Cybersecurity Pulse: Open Source To The Rescue! Eternalblue, Huawei, Adversarial AI


One of the biggest issues preventing Open Source advocates, myself included, from selling the apathetic ones around us on the virtues of forever free and transparent software is a tricky one to overcome.


We love to love Free, Open Source Software (FOSS).

The arguments, to us, are so obvious. Why even list them in the first place? It seems FOSS is so powerful that we fall prey to its virtues, risking hubris in the process. Which has undoubtedly separated us from the rest of humanity. You know, those who need FOSS the most.

It would also seem that, once we finally decide to listen to other people, we might have gotten the answer all wrong. You do not begin by spreading the Utopian-looking values of FOSS as a way to see it in practical use across organizations. Instead, you start by showing actual, maybe even a bit boring, real-life examples of FOSS outperforming every alternative. Like the ones we’re about to mention.

Maybe then, the rest of the world will start wondering what else is out there.

Microsoft causes it, the NSA hatches it, the crowd fences the latest existential threat to the internet

FOSS is not necessarily better code. Most of the time it is, simply because there are more eyes looking at it. But even when it isn’t, you can figure it out before millions of people become victims of ransomware. These attacks, where malicious actors demand payment to release your data, are indiscriminate and spare no one, learning organizations included.

The loudest news in recent times involves Eternalblue, currently wreaking havoc in the Baltimore city administration. It was originally built at the NSA. The code was never made public, meaning Microsoft had a critical vulnerability that a small group of people knew about, with a strong incentive not to share it with anyone else. It was only a matter of time before the right incentives forced hands.

Which was exactly what happened. It’s worth pointing out this was not the result of one malicious actor, but several. The first of which could be the NSA itself, at least according to Microsoft’s president at the time, Brad Smith. When the second malicious actor came into play and leaked the code to the public, Smith likened the leak to the theft of Tomahawk missiles. Another actor, actually several, are the ones who implemented the exploit, held Baltimore for ransom and made employees unable to receive emails. This also took advantage of exploits made previously by others.

There is something admirable about how Eternalblue and WannaCry cooperated to become more dangerous. WannaCry took advantage of Eternalblue’s ability to disguise itself as an ordinary packet to be sent to a server from where it could attack and replicate. Eternalblue wrapped itself in a WannaCry guise to lead investigators to believe it wasn’t a different kind of weapon for as long as it could. Figuring out the people behind it is next to impossible, among other things because the creation of cooperative systems does not necessitate cooperation among people, preserving anonymity.

Many would point to the unavoidable fact that several open source technologies facilitated these attacks across their stages. It is, however, easy to see that they were not present at the critical onset. Once the code was released, programmers from all over the world, many of them voluntarily, launched taskforces, worked extensively and publicly on its anatomy, and created dozens of replicates and antidotes for everyone to grab from GitHub.

We need to talk about Huawei

After a certain scale, there are unavoidable geopolitical ripples in the cybersecurity debate. This time, under coercion by the U.S. government, Google will not be able to license the services fueling the Android operating system on Huawei’s devices. Opinions on whether this is the right move or whether it was made under the right pretenses are split.

Mind that Android is an open source system, to which you, me and Huawei still have full access. While the response has been unexpectedly dramatic, with Huawei’s Chief uncharacteristically vocal about politics, the technology play offers a more pragmatic course of action. Two main paths are under discussion at the moment:

  • Replace Google services with partners outside the U.S. sphere of influence
  • Leverage the existing ecosystem of open source alternatives

While neither option is on the table, the existing ecosystem would give the company a quick response while the Chinese government gets ready to respond, likely helping out the already thriving FOSS space. Huawei could leverage a mix of open source technologies with the developed industry of technological alternatives inhabiting the Great Firewall.

The conversation is focusing mostly on consumer smartphones, even though there are bigger layers. The upcoming 5G implementation shifts the focus to the U.S. government, as it must consider a reality in which it cannot depend on the Chinese technology instrumental to the transformation of digital infrastructures around the world, one the U.S. arguably yearns for.

Some even argue that China’s “technological renaissance” of late owes a great deal to FOSS, thanks in part to government-forced exposure.

Of course, a golf date could make this whole dissertation null and void.

How to successfully replace a hard problem with a weirder one with AI

If there is one takeaway from all of this, it would be: when it comes to finding the best solution, open is the way. Whichever issues you can attribute to FOSS, you can bet they are present in proprietary software as well. And whichever virtues a salesperson convinces you their software uniquely has, 9 times out of 10 an open alternative is available, or reasonably within reach.

As it turns out, a new layer has been added to the complexity of AI, possibly with the deliberate intent to confuse even further. “Adversarial AI,” or methods to thwart the effective training of AI and machine learning algorithms, is becoming more noticeable. It could be as simple as painting odd numbers red and even ones green, to “convince” the machine about the intrinsic quality of colors in numbers. Or it could be simpler. In any case, open source developers are on the case, spreading awareness, datasets, or even “corrected” algorithms.

