Generative AI: Impact on Software Development and Security

This was a piece written as part of my work at Synopsys SIG and was published in a few places, but I liked it and wanted to keep it… At least until the lawyers chase me down.

Since the release of ChatGPT, the technology industry has been scrambling to establish and operationalise the practical implications of these human-level conversational interfaces. Now, almost every major organisation is connecting their internal or product documentation to a large language model (LLM) to enable rapid question-answering, and some are starting to wade into the use of generative AI systems to aid in the design and creation of new technical solutions, be it in marketing content, web application code or chip design. But the hype has had its sharp edges as well; the word ‘hallucination’ is never far from the lips of anyone discussing chatbots, and the assumptions that people have around human-like language being equivalent to ‘common sense’ have been seriously challenged. Potential users of LLM-derived systems would be wise to take an optimistic but pragmatic approach.

The release of the first major public Large Language Model (LLM) set off successive waves of amazement, intrigue and often, fear, on the part of a public unprepared for the surprisingly ‘human’ behaviour of this ‘chatbot’. It appeared to communicate with intentionality, with consideration, and with a distinctively ‘natural human’ voice. Over successive chat-enquiries, it was able to ‘remember’ its own answers to previous questions, enabling users to build up coherent and seemingly complex conversations, and to attempt to answer surprisingly ‘deep’ questions.
Yet, these systems should be treated as one would treat a child savant; it might know all the right words in the right order but may not really have the experience or critical thinking to evaluate its own view of the world; the outputs of these systems have not ‘earned’ our institutional trust, and care must be taken in leveraging these systems without significant oversight. ...

February 19, 2024 · Andrew Bolster

Dr StrangeBot: Or How I Learned to Stop Worrying and Trust Machine Learning

This post was originally published as part of my role at WhiteHat Security. Links have been added for context/comedy/my own entertainment, but no content has been modified.

Beneath the cynicism, hyperbole, market-making and FUD; the strategic importance of AI in Cybersecurity is only constrained by us ‘meatbags’. Being a data science practitioner in the cybersecurity space has been a double-edged sword for several years. On the one hand, with the proliferation of automated security testing, network IDS advances, the sheer growth in traffic and the threat surface of our increasingly complex, interconnected application development practices, these roiling oceans of flotsam and datum are everything our data hungry little hearts desire. Related innovations in data engineering in the past decade mean that questions that had previously only lived in the craven dreams of executive officers and deranged analysts are now the kind of tasks that we hand off to interns to make sure they have correctly set up their workstations. ...

March 24, 2021 · Andrew Bolster

Tell me about your Programmer - Robopsychologist and other careers that don't exist (yet)

This talk was originally prepared for NI Raspberry Jam’s Kids Track, associated with the full Northern Ireland Developers Conference, held in lockdown and pre-recorded in the McKee Room in Farset Labs.

In Isaac Asimov’s stories, the technical, social and personal impacts of advanced robotics and artificial intelligence are explored. One creation in his books was the career of “Robopsychologist”, a combination of mathematician, programmer, and psychologist, that diagnosed and treated misbehaving AI. In this talk we’ll discuss how on earth you can prepare for careers in Robopsychology and other careers that don’t exist (yet). ...

October 19, 2020 · Andrew Bolster

The Importance of Active Learning in Data Science and Engineering

Originally posted in Cybersecurity Insiders.

Back when I was pursuing my undergraduate degree in electronics and software engineering, I couldn’t imagine a path that would lead to me working with NATO on port protection and maritime defense, teaching smart submarines how to trust each other. But while I was working toward a Ph.D., that’s what happened. Instead of following the path into academia, a friend enticed me to work with him on biometrics. From there, I found an opportunity to apply my skills and knowledge to the cybersecurity industry – but that’s not something I could have predicted either. ...

