Connect with us

Tech

Cybersecurity can protect data. How about elevators?

Published

on

Cybersecurity can protect data. How about elevators?


Advanced cybersecurity capabilities are essential to safeguard software, systems, and data in a new era of cloud, the internet of things, and other smart technologies. In the real estate industry, for example, companies are concerned about the potential for hijacked elevators, as well as compromised building management and heating and cooling systems.

According to Greg Belanger, vice president of security technologies at CBRE, the world’s largest commercial real estate services and investment company, securing the enterprise has grown more complex—security teams must be familiar with controls and hardware on new devices, as well as what version of firmware is installed and what vulnerabilities are present. For example, if a heating, ventilation, and air-conditioning (HVAC) system is connected to the internet, he questions, “Is the firmware that’s running the HVAC system vulnerable to attack? Could you find a way to traverse that network and come in and attack employees of that company?”

Understanding enterprise vulnerabilities are crucial to safeguard physical assets but investing in the right tools can also be a challenge, says Belanger. “Artificial intelligence and machine learning need large sets of data to be effective in delivering the insights,” he explains. In the era of cloud-first and industrial internet of things, the perimeter is becoming far more fluid. By applying AI and machine learning to data sets, he says, “You start to see patterns of risk and risky behavior start to emerge.”

Another priority when securing physical assets is to translate insights into metrics that C-suite leaders can understand, to help boost decision-making. CEOs and members of boards of directors, who are becoming more security savvy, can benefit from aggregated scores for attack surface management. “Everybody wants to know, especially after an attack like Colonial Pipeline, could that happen to us? How secure are we?” says Belanger. But if your enterprise is able to assign merit to various features, or score them, then it’s possible to measure improvement. Belanger continues, “Our ability to see the score, react to the threats, and then keep that score improving is a key metric.”

That’s why attack surface management is critical, Belanger continues. “We’re actually getting visibility to CBRE as an attacker would, and oftentimes these tools are automated. So we’re seeing far more than any one hacker would see individually. We’re seeing the whole of our environment.”

This episode of Business Lab is produced in association with Palo Alto Networks.

Full transcript

Laurel Ruma: From MIT Technology Review, I’m Laurel Ruma, and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace. Our topic today is securing physical assets. Obviously, there has been a lot of focus on the cyber part of cybersecurity, but enterprises also have physical assets, including oil and gas infrastructure, manufacturing facilities, and real estate. When you throw in mergers and acquisitions, unlimited cloud instances, IoT sensors, and devices everywhere, a company’s attack surface can be broad, vulnerable, and largely unknown.

Two words for you: Hijacked elevators.

My guest is Greg Belanger, vice president of security technologies at CBRE. CBRE is the world’s largest commercial real estate services and investment firm, with more than 100,000 employees worldwide.

This episode of Business Lab is produced in association with Palo Alto Networks.

Welcome, Greg.

Greg Belanger: Hello.

Laurel: To start off, it’s often said that every company is a technology company. So how does cybersecurity play a role within commercial real estate? Physical security is likely something most people are familiar with, but what about when it comes to systems, sensors and data?

Greg: CBRE has been on a digital transformation journey for the past five years in anticipation of our market changing. In the past, no one thought of commercial real estate as a software or technology company, but we’re changing that. We’re looking at what’s happened to other industries like Uber. What Uber did to taxis and Airbnb did to hotels, we want to make sure that CBRE is at the forefront of that. So we’ve decided to disrupt ourselves and transform into a technology company. We’re a commercial real estate company with technology and data as differentiators. With all of that, there’s a lot more innovation, applications, migration to the cloud and smart building technologies. CBRE’s leadership knew early on that we needed to have an advanced cybersecurity capability to safeguard our clients worldwide in the new era. So ensuring the safety of our software and safeguarding our data are top priorities for this company year over year.

Laurel: That’s really interesting because you’re right. People don’t necessarily think about how a real estate company could be a technology company. Has it been a difficult five years? Do you think it’s taken folks a while to understand the importance and urgency of this digital transformation?

