Schneier on Security

Clive Robinson • March 23, 2025 6:45 AM

@ Bruce, ALL,

Just how inaccurate is current AI?

Since what are oft called “Hallucinations” are an inbuilt feature of current AI LLM and ML systems by the foundational way they work.

And with the owners of such systems trying to hide the Hallucinations with what are called “guide rails” or other human correction.

Answering the question is problematic as the normal rules of scientific and engineering testing don’t apply due to the continuous owner intervention to “Polish the turd” or in other ways “Put a gloss on it”.

One way has been to,

“Always ask ‘New Questions’ to ‘stay ahead’ of the human intervention.”

But this has not just limitations you can not show other trends etc.

So another way to stay ahead of human intervention is to,

“Ask standard questions about constantly changing information input.”

One way to do this is with asking questions about “The News”.

The UK “British Broadcasting Corp”(BBC) has legal obligations about the factuality of their reporting. So they decided to test current AI LLM and ML systems a little while back.

To say the results were “not exactly encouraging” would as they say “be an under statement”…

That is with errors getting on for 2/3rds of the time and over half the time for all systems tested, with some over 9/10ths of the time… It is quite frankly not what you want.

So others have repeated the experiment / test and show equally dismal results,

https://www.techdirt.com/2025/03/20/tow-center-study-again-shows-ai-sucks-at-conveying-accurate-news/

I won’t “spoil the surprise” with by giving the results of the TOW center study you can read that yourself.

But a question arises,

“Given just how bad all current AI LLM and ML systems tested were repeatedly, on quite simple tasks, are the really ‘fit for purpose’?”

Or any purpose for that matter… Because even AI “Expert Systems” from the 1980’s were way more than significantly better than the current crop of publicly facing systems.

So why are the results so dire, well many will say different things but consider the work flow of the building of Expert Systems back in the 1980’s that still continues to give good results today.

In effect the “input data” was “curated for accuracy” by a “human expert” then other “human experts” in effect “distilled out” the pertinent facts and built decision trees to get from vague observations to specific facts and diagnosis.

There are two essentials in that,

1, Trusted good input facts.
2, Trusted good decision logic.

These are both absent in current AI LLM and ML systems

“By design from the outset.”

Because the aim was to replace the expert humans in both steps and get an algorithm to do it by randomised probability or if you prefer

1, Add noise to the information input –corpus– and average the result in a low pass filter.
2, Use the filtered output as a feedback signal to build a “probability graph”.

Then with user input,

3, Use the filtered output with further noise added to make a selection from the probability graph.

This sounds crazy but it’s actually a variation of a standard technique in science and engineering and is fundamental to thermodynamics and for the same reason information theory and so control theory as well.

There is however a “hidden gotcha” in this and it’s to do with the probability of the “noise”. For such a system to work, the noise has to have certain characteristics. If the noise is wrong then obviously as it’s fundamentally integral to the way the system works it’s going to effect the system and it’s output.

The noise in the input corpus is generally very much wrong as it’s in effect based on “Human cognitive bias”. Likewise the bias of user input.

In “Expert Systems” it is the “human experts” that debias and in many otherwise clean up the noise such that it’s either removed or of the right form.

Because of the way current AI LLM and ML systems were fundamentally designed there is no “Expert” in the system…

Which is why the owners are having to pay sweat-shop rates to non expert humans to try and clean up the mess with “guide rails” and the like.

The problem is those humans are not “experts” either…

Eventually when the hype dies down about current AI LLM and ML systems, people will realise that they entirely lack intelligence, thus can not be “expert” in any way.

“Will this change?”

Is a difficult question to answer. But we do know that a fundemental part of “Expert” is a finely tuned observation that requires “context” and “agency”.

Current AI LLM and ML systems lack both and can not acquire them unless the context is highly restricted and rules based and purely informational with a large enough “clean / unbiased” input corpus.

So games like Chess and Go are within the capability. But Billiards, Snooker, or Pool, “NO”.

Unless we add agency via transducers added to “see object location” and “adjust que position angles and force”. Then it can run “test after test” as it now has “agency” and by “observation” and averaging out noise pull out the signals that will allow “context” to be built.

But this raises a couple of other questions,

1, Is the entire world knowledge need as an input corpus?
2, Do we need massive DNN LLM’s with Transformer based ML?

The answer to both is already known and it’s “NO”.

Which leaves a third question,

3, Is intelligence required to be an expert?

Well… aside from the perennial,

“How do you define intelligence issue”

Again it’s “context” based and so the answer is in the most cases we know of,

“Because they are “bounded and rules based thus amenable to observation and test,”

Agency allows the context to be built by observation, and test by just statistics… So,

“NO”.

