So long to passwords, and thanks for all the Phish, Security staff now face the risk of prison terms for mistakes and a leaked Google memo says there is a bigger competitive threat than ChatGPT.
These top tech news stories and more for Monday, May the 8th 2023. I’m your host, Jim Love, CIO of IT World Canada and Tech News Day in the US.
While it appears that Google has lost its AI dominance and been caught flat-footed by Microsoft’s integration of ChatGPT, some are questioning whether a new competitor might threaten the lead of both of these giants.
A memo leaked from Google puts forward a dire warning:
“the uncomfortable truth is, we aren’t positioned to win this arms race and neither is OpenAI. While we’ve been squabbling, a third faction has been quietly eating our lunch.”
That faction referred to is the open source movement.
The memo goes on to outline just how big a threat open source could be. It says,
“While our models still hold a slight edge in terms of quality, the gap is closing astonishingly quickly.”
“Open-source models are faster, more customizable, more private, and pound-for-pound more capable.”
“They are doing things with $100 and 13B params that we struggle with at $10M and 540B.”
“And they are doing so in weeks, not months.”
“This has profound implications for us:”
The memo, which is worth reading in its entirety, bemoans the fact that Google, and even ChatGPT and other large companies, don’t have a “secret sauce.” In fact, their supposed advantage, huge models and the gigantic datasets used to train them, may ultimately be a disadvantage. The memo goes on to say:
“Giant models are slowing us down. In the long run, the best models are the ones which can be iterated upon quickly.”
And these open-source models are real and functional. We covered a story in our weekend edition about Databricks, which has made a free open-source model available that they trained with 5,000 employees.
The Google memo ends with a warning that Google should get on board with the open-source movement. The writer claims that to date, the real winner in the AI competition has been Meta. Facebook’s parent released its Llama model for use in academic research. That model was leaked but the author of this Google memo thinks that was a good thing. According to the author, Meta now inherits, “an entire planet’s worth of free labor. Since most open-source innovation is happening on top of their architecture, there is nothing stopping them from directly incorporating it into their products.”
And as for the leadership that Microsoft and OpenAI have established? The memo goes on to say:
“OpenAI doesn’t matter. They are making the same mistakes we are in their posture relative to open-source, and their ability to maintain an edge is necessarily in question. Open-source alternatives can and will eventually eclipse them unless they change their stance. In this respect, at least, we can make the first move.”
This leaked memo is an astonishing and, at least on its face, sensible assessment of the current state of AI and its relationship to the open-source movement.
There’s a link to the memo, and watch for our upcoming interview with Databricks on our weekend interview show about the open-source AI model they released last month.
Sources include: Hashtag Weekend (upcoming episode) and The Natural
Salesforce introduces SlackGPT, which it describes as a new conversational AI for business. Slack is one of the most popular collaboration applications. Salesforce bought the app in 2021 for 27 billion dollars with great hopes that it would accelerate the growth of their CRM-turned-cloud business platform.
CEO and founder Marc Benioff described that deal in glowing terms at the time: “This is a match made in heaven. Together, Salesforce and Slack will shape the future of enterprise software and transform the way everyone works in the all-digital, work-from-anywhere world.”
Now, adding to this incredibly successful app, Salesforce is bringing the power of Large Language Models (LLMs) like ChatGPT to create no-code workflows. While ChatGPT is an obvious addition, Salesforce notes that customers will have a choice of which AI platform they employ. They will soon offer their own AI, which they call Einstein GPT.
The company’s announcement reads, “Most importantly, the AI is customizable to a company’s unique needs — whether they want to integrate a language model of choice, build their own AI-powered no-code workflows, or bring AI effortlessly into the Slack experience.”
We’ve all heard about the problems with passwords. They are easy to guess, easy to hack, and no matter how much training we do or how hard we try to force our users to make passwords more complex and harder to guess, we continue to get nowhere.
That’s why the idea of moving to a world of “no passwords” is so enticing. And Google has added a step forward in that direction.
Google Account holders can now use a passkey instead of a password according to an announcement in a Google security blog post last Wednesday.
With the new Google facility, end users establish their identity on their device using biometrics, a PIN or another secure unlock method. From there, the device authenticates them to Google by signing a challenge. The blog notes:
“The signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site,”
According to a report in Tech Republic, “The security enhancement comes from storing the passkey locally and keeping it from being visible to any third parties. Even if an attacker knows your Google Account address, the password won’t be stored alongside it.” In other words, providing assurance that you have the authority to log in to a site doesn’t expose anything that a hacker can steal.