Greg: It’s been a great five years. It’s been a change for them, certainly, but there was a lot of change being introduced by the soft side of the house. So changing from a commercial real estate company to a company that leverages commercial real estate and software to run those buildings, to leverage the data that we have about people, that’s been a big change as well. They not only did security change, but they moved to practices like agile software development, mobile technology, and things like that. Security was just another layer that was added on top of the already existing change. That’s why we didn’t have a CIO. We had a chief digital transformation officer at the helm.

Laurel: That’s an interesting setup, because then cybersecurity just becomes completely integrated in whatever you do. It’s not considered a separate add-on.

Greg: Absolutely. I was actually hired to be the vice president of devSecOps, which was integrating security into all of these agile software development practices. Security was focused on where we were five years ago—when you’re ready to go live, we’ll test you and tell you whether or not you’re going to get to go to production. Now, we work closely with our developers as partners, and we’re trying to shift as far left as we possibly can. So running tests and giving them design ideas, threat modeling, things like that to try and make sure that whatever software they release is ready to go on day one.

Laurel: Just to give folks an understanding of what devSecOps is, so devOps is a practice of continuous software development with an IT operations focus, and then you add in security. So then you’re actually pulling in all of these teams to build better software for the company in general and also protect it.

Greg: Absolutely right. The key to that is we wanted security to be as automated as possible. When you think of devOps, it’s taking a lot of that process of building software and deploying software and doing it continually. We wanted to make sure that security was in that same light. As you got ready to develop software and migrate software, that security was involved at key steps along the way.

Laurel: I once had a hair-raising conversation with an executive about hijacked elevators. Could you give our listeners some examples of specific cybersecurity problems that buildings and real estate services might encounter that are different than necessarily, say, an Uber?

Greg: Absolutely. Hijacked elevators, building management systems, HVAC systems are all a concern. You hear a lot about these things in the news, something that we experienced personally. We’re looking at developing mobile applications that you can embed on your phone and then use things like Bluetooth Low Energy to actually open doors to our buildings. So when you think of physical security, there’s a touch point now with information technology and the industrial internet of things. We actually developed an application that will allow an employee to come in and use their phone to unlock a door, to get access to their workplace.

If you’ve ever worked somewhere that’s so large that they have to give you a map to go from one place to another in an office, we developed what we call waypoint technologies to allow users with this mobile application to navigate between where they’re sitting and where the conference room was and give them feedback along the way. All of that is done through Bluetooth and integrations into mobile. We as security professionals have to safeguard that.

We had to look at this mobile device, which was connected to a sensor, and that sensor was connected to a gateway, and that gateway was connected to the internet, but how did that all work? How did data get in? How did it get out? Making sure that those devices are on separate, segmented networks. Those are all critical concerns for us. We also ran penetration tests against these applications and devices to make sure they were safe.

We’re looking at all the risks of these new technologies as part of our modern skillset, and we’re looking at software developers. They’re making these technologies, and infrastructure teams are standing them up, as we try to secure the enterprise.

Laurel: A little bit more about penetration testing or pen testing — that’s when you were actually trying to see how secure your network and environment is?

Greg: That’s right. We’re paying people to try and break in. Hacking is not a crime. We’re trying to pay ethical hackers to break into our systems to tell us where bad guys, real bad guys might actually find ways to explode our systems.

Laurel: So we’re really talking about something that goes beyond a smart building. When we look at the recent cybersecurity breaches, for example, the water treatment hack down in Florida, what we see that the surface area of a building or a company is actually quite broad, and maybe shows places that are not the most obvious for people or pen tests or unethical hackers to actually hack into a building or a company.

Greg: That’s right. It’s a relatively new field. There are a number of great companies that are looking at this operational technology (or OT) to try and pen test to find what vulnerabilities exist. It’s a different discipline. You have to be familiar with some of the controls or some of the hardware that govern these environments, what kind of firmware is employed on those devices, and then what kind of vulnerabilities are actually present in that firmware.