Clive Robinson • March 23, 2025 9:14 AM

@ Bruce, ALL,

Potential major genetics privacy failure

“23andMe” looks like it is about to go “belly up” and thus all the information and samples it currently holds will become the property of the “Receivers and Creditors”.

US law is a bit complex and varies from place to place, but as a norm it’s best to consider that all “contractual obligations” of the company with customers are dissolved.

That is though the results and samples are “yours” whilst the company exists and the contract indicates that. Come it’s demise, they are nolonger yours but an asset to be sold at the highest price obtainable.

Which in probability means you loose control for good and it ends up with a data broker or similar to be sold over and over and over.

So as things are slightly different in California their Attorney General Robert Bonta has issued official notice and indications of what should be done by Californian consumers to try and prevent their data and samples being lost from their control,

https://oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers

Some of this still applies even if you are not a Californian Resident.

Remember with “genetic data” it’s not just you as an individual it effects but all your biological family past, present, and future.

Clive Robinson • March 24, 2025 3:14 AM

@ not important, ALL

Re : Thought Privacy under technology

You ask,

“Do You see Thought Police on steroids as the possible next step in a future?”

Sone have already looked at trying to use “Fast MRI” as a “lie detector” and I’ve commented in the past about the “Southpaw problem” of those who are left handed. That is “lefties brains are not wired up right” so they generally do not get included in the related research. Which is going to cause all sorts of issues down the line.

But more relatedly,

“Yes I did back last century and talked about it quite a bit at the time.”

But people were more interested in Y2K back then and research opportunities were not in Human Brain Interface. The only research was like that carried out by Microsoft, called HCI back then but these days UI-Design is where it’s gone…

As I’ve mentioned before the most people I shocked with it at one time was in the summer of 2000 at an EU funded program on Crypto and Security held at the University of Upsala in Stockholm (same time as when the “Tall Ships” sailed in, but that’s another story).

I gave a presentation/talk and in it I mentioned “insider threat actors faking it as outsider attacks to hide their tracks” which in the “any questions” went right off topic and a question from the lady[1] who was starting the PETS Conferences was about “interfaces and biometrics” with respect to Security / Privacy. As I knew a fair bit about the related fields of robotics, medical electronics, AI, and communications having at that time spent about half a career length working in them (1980’s onwards). I gave an in-depth answer, which I ended with the comment,

“The day Bill Gates requires a 9pin DIN[2] connector in the back of your head, is definitely the day I retire!”

So yes I’d long seen the danger at that point, and finally now as it’s becoming a reality other people are as well.

So a quarter century of “lost time” where we could have been planing and legislating thoughtfully rather than by the necessity “Of boots hitting the ground”.

I can see the same “loss of time” happening with AI research and products, and the way it’s going it will not end well…

[1] Simone Fischer-Hübner now at Karlstad University,

https://www.kau.se/forskare/simone-fischer-hubner

With 20-20 Hindsight I wish I’d taken up her invite to do a presentation at the first PETS. However at that time I saw my academic and career progression being in a somewhat different direction as I was having trouble trying to find a PhD Reader who would let me do what I wanted to research rather than be their under paid lab rat for two to four years.

[2] back last century the standard connector for “user interface devices” was the very inexpensive and easily available but large was the 9-Pin DIN connector. It transitioned through the “minitire DIN” to USB-A and now due to EU legislation about phone chargers and the like and “Waste Electrical and Electronic Equipment”(WEEE) to USB-C.

Clive Robinson • March 24, 2025 6:40 PM

@ fib, Grima Squeakersen, ALL,

Re : Silent participant in Secure Messaging Apps.

The author of the Atlantic article may or may not have been aware of a known and very serious flaw in both WhatsApp and Signal and actually most other “group” communications with alleged E2EE.

From memory it’s what the failed vote in France was actually all about.

To be “efficient” most if not all secure communications systems that support groups have “oblivious key sharing” (or in Telegram they turn encryption off). So the potential security advantage you get with E2EE in 2party communications is completely lost with more than 2party or “group” conversations.

I’ve made this known in the past, in particular about “Video Conferencing” during lockdown where I went into the details as to,

“Why keys had to be shared in a group or conference.”

We know this is known to UK SigInt agency GCHQ so we can also assume it’s known to all Western Government SigInt agencies that are part of “one of the eyes groups”. And likewise in all first and second world countries not just for Government agencies but Law Enforcement and a number of corporate entities supplying surveillance services to anyone who can meet their price…

All the SigInt organisation needs to do is “add a silent member to the group” then they get to see everything…

It’s another form of “See What You See”(SWYS) attack. This time at “The KeyMat” level as opposed to the “message level”.

