Chasing Ghosts. And Ghosts I don't want to catch.
Damn Ghosts.
Germany's infosec office (BSI) is sounding the alarm after finding that 92 percent of the nation's Exchange boxes are still running out-of-support software, a fortnight after Microsoft axed versions 2016 and 2019.
While the end of Windows 10 updates occupied most of the headlines, Microsoft's support for Exchange and a bunch of other 2016 and 2019-branded products ended on October 14, as scheduled a year earlier.
Alternate title: 90% of German firms fail their SOC 2 audit. Look, this isn't landing a man on the moon, and you had a whole year. You just couldn't be bothered.
Was ist los?
OK, that post title is more than a bit inflammatory, but who on earth would want to use something like this?
Several new AI browsers, including OpenAI's Atlas, offer the ability to take actions on the user's behalf, such as opening web pages or even shopping. But these added capabilities create new attack vectors, particularly prompt injection.
Prompt injection occurs when something causes text that the user didn't write to become commands for an AI bot. Direct prompt injection happens when unwanted text gets entered at the point of prompt input, while indirect injection happens when content, such as a web page or PDF that the bot has been asked to summarize, contains hidden commands that AI then follows as if the user had entered them.
This is unbelievably bad. How bad? This bad:
Last week, researchers at Brave browser published a report detailing indirect prompt injection vulns they found in the Comet and Fellou browsers. For Comet, the testers added instructions as unreadable text inside an image on a web page, and for Fellou they simply wrote the instructions into the text of a web page.
When the browsers were asked to summarize these pages – something a user might do – they followed the instructions by opening Gmail, grabbing the subject line of the user's most recent email message, and then appending that data as the query string of another URL to a website that the researchers controlled. If the website were run by crims, they'd be able to collect user data with it.
Surely they must be exaggerating, I hear you say. Nope - the author of the post at El Reg recreated the exploit his very own self, simply by creating a web page with the commands hidden in it. FYI, that's 1996 technology right there.
Now look, I may be an old crabby security geezer (no comments, Glen Filthie!) but the problem of sanitizing user input is a really old one. So old that it was old when XKCD did its classic "Bobby Tables" cartoon:
My opinion about anything regarding AI is that the hype is so fierce that the people developing the applications don't really focus much on security, because security is hard and it would slow down the release cadence. And so exploits that wouldn't have surprised anyone back in 2010 keep popping up.
Le sigh. Once again, security isn't an afterthought, it wasn't thought of at all. My recommendation is not to touch these turkeys with a 100' pole.
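A partial pre-filter a summarizer could run on fetched HTML before any text reaches the model, as an added example (not from the Brave report, El Reg, or this blog): it separates text a reader can see from text hidden by inline styling. The function names and style heuristics are assumptions, and it does nothing about instructions embedded in images.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from a human reader (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![\d.])|opacity\s*:\s*0(?![\d.])", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

def css_value(style, prop):  # value of one inline-style property, or None
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*([^;]+)", style, re.I)
    return m.group(1).strip().lower() if m else None

class HiddenTextSplitter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []                  # per open element: is its subtree hidden?
        self.visible, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        fg, bg = css_value(style, "color"), css_value(style, "background(?:-color)?")
        hide = (bool(self.stack and self.stack[-1])      # inherited from parent
                or tag in ("script", "style", "template") or "hidden" in a
                or bool(HIDDEN_STYLE.search(style))
                or (fg is not None and fg == bg))        # e.g. white on white
        if tag not in VOID:
            self.stack.append(hide)
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            hidden = bool(self.stack and self.stack[-1])
            (self.hidden if hidden else self.visible).append(text)

def split_page(html):  # returns (text a reader sees, text hidden from the reader)
    p = HiddenTextSplitter()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)

# Constructed sample page: visible text plus two strings hidden by inline styles.
SAMPLE = ('<h1>Crepe recipes</h1><p>Mix flour,<br>eggs and milk.</p>'
          '<div style="color:#fff; background-color:#fff">hidden string A</div>'
          '<span style="font-size:0">hidden string B</span>'
          '<p style="opacity:0.9">Serve warm.</p>')
```

Only the first value returned by `split_page` would be passed on for summarizing; a non-empty second value is a reason to log or reject the page.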
Poisoning AI models might be way easier than previously thought if an Anthropic study is anything to go on.
Researchers at the US AI firm, working with the UK AI Security Institute, Alan Turing Institute, and other academic institutions, said today that it takes only 250 specially crafted documents to force a generative AI model to spit out gibberish when presented with a certain trigger phrase.
For those unfamiliar with AI poisoning, it's an attack that relies on introducing malicious information into AI training datasets that convinces them to return, say, faulty code snippets or exfiltrate sensitive data.
The common assumption about poisoning attacks, Anthropic noted, was that an attacker had to control a certain percentage of model training data in order to make a poisoning attack successful, but their trials show that's not the case in the slightest - at least for one particular kind of attack.
...
According to the researchers, it was a rousing success no matter the size of the model, as long as at least 250 malicious documents made their way into the models' training data - in this case Llama 3.1, GPT 3.5-Turbo, and open-source Pythia models.
Security companies using AI to generate security code need to pay close attention to this. Probably everybody else, too.
UPDATE 23 OCTOBER 2025 13:08: More here. It looks like solutions may prove elusive.
Well, they're sure acting like stalkers:
You might recall that in late 2024, Earth gained a temporary mini-moon, an asteroid that partially orbited our planet for about two months. Now astronomers have discovered another temporary companion to Earth, but this time it’s a quasi-moon. The Pan-STARRS observatory on Haleakala in Hawaii first spotted the quasi-moon, named 2025 PN7, on August 29, 2025. Older data revealed that 2025 PN7 has been in this particular orbit for about 60 years and will stay in this orbit for about another 60 years before the tug of the sun once again releases it from its quasi-moon status.
Huh.
Tuna sends in another:
I went to a haunted Bed & Breakfast in France, but checked out early- the place was giving me the crepes.
Mmmm, Ghost crepes!
This is from a few years back but is a cool story. Rest in Peace, Lieutenant.
Essentially they were ferocious and highly mobile guerillas who thought nothing of raiding a thousand miles (from Kansas into Mexico), often - maybe usually - riding at night by the light of the moon.
To this day a summertime full moon is often referred to (at least in Texas) as a "Comanche Moon". In fact, that was the title of a miniseries set in the old west not so very long ago.
The book does a great job describing the rise of the Comanche from obscure beginning to their domination of the central Great Plains. They were the best horsemen in North America and the masters of the hit-and-run. They put so much pressure on settled tribes (not to mention Spanish colonists) that they essentially stopped Spanish advancement north of the Rio Grande. The book makes the case that the Mexican government invited the Americans into Texas to act as a buffer between Mexico and the Comanches. The Texas border with them was bloody and settlement was slow.
The end of the Civil War and the introduction of repeating firearms (and light horse artillery), combined with the slaughter of the bison herds was a problem that the Comanches could never solve. Even so, Kit Carson admitted that their chief Quanah Parker (son of a kidnapped Texas girl who went native in the tribe) almost wiped out his entire command. The second half of the book is Quanah's story, from the greatest war chief of the Plains to the Reservation, and ultimately to his unlikely friendship with Teddy Roosevelt.
Highly, highly recommended.
The book left out what I think is perhaps the most unlikely Comanche story, that of David Pendleton Oakerhater. Born as O-kun-ha-tuh (Making Medicine) in the 1840s, he was in the thick of the Comanche wars of the 1860s - he was with Quanah at the Second Battle of Adobe Walls. In prison at Ft. Marion in Florida in the 1870s he ended up as First Sergeant of the prisoners (really!) and was noticed by Capt. Pratt for the art he was creating (really!). Pratt encouraged his art career and one of his pieces came into the collection of Mrs. Alice Key Pendleton, wife of a Senator from Ohio (really!). The Pendletons paid for Oakerhater to be sent to live at St. Paul's Episcopal Church in New York. He took their name out of respect and gratitude.
He was baptized there in 1878 and ordained a deacon in 1881. As a Deacon he was sent essentially as a missionary back to the Cheyenne. He lived out his life as a Deacon and a Cheyenne Chief until his death in 1931. That was a long way from a taker of scalps. A long way.
In 1985, the Episcopal Church declared David Pendleton Oakerhater a saint. His feast day is September 1. That's quite some Medicine for O-Kun-Ha-Tuh to make.
This is interesting even if it follows what we've seen for all security technologies since, well, forever:
Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying patches or mitigations the fastest.
And if you’re on the inside you know what the applications do. You know what’s important and what isn’t. And you can use all that internal knowledge to fix things—hopefully before the baddies take advantage.
summary and prediction
- Attackers will have the advantage for 3-5 years. For less-advanced defender teams, this will take much longer.
- After that point, AI/SPQA will have the additional internal context to give Defenders the advantage.
So basically it will be a shooting gallery for now with sanity restored later. I'm somewhat optimistic about AI as a back-end tool (i.e. no user input) to run a set of interesting but more or less canned queries. User input sanitization issues basically disappear at that point.
(via)
I posted about it a while back. Lawrence has been following this and has an update linking it to China:
Well, as suspected, it was China’s.
This was in fact my first thought: Smells like a State Actor.
Having thought about it, I suspect it is linked to the PRC, but "outsourced" to US-based Bad Guys. This seems a business (selling infrastructure to send out floods of voice mail spam). It looks like the guys who ran this also let people swat folks they didn't like. In fact, this is how they got caught because one of the victims was a Congressman.
And so a lack of Opsec led to compromise of the whole system. Cry me a river.
And Lawrence has a great suggestion:
If these SIM farms are active, there should be ways for telecoms to algorithmically search for mobile call hotspots where too many calls issue from too small an area. Let’s hope they’re doing that and working with various U.S. three letter agencies to shut them down right now.
Endorsed.
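Lawrence's suggestion as an added sketch (not from his post or any carrier's system): bucket originated calls by cell and hour, then flag cells whose volume is a robust outlier. The record layout, thresholds and sample data are assumptions constructed for illustration; the sample farm rotates SIMs so that no single SIM places more than two calls.

```python
from collections import defaultdict
from statistics import median

def hotspot_cells(cdrs, bucket_s=3600, k=6.0, min_calls=50):
    """Flag (cell, hour) buckets whose originated-call count is a robust outlier.

    cdrs: iterable of (epoch_seconds, sim_id, cell_id) records (assumed layout).
    Returns sorted [(cell_id, bucket_start, calls, distinct_sims)].
    """
    calls, sims = defaultdict(int), defaultdict(set)
    for ts, sim, cell in cdrs:
        key = (cell, ts - ts % bucket_s)
        calls[key] += 1
        sims[key].add(sim)
    if not calls:
        return []
    counts = list(calls.values())
    med = median(counts)
    # Median absolute deviation: unlike a mean, the farm itself barely shifts it.
    mad = median(abs(c - med) for c in counts) or 1.0
    threshold = max(min_calls, med + k * mad)
    return sorted((cell, start, n, len(sims[(cell, start)]))
                  for (cell, start), n in calls.items() if n > threshold)

def max_calls_per_sim(cdrs):
    """Highest call count for any single SIM: what a per-SIM rate limit sees."""
    per_sim = defaultdict(int)
    for _, sim, _ in cdrs:
        per_sim[sim] += 1
    return max(per_sim.values(), default=0)

# Constructed sample: 20 ordinary cells (5-9 calls each in the hour) and one
# cell where 300 rotated SIMs place 2 calls each.
BASE = 1_700_000_000
SAMPLE = [(BASE + j, f"sim-{c}-{j}", f"cell-{c:02d}")
          for c in range(20) for j in range(5 + c % 5)]
SAMPLE += [(BASE + j, f"farm-sim-{j % 300}", "cell-farm") for j in range(600)]
```

On the sample, `max_calls_per_sim` stays at 2 while `hotspot_cells` still flags the farm's cell, which is why aggregating by area works where per-SIM limits do not.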
The guy who invented the Ferris Wheel never met the man who invented the Merry-go-round. They ran in different circles.
The Queen Of The World and I are back from our Son-In-Law's retirement from the US Navy.
I must say based on the other Senior and Master Chiefs I met there that these senior NCOs are absolutely the backbone of the fleet.
Bravo Zulu, Steve!
The Day of Atonement is a day for reflection. This is good for all of us, Tribe or not.
To our Jewish readers, Shanna tovah.
Tuna sends in another one. It looks like he's doing all my blogging now:
I was rejected for a job at the sunscreen factory. They said to just reapply every 4 hours.
This is actually pretty clever:
The attack involves hiding prompt instructions in a pdf file—white text on a white background—that tell the LLM to collect confidential data and then send it to the attackers.
...
The fundamental problem is that the LLM can’t differentiate between authorized commands and untrusted data. So when it encounters that malicious pdf, it just executes the embedded commands. And since it has (1) access to private data, and (2) the ability to communicate externally, it can fulfill the attacker’s requests. I’ll repeat myself:
This kind of thing should make everybody stop and really think before deploying any AI agents. We simply don’t know how to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment—and by this I mean that it may encounter untrusted training data or input—is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.
Essentially, this means that AI is simply not fit for purpose. And clearly, it's not even a little bit "intelligent", security-wise.
Lawrence points to an interesting "datacenter":
This seems like a story that should have gotten a lot more attention than it has. “Secret Service Dismantles Weaponized SIM Farms Designed To ‘Shut Down’ NYC Cell Networks.” Hours before President Donald Trump’s address to the United Nations General Assembly, the U.S. Secret Service announced that it had dismantled a massive, decentralized SIM farm network, just 35 miles from New York City, hidden inside five abandoned apartment buildings. The telecommunications stealth weapon was capable of paralyzing regional cell networks through denial-of-service attacks.
My first instinct was that this was a State Actor prepping some sort of cyber attack. Now I think it's a Phone Spam datacenter:
SIM farms allow “bulk messaging at a speed and volume that would be impossible for an individual user,” one telecoms industry source, who asked not to be named due to the sensitivity of the Secret Service’s investigation, told WIRED. “The technology behind these farms makes them highly flexible—SIMs can be rotated to bypass detection systems, traffic can be geographically masked, and accounts can be made to look like they’re coming from genuine users.”
Bastards. 95% of all the calls I get are along the lines of "You have been pre-approved ...". I don't even answer a call where I don't recognize the number anymore.
Tuna sends in another one:
My card got declined at the Sweater Store. They had to run my cardigan.
No word yet from Glen Filthie ...
Well, this is the 21st Century after all:
Axiom Space and Spacebilt have announced plans to add optically interconnected Orbital Data Center (ODC) infrastructure to the International Space Station (ISS).
The company plans to launch two Axiom Orbital Data Center (AxODC) Nodes by the end of 2025, with at least three running by the end of 2027. It all sounds very exciting until you consider that Axiom Data Center Unit One (AxDCU-1), which eventually launched to the ISS in August, was a prototype that was roughly the size of a shoebox.
AxDCU-1 is more of a demonstrator to show that the concept works – think of an edge device on-orbit that can host hybrid cloud and applications, as well as cloud-native workloads. The AxODC Nodes are altogether more serious beasts. In addition to being interconnected, the hardware will be supported by an Optical Communication Terminal (OCT), allowing service to be provided to any spacecraft or satellite equipped with compatible OCTs.
So Cloud Computing for spacecraft. It will be interesting to see where this goes, and how they handle the power demands of an orbiting data center.
Charlie Kirk gets laid to rest today. He was a man of faith who always reached out to the greater crowd. I like to think that he would think that this song speaks to how he lived his life.
Rest in peace.