‘ShadowRay’ vulnerability on Ray framework exposes thousands of AI workloads, compute power and data
The vulnerability was disclosed to Anyscale along with four others in late 2023
— but while all the others were quickly addressed, CVE-2023-48022 was not.
Anyscale ultimately disputed the vulnerability, calling it “an expected behavior
and a product feature” that enables the “triggering of jobs and execution of
dynamic code within a cluster.” ... Ray doesn’t have authorization because it is
assumed that it will run in a safe environment with “proper routing logic” via
network isolation, Kubernetes namespaces, firewall rules or security groups, the
company says. This decision “underscores the complexity of balancing security
and usability in software development,” the Oligo researchers write,
“highlighting the importance of careful consideration in implementing changes to
critical systems like Ray and other open-source components with network access.”
However, disputed tags make these types of attack difficult to detect; many
scanners simply ignore them. To this point, researchers report that ShadowRay
did not appear in several databases, including Google’s Open Source
Vulnerability Database (OSV). Also, they are invisible to static application
security testing (SAST) and software composition analysis (SCA)
Data governance in banking and finance: a complete guide
Data stewardship is an important concept in data governance that is crucial for
creating a culture of accountability and transparency around data management.
Data stewards are intermediaries between IT and business units, ensuring that
data quality is up to the established standard. In principle, data stewardship
creates actors within the organization who are interested in and can be held
accountable for data management. This helps mitigate data-related risks and
maximize the value of data assets. Appointing data stewards alone doesn't
fulfill the accountability cycle. Real accountability in data governance goes
beyond the operational level. It needs senior management's active involvement.
The sophistication and complexity of the accountability and management
structures around data governance depend on the data they will govern. Banks are
considered to be enterprises with the highest level of data complexity with an
additional challenge of regulatory maneuvers. However, the governance
infrastructure's exact scale varies with the bank's size.
Will a Google-Apple deal kill Microsoft’s AI dominance?
Even if the deal goes through, Microsoft could still dominate AI. It has a
substantial lead in AI, and it’s not taking anything for granted. OpenAI has
been quickly releasing new, more powerful versions of GPT — version 4 was
released in 2023, and it looks as if a “materially better” version 5 will be
available this summer. So ChatGPT and Copilot are constantly becoming more
powerful. In addition, Microsoft just hired Mustafa Suleyman, co-founder of
DeepMind, which was bought by Google in 2014 and which ultimately became
Gemini. After Suleyman sold DeepMind, he founded another AI startup,
Inflection AI, and Microsoft has hired not just Suleyman, but nearly the
entire AI staff of Inflection, including its chief scientist Karén Simonyan.
Microsoft now has the best AI talent in the world either on staff or working
for OpenAI. Microsoft has also been busy monetizing AI. Copilot is now built
into the company’s entire product line, offered as a fee-based add-on.
Microsoft can plow that revenue back into research. And, of course, it’s not a
foregone conclusion that Google and Apple will make a deal. Even if they do,
it’s not clear how well it will work.
The increasing potential and challenges of digital twins
Evidently, there are many commonalities across these domains when it comes
to current obstacles and opportunities for digital twins — but at the same
time, there is also variability in how digital twins are perceived and used
depending upon the specific challenges faced by each research community.
Accordingly, the National Academies of Sciences, ... The report —
recapitulated by Karen Willcox and Brittany Segundo in a Comment — proposes
a cross-domain definition for digital twins based on a previously published
definition and highlights many issues and gaps also echoed by some of
the manuscripts in the Focus, such as the critical role of verification,
validation, and uncertainty quantification; the notion that a digital twin
should be ‘fit for purpose’, and not necessarily an exact replica of the
corresponding physical twin; the need for protecting individual privacy when
relying on identifiable, proprietary, and sensitive data; the importance of
the human in the loop; and the need of sophisticated and scalable methods
for enabling an efficient bidirectional flow of data between the virtual and
physical assets.
Why CTOs Must Become Better Storytellers
David Lees, CTO of Basis Technologies, says impactful storytelling by CTOs
can help demonstrate a complete understanding of stakeholder needs. “Most
CTOs know their technological offerings inside and out, and how they can
help the organization in the immediate and longer term,” he says. However,
CTOs will need to communicate their expertise in a way that is accessible to
other C-suite members in non-tech departments, turning complex, jargon-heavy
ideas into simpler narratives. Gaining inspiration from stakeholders is not
a one-size-fits-all exercise, so an in-depth knowledge of everyone empowers
CTOs to tailor their communication on a case-by-case basis. Some employees
or investors are motivated by facts and figures, for example pointing out
how recent upgrades have doubled service speeds in comparison to a
competitor. ... Petrovskis says he recommends ditching whitepapers and
reading case studies, but most important is to get out in front of your
customers. “Don’t get me wrong, there’s a time and place for whitepapers,
but they don’t really provide the real feel of customer issues and
understanding the issues your customers face will allow you to be far more
relatable to the audiences you’re trying to reach,” he explains.