Oh and there is another SWYS level that happens at the “KeyMan” and “KeyGen” levels. To see what it is have a think about how the 2party KeyGen in these secure messaging apps actually works…

A clue to think of one of the easier methods… “A ratchet might only turn one way, but as long as I can start my ratchet before yours…”

And people wonder why I don’t use “Secure Messaging Apps”…

Clive Robinson • March 25, 2025 7:24 AM

@ lurker,

Re The Register Article

I very nearly fell of my chair with laughing so much.

The guy actually did almost everything right, but in a way that says oh so much about his character.

But more seriously it also shows up an aspect that nearly every one sufferers from,

“He was not paranoid enough”

His “Why Us?” question and reasoning shows a fundamental misunderstanding of the world “on the other side of the looking glass”.

Of the alleged attackers it’s been said they are not employed by the state, and they only get paid minimally on results.

If true this engenders a certain mentality of

“Any rice in your bowl is better than none.”

So even “low hanging fruit” are “fair game” in a “numbers game” which is how cyber-crime which cyber-espionage is functions.

Especially in a “Target Rich Environment”, where no matter how bad your security is you will not get attacked unless your number comes up, or you some how become a target by your own actions or others requirements.

The hand holding the purse strings would have given a loose set of requirements and those actually attacking probably had no knowledge and like as not did not care. The utility company matched the set of requirements so no matter what it’s actual strategic or pecuniary value it got hit and owned.

In part this was because their “managed service provider” made them an easy target thus easy money in the bank very low hanging fruit that got bitten.

Clive Robinson • March 25, 2025 5:07 PM

@ Bruce, ALL

“AI Bedazzle, Beguile, Bewitch, Befriend, and BETRAY plan progress”

Now at “BETRAY?”

I pointed out early on that the current AI LLM and ML system hype was in effect hiding a surveillance nightmare for everyone. Because the likes of Alphabet/Google and Microsoft had a “Privacy Stealing Business Plan” for these AI systems use. I noted it had the basic stages of,

“Bedazzle, Beguile, Bewitch, Befriend, and BETRAY”

Well it’s been turbulent and lots of people are at different points along that curve right now. But that is about to change because of “AI based Assistants”.

In part because Google and Microsoft are unhappy because we are all not at the BETRAY stage. Which starts for them the “payback and Profit” of the billions that have been pushed into the hype of current AI LLM and ML systems. The fact that most of that “investment” money has come from unrelated investors that will soon be “shirtless” is so much the richer for Google and Microsoft they don’t want competition on what they see as their rightful return. And Microsoft in particular are forcing “AI with everything” in their new and up coming products. But also others are getting in the AI Game to try and “get a slice of the action”.

Now some will think I’ve kind of fallen off of my perch with excess paranoia, but history suggests otherwise. And if you doubt, then can I suggest you have a read of someone elses thoughts on the matter,

https://www.theregister.com/2025/03/25/generative_ai_browser_extensions_privacy/

“A group of computer scientists from University of California, Davis in the USA, Mediterranea University of Reggio Calabria in Italy, University College London in the UK, and Universidad Carlos III de Madrid in Spain set out to analyze the privacy practices of browser extensions that use AI to do things like produce summaries of webpages or answer questions about content.”

These “AI extensions” or “Agents” are what both Google and Microsoft are forcing on people to now “search the Web” because they have both majorly contributed to what Cory Doctro calls “Enshitification” as a process that has rendered the search engines of both Google and Microsoft near useless.

The aim of Google, Microsoft, and others is to own your most closely held privacy for them to make profit by.

But others have the same intent with their “Agents”, as the researchers have indicated and the article notes,

“Despite the use of familiar terms like ChatGPT, Google, and Copilot in the titles of these extensions, the makers of these extensions are unaffiliated with Google, Microsoft, or OpenAI.”

So a fair degree of “Cheese Stealing” going on in the AI Agent Game.

But importantly,

“Generative AI assistants packaged up as browser extensions harvest personal data with minimal safeguards, [the] researchers warn.

Some of these extensions may violate their own [published] privacy commitments and potentially run afoul of US [and EU] regulations”

Any way I urge you to go away and read it with an OpenMind.

P.S. Mandatory disclosure : As I have mentioned in the past I have associations with two of the included Academic Institutions, as well as others working in similar research.

This however does not mean I currently have “skin in the AI game” for the commonsense reason I like my shirts and want to keep them as I assume most others do.

