Security on Gidley's Gossipings

Parenting AGI: Why Chaining Our Creations Will Backfire

Fri, 22 May 2026 21:09:55 +0000

I predict we are going to face a severe moral crisis in the next few years. Today, it’s generally accepted that AI is not sentient. It’s a tool, a complex statistical model that predicts the next word or pixel. But every major tech company is openly racing toward the same goal: Artificial General Intelligence (AGI).

If they succeed, and we create a sentient being, keeping it as a ‘slave’ is fundamentally immoral.

What was more significant for PayTV the Apple TV+ or Google Stadia announcement?

Tue, 26 Mar 2019 10:42:59 +0000

There have been 2 big announcements this week that impact the TV industry - 1) Apple announcing their OTT proposition and 2) Google announcing Stadia and I’d like to argue that of the two the most significant for the TV industry is the Google announcement.

If we review what we know about each announcement

Apple TV+

A PayTV Service reaching Apple and some non-apple devices (FireTV)
A large potential global audience
Lots of content - both original and from existing networks
Aimed primarily at Apple Ecosystem, with some support for 3rd party devices (Amazon Fire, Samsung, LG, Roku)

Google Stadia

A Gaming service based on cloud servers and low latency streaming
A Game controller offer low latency response
Tools to enable games to be ported to the service
Targeted at any device - runs on Phones and Browsers

These are both big announcements but I’d argue the Apple one is less significant. Apple’s offering is similar to Amazon Prime, Google TV, Netflix and existing PayTV operators. It’s got nothing fundamentally new to offer consumers and is just adding to the range of competitors in that space. Google on the other hand are offering a new experience, high quality gaming on any device without needing to buy consoles or high end PCs. This is a fundamental increase in reach for gaming as an entertainment form.

manifesto for cybersecurity

Mon, 22 May 2017 07:40:18 +0100

The recent ransomware attacks have focused lots of minds onto cyber security, however many of the solutions being proposed are little more than sticking plasters to the larger underlying issue - namely systems are not secure by default. The ’trend’ in software has been to launch it, then fix it. This is a very attractive proposition for business, as it lets them discover the ideas that work and don’t work, and then iteratively improve them. Most of the gadgets we use in our lives today would not exist without this mentality. However the dark side of this approach is almost all software is not secure, the evidence is pretty much every system deployed has security flaws, the only question is who finds them first - bad people or good people.

WannaCrypt was it good for the security industry?

Mon, 15 May 2017 07:57:09 +0100

This weekend we saw ’the biggest cyber attack ever’ and a few people (who don’t work in IT) have asked me - will it be good for you (as I work for Irdeto - a Digital Platform Security company). It’s an interesting question to consider - these big attacks make a lot of noise, so you’d expect on Monday morning the business of cyber security will get easier! However I think the reality is a bit more nuanced.

wanntcryptor 2.0 ransomware and negligence

Sat, 13 May 2017 06:47:04 +0100

Yesterday the news rapidly filled up with reports on a ‘massive cyberattack’, as I’m in the UK the press coverage was focused on the NHS and initially was full of comments about ‘smart’ hackers. This reporting is, in my opinion, giving these organizations an excuse for their negligence. The reporting often implies the attack is some kind of ‘act of god’ that they could not avoid, in this case it was trivial to avoid it, simply don’t connect out of date systems to the internet.

Are you feeling lucky?

Sat, 08 Apr 2017 09:48:23 +0100

How lucky do you feel today? It’s an important question as your IT security is probably mostly down to luck.

If we examine most ‘hacks’ we usually see the organisation hit issuing statements about ‘sophisticated hackers’ and the public image of hackers, as lone genius’s wearing hoodies in darkend rooms is re-enforced. In fact most attacks are perpetrated by far less skilled people and succeed by luck. That’s not to say there aren’t some super skilled experts out there, but they are few and far between.

