CKMo's comments
CKMo | 4 months ago | on: Israel demanded Google and Amazon use secret 'wink' to sidestep legal orders
CKMo | 4 months ago | on: Tell HN: Azure outage
There's a lot of outages this month!
CKMo | 9 months ago | on: The ‘white-collar bloodbath’ is all part of the AI hype machine
Sure, the AI might require handholding and prompting too, but the AI is either cheaper or actually "smarter" than the young person. In many cases, it's both. I work with some people who I believe have the capacity and potential to one day be competent, but the time and resource investment to make that happen is too much. I often find myself choosing to just use an AI for work I would have delegated to them, because I need it fast and I need it now. If I handed it off to them I would not get it fast, and I would need to also go through it with them in several back-and-forth feedback-review loops to get it to a state that's usable.
Given they are human, this would push back delivery times by 2-3 business days. Or... I can prompt and handhold an AI to get it done in 3 hours.
Not that I'm saying AI is a godsend, but new grads and entry-level roles are kind of screwed.
CKMo | 10 months ago | on: DeepSeek: New model DeepSeek Prover V2 671B now available on GMI Cloud
CKMo | 11 months ago | on: Pope Francis has died
CKMo | 1 year ago | on: How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
"Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies). Forty-one vulnerabilities were exploited as n-days (vulnerabilities first exploited after patches are available). While we have previously seen and continue to expect a growing use of zero-days over time, 2023 saw an even larger discrepancy grow between zero-day and n-day exploitation as zero-day exploitation outpaced n-day exploitation more heavily than we have previously observed.
While our data is based on reliable observations, we note that the numbers are conservative estimates as we rely on the first reported exploitation of a vulnerability. Frequently, first exploitation dates are not publicly disclosed or are given vague timeframes (e.g., "mid-July" or "Q2 2023"), in which case we assume the latest plausible date. It is also likely that undiscovered exploitation has occurred. Therefore, actual times to exploit are almost certainly earlier than this data suggests."
CKMo | 1 year ago | on: Google's AI Search Gives Sites Dire Choice: Share Data or Die
CKMo | 1 year ago | on: CrowdStrike Update: Windows Bluescreen and Boot Loops
CKMo | 1 year ago | on: Review of the Summer 2023 Microsoft Exchange Online Intrusion [pdf]
"The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.
The Board reaches this conclusion based on:
1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
4. Microsoft’s failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
6. the Board's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency."
CKMo | 2 years ago | on: I want to convince you to have an on-premise offering
CKMo | 2 years ago | on: Polish trains lock up when serviced in third-party workshops
...or Boeing.
CKMo | 2 years ago | on: Linux Foundation Launches OpenTofu: A New Open-Source Alternative to Terraform
CKMo | 2 years ago | on: Teleport vs. Pomerium
CKMo | 2 years ago | on: Google kills two-year “Pixel Pass” subscription after just 22 months
killedbygoogle.com might have a new entry now
CKMo | 2 years ago | on: Why did people in the past look so much older?
CKMo | 2 years ago | on: Water
CKMo | 2 years ago | on: What Is Zero Trust Architecture and Security?
It’s possible. Here’s a way to determine if the organization can ignore zero trust altogether:
- There is no shift to the cloud, now or in the future
- The supply chain is wholly owned by the organization or provided by vendors that allow for full auditing and verification
- All assets are self-hosted and managed by the organization
- All user devices are provided and strictly managed by the organization
- All users can be expected to connect from within a pre-determined physical location, not through a VPN
- All users are completely trustworthy at all times with no financial incentive to become compromised
- All users are well-trained in cybersecurity concepts and would never be negligent insiders
- All acquisitions and mergers are extremely audited for the above requirements, or assets are not co-mingled until the above requirements are met
CKMo | 2 years ago | on: White House unveils ‘whole of society’ push to expand cybersecurity workforce
CKMo | 2 years ago | on: Responding to “Are bugs and slow delivery ok?”
CKMo | 2 years ago | on: He wrote a book on a rare subject. Then a ChatGPT replica appeared on Amazon
AIs have such a low cost of producing content that even if everyone agrees human-written is better, the cost to output ratio is hard to compete with. People are already loath to pay for written content, even if it's written by a Pulitzer Prize winner.
This will result in fewer writers finding it to be a viable source of income, which results in less human-generated content, and soon we'll just find ourselves in some AI-content apocalypse.