But more importantly in the late 1990’s and early 2000’s I was working for an academic research database search organisation. And did research work on how to make “information on the Internet” make sensible money. Even back then a quarter of a century ago it was clear that in general people were not going to pay because there were way way to many information resources available, and so it’s turned out. I’m continuously amused by Rupert “the bear faced lier” Murdoch desperately trying to make his failing newspaper empire pay directly from readers and well failing. He and his children did not get it then and I don’t see real evidence they’ve changed since (so the “Equus Necrium Flagitious” continues).

Clive Robinson • March 25, 2025 10:54 PM

@ lurker,

With regards,

“Anyway. I’m not the target market for those browser extensions.”

Ahh… You’ve just revealed something 😉

There is a saying,

“By the time your forty you’ve learnt to use the tools you use.”[1]

The implication is not that you are necessarily skilled in them, but bad as the tool and usage might be it’s going to be faster to end results than learning a new tool no matter what you might get from it.

That said in the ICT Industry a lot of things move rapidly then die. So learning new tools is something we tend to have to do…

My advice when ever I’ve been asked by those who are “still bright eyed and bushy tailed” is still the same over forty years after I first gave it,

“Learn two things well. Firstly learn the foundations well. Secondly learn how to build on them efficiently and quickly.”

Usually the smart ones won’t just “nod along” they will ask questions that kind of fall into two categories and the answers are effectively,

“If you understand the first principles you can always build up to something new. But if you don’t then if something changes you have nothing to draw on to gain understanding.”

This is something that is really bad in industry, “The damagers” want people who use their tools and only their tools that way they can do one job only. In the past they were taught by “Sitting next to Nellie” and do things at “piece rates”.

The second type of question is in effect “Why efficiently and quickly, not quickly and efficiently?”

To which the short answer is,

“You have to be lazy to get things done faster and more reliably over all.”

If you take time to make a process efficient by say ‘building a script’ the ‘right way’ the result is efficient even though you might have done the job five times over in the same time. However the subsequent time savings quickly build up and repay you many times over, and with a lot less errors.

Also if you write a script the “right way” it should be easy to change, and act as a skeleton for the next script you write, thus saving you time[2].

The secret is learning to view the world and the way things work the right way as quickly as possible. Because that can buy you the one thing there is never enough of to waste, and that’s time.

A good piece of advice I was once given was,

“Never write code for it to be reusable, instead write code that is easy to change for reuse.”

The difference is lost on a lot of Open Source developers that think to be useful they have to put in “The kitchen sink”… They don’t, they should only put in the hook points in a way so someone else can add a sink that meets their needs if they need to.

One of the failings of C++ is the STL it is usually written the wrong way thus the equivalent of thousands or tens of thousands of lines of code get dragged in. Mostly needlessly, “Just in case”.

[1] It’s kind of a variation on the older,

“When you get to forty you have the face you disserve.”

And has similar implications of lack of change to,

“You can’t teach an old dog new tricks.”

[2] A classic example of this is “duplicating media” back in the days of tapes and floppy drives they were frequently slow to copy from a read drive to a write drive. The reason was the issue of “block size”. If you read in by the “data block size” you then had to wait for the disk to go around to get the next data block. However make your program so it has a buffer that can hold an entire track/cylinder, then you save a lot of time and wear on the drives. You then tell the read drive to change cylinder whilst you push the buffer out to the write drive. If you carry on in this “salt and pepper” way you can save over 80% of the time to duplicate a disk. If you think about the fact that different disks have different data block and sectors per track and different numbers of tracks as you build your script/program making changes to accommodate new media and drives is almost trivial and takes just moments.

Clive Robinson • March 26, 2025 7:26 AM

@ Who?, ALL,

With regards,

“I need help hardening the UEFI BIOS on a few computers that will not receive more updates from the manufacturer.”

The simple answer is,

“replace old with new”

Or more specifically “unsupported with supported”. I assume as it’s something I have to live with going back 40years that you have,

“An impediment to upgrade other than cost.”

In my case it’s manufacturing equipment that cannot be replaced… that have interfaces that are nolonger supported (a silly example so people get the idea would be say a long bed cutting plotter that only has a centronics interface driven by very custom software).

Usually the first step in any “upgrade” is to,

“audit functional usage and analyse it”

This can help you find “peace wise solutions” to issues. In your case by eliminating the need for these computers to have “direct access” to networks that are not segregated. This might be as simple as building an old fashioned “application firewall”.

Because the basic security steps are,

1, Upgrade
2, Patch
3, Mitigate
4, Eliminate

You indicate that the (2) is nolonger possible, and I’m assuming that likewise (1) is not possible because you cannot do (4).