It’s slightly different from the IT penetration test or things that we normally understand as drivers and libraries that could have vulnerabilities built into those as well. Then add to that, there are now touchpoints. So if you’ve got an HVAC system that’s connected to the internet, is the firmware that’s running the HVAC system vulnerable to attack? Could you find a way to traverse that network and come in and attack employees of that company? So those are some key concerns for us.

Laurel: Having the right tools to defend an enterprise is also a challenge as security continues to evolve, to face various counter threats. Some of that may be more automated like artificial intelligence, but what’s crucial is understanding your enterprise’s vulnerability, right? So the possible attack surface of your entire company, correct?

Greg: Absolutely. Artificial intelligence and machine learning need large sets of data to be effective in delivering the insights. In the era of cloud-first and industrial internet of things (IIoT), this perimeter that you’re trying to gain information about is becoming far more fluid. Traditionally, the perimeter was well-defined. It was hardened against attack, but now with cloud instances, IIoT devices may show up on your network and could be exposed to the internet without much warning. Even in the era of traditional perimeter days defenses, seeing your company as an attacker would from the outside in was a difficult task.

Now, we have more modern tools that are not only surfacing these systems in real time, but alerting you to the vulnerabilities that could impact your scores. We see things like shadow IT, misconfigured IoT devices, cloud systems, in addition to a lot more visibility into what’s going on in our offices worldwide. Applying AI machine learning to that dataset, and you start to see patterns of risk and risky behavior start to emerge.

Laurel: When you consider outside-in, how do you look at that—as an outsider looking into your company and possible areas to exploit?

Greg: The concept of some of these attack surface management tools is they give us the same visibility that anybody on the internet would have to our company. It’s difficult to see our company in totality. When you think of a company the size of CBRE, where are all of your digital assets? Do you know for a fact that somebody hasn’t stood up a website on a cloud hosting provider, say, in South Africa and then used your logo and your name, and used it for some sort of innocuous marketing purpose, but that still could have an impact on your brand? Those types of things aren’t always surfaced through normal tools that we have scanning our known environment.

So looking at attack surface management, we go out and we identify all of these assets that may be related to CBRE. Then the other task for us is to go in and look at these assets and actually correlate them with identity, the CBRE IP space. So we’re actually getting visibility to CBRE as an attacker would, and oftentimes these tools are automated. So we’re seeing far more than any one hacker would see individually. We’re seeing the whole of our environment.

Laurel: So this is how you measure your attack surface.

Greg: Exactly.

Laurel: You try to find everything you possibly can. Some organizations use this inventory as a metric, like how fast does it actually take to measure all of your assets to do a full asset inventory and then compare it to what the attackers see? As you mentioned, one attacker may only see one thing, but attackers often work as a team, as we saw this recently with the Colonial Pipeline exploit. So how does this give companies a leg up?

Greg: It’s a journey. You have to look at when you start out with attack surface management, your platform of choice is going to identify a lot of assets that may or may not be associated with your company. So the first thing you’re going to look at is what percentage of assets have we identified positively as our assets? The first metric is, how many have you discovered? How many have we identified? What remains to be done? From there, we personally moved on to look at our next five big topics. So things like: Did our attack surface management tool reveal expired certificates, cloud accounts that we may not have been aware of? Did we detect any malware coming out of one of our points of presence?

I’ll give you an example: We had an instance where they detected malware coming out of one of our offices in Europe, and so we immediately sprang into action. We tried to identify what asset it was. For the life of us, we couldn’t identify what asset that was. We looked at the asset tag. It was a laptop, but we didn’t have it on our network. It wasn’t associated with a user. We came to realize because of that, that our guest network was coming out of the same point of presence from that office, and so that was something. It was thankfully not a real malware incident, but somebody that was a guest in our network had something that was an affected asset.

So those are the types of insights that we started to glean from attack surface management over the past three years. Now, we’re looking to get more advanced and look at aggregating all of these things into an aggregate score, much like a credit score.

