Brutkey

arclight
@arclight@oldbytes.space

I'm ruminating on spending the effort to write this up from a nuclear engineering perspective and posting it to LinkedIn, just for the grins.

I know, posting anything to LinkedIn is about as advisable as repeatedly striking oneself in the forehead with the pointy end of a geologist's rock pick. Completely inadvisable.

Our internal developer discussion today centered on discussing these issues, basically treating generative AI as a grievous security risk that nobody in our industry is prepared to handle. You thought Stuxnet and SCADA attacks were a major worry - bah! Those sorts of attacks are nation-state movie plot risks by comparison. Yes, they are real - follow
@vncresolver@fedi.computernewb.com for some appalling fun - but they are rare, especially in nuclear. At least rare compared to the number of engineers whose managed work machines have Microsoft Office, Acrobat Reader, and similar AI-tainted tools installed by their authoritarian betters in corporate IT.

Basically our internal engineering and developer communities are working to raise awareness of the security risk of AI, how AI systems operate, the details of the vulnerabilities, the consequences, and what little defenses we have beyond personal awareness. With IT often locking things down to the point that we cannot protect ourselves or worse, actively enabling and propagating risk, we need to support each other in defending against AI.

I'm not sure that feeding content into LinkedIn could do anything positive but there may be a few engineers out there who still take their security responsibilities under 10CFR seriously.

Then again, the rule of law is dead in the US and trying to prop up its rotting corpse will just get me pegged (further) as an enemy of the state. No matter what I do, I'm going to end up in a camp, probably sooner than later.

arclight
@arclight@oldbytes.space

And it really shouldn't be Us vs Them regarding IT. None of us want to cause a security incident, none of us want to make more work for IT, we all take security seriously, and theoretically we're all on the same page.

Except the authoritarian small-dick IT Guy attitude is what IT leads with. No conversation, no discussion, no understanding, no listening - always a command and a threat. Mall Cop training 101: Establish Control of The Situation By Acting Like A Big Dog.

Way to establish an atmosphere of trust and build effective security throughout the organization there Chief. "Play stupid games, win stupid prizes" works both ways but hey, you're the one who decided to communicate primarily through pendulous scrotum waving. Not much I can work with there.

I worked Ops for 13 years and dealt with my share of security incidents. I learned incident response, chain-of-custody, what you can and can't tell from logs decades ago at the LISA conference from People Who Had Seen Some Shit. People who traced intruders back through the modem pool only to lose them in archaic (analog?) switches that hadn't yet been upgraded. I was responsible for locking down and monitoring my systems. The fundamentals haven't changed and one of those fundamentals is to not be a dick to the people you're trying to protect. If you treat them like the enemy, they'll act like the enemy, and it will be your fault for making it that way. But that requires some amount of social ability and willingness to use it. Much easier to go all Cartman with RESPECT MY AUTHORITAAAAY!


Sir Osis of Liver 🇨🇦🇨🇦 🇲🇽🇲🇽
@Sir_Osis_of_Liver@beige.party

@arclight@oldbytes.space

There was one utility I worked with that maintained all of their transmission and distribution logic as hard-wired discrete logic.

Need to change breaker closing sequence? An electrician would be dispatched to the switchyard to physically re-wire the logic.

Their SCADA was for monitoring only, and completely segregated from the internet.

At the time I thought it was really odd and old fashioned. Now, I'm convinced they had the right idea.

Poul-Henning Kamp
@bsdphk@fosstodon.org

@Sir_Osis_of_Liver@beige.party @arclight@oldbytes.space

It used to be a fundamental principle of any process control, that you would have "actuators" and "indicators".

And the indicators would show you the present situation, 100% independent of the actuators.

Today they are combined into a single program on a Windows PC.

... Which is precisely why Stuxnet could keep the Iranians in the dark for so long: They hacked the indicator part to show what the actuators were set to, instead of what happened.
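The two posts above describe the same design principle from two sides: a monitoring-only SCADA with no write path, and indicators that are independent of the actuators. The following is an added illustration, not code from this thread or from any real control product, and it says nothing about Stuxnet's actual implementation. It models a hypothetical rotor-speed loop with a constructed "tamper" that drives the process somewhere other than the setpoint while the controller's own record still says the setpoint. A display fed from that record (the combined case) cannot disagree with the setpoint; a display fed from its own sensor on the process (the independent case) can, and a plain deviation check then fires. All names (`Process`, `Actuator`, `run`, the rpm values) are assumptions for the example.

```python
"""Added example: indicator independent of the actuator vs. indicator
read back from the actuator's own record. Hypothetical model only."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Process:
    """Physical state the operator cannot observe directly (hypothetical rotor)."""
    speed_rpm: float = 0.0


class Actuator:
    """Receives setpoints and drives the process.

    `tamper` models a compromised controller: it drives the process to some
    other value while its own record still holds the operator's setpoint.
    """

    def __init__(self, process: Process,
                 tamper: Optional[Callable[[float], float]] = None):
        self.process = process
        self.last_setpoint = 0.0
        self.tamper = tamper

    def command(self, setpoint_rpm: float) -> None:
        self.last_setpoint = setpoint_rpm
        actual = self.tamper(setpoint_rpm) if self.tamper else setpoint_rpm
        self.process.speed_rpm = actual


class CombinedIndicator:
    """The 'single program' case: the displayed value is the actuator's own
    record of what it was told to do, so it can only ever agree with it."""

    def __init__(self, actuator: Actuator):
        self._actuator = actuator

    def read(self) -> float:
        return self._actuator.last_setpoint


class IndependentIndicator:
    """Monitoring-only path: its own sensor on the process and no write
    access. Note it holds no reference to the actuator at all."""

    def __init__(self, process: Process):
        self._process = process

    def read(self) -> float:
        return self._process.speed_rpm


def deviation_alarm(setpoint: float, indicated: float, tol: float) -> bool:
    """True when the indicated value differs from the setpoint by more than tol."""
    return abs(indicated - setpoint) > tol


def run(setpoints, tamper=None, tol_rpm=50.0):
    """Step the loop through `setpoints`; return one record per step with
    both indicator readings and whether each would raise a deviation alarm."""
    proc = Process()
    act = Actuator(proc, tamper)
    combined = CombinedIndicator(act)
    independent = IndependentIndicator(proc)
    records = []
    for sp in setpoints:
        act.command(sp)
        c, i = combined.read(), independent.read()
        records.append({
            "setpoint": sp,
            "combined_reads": c,
            "independent_reads": i,
            "combined_alarm": deviation_alarm(sp, c, tol_rpm),
            "independent_alarm": deviation_alarm(sp, i, tol_rpm),
        })
    return records


if __name__ == "__main__":
    # Constructed tamper: overspeed by 400 rpm while the record says the setpoint.
    def overspeed(sp: float) -> float:
        return sp + 400.0

    for rec in run([1000.0, 1000.0, 1000.0], tamper=overspeed):
        print(rec)
```

The point the model makes is structural rather than about any particular attack: `CombinedIndicator` has no information that did not pass through `Actuator`, so compromising the actuator's reporting is sufficient to blind the display. `IndependentIndicator` can be blinded only by also compromising the separate sensor path, which is exactly the extra cost the old actuator/indicator split imposed on an attacker.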