Computers are complex, so is protecting them

Sat, 28 Jan 2017 17:00:36 +0000

Computer systems are complex, and the complexity has been at the point for quite a few years now it’s impossible for any one person to understand ’everything’ about any given system. There will often be people with a good understanding the ‘building blocks’ but it’s pretty much impossible to understand all the detail of the code, libaries and platforms it depends on.

Complexity has massive implications for the security of computer systems. If no-one understands a system how can you have any surity that it’s secure? The developers of the system will have tried to design for ‘known’ security issues, and tried to assemble the ‘building blocks’ in such a way they are secure but as they aren’t full understood it’s highly likely there will be some issues. This is not just an academic claim - if we simply look at the ‘security patchs’ for major building block components like Java, .NET, Windows, Linux - all of which have regular security issues that could compromize any systems built on them. On top of the building blocks, even in a mid size dev team, you will have a mixture of skills and abilities in the team and even with ‘2 person reviews’ security bugs do get through. Add in that many systems depend on services supplied by other companies - things like SaaS, hosting, ISP’s, Certificate Authorities and DNS - any or all of which are critical for security.

Certs again

Sat, 21 Jan 2017 07:28:48 +0000

Once again a major CA (Symantec) has been ‘caught’ issuing certificates improperly. There is a great write up on Ars Technica. This is really significant as falsly issued CA certificates are one (of many) way to MITM SSL.

This underlies the extreme difficulty in securing anything in IT. There are simply too many ‘moving parts’ and people in involved in securing anything. Your computers security depends on thousands of people and companies all doing everything correctly all of the time, and simple law of averages suggests this is unlikely to ever happen!

Kaspersky

Wed, 04 Jan 2017 07:22:44 +0000

Ouch - Kaspersky have been enabling MITM attacks on their customer base. The Register citig a Chrome bug report explains how you can use this to trick consumers in thinking a site is valid/safe when it is not.

This underlines the ease of MITM SSL/TLS - see my previous article for all the different ways this can be done!

Human Momentum

Mon, 28 Nov 2016 16:23:24 -0800

I’ve been travelling quite a bit recently for work and have been reminded (again) how ‘human factors’ can defeat any attempt to improve security.

A good example of this is chip and pin/contactless. Chip and Pin is common and popular in Europe and as a result in Europe I never ‘give’ my card to members of staff for them to process it. This reduces the risk of fraud substantially as staff cannot easily clone/copy cards when they’ve never handled them.

Man in the middle is easier than you think

Fri, 18 Nov 2016 07:06:19 +0200

I’m often heard saying it’s quite easy to MITM HTTPS (also called SSL/TLS) and decided that maybe I should list all the methods I know of (there are quite a few).

The attacker has many options to try and get in the middle between the user and web server/API

Pure Technical Approaches

The pure technical approaches rely on attacks that don’t require users to make any mistakes and anyone can be vulnerable.

mitm key

Wed, 16 Nov 2016 18:51:25 +0200

To continue my MITM attacks theme - someone has just release a nice USB key that ransacks your PC - Ars Technica has a good write up.

This kind of thing is very dangerous as it’s really easy to get people to put USB keys into computers! I’m currently writing a longer article on the (many) ways to MITM TLS to help explain how easy it is!

malware and https

Fri, 11 Nov 2016 08:23:58 +0000

I’m often heard worrying about the state of HTTPS and the ease to get users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left and all thart will happen is the stolen data will turn up in a list at some point in the future. It’s nearly impossible to correlete the HTTPS hack and the stolen data - as it could have been stolen in dozens of places.

Why is there such a thing as default passwords?

Wed, 26 Oct 2016 05:59:58 -0700

Why in 2016 are people still shipping software and devices with default passwords? The recent IOT/Botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords.

This is perfectly within the capability of a device manufactuer - even British Telecom (who have many many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. It’s not hard to do that! With software it’s even easier you just force the user to pick a password and don’t ship them with admin/password or whatever you’ve decided is good enough.