Thursday, February 12, 2026

Secure Your Home Network: Moving to Linux - kicking the tires

OldNFO has an important post about how Microsoft is moving very aggressively to a 100% online subscription licensing model.  This is important enough that I won't excerpt any of it; instead, you should go read the whole thing.  It's not too long, but if you care about the security of your home network (especially the whole "who has access to my data, and can I even know?" thing), go read.  I'll wait.

What this means is that you don't own any Microsoft software.  Sure, you may think you do, because you paid them money (most often when you bought your computer - some of that purchase price went to Microsoft in the form of a license fee for Windows).  But you actually don't own "your" copy of the software.  At all.

Rather, you have the right to run the software on your computer.  That may not seem like a big difference, but it is.  The license agreement (you know, the one you didn't read before you clicked "I Agree") allows Microsoft to change the terms of the agreement at any time, at their pleasure.

Microsoft has just done this in a big, big way.  Key new stuff in Windows 11 is:

  • AI integrated with your operating system
  • Online presence is critical for lots of Windows now (e.g. AI)
  • Windows will nag you until you put all your data online (OneDrive) whether you want to or not.

The proper technical term for that first bullet point is that your Windows operating system is essentially now an "AI Agent", which, if you are a regular reader, you know is very, very bad security juju.

Combine this enormous security hole with the requirement to be online essentially 100% of the time (bad security) and the likelihood that OneDrive will slurp all your data into some Internet black hole in a Microsoft data center, and Windows is simply unsecurable.

Yes, I know that is inflammatory, but there is simply no way that you can get assurance that your security is sane.  I say that as someone who has spent decades in Internet Security (and particularly in security assurance).  Not to put too fine a point on it, but I don't think that I could get decent assurance that things aren't going "bump in the Net".  For most of the readers here, it's not even worth trying.

So what do you do, assuming that you are not a tech nerd like me?

Interestingly, Microsoft has just flipped the technical script on this.  It used to be that it was easier to stay on Windows than to move to alternatives like Linux.  Now that's out the window, at least if you want to protect your data from that OneDrive vacuum cleaner and whatever the AI agent will do to you.

But this is admittedly a big step for a lot of people.  So, as it turns out, you can "kick the tires" on all the different flavors of Linux without installing anything.  All you need is a web browser.

This is really slick.  The Linux equivalent of the Windows Start Menu lets you try all the apps (I use the office apps, which are every bit the equivalent of Word, Excel, etc., and will save files in Microsoft formats like .DOCX).

Spend a few weeks poking around and you will likely see that it's not a big learning curve.

Wednesday, February 11, 2026

An interesting perspective on AI

Long time Internet Security guy Fred Cohen has some interesting thoughts on how AI can be less obnoxious [PDF]:

The nature of the problem (I think) is that the attempts at safety reflect the behavior of the people who programmed and trained the AI engines, and they are apparently snarky, obnoxious twits that think it's better to argue about meta issues than to serve their customers, like me, with the real capabilities they have developed.

Their version of safety is the opposite of mine. If you want children to be safe from AI, don’t let them use it. 

If you want adults to be safe from AI, don’t make it available. 

If you want a ship to be safe, don’t put it out to sea… but that’s not what ships are for. We trade the utility for the safety, and while making ships that leak like a sieve is a bad idea in my view, making ships that don’t sail is a fruitless effort.

... 

Solution 

The solution is to put someone in charge of these mechanisms in these companies who is not a snarky, obnoxious twit… and I hope this doesn’t exclude me from the candidate pool. 

There are also some rather direct solutions to the problem of providing information to people where the information is not something that should be provided to anybody as a matter of policy. The most obvious solution is not to incorporate any of that sort of policy-violating information in the learning process. 

Of course the snarkiness is the same problem. If you don’t teach the LLM to be snarky by feeding it snarky crap, it will probably not behave that way. It’s no different than a child brought up by respectful parents vs. disrespectful parents. They learn from their teachers. 

Conclusions 

If you don’t want trouble, stop asking for it. If you teach a dog to bite, you are unlikely to be successful at later telling it not to. If you train an LLM with views of pedophiles, fraudsters, and murderers, you are unlikely to get it to not carry that behavior through later on. 

I think that Fred's entirely correct here (note that we ignore the very serious problem of AI Hallucinations here). AI training is generally crap layered on top of the hallucination engine*.

But I wonder if this is an opportunity for AI companies?  If you did a better job training the AI to be well-behaved (like you'd do with your kids or your dogs), would you have a different - and more attractive - AI offer?  How about politeandwellbehavedAI.com?  That's a branding that would stand out from all the others.  You could market it to parents worried about their kids, or to old fuddy-duddies like me who hate everything about AI.

I smell a billion dollars of venture capital here ... 

* It seems very likely that the AI algorithms cannot be prevented from hallucinating. 

Sunday, February 8, 2026

Word

Quote of the Day goes to B, who hits center mass:

50 years from now, no one is gonna bother to restore an electric Mustang to collect or drive.

Just sayin’.

Yup. 

Saturday, February 7, 2026

Ronnie Dunn - Cost Of Livin'

Farewell to the Washington Post.  Journalists never cared when mills across the land shut down and people and towns were wiped out; now it's wailing like the End Of The World by journalists, for journalists.

I'm having trouble summoning up sympathy.  Welcome to the club, pal.

Thursday, February 5, 2026

Elon's city on Mars

This is a fascinating breakdown of the (quite serious) engineering problems facing SpaceX as they attempt to build a Mars city. 

Wednesday, February 4, 2026

Deep sea video of German Battleship Bismarck

Last year a company called Magellan sent a deep sea rover 15,000 feet down to the final resting place of the battleship Bismarck, sunk 86 years ago.  The video is simply spectacular.  Here is a shortish excerpt with commentary.

And since we're talking about the Bismarck, this song is obligatory.

Tuesday, February 3, 2026

The EPA makes everything worse, vol CXVI

In this case, marine diesel engines, which used to be famously long-lived.  The Detroit Diesel engines of old were famous for running 20,000 or 30,000 hours before a four day rebuild at the dock set them up for another 20,000 or 30,000 hours.  You couldn't kill these engines.  Rather, you would leave them to your kids in your will.

That's over now, and it's because of the EPA.  Over a span of 15 or 20 years, they ratcheted up the emission requirements for these engines to the point that Detroit Diesel would be fined millions and millions of dollars for selling their old (famously reliable) design.

And so now you have to rebuild after 10,000 hours, and you have to replace three times as many parts.  Plan on a month, rather than four days.

This is a very interesting video on the subject.  While I'm not an expert on diesel engines, it certainly seems solid from an engineering perspective.

Here are the main points.

1. Pressures have gone from 10,000 psi to 30,000 psi because of a bunch of EPA-imposed constraints.  This shortens the lifespan of parts used in the engines.

2. The higher pressure means that engines are much more vulnerable to bad diesel fuel: water particles or tiny flakes of rust now essentially sandblast the pistons, valves, and cylinders.  This didn't happen at the old, lower pressure.  This sandblasting effect shortens part life even more, which makes rebuilds more frequent and more expensive.

3. Because parts will fail much more often now, manufacturers put all sorts of sensors in place.  The sensors themselves can fail - the high seas are a notoriously unforgiving environment and salt water will get into the engine room.  This causes corrosion, which triggers sensor faults.  The engine's computer (itself a new thing, with software of questionable quality) will detect the fault and sometimes put the engine into "Limp Home Mode" - not allowing it to go above, say, 1000 RPM.  A ship in a storm may find its engine dangerously underpowered, putting at risk the lives on board and the safety of the ship itself.  If a ship sinks in a storm under these circumstances, the fuel oil in the tanks will pollute the environment.

4. Something not pointed out in the video: ocean-going vessels do not have to worry about emissions.  From a pure regulatory perspective, that is.  However, finding a new engine without all the design "upgrades" discussed here is the challenge.  I don't know what EU regulations are, so maybe a MAN engine doesn't have to deal with this.  But I'm nasty and suspicious and think that EU regulations could be even worse than the EPA's.

Thanks a whole lot of nothing, EPA.  You're supposed to protect the environment. Oh, and not get Americans killed.

The only thing I think is unfair about the video is the title.  Engine manufacturers design their engines to fail after 10 years because the EPA forces them to.

You could roll back all the environmental regulations since 1990 and shutter the EPA and this Republic would be a whole lot better off. 

Thursday, January 29, 2026

Secure Your Home Network: Which of your devices can you trust?

And more importantly, which should you not trust? 

This post is the fourth in a series on how to make your home network harder to attack.  Here are links to posts one, two, and three.

Now you might think the question in the post title is a bit strange - after all, these are your devices, so you'd think that they're all trustworthy.  You'd be wrong.  There are at a minimum two different categories of trustworthiness:

Your main computing devices.  These are computers (duh) such as laptops and desktop computers, servers (a future post will talk about why these can be useful to you), and your cell phones (which are nothing but tiny hand held computers).

Now I've been in security for long enough that I get a bit twitchy about mobile phone security (I'll address this in a future post as well).  However, that ship has sailed and even a security nerd like me won't bother making a separate network just for these.  So they're computing devices for this discussion.

Then there's everything else.  It's surprising how many Internet-connected thingies there are these days.  Ring doorbells, Nest thermostats, online appliances (fridges, washing machines, etc).  At this point the Borepatch from four years ago would have told you to just walk away from all this nonsense.  Don't Internet-enable anything in this category.

Today's Borepatch sighs and tells you that this is coming to a home near yours.  It's here in my home.  No, not the thermostat (which was installed by the previous owner and which I have not connected to the WiFi).  However, the TVs all come with streaming apps for Netflix, Prime, and Youtube (among dozens of others).  And The Queen Of The World reminds me that the kids like to stream when they come and visit.  She likes it when they come and visit, as do I.  And so we have to do something for these devices.

Fortunately, you don't need any new kit to do this.  If you remember from the last post on watertight compartments, you don't own the Internet box from your network provider.  Basically, you can't trust it, so you install a new firewall box running DD-WRT.  It's trustworthy because you own it and have your own software and configuration on it.

All of your main computing devices connect to its WiFi.  All of the other devices (doorbells, thermostats, TVs, appliances) connect to the WiFi from your network provider's box.

What you've done is to put a firewall between your computing devices and your untrusted devices.  It doesn't matter if your TV gets hacked because it can't get through your DD-WRT firewall to your computers.

Likewise, your TV is at least somewhat protected from the outside world because it's behind the firewall in your network provider's box.
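The two-box layout above only protects your computers if each device actually joins the right WiFi.  The following is an added example (not the post's or DD-WRT's own code) that models the two stateful NAT firewalls and audits a device list for the common mistake of a computer joining the provider's WiFi; the 192.168.x.x addresses and the assumption that DD-WRT remote management on its WAN side is left disabled are mine, not from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the post): the provider's box
# serves 192.168.1.0/24 and its WiFi carries the TVs, doorbells, etc.
# The DD-WRT box's WAN port plugs into that network; its own LAN/WiFi
# serves 192.168.2.0/24 for the computers and phones.
UNTRUSTED_NET = ip_network("192.168.1.0/24")
TRUSTED_NET = ip_network("192.168.2.0/24")
DDWRT_WAN_IP = ip_address("192.168.1.2")


def segment(ip):
    """Which side of the DD-WRT firewall an address sits on."""
    ip = ip_address(ip)
    if ip in TRUSTED_NET:
        return "trusted"
    if ip in UNTRUSTED_NET:
        return "untrusted"
    return "internet"


def new_connection_allowed(src, dst):
    """Can src open a NEW connection to dst?  Both boxes are stateful NAT
    firewalls: they forward connections that start on their LAN side and drop
    unsolicited ones arriving on their WAN side.  Replies to established flows
    are handled by connection tracking and are not modelled here."""
    s, d = segment(src), segment(dst)
    if s == "trusted":
        return True  # DD-WRT forwards anything its own LAN initiates
    if s == "untrusted":
        if ip_address(dst) == DDWRT_WAN_IP:
            return False  # assumption: admin interface not exposed on WAN
        return d != "trusted"  # DD-WRT drops new inbound toward its LAN
    return False  # Internet-originated: both boxes drop unsolicited inbound


def audit(devices):
    """devices: {name: (ip, role)} with role 'computer' or 'iot'.
    Returns findings: computers that joined the provider's WiFi, and every IoT
    device that could then open a connection to a computer."""
    findings = []
    computers = [(n, ip) for n, (ip, r) in devices.items() if r == "computer"]
    for name, ip in computers:
        if segment(ip) != "trusted":
            findings.append(f"{name} is a computer but is on the untrusted network")
    for name, (ip, role) in devices.items():
        if role != "iot":
            continue
        for cname, cip in computers:
            if new_connection_allowed(ip, cip):
                findings.append(f"{name} can reach {cname} at {cip}")
    return findings
```

A laptop that joins the provider's WiFi shows up in `audit` twice: once for being on the wrong network, and once for every TV that can now open a connection to it.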