Laurel: That’s amazing, you could spring into action quickly when you noticed something not quite right in a global network like that. This seems urgent, right? So how do you actually express to your fellow peers and vendors and all the partners down the entire chain and ecosystem, how important it is to recognize attack surface management? Also, for you yourself, do you find yourself a pioneer or maybe a parade leader where you’re leading the way for a lot of other companies to understand that this kind of technology and way of thinking about security is here, like it’s a real thing?

Greg: As much as I would like to be called a visionary, I’m certainly not a visionary, but these are concepts that have been known for a while. They’re just now starting to get large-scale adoption. When I started talking about attack surface management, it was not easily understood.

Once you explain what it is you’re doing and what the attack surface management tools will actually give you, that light bulb moment occurred very quickly. Our CISO immediately saw the value in this tool, immediately said we need to absolutely make sure we identify all of our assets. What more can we glean from these systems? It was great. We saw shadow IT. We saw cloud accounts that we didn’t know existed. We saw misconfigured devices or certificates that were about to expire. So the value of that becomes immediately apparent, but it is something that does take a little bit of explaining.

Laurel: So when you talked about the aggregated score for attack surface management, that sounds like something that is a bit more comprehensible to a board and various CEOs and other executives. So you can say we’re improving, or we’re not doing as well this year or quarter as we look at the scores in aggregate one by one. Do you think that this tallying, or way of bringing a scorecard to security, will help that discussion with CEO’s, executives, and boards in general?

Greg: Absolutely. It’s long been a difficulty. Everybody wants to know, especially after an attack like Colonial Pipeline, could that happen to us? How secure are we? What’s our score, or is there a metric you can give me to tell me whether or not I’m safe, or our program is effective? Oftentimes, we’ll give them a variety of metrics. Here are all the vulnerabilities that we have. Here are the malware instances that we’ve detected and cleaned. Here are all of the security incidents that we see each and every day. But those don’t necessarily translate into, are we safe? Are we getting better? Are there areas where we can focus? So as we look at giving one metric, it certainly helps clarify that picture. If you can explain how that metric was derived, how it was a host of factors like certificates, or vulnerabilities, or configuration, and what about the aggregate of your application scanning your application security testing?

If you look at how we’ve reduced all of our high risk vulnerabilities from an application security perspective, that factors into it. So coming up with that formula, that is certainly difficult. It is something that is a challenge, and folks like myself in security thrive on those kinds of challenges. But that’s certainly where I see the CEOs and boards of directors who are definitely becoming more security savvy, that’s where I see them wanting that metric to go. They want to see a score that gives them a sense of comfort that we’re doing better, and this is not something static. It’s not something that will always improve because new vulnerabilities, new attacks occur all the time, and that score will change. But our ability to see the score, react to the threats, and then keep that score improving is a key metric for us.

Laurel: Do you feel that boards and executive teams are becoming more security savvy? I mean, it’s impossible, right, not to see the headlines almost every week now of one breach or another, but is that filtering through?

Greg: Yeah. I personally know, for us, we always get an annual list of priorities that come out of our CEO and our board. Since I’ve been at my company at CBRE now, it’s been our number one or number two priority every single year. So it is a top priority, because they see the headlines.

As any security professional will tell you, any time something comes out of vulnerability, a zero day, an attack like Colonial Pipeline, we all get asked the same question. Could that happen here? Are we at risk? So those types of things are absolutely pressing on our board’s mind. The thing that is interesting to me is the boards of directors now are wanting to bring in members who are themselves more security savvy, and they’re asking hard questions. What are you doing about these vulnerabilities? How quickly can you patch? What’s your meantime between vulnerability and patching?

These are things that directly talk to our security professional language. Certainly, they’re very relevant to us, but they are certainly more direct and more invested, and they give the board a sense of comfort that somebody on their side who speaks the security language.

Laurel: I mean, that’s what you want to see, right? Obviously the board’s priorities are vast, and one of them is to make profit, but the other one is to not lose profit, and a cybersecurity attack could harm that. So you have to make sure you are speaking the language across the entire company.

