MIT releases comprehensive database of AI risks
While numerous organizations and researchers have recognized the importance of
addressing AI risks, efforts to document and classify these risks have been
largely uncoordinated, leading to a fragmented landscape of conflicting
classification systems. ... The AI Risk Repository is designed to be a
practical resource for organizations in different sectors. For organizations
developing or deploying AI systems, the repository serves as a valuable
checklist for risk assessment and mitigation. “Organizations using AI may
benefit from employing the AI Risk Database and taxonomies as a helpful
foundation for comprehensively assessing their risk exposure and management,”
the researchers write. “The taxonomies may also prove helpful for identifying
specific behaviors which need to be performed to mitigate specific risks.” ...
The research team acknowledges that while the repository offers a
comprehensive foundation, organizations will need to tailor their risk
assessment and mitigation strategies to their specific contexts. However,
having a centralized and well-structured repository like this reduces the
likelihood of overlooking critical risks.
Why Agile Alone Might Not Be So Agile: A Witty Look at Methodology Madness
Agile’s problems often start with a fundamental misunderstanding of what it
truly means to be agile. When the Agile Manifesto was penned back in 2001, its
authors intended it to be a flexible, adaptable approach to software
development, free from the rigid structures and bureaucratic procedures of
traditional methodologies. But fast forward to today, and Agile has become its
own kind of bureaucratic monster in many organizations — a tyrant disguised as
a liberator. Why does this happen? Let’s dissect the two main problems: the
roles defined within Agile and the one-size-fits-all mentality that
organizations apply to Agile methodology. One of the biggest hurdles to
successful Agile adoption is the disconnect between the executive suite and
the teams on the ground. Executives often see Agile as a magic bullet for
faster delivery and higher productivity, without fully understanding the
nuances of the methodology. This disconnect can lead to unrealistic demands
and pressure on teams to deliver more with each Sprint, which in turn leads to
burnout and decreased quality. Moreover, the Agile Manifesto’s disdain for
comprehensive documentation can be problematic in complex projects.
Feature Flags Wouldn’t Have Prevented the CrowdStrike Outage
Feature flagging is a valuable technique for decoupling the release of new
features from code deployment, and advanced feature flagging tools usually
support percentage-based rollouts. For example, you can enable a feature on X%
of targets to ensure it works before reaching 100%. While it’s true that
feature flags can help to prevent outages, given the scale and complexity of
the CrowdStrike incident, they would not have been sufficient for three
reasons. First, a comprehensive staged rollout requires more than just
“gradually enable this flag over the next few days”: there has to be an
integration with the monitoring stack to perform health checks and stop the
rollout if there are problems. There has to be a way to integrate with the CD
pipeline to reuse the list of targets to roll out to and a list of health
checks to track. Available feature flagging solutions require much work and
expertise to support staged rollout at any reasonable scale. Second,
CrowdStrike’s config had a complex structure requiring a “configuration
system” and a “content interpreter.” Such configs would benefit from
first-class schema support and end-to-end type safety.
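The two requirements above, as an added example written for this digest (it is not CrowdStrike's code nor any feature-flag vendor's): a rollout controller that rejects a config failing its schema before anything ships, then enables the flag cohort by cohort, reusing the deployment pipeline's target list and halting at the first cohort whose health check fails. The schema, the 200-host fleet and the health-check responses are constructed for the example.

```python
"""Added example for this digest (not CrowdStrike's or any vendor's code): a
staged rollout that (1) rejects a config that fails its schema before anything
ships and (2) enables the flag cohort by cohort, reusing the deployment
pipeline's target list and halting at the first cohort whose health check
fails. The schema, the fleet and the health-check responses are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed schema for a tabular detection config: field name -> required type.
CONFIG_SCHEMA = {"rule_id": int, "pattern": str, "severity": str}
SEVERITIES = {"low", "medium", "high"}


def validate_config(rows: List[dict]) -> List[str]:
    """Return every schema violation found; an empty list means the config is well-typed."""
    errors = []
    for i, row in enumerate(rows):
        for key, typ in CONFIG_SCHEMA.items():
            if key not in row:
                errors.append(f"row {i}: missing field {key!r}")
            elif not isinstance(row[key], typ):
                errors.append(f"row {i}: {key!r} must be {typ.__name__}, got {type(row[key]).__name__}")
        extra = sorted(set(row) - set(CONFIG_SCHEMA))
        if extra:
            errors.append(f"row {i}: unexpected fields {extra}")
        sev = row.get("severity")
        if isinstance(sev, str) and sev not in SEVERITIES:
            errors.append(f"row {i}: severity {sev!r} not in {sorted(SEVERITIES)}")
    return errors


@dataclass
class RolloutPlan:
    targets: List[str]                  # the CD pipeline's target list, reused as-is
    stages: List[float]                 # cumulative fraction of targets per stage
    health_check: Callable[[List[str]], Dict[str, bool]]  # monitoring-stack hook
    max_failure_rate: float = 0.0       # any unhealthy target halts the rollout
    enabled: List[str] = field(default_factory=list)


def run_rollout(plan: RolloutPlan, config: List[dict]) -> dict:
    """Validate, then enable stage by stage; stop at the first unhealthy cohort."""
    errors = validate_config(config)
    if errors:
        return {"status": "rejected", "errors": errors, "enabled": 0, "unhealthy": []}
    total = len(plan.targets)
    for fraction in plan.stages:
        cutoff = max(1, int(round(total * fraction)))
        cohort = plan.targets[len(plan.enabled):cutoff]
        plan.enabled.extend(cohort)
        results = plan.health_check(cohort)          # e.g. "agent still reporting after update"
        unhealthy = [t for t, ok in results.items() if not ok]
        rate = len(unhealthy) / len(cohort) if cohort else 0.0
        if rate > plan.max_failure_rate:
            return {"status": "halted", "stage": fraction,
                    "enabled": len(plan.enabled), "unhealthy": unhealthy}
    return {"status": "complete", "enabled": len(plan.enabled), "unhealthy": []}


# Constructed inputs.
GOOD_CONFIG = [
    {"rule_id": 1, "pattern": "cmd.exe /c", "severity": "high"},
    {"rule_id": 2, "pattern": "powershell -enc", "severity": "medium"},
]
BAD_CONFIG = [
    {"rule_id": 3, "pattern": 42, "severity": "high"},                   # wrong type
    {"rule_id": 4, "pattern": "x", "severity": "critical", "extra": 1},  # bad enum, extra field
    {"rule_id": "5", "pattern": "y"},                                    # wrong type, missing field
]
FLEET = [f"host-{i:03d}" for i in range(200)]


def crashing_health_check(cohort: List[str]) -> Dict[str, bool]:
    """Constructed monitoring response: hosts whose index is 3 mod 5 stop reporting."""
    return {h: int(h[-3:]) % 5 != 3 for h in cohort}


def demo(health_check=crashing_health_check, config=GOOD_CONFIG) -> dict:
    plan = RolloutPlan(targets=FLEET, stages=[0.01, 0.10, 0.50, 1.0], health_check=health_check)
    return run_rollout(plan, config)


if __name__ == "__main__":
    print(demo())   # halts at the 10% stage with 20 hosts touched, not 200
    print(demo(health_check=lambda c: {h: True for h in c}))
    print(demo(config=BAD_CONFIG)["errors"])
```

With the crashing fleet the rollout stops at the 10% stage after 20 hosts, so the blast radius is the second cohort rather than the whole fleet; the same plan with a healthy fleet runs to completion. The schema check is deliberately strict about unexpected fields, since a content interpreter that silently ignores or misreads extra columns is exactly the kind of sensitivity a staged rollout is meant to catch late and a schema is meant to catch early.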
Putting Threat Modeling Into Practice: A Guide for Business Leaders
One of the primary benefits of threat modeling is its ability to reduce the
number of defects that make it to production. By identifying potential threats
and vulnerabilities during the design phase, companies can implement security
measures that prevent these issues from ever reaching the production
environment. This proactive approach not only improves the quality of products
but also reduces the costs associated with post-production fixes and patches.
... Threat modeling helps us create reusable artifacts and reference patterns as
code, which serve as blueprints for future projects. These patterns encapsulate
best practices and lessons learned, ensuring that security considerations are
consistently applied across all projects. By embedding these reference patterns
into development processes, organizations reduce the need to reinvent the wheel
for each new product, saving time and resources. ... The existence of
well-defined reference patterns reduces the likelihood of errors during
development. Developers can rely on these patterns as a guide, ensuring that
they follow proven security practices without having to start from
scratch.
The magic of RAG is in the retrieval
The role of the LLM in a RAG system is to simply summarize the data from the
retrieval model’s search results, with prompt engineering and fine-tuning to
ensure the tone and style are appropriate for the specific workflow. All the
leading LLMs on the market support these capabilities, and the differences
between them are marginal when it comes to RAG. Choose an LLM quickly and focus
on data and retrieval. RAG failures primarily stem from insufficient attention
to data access, quality, and retrieval processes. For instance, merely inputting
large volumes of data into an LLM with an expansive context window is inadequate
if the data is excessively noisy or irrelevant to the specific task. Poor
outcomes can result from various factors: a lack of pertinent information in the
source corpus, excessive noise, ineffective data processing, or the retrieval
system’s inability to filter out irrelevant information. These issues lead to
low-quality data being fed to the LLM for summarization, resulting in vague or
junk responses. It’s important to note that this isn’t a failure of the RAG
concept itself. Rather, it’s a failure in constructing an appropriate “R” — the
retrieval model.
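One way to build an “R” that does the filtering the article asks for, as an added example that is not from the article: a small TF-IDF retriever that scores chunks against the query and hands the LLM only chunks above a relevance threshold, abstaining when nothing qualifies. The scoring scheme, the four-chunk corpus and the 0.25 threshold are constructed for the example.

```python
"""Added example (not from the article): a minimal retriever that scores chunks
against the query and refuses to hand anything below a relevance threshold to
the LLM, so a noisy corpus produces an abstention rather than a junk summary.
The TF-IDF scoring, the corpus and the threshold are constructed for this example."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> List[str]:
    return TOKEN.findall(text.lower())


def cosine(a: Dict[str, float], b: Dict[str, float]) -> float:
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class Retriever:
    """Smoothed TF-IDF over whole chunks; fine for the demo, not a production ranker."""

    def __init__(self, chunks: List[str]):
        self.chunks = chunks
        self.tfs = [Counter(tokenize(c)) for c in chunks]
        df = Counter()
        for tf in self.tfs:
            df.update(tf.keys())
        n = len(chunks)
        self.idf = {t: math.log((n + 1) / (d + 1)) + 1.0 for t, d in df.items()}
        self.unseen_idf = math.log(n + 1) + 1.0
        self.vectors = [self._vector(tf) for tf in self.tfs]

    def _vector(self, tf: Counter) -> Dict[str, float]:
        return {t: f * self.idf.get(t, self.unseen_idf) for t, f in tf.items()}

    def search(self, query: str, k: int = 3, min_score: float = 0.25) -> List[Tuple[int, float]]:
        """Top-k (chunk index, score) pairs, keeping only those at or above min_score."""
        q = self._vector(Counter(tokenize(query)))
        scored = sorted(((cosine(q, v), i) for i, v in enumerate(self.vectors)), reverse=True)
        return [(i, round(s, 3)) for s, i in scored[:k] if s >= min_score]


def retrieve_context(retriever: Retriever, query: str, min_score: float = 0.25) -> dict:
    """What the 'R' hands to the LLM: grounded chunks, or an explicit abstention."""
    hits = retriever.search(query, min_score=min_score)
    if not hits:
        return {"status": "abstain", "context": [], "scores": []}
    return {"status": "grounded",
            "context": [retriever.chunks[i] for i, _ in hits],
            "scores": [s for _, s in hits]}


# Constructed corpus: one relevant policy chunk and three kinds of noise.
CHUNKS = [
    "Service account passwords must be rotated every 90 days and stored in the vault.",
    "Rotated keys are revoked; the old password is invalid after rotation completes.",
    "Cafeteria menu: how often do you want pasta on Tuesdays? Reply to this survey.",
    "Thank you for contacting support. Your ticket number is 4471. We will reply soon.",
]
QUERY = "how often must service account passwords be rotated"

if __name__ == "__main__":
    r = Retriever(CHUNKS)
    print(r.search(QUERY, min_score=0.0))    # the cafeteria chunk ranks second on 'how often' alone
    print(retrieve_context(r, QUERY))         # only the policy chunk survives the threshold
    print(retrieve_context(r, "quarterly revenue forecast"))  # nothing relevant: abstain
```

With the threshold disabled the cafeteria chunk ranks second purely on the words “how often”, which is the kind of superficially matching noise that ends up summarised into a confident but wrong answer. With the threshold on, only the policy chunk is passed along, and a query the corpus cannot answer yields an abstention instead of a prompt full of irrelevant text.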
What enterprises say the CrowdStrike outage really teaches
CrowdStrike made two errors, enterprises say. First, CrowdStrike didn’t account
for the sensitivity of its Falcon client software for endpoints to the tabular
data that described how to look for security issues. As a result, an update to
that data crashed the client by introducing a condition that had existed before
but hadn’t been properly tested. Second, rather than doing a limited release of
the new data file that would almost certainly have caught the problem and
limited its impact, CrowdStrike pushed it out to its entire user base. ... The
37 who didn’t hold Microsoft accountable pointed out that security software
necessarily has a unique ability to interact with the Windows kernel software,
and this means it can create a major problem if there’s an error. But while
enterprises aren’t convinced that Microsoft contributed to the problem, over
three-quarters think Microsoft could contribute to reducing the risk of a
recurrence. Nearly as many said that they believed Windows was more prone to the
kind of problem CrowdStrike’s bug created, and that view was held by 80 of the
89 development managers, many of whom said that Apple’s MacOS or Linux didn’t
pose the same risk and that neither was impacted by the problem.
MIT researchers use large language models to flag problems in complex systems
The researchers developed a framework, called SigLLM, which includes a component
that converts time-series data into text-based inputs an LLM can process. A user
can feed these prepared data to the model and ask it to start identifying
anomalies. The LLM can also be used to forecast future time-series data points
as part of an anomaly detection pipeline. While LLMs could not beat
state-of-the-art deep learning models at anomaly detection, they did perform as
well as some other AI approaches. If researchers can improve the performance of
LLMs, this framework could help technicians flag potential problems in equipment
like heavy machinery or satellites before they occur, without the need to train
an expensive deep-learning model. “Since this is just the first iteration, we
didn’t expect to get there from the first go, but these results show that
there’s an opportunity here to leverage LLMs for complex anomaly detection
tasks,” says Sarah Alnegheimish, an electrical engineering and computer science
(EECS) graduate student and lead author of a paper on SigLLM.
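The pipeline the article sketches, as an added example that is not SigLLM's code: a series is serialised to text tokens an LLM could read, a forecaster predicts each next value, and points whose residual is far outside the usual range are flagged. Because nothing here calls a model, a moving average stands in for the LLM forecaster; the serialisation scheme, the sensor series (with a spike at index 30 and a drop-out at index 45) and the thresholds are constructed for the example.

```python
"""Added example, not SigLLM's code: the two steps the article describes in
outline, serialising a numeric series as text an LLM could read, and turning a
forecaster's residuals into anomaly flags. The forecaster here is a moving
average standing in for the LLM so the pipeline runs offline; the sensor series
is constructed, with a spike at index 30 and a drop-out at index 45."""
import statistics
from typing import List


def to_text(series: List[float], resolution: int = 100) -> str:
    """Min-max scale to 0..resolution, quantise, and emit comma-separated integer tokens
    (an assumed serialisation; real systems choose scaling and tokenisation per dataset)."""
    lo, hi = min(series), max(series)
    span = (hi - lo) or 1.0
    return ",".join(str(round((x - lo) / span * resolution)) for x in series)


def from_text(text: str) -> List[int]:
    return [int(tok) for tok in text.split(",") if tok.strip()]


def forecast_next(history: List[float], window: int = 5) -> float:
    """Stand-in for the LLM forecaster: mean of the last `window` accepted values."""
    recent = history[-window:]
    return sum(recent) / len(recent)


def detect_anomalies(series: List[float], window: int = 5, warmup: int = 15,
                     k: float = 6.0) -> List[int]:
    """Flag index i when |observed - forecast| exceeds median + k*MAD of past residuals.
    Flagged points are replaced by their forecast in the history so one spike does
    not inflate the next few forecasts and trigger a run of false alarms."""
    history = list(series[:window])
    residuals: List[float] = []
    flagged: List[int] = []
    for i in range(window, len(series)):
        pred = forecast_next(history, window)
        r = abs(series[i] - pred)
        if len(residuals) >= warmup:
            med = statistics.median(residuals)
            mad = statistics.median(abs(x - med) for x in residuals) or 1e-9
            if r > med + k * mad:
                flagged.append(i)
                history.append(pred)    # mask the anomaly
                continue
        history.append(series[i])
        residuals.append(r)
    return flagged


NOISE = [0.3, -0.2, 0.1, -0.4, 0.2]          # repeating small deviations


def demo_series() -> List[float]:
    """Constructed sensor readings around 20.0 with two injected faults."""
    s = [20.0 + NOISE[i % 5] for i in range(60)]
    s[30] = 45.0      # spike
    s[45] = 2.0       # drop-out
    return s


def demo() -> List[int]:
    return detect_anomalies(demo_series())


if __name__ == "__main__":
    s = demo_series()
    print(to_text(s)[:60] + "...")
    print(demo())   # [30, 45]
```

The median/MAD threshold and the masking step are what keep the detector honest: without masking, the spike at index 30 would sit inside the next five forecast windows and push those forecasts up by several units, producing false alarms on perfectly normal readings. Swapping the moving average for an LLM forecaster changes only `forecast_next`; the serialisation and the residual logic stay the same.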
Cybersecurity should return to reality and ditch the hype
This shift from educational content to marketing blurs the line between genuine
security insights and commercial interests, leading organizations to invest in
solutions that may not address their unique challenges. Additionally,
buzzword-driven content has become rampant, where terms like “zero-trust
architecture” or “blockchain for security” are frequently mentioned in passing
without delving into the practicalities and limitations of these technologies.
... we must first recognize the critical distinction between genuine
cybersecurity work and the broader tech-centric content that often overshadows
it. Real cybersecurity practice is anchored in a relentless pursuit to
understand and mitigate the ever-evolving threats to our systems. It is a
discipline that demands deep, continuously updated knowledge of systems,
networks, and human behavior, alongside a steadfast commitment to the principles
of confidentiality, integrity, and availability. True cybersecurity
practitioners are those who engage in the laborious tasks of vulnerability
assessment, threat modeling, incident response, and the continuous enhancement
of security postures, often without the allure of viral recognition or
simplistic solutions.
Harnessing AI for 6G: Six Key Approaches for Technology Leaders
Leaders must understand the enabling technologies behind 6G, such as terahertz
and quantum communication, and the transformative potential of AI in network
deployment and management. ... Engaging with international bodies like the ITU
to contribute to the standardization process is crucial. This will ensure AI
technologies are integrated into network designs from the beginning. Early
involvement in these discussions will also help technology leaders to anticipate
future developments and prepare strategies accordingly. ... Advocating for an
AI-native 6G network involves embedding large language models and other AI
technology into network equipment. This strategy allows autonomous operations
and optimizes network management through machine learning algorithms. Such a
proactive approach will streamline operations and enhance the reliability and
efficiency of the network infrastructure. ... Emphasize the convergence of
computing and communication and develop user-centric services that leverage 6G
and AI to improve user experiences across various industries. Leaders should
focus on creating solutions that are not only technologically advanced but also
address the practical needs and preferences of end-users.
GenAI compliance is an oxymoron. Ways to make the best of it
Confoundingly, genAI software sometimes does things that neither the enterprise
nor the AI vendor told it to do. Whether that’s making things up (a.k.a.
hallucinating), observing patterns no one asked it to look for, or digging up
nuggets of highly sensitive data, it spells nightmares for CIOs. This is
especially true when it comes to regulations around data collection and
protection. How can CIOs accurately and completely tell customers what data is
being collected about them and how it is being used when the CIO often doesn’t
know exactly what a genAI tool is doing? What if the licensed genAI algorithm
chooses to share some of that ultra-sensitive data with its AI vendor parent?
“With genAI, the CIO is consciously taking an enormous risk, whether that is
legal risk or privacy policy risks. It could result in a variety of outcomes
that are unpredictable,” said Tony Fernandes, founder and CEO of user experience
agency UEGroup. “If a person chooses not to disclose race, for example, but an
AI is able to infer it and the company starts marketing on that basis, have they
violated the privacy policy? That’s a big question that will probably need to be
settled in court,” he said.
Quote for the day:
"Before you are a leader, success is all about growing yourself. When you become a leader, success is all about growing others" -- Jack Welch