locking things down to the point that we cannot protect ourselves or worse, actively enabling and propagating risk, we need to support each other in defending against AI.
I'm not sure that feeding content into LinkedIn could do anything positive but there may be a few engineers out there who still take their security responsibilities under 10CFR seriously.
Then again, the rule of law is dead in the US and trying to prop up its rotting corpse will just get me pegged (further) as an enemy of the state. No matter what I do, I'm going to end up in a camp, probably sooner than later.
@arclight@oldbytes.space
The attitude I'm running into is "business has decided..."
Questions about utility? You're the problem.
Questions about ethics? You're afraid of losing your job.
Questions about data security? You're the security architect, figure it out!
WhY aRe yOU pReVeNTinG us FRom tHE FUTURE?!
It's also a pretty bad time to be looking for a job I hear. FML.
@vncresolver@fedi.computernewb.com
And it really shouldn't be Us vs Them regarding IT. None of us want to cause a security incident, none of us want to make more work for IT, we all take security seriously, and theoretically we're all on the same page.
Except the authoritarian small-dick IT Guy attitude is what IT leads with. No conversation, no discussion, no understanding, no listening - always a command and a threat. Mall Cop training 101: Establish Control of The Situation By Acting Like A Big Dog.
Way to establish an atmosphere of trust and build effective security throughout the organization there Chief. "Play stupid games, win stupid prizes" works both ways but hey, you're the one who decided to communicate primarily through pendulous scrotum waving. Not much I can work with there.
I worked Ops for 13 years and dealt with my share of security incidents. I learned incident response, chain-of-custody, what you can and can't tell from logs decades ago at the LISA conference from People Who Had Seen Some Shit. People who traced intruders back through the modem pool only to lose them in archaic (analog?) switches that hadn't yet been upgraded. I was responsible for locking down and monitoring my systems. The fundamentals haven't changed and one of those fundamentals is to not be a dick to the people you're trying to protect. If you treat them like the enemy, they'll act like the enemy, and it will be your fault for making it that way. But that requires some amount of social ability and willingness to use it. Much easier to go all Cartman with RESPECT MY AUTHORITAAAAY!
@arclight@oldbytes.space
There was one utility I worked with that maintained all of their transmission and distribution logic as hard wired discreet logic.
Need to change breaker closing sequence? An electrician would be dispatched to the switchyard to physically re-wire the logic.
Their SCADA was for monitoring only, and completely segregated from the internet.
At the time I thought it was really odd and old fashioned. Now, I'm convinced they had the right idea.
@arclight@oldbytes.space
There was one utility I worked with that maintained all of their transmission and distribution logic as hard wired discreet logic.
Need to change breaker closing sequence? An electrician would be dispatched to the switchyard to physically re-wire the logic.
Their SCADA was for monitoring only, and completely segregated from the internet.
At the time I thought it was really odd and old fashioned. Now, I'm convinced they had the right idea.
@Sir_Osis_of_Liver@beige.party @arclight@oldbytes.space
It used to be a fundamental principle of any process control, that you would have "actuators" and "indicators".
And the indicators would show you the present situation, 100% independent of the actuators.
Today they are combined into a single program on a Windows PC.
... Which is precisely why StuxNet could keep the iranians in the dark for so long: They hacked the indicator part to show what the actuators were set to, instead of what happened.
@Sir_Osis_of_Liver@beige.party @arclight@oldbytes.space
It used to be a fundamental principle of any process control, that you would have "actuators" and "indicators".
And the indicators would show you the present situation, 100% independent of the actuators.
Today they are combined into a single program on a Windows PC.
... Which is precisely why StuxNet could keep the iranians in the dark for so long: They hacked the indicator part to show what the actuators were set to, instead of what happened.
arclight