Greg: Absolutely.

Laurel: You talked a bit about how attack surface management actually gives you this insight to know that the computer itself has malware on it, but it hasn’t affected the network yet. So are there other insights that you’ve seen from attack surface management software that just surprised you or made you realize how important it was to have this ability?

Greg: Yes. Like a lot of big companies, we conduct an annual pen test. That is, we hire somebody from outside of our company to attack us as a bad guy would. This gives us a sense of how far they can go. The difference with actual attacks and these companies that we hire is we give them a fixed time set. We say, “You’ve got six weeks to break in and get as far as you can to our environment,” and we give them the terms of engagement. You’re allowed to do these things, but not allowed to do these other things.

In the years that we’ve had attack surface management employed, it’s been great to see these attacks. They come back and they give you a readout week after week, this is what we’re seeing, these are the things that we’ve exploited. We’re able to see many of the same things that they’re able to see.

For example, this year they pointed out a website hosted in South Africa. They said it’s running this framework and it appears to be on this hosting provider. There appear to be no vulnerabilities, but we’re attacking it and seeing if we can’t break into it. Is that your IP? Yes, yes it is. We’re aware of that through our attack surface management tool. We’re aware of the application. We can’t necessarily secure it because we didn’t stand it up. It’s part of shadow IT.

But because we’ve surfaced that, now we’re able to try and find out exactly who was running that website, what they need to do to secure it, whether or not they need to bring it into our fold and host it with our standard corporate IT hosting providers, those types of things.

So it’s been invaluable from the standpoint of looking at it as a pen test, we’re able to see many of the same things that our penetration testers are seeing through our attack surface management. So that’s been comforting to know that we have eyes and eyesight into the same things an attacker would.

Laurel: When you talk about that, how does it actually help your security team be more successful in repelling attacks? How does ASM or attack surface management help with that?

Greg: Visibility is the name of the game from a security perspective. We wanted to be able to see everything in our environment. Then you take a step beyond that and you say, all right, now that we can see everything, what kind of behavior do we see out of these assets? That was the next step, working with our partner in attack surface management, to start to see the behavior of these assets, whether or not they are indicating that maybe there’s a compromise or that there was some sort of vulnerability. It’s much like emissions testing. So when you think about your car and you take it in for emissions testing, they hook up a device to your tailpipe and they see what’s coming out of your car and they give you a pass or fail grade.

Attack surface management is very similar to that. From a behavioral standpoint we’re able to look at all of these points of presence, all of these internet IP addresses and see what’s coming out of them. That gives us some insights into their behavior. Then we’re taking it a step further now, and we’re actually integrating that all in real time with our SIM, our security incident and event management system. That is monitored 24/7 by our security operation center so that when we see something that rises to the level of a security incident, we can respond to it in real time.

Laurel: Which is exactly what you want to do, have the machinery do a lot of the heavy lifting, and then bring in the humans to actually figure out what’s happening and going on and secure the entire company.

Greg: Absolutely, yeah.

Laurel: How does the almost ubiquitous adoption of cloud services affect the way that you think about security and attack surface management. Whether it’s a spun up instances or an elevator, it’s still a surface, right?

Greg: That’s right, and it’s a key concern. When you think about the elastic nature of most cloud service providers, a lot of infrastructure could be stood up in minutes, and you may or may not be aware of that infrastructure, how it’s connected, what vulnerabilities it has built into it. Attack surface management gives us the same visibility that an attacker would have. So as things get spun up, if they’re misconfigured, for example, and they’re leaking data in some fashion, even metadata, around, hey, I’m here, I’m a web server. Here’s my version. Here’s my number, that gives an attacker a host of information that we don’t necessarily want them to see. What type of vulnerabilities exist for that particular web server and version, and what things could I expose? That exposure itself also gives attackers a foothold. They can start to scan that particular asset and look at ways of brute forcing or knocking the door so that they can actually find a way to come into our environment.