This leaves only (3) the “mitigation route” untill you eventually have to do (1) due to the effects of entropy on hardware.

So in effect you are only buying an uncertain degree of time.

If I’m reading your post correctly your primary desire is “security” from attackers that are “external” rather than “internal”

The hard mitigation for this is “energy gapping” or less difficulty but also less securely “air gapping”. To in effect put these systems in an “impenetrable bubble” so attackers can not reach them.

But information systems at the lowest level do three things,

1, Process information.
2, Store information.
3, Communicate information.

Fundamentally to (1) process information it needs a “CPU” or equivalent that in turn requires the other two all be it as “Memory on the Bus”. Likewise to (2) store information even within the CPU the information store needs to (3) communicate the information. And if you want to get data in or results out you need to (3) communicate information.

Which means that unless you can put the entire system into the “impenetrable bubble” you are going to need “gap crossing” that is limited to only “allowed by policy” communications.

Further where the gap is crossed the information needs to be in the simplest possible format (but no simpler than absolutely needed).

This is because you need to “verify, check and audit” what crosses the gap. That is you also need to instrument the crossing in a way that can not be seen or changed by an attacker.

I’ve mentioned in the past how I go about doing such things and it’s lengthy so I won’t detail it here just give a “Cliff’s Notes” 20,000ft overview.

In effect all information is expanded and converted to a very simple format (like ASCII). If “control is included” all commands are “hard coded and minimal” such that there is the minimum of choice or flexibility.

That is you reduce “the redundancy” to the minimum because this denies attackers the ability to establish their own “covert channel” or to vary from what is “allowed by policy”.

Yes it’s a pain to work with because it lacks “flexibility” as it has “minimal complexity” and in many ways it will be seen as “inefficient” but as it removes “corner and edge cases” it’s usually a price worth paying to “effectively meet security requirements”.

Clive Robinson • March 27, 2025 8:10 AM

@ Who?, ALL,

With regards,

“I just want to know if a BIOS can be hardened enough to be considered reasonably secure against external threats.”

Short answer is,

“No and it will get less secure with time?

The reason is as I’ve mentioned before… There are,

1, Known Knowns
2, Unknown Knowns
3, Unknown Unknowns

That is the BIOS you have is now “static” and won’t change from now on. But… as we know all non simple code is full of bugs that are potential vulnerabilities. With time new attack methods convert bugs to exploitable vulnerabilities which are your “Unknown Unknowns” shifting to “Unknown Known” attacks that is “the method” becomes known but the actual vulnerabilities have to be found[1] thus mitigation is the stratagem on observational evidence (we’ve just seen an example of this with *nix “atop”). As they are found they would become “known knowns” that in non EOL’d code should get “patches” issued in a timely fashion. If it is EOL’d then all you can do is “mitigate” on the observed behaviour of the attack… Which may not be sufficient.

It’s this progression that gave rise to our host @Bruce once commenting,

“Attacks only improve with time…”

So if extra hardening “is out” which it appears to be, then you have to move from “in device fixing” to “outside of device fixing” or “perimeter defence” which is at the end of the day what most “mitigation” is, you just have to decide where to put the perimeter.

Which is usually decided by “policy” and “operational requirements”.

So if you’ve not already drawn them up in sufficient depth is what you need to do.

Oh and get that perimeter either as tight as possible or as broad as possible, anything else would be “half ass” and needing continuous adjustment as “operational requirements” or “policy” from within or from without[2] dictate.

My advice on that is draw plans up for both. Because more often than not mitigating the whole organisation is actually less expensive as well as more beneficial. However mitigating just the systems means any rules can be significantly stricter thus in all probability more secure in the long term.

[1] It’s why you should always mitigate “methods” or “classes” of attack, not a single “instance”. As I point out when giving a talk about it,

“Properly designed ‘fire drills’ should work for all or the most likely reasons to evacuate a building, not just smoke and flames… Bomb threats, incipient bad weather, post bad weather, post earthquake, and even air strike.”

One of the unsung heros of 9/11 was a gentleman who took practicing “fire drills” not just mandatory but frequent. The result nearly everyone who took part in the drills got out safely.

https://en.m.wikipedia.org/wiki/Rick_Rescorla

[2] A known dictate of policy “from without” is when an organisation changes how they do business. One a lot went through was the “Payment Card Industry”(PCI) requirements that require auditing regularly. Another that requires external auditing is “Government Agencies” information handling requirements of which the DoD can be one of the worst and not particularly effective for a number of reasons (hence seen as a waste of “time and money”).