March 4, 2020 · Andrew Bolster

And Now I Am 31

Another year gone, thought it was time for some reflection. As @Sigma helpfully pointed out to me, 31 is officially the boundary of “30’s” not 30, so I’m gonna take this year as being my “friendly match” with my 30’s and hopefully take this year a bit more wisely. What follows is a vaguely structured stream of consciousness, more for my benefit than anyone else’s. If you want a wee window to see what’s behind the beard, read on. If you’re expecting anything revolutionary, disruptive or surprising, you’re gonna be disappointed… ...

May 17, 2019 · Andrew Bolster

Unfeeling Fire

This is an approximate transcript from my July 2018 talk at Digital DNA’s AI NI Community Panel on whether the use of AI in defence and surveillance was inherently evil. Yes, it’s been sitting in my drafts folder for months because I completely forgot about it, sorrynotsorry.

Hello folks, I’m Andrew Bolster, most everyone calls me Bolster. And nobody calls me Doctor. I’m a Data Scientist at Alert Logic, a cyber security firm based in Texas but with a research office in Weavers Court where we monitor, analyse and identify malicious and suspicious internet activity, protecting thousands of companies with advanced sequence and pattern matching sensors deployed across the world. ...

October 23, 2018 · Andrew Bolster

Unattended Updates in Linux Mint

There are several very valid tutorials and guides around about getting Ubuntu, Debian and Mint to automatically update and upgrade, but they don’t do much explaining/checking. This is a short post filling in the gaps I observed.

Get the package

sudo apt-get install unattended-upgrades -y

Enable the package scheduler

File Being Messed With: /etc/apt/apt.conf.d/20auto-upgrades
Log File Being Watched: /var/log/unattended-upgrades/unattended-upgrades.log

I’ve got no idea why this isn’t automatic; possibly that in other environments, you only want security level upgrades to core system components rather than updating all regular applications. (Not doing this left me scratching my head for a while wondering why the logs kept saying "No packages found that can be upgraded unattended" when apt was telling me something completely different.) Anyway, put the following into a new file named above. ...

February 6, 2015 · Andrew Bolster

I do not understand credit markets

After 20+ years with Ulster Bank (All hail Henry Hippo), and with countless computer, customer service, overdraft, and credit card problems, I’m jumping ship to Santander on the advice of my friends, colleagues and family. It hasn’t gone so well.

Credit Background

I’ve been a good boy, when it comes to finance.

- No loans other than Student
- No Car
- No Mortgage
- No Dependants
- Reasonable ‘Disposable income’ (even if that income is usually ‘disposed’ in either bars and restaurants or gadgets)
- Been employed in one form or another since I was 15
- A few slip ups on the credit card but always paid back within the next month
- A few slips over the overdrafts as an undergrad, but who didn’t?
- Currently well out of my overdraft

So I called in last week, asked what paperwork I’d need to move my account, was given great assistance and told ‘We’ve got you an appointment next week and we can sort it all out’ ...

July 29, 2014 · Andrew Bolster

So, what is it you do again?

Update: I got asked to do a simplified version of this post for the University of Liverpool; it lives here (Backup).

I’m technically in a third year of a PhD, and most of the time, when someone asks me what it is I’m actually doing, I fluff it and say something about “autonomous submarines” or “collaborative autonomy” or “Emergent properties of communities” or something similarly vague. In the spirit of setting the record straight in a less-academic way, I thought it’d be worthwhile to edit a presentation I recently made to the Association for the Advancement of Artificial Intelligence last month in Stanford and make it a little more digestible. ...

May 13, 2014 · Andrew Bolster

SSH Persistence Redux: Multiple sites and Crontab Laziness

Inspired by a pretty good write up by Cynofield as to his setup for getting a Raspberry Pi to “phone home”, I thought I’d set out how I do it. I have a machine that lives behind a ‘security’ infrastructure that makes my life a living hell. As a result, I set up automatic persistent reverse shells going back to other machines I use, so if I connect to those machines, I can get into the secure environment, without anything nasty being able to get in with me. ...

July 6, 2013 · Andrew Bolster