So from our perspective, attack surface management gives us that visibility into if we’re looking at all of our cloud environments and we can tell them what we use and what we’re aware of, then they can monitor those for changes in our posture that come out, and look at whether or not we have assets that we didn’t necessarily mean to expose the internet, and what we’re telling the world through the exposure of those assets. So it’s certainly been a game changer for us when we think about how our cloud environment works. It’s helped us make sure that our cloud environment, except for very specific points of presence, is largely contained inside of that private cloud network.

Laurel: It’s been a pretty tough year for a lot of people and a lot of industries, but the reverberations of the pandemic throughout the commercial real estate industry will be rippling across for years, if not decades. What are you thinking about differently with security because of the pandemic?

Greg: Certainly, the first thing that came to mind last year with everybody working from home, and I think this’ll be true for a number of years, is how do we protect people who are now working from home? How do we protect employees that are on a home network with their families? Their families may not have the same security tools that we have and our assets may be exposed. So we’ve looked at things like Always On VPN, which will protect our employees from whatever happens on their particular home network. That’s certainly been helpful. We’re also looking at new technologies like Secure Access Service Edge, so that we can try and bring all our tools and technologies much closer to people who would be working from home or working from any location for that matter.

Then finally, I think it’s put a huge emphasis on security as a whole. There’s a lot more awareness of things that have happened in the last year or so that have really driven home the need for a good cybersecurity program. So it’s had the effect of making an already bad situation for finding really good, reliable security professionals even more dire. It’s very difficult to find and their circumstances now are different. A lot of security professionals are working from home, and they want that increased flexibility to continue the work from home, or have a flexible schedule, or work from a different office. So finding really good people is certainly harder post-pandemic.

Laurel: That is, I think, a problem not just for security folks, but in general, as people change the way that they live and want to work. Something interesting you said was just the idea of securing the home network, meaning the responsibility of a company is starting to extend out past the company’s normally fairly well-defined areas. Because the reality of it is if the house isn’t secured, then the network’s not secure, and then your employee is not secure.

Greg: That’s absolutely right. When you think about it, we have some knowledge of who are our most-attacked people. We know some of the people that are more often targeted either because they’re an executive of some sort, or they’ve worked within an executive, or they’re in a position, say, in legal or finance where an attacker could leverage those positions to commit some fraud.

Thinking about how we protect those folks when they’re working from home is a key concern for us. This Always On VPN, it’s been a challenge to get that rolled out everywhere, but we’ve done it in short order. Now we have the same security afforded to all of our employees, whether or not they’re home, whether or not they’re in the office, or they’re in a coffee shop. I think that’s certainly mitigated quite a bit of risk.

Laurel: Greg, thank you so much for joining us today in what has been a fantastic conversation on the Business Lab.

Greg: Thank you. I really appreciate it.

That was Greg Belanger, vice president of security technologies at CBRE, who I spoke with from Cambridge, Massachusetts, the home of MIT and MIT Technology Review, overlooking the Charles River. That’s it for this episode of Business Lab. I’m your host Laurel Ruma. I’m the director of Insights, the custom publishing division of MIT Technology Review. We were founded in 1899 at the Massachusetts Institute of Technology, and you can find us in print, on the web, and in events each year around the world.

For more information about us and the show, please check out our website at technologyreview.com. The show is available wherever you get your podcasts. If you enjoy this episode, we hope you’ll take a moment to rate and review us. Business Lab is a production of MIT Technology Review. This episode was produced by Collective Next. Thanks for listening.

This podcast episode was produced by Insights, the custom content arm of MIT Technology Review. It was not produced by MIT Technology Review’s editorial staff.

Tech

Why I became a TechTrekker

Published

on

group jumps into the air with snowy mountains in the background


My senior spring in high school, I decided to defer my MIT enrollment by a year. I had always planned to take a gap year, but after receiving the silver tube in the mail and seeing all my college-bound friends plan out their classes and dorm decor, I got cold feet. Every time I mentioned my plans, I was met with questions like “But what about school?” and “MIT is cool with this?”

