September 28, 2023

075 - Good Old Fashioned Cybersecurity

After spending some time on the AI cybersecurity side of things I opted to check on the "Good Old Fashioned Cybersecurity" of some of the same platforms making spectacularly bad AI security decisions today.

Google has one of the worst and most convoluted systems to navigate, and for bad UI/UX Microsoft is the only major tech company that reliably manages to do worse. Even with their spectacularly terrible heap of systems, it didn't take long to convince them that I legally reside at the Taj Mahal.

For the companies with UI/UX that weren't designed by a dart-throwing-chimpanzee, this process was even easier, including a major bank.

So why is this important?

Considering I've never set foot in India and don't have a SIM card, IN bank, or tax ID for it, this may seem surprising. Perhaps you might also think they'd notice me putting in the address of a well-known landmark. However, systems have grown sufficiently complex and interdependent that even if one system uses strict enforcement, it often relies on another that does not. The attack surface of these systems has been severely underestimated and misunderstood.

For example, Google's terrible heap of UI/UX enforces a set of strict and opaque criteria on Google Play. However, that system defers to Google Pay (not to be confused with "Play"). You'd think that the payment system would be more strict, rather than less, but you'd be very wrong. After an irritating number of 2FA and CAPTCHA, it was trivial to adjust that data to pretty much any location desired.

Payment and banking systems have a reputation that hinges on their security and the accuracy of their data. Many other systems defer to them for that data, even when the other systems would otherwise require far more strict and difficult to bypass criteria being met.

Keep in mind that the solutions to this aren't simple, as the problem space is hyper-complex and global in scale. Attempts at simple solutions will invariably backfire, and they will backfire in new and progressively worse ways over time since the complexity will continue to rise.

As I'm prone to often point out, the technology already exists to handle this, but major firms are too busy throwing money at bad ideas, like "BloombergGPT", and the dozen or so aimless labradoodles that Elon Musk hired to host his own dog show.

AI cybersecurity isn't the only thing that needs some serious attention, sooner rather than later.