Navigating the Complexities of Data Privacy: Balancing Innovation and Protection
Certainly, the regulations surrounding the use of personal data have evolved
significantly since the Cambridge Analytica scandal, in which a British
consulting group obtained personal data from millions of Facebook users
without their consent for political advertising purposes. Both Meta
(Facebook’s parent company) and Google have introduced privacy guides —
albeit somewhat intricate — aimed at empowering users to prevent a
recurrence of such a notorious incident. Yet, while tech giants like Google
and Facebook can readily afford the expenses associated with robust privacy
measures, it raises concerns about the potential burden imposed on
innovative but underfunded startups. Fledgling entities, brimming with
promising ideas, may find themselves constrained by the necessity for
extensive privacy controls, hindering their abilities. For tech businesses,
adapting to these privacy laws can mean increased compliance costs and
potential innovation delays. For consumers, while their data rights are
better protected, the experience of using digital services may become more
cumbersome due to consent requirements.
Patchless Apple M-Chip Vulnerability Allows Cryptography Bypass
The new vulnerability is associated with a performance optimization feature
called data memory-dependent prefetchers (DMP) in Apple's M1, M2, and M3
microprocessors, which are used to preemptively cache data; they allow the
chip to anticipate the next bit of information that it will need to access,
which speeds up processing times. DMP "predicts memory addresses to be
accessed in the near future and fetches the data into the cache accordingly
from the main memory," according to the paper. Apple's specific take on DMP
takes prefetching a step further by also considering the content of memory
to determine what to fetch, the researchers noted — and therein lies the
problem. Many developers use a coding practice or technique called
constant-time programming, especially developed for cryptographic protocols.
The idea behind constant-time programming is to ensure that a processor's
execution time remains the same, regardless of whether the inputs are secret
keys, plaintext, or any other data. The goal is to ensure that an attacker
cannot derive any useful information by simply observing execution times or
by tracing the code's control flow and memory accesses.
AI-Driven Cloud Revolution: Transforming Business Operations and Efficiency
AI-driven optimizations have a significant impact on cloud expenditure for
businesses, driving cost savings and efficiency gains across various
dimensions. AI algorithms analyze usage patterns to predict resource needs,
enabling businesses to automatically scale resources up or down as needed.
This eliminates over-provisioning and under-provisioning, ensuring optimal
resource utilization and avoiding wasted costs. AI automates tasks like
resource management and infrastructure optimization, reducing the need for
dedicated personnel. AI helps identify and eliminate underutilized resources
and predict hardware failures, preventing downtime and associated expenses.
Data management is also optimized by archiving less-accessed data in cheaper
tiers and utilizing compression techniques, further reducing storage costs.
To help businesses propel, at G7 CR, we reduce their “Cloud spend by minimum
25%”. Also, as mentioned earlier, we are launching the “AI Apps Program”, a
cost-effective way to leverage AI and achieve extravagant results.
How AI-powered employee experiences can create an engaged workforce?
AI-driven recruitment platforms are transforming this landscape by
automating repetitive tasks, identifying top talent more efficiently, and
enhancing the overall candidate experience. AI algorithms help recruiters to
analyze vast amounts of data to identify patterns and predict candidate
success, leading to more informed hiring decisions. Additionally, AI-powered
chatbots can engage with candidates in real-time, providing personalised
support and information throughout the application and onboarding process.
Virtual assistants, for instance, can improve communication and shorten
response times by giving staff members immediate access to resources,
information, and assistance. To promote a culture of appreciation and
recognition, managers require AI-driven feedback and recognition platforms
to promptly provide feedback and acknowledge their team members. Virtual
assistants powered by AI can also address common HR inquiries, provide
access to relevant policies and procedures, and even offer personalised
recommendations for stress management and self-care. Several businesses have
started using AI-powered tools to monitor and control employee
engagement.
Hackers Developing Malicious LLMs After WormGPT Falls Flat
Crooks are looking into hiring AI experts to exploit private GPTs developed
by OpenAI and Bard to jailbreak restrictions put in place by the application
developers and create malicious GPTs, he said. "They're looking for things
that will help them with generating code that actually does what you're
supposed to do and doesn't have all hallucinations," Maor said. A March 19
report by Recorded Future highlights threat actors using generative AI to
develop malware and exploits. The report identifies four malicious use cases
for AI that do not require fine-tuning the model. The use cases include
using AI to evade detection tools used by LLM applications that use YARA
rules to identify and classify malware. "These publicly available rules also
serve as a double-edged sword," the report said. "While they are intended to
be a resource for defenders to enhance their security measures, they also
provide threat actors with insights into detection logic, enabling them to
adjust their malware characteristics for evasion." Using the technique,
Recorded Future altered SteelHook, a PowerShell info stealer used by APT28
that submits the malware source code to an LLM system.
Quote for the day:
"Brilliant strategy is the best
route to desirable ends with available means." -- Max McKeown
No comments:
Post a Comment