For those who still prefer the lesser security of passwords or the slightly better two-factor authentication, that option will be available. For the rest of us, the vision of a world where we don’t need to worry about passwords is one step closer.
The Hacker News reported a new vulnerability in a popular app associated with over two million WordPress sites.
The plugin is called Advanced Custom Fields and is available in free and paid versions. According to a researcher at Patchstack:
“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path.”
The attack this makes possible is called reflected cross-site scripting (XSS), and as The Hacker News so aptly described it, “Reflected cross-site scripting attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser.”
If you have a WordPress site, you may want to check whether you use this popular plugin, and if a patch is not available, you may want to disable it.
As noted by my colleague in our sister podcast, CyberSecurityToday, WordPress plugins must be carefully monitored for vulnerabilities, managed and absolutely must be kept up to date with the latest patches.
Sources include: Hacker News
Uber’s former Chief Security Officer was sentenced to three years’ probation and 200 hours of community service for his role in covering up a 2016 cybersecurity breach.
This is the first time that an executive has been held personally and criminally responsible for mishandling a data breach – and it has sent shockwaves through the cybersecurity community.
Uber was hacked by a ransomware attacker in 2016. The company paid the attackers a ransom of 100,000 dollars not to release the stolen data and to keep the attack quiet. Sullivan, the CSO at the time, and his team paid the ransom through the company’s bug bounty program, which is normally used when security researchers report flaws.
In fairness to Sullivan and his team, many ransomware attackers present themselves as charging their ransom as a way of identifying weaknesses in the company’s security. It’s a stretch, but for an executive and a company under the gun, it’s not an inconceivable position.
As a result, the attack was not publicly disclosed until 2017, when Dara Khosrowshahi stepped into the CEO role. Khosrowshahi fired Sullivan in 2017, and told the jury in the case that he thought hiding the breach was “the wrong decision.”
Sullivan moved on to join Cloudflare as their chief security officer and he was there until 2022 when he stepped down, ostensibly to prepare for his trial.
In October, a jury found Sullivan guilty of obstructing an active FTC investigation and concealing the 2016 data breach, which affected 50 million riders and drivers.
The judge gave Sullivan probation despite the prosecution’s request for a 15 month jail sentence.
Judge William Orrick gave an ominous statement that should make every Chief Security Officer take notice: “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.”
Orrick added: “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”
The CISO job is already stressful enough. In a 2022 study by Heidrick & Struggles, 59 per cent of CISOs reported stress and 48 per cent reported burnout as the most significant personal risks. Now they can add potential jail time to that list.
If you thought it was difficult to recruit a CISO already, this has to make it even tougher. Moreover, these types of penalties including jail time and huge personal financial penalties are working their way into legislation in the US and Canada.
So, we have a question. Would Judge Orrick similarly agree that if a judge makes a wrong call from the bench and a murderer goes free, that the judge should be liable as well?
Or if legislators make a wrong call and toss the economy into recession and someone loses their business, should they be able to sue the legislator?
I didn’t think so.
The judge took 186 letters in support of Sullivan and dismissed many of them because many were CISOs that were afraid of jail time. “I’m not sure that they understand what the facts are,” he said.
With all due respect, your honour, and I do emphasize “due respect” you don’t understand the reality you are judging.
It’s perfectly appropriate for someone to lose their job, and even their reputation, for wrong decisions made in business – and we’ve all made bad decisions. But is it right that security professionals are held to a standard that legislators and judges won’t hold themselves to? Just asking.
And hey, if you have an opinion on this, please let me know.
Sources include: Axios
That’s the top tech news for today. We go to air with a daily newscast five days a week, as well as a special weekend interview with an expert on topics relevant to today’s tech news.
Follow Hashtag Trending on Google, Apple, Spotify or wherever you get your podcasts. And you can catch us on your Alexa or Google smart speaker. You might even find us on YouTube as TechNewsDay (if you look).
We love your comments. You can reach me on LinkedIn, Twitter (no check mark) or on Mastodon as @therealjimlove on our Mastodon site technews.social. Or if that’s too much, just leave a comment under the text version at itworldcanada.com/podcasts. Click the check mark or the X to send a message that comes right to me.
I’m your host, Jim Love. Have a Marvelous Monday!