
Latest news with #Olejnik

The reason you don't have to worry about Android security almost went dark

Yahoo, 17-04-2025

Most users of technology don't have to consciously think about security vulnerabilities on their most-used devices, including Android-based products, very often. As long as you update your phone as soon as new security patches are available, you're usually covered. However, there's an intricate government-supported program operating to make that all possible, and it almost went dark today.

After roughly 24 hours of uncertainty, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it would continue funding the Common Vulnerabilities and Exposures (CVE) program on the day its previous contract was set to expire. Today, April 16, a spokesperson for CISA told The Verge that the agency "executed the option period on the contract to ensure there will be no lapse in critical CVE services." But it went down to the wire in a move that could've sent the entire globe into a tech security nightmare.

It all has to do with the CVE program, which identifies and tracks security issues in public view, from the point a potential problem is identified to the time when a proper fix is issued. It has nearly 500 partners that include security researchers, open-source developers, and major companies, including big ones like Google, Microsoft, and Apple. If the CVE program sounds familiar, that's probably because you've seen a CVE identifier mentioned in an article (like one of the many CVE-related ones on Android Central) or in the release notes of an update. They're also a major part of the monthly Android Security Bulletin releases. These identifiers, like CVE-2024-53104, start with CVE followed by the year and a sequence number, and together they form a universal database for tracking security flaws across devices, platforms, and companies. The CVE program has been active for 25 years, beginning in 1999.

It has become invaluable to the security community, serving as a universal way for researchers, developers, companies, and the public to work together to discover and patch crucial vulnerabilities. More importantly, it publicly states whether a vulnerability is believed to have been actively exploited by bad actors. Leading security researchers have pointed out the consequences of the CVE program shutting down, like Lukasz Olejnik on X (formerly Twitter). "The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability," wrote Olejnik, a scholar with advanced degrees in computer science and information technology law with specializations in privacy. "Total chaos, and a sudden weakening of cybersecurity across the board."

Luckily, it appears that the crisis has been avoided, as the federal government will continue to fund the CVE program for at least the near future. However, the decision coming down to the wire as the Trump administration slashes federal funding across the board puts the CVE program in a more uncertain position now than at any point in its 25-year history. "The CVE Program is invaluable to the cyber community and a priority of CISA," the spokesperson said in a statement to The Verge. "We appreciate our partners' and stakeholders' patience."

But that final green light didn't come quickly enough, as the security world had already started making plans to keep the CVE program up and running, even without federal funding. CVE board members created the CVE Foundation, a nonprofit planned in secret for the past year that would ensure the CVE mission continues. "CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," said Kent Landfield, an officer of the CVE Foundation, in a press release. "Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats." The foundation explains that it is concerned that having a single government sponsor could create "a single point of failure in the vulnerability management ecosystem."

The CVE program is a critical part of Android security, and it should be relevant to every single person who touches an Android-based device. Although government funding has been secured for now, the moves set in motion by the last-minute decision may not be reversed. The CVE Foundation is here, and it might be here to stay. There's no word on whether the CVE Foundation will continue to operate now that the CVE program has retained U.S. government funding, but the foundation said more information will be released "over the coming days." The immediate U.S. government funding doesn't solve the long-term problem the CVE Foundation has identified, the possibility of a single point of failure, so there still may be a reason for it to exist. Regardless of how this all plays out, the decision to fund the CVE program should never have come this close to ending a crucial global security program. Most of us have the luxury of not thinking about device security that often, and it's programs like CVE that allow us that privilege.

China's DeepSeek AI is watching what you type

Yahoo, 29-01-2025

China's DeepSeek, the free artificial intelligence chatbot that's undercutting American counterparts, has prompted worries about whether it's safe to use. While cybersecurity researchers say the app does not immediately appear to be uniquely dangerous, it still carries substantial privacy risks, both as an app that follows China's laws and as an artificial intelligence product that may collect and rearrange everything people tell it.

All large language models, or LLMs, the type of AI-driven advanced chatbot made famous by OpenAI's ChatGPT, are built by first amassing massive amounts of data, and work in part by collecting what people type into them. DeepSeek, though more efficient than ChatGPT, is no different. Under Chinese law, all companies must cooperate with and assist Chinese intelligence efforts, potentially exposing data held by Chinese companies to Chinese government surveillance. That system differs from the U.S., where, in most cases, American agencies need a court order or warrant to access information held by American tech companies.

But it's possible to use DeepSeek and minimize how much data you send to China. Using the app or the chatbot requires users to register an account, either with an email address or with a Chinese phone number, which most people outside China don't have. Lukasz Olejnik, an independent consultant and a researcher at King's College London Institute for AI, told NBC News that this means people should be wary of sharing any sensitive or personal data with DeepSeek. 'Be careful about inputting sensitive personal data, financial details, trade secrets, or information about healthcare. Anything you type could be stored, analyzed, or requested by authorities under China's data laws,' Olejnik said. Ron Deibert, the director of the University of Toronto's Citizen Lab, said that means DeepSeek users should be particularly cautious if they have reason to fear Chinese authorities. 'Users who are high-risk in relation to mainland China, including human rights activists, members of targeted diaspora populations, and journalists should be particularly sensitive to these risks and avoid inputting anything into the system,' Deibert said.

One way to reduce what you send to China is to register DeepSeek with a new email account, not one you already use for other important services. That could keep the app, or potentially Chinese intelligence services, from easily matching what you tell DeepSeek with who you are on other parts of the internet. For the more technologically savvy, it's possible to download the DeepSeek AI model and ask it questions directly, without having to go through the Chinese company processing those requests. That not only prevents China from seeing whatever information you give the model, but it also means little or no censorship of topics that are blocked in Beijing, Olejnik said.

DeepSeek has also prompted worries because its privacy policy declares that it collects a large amount of sensitive information from users, including what kind of device they're using and 'keystroke pattern or rhythms.' While some people may find that invasive, it is limited to what a person types into the app and not what they type into other apps, and it is not unheard of: TikTok and Facebook, for example, have had ways of tracking users' keystrokes and mouse movements.

Deibert cautioned that while there are risks to giving information to a Chinese LLM, American ones carry risks as well. 'The same risks apply to all AI platforms, including those based in the United States,' Deibert said. Deibert noted that many U.S. tech companies collect similar sensitive information, and that recently, they've worked to court President Donald Trump. 'Anyone who is remotely critical of the administration, is a watchdog of the administration, or is part of a vulnerable or at-risk community, should exercise serious caution before using or inputting any data into what are largely 'black boxes.' Remember, as with virtually all social media platforms, users' data is part of the raw material used to train those systems,' he said.