Yeah. MIT totally is. Postponing your MIT start date is as simple as clicking a checkbox. 

Sofia Pronina (right) was among those who hiked to the Katla Glacier during this year’s TechTrek to Iceland.

COURTESY PHOTO

Now, having finished my first year of classes, I’m really grateful that I stuck with my decision to delay MIT, as I realized that having a full year of unstructured time is a gift. I could let my creative juices run. Pick up hobbies for fun. Do cool things like work at an AI startup and teach myself how to create latte art. My favorite part of the year, however, was backpacking across Europe. I traveled through Austria, Slovakia, Russia, Spain, France, the UK, Greece, Italy, Germany, Poland, Romania, and Hungary. 

Moreover, despite my fear that I’d be losing a valuable year, traveling turned out to be the most productive thing I could have done with my time. I got to explore different cultures, meet new people from all over the world, and gain unique perspectives that I couldn’t have gotten otherwise. My travels throughout Europe allowed me to leave my comfort zone and expand my understanding of the greater human experience. 

“In Iceland there’s less focus on hustle culture, and this relaxed approach to work-life balance ends up fostering creativity. This was a wild revelation to a bunch of MIT students.”

When I became a full-time student last fall, I realized that StartLabs, the premier undergraduate entrepreneurship club on campus, gives MIT undergrads a similar opportunity to expand their horizons and experience new things. I immediately signed up. At StartLabs, we host fireside chats and ideathons throughout the year. But our flagship event is our annual TechTrek over spring break. In previous years, StartLabs has gone on TechTrek trips to Germany, Switzerland, and Israel. On these fully funded trips, StartLabs members have visited and collaborated with industry leaders, incubators, startups, and academic institutions. They take these treks both to connect with the global startup sphere and to build closer relationships within the club itself.

Most important, however, the process of organizing the TechTrek is itself an expedited introduction to entrepreneurship. The trip is entirely planned by StartLabs members; we figure out travel logistics, find sponsors, and then discover ways to optimize our funding. 

two students soaking in a hot spring in Iceland

COURTESY PHOTO

In organizing this year’s trip to Iceland, we had to learn how to delegate roles to all the planners and how to maintain morale when making this trip a reality seemed to be an impossible task. We woke up extra early to take 6 a.m. calls with Icelandic founders and sponsors. We came up with options for different levels of sponsorship, used pattern recognition to deduce the email addresses of hundreds of potential contacts at organizations we wanted to visit, and all got scrappy with utilizing our LinkedIn connections.

And as any good entrepreneur must, we had to learn how to be lean and maximize our resources. To stretch our food budget, we planned all our incubator and company visits around lunchtime in hopes of getting fed, played human Tetris as we fit 16 people into a six-person Airbnb, and emailed grocery stores to get their nearly expired foods for a discount. We even made a deal with the local bus company to give us free tickets in exchange for a story post on our Instagram account. 

Continue Reading

Tech

The Download: spying keyboard software, and why boring AI is best

Published

on

🧠


This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology.

How ubiquitous keyboard software puts hundreds of millions of Chinese users at risk

For millions of Chinese people, the first software they download onto devices is always the same: a keyboard app. Yet few of them are aware that it may make everything they type vulnerable to spying eyes. 

QWERTY keyboards are inefficient as many Chinese characters share the same latinized spelling. As a result, many switch to smart, localized keyboard apps to save time and frustration. Today, over 800 million Chinese people use third-party keyboard apps on their PCs, laptops, and mobile phones. 

But a recent report by the Citizen Lab, a University of Toronto–affiliated research group, revealed that Sogou, one of the most popular Chinese keyboard apps, had a massive security loophole. Read the full story. 

—Zeyi Yang

Why we should all be rooting for boring AI

Earlier this month, the US Department of Defense announced it is setting up a Generative AI Task Force, aimed at “analyzing and integrating” AI tools such as large language models across the department. It hopes they could improve intelligence and operational planning. 

But those might not be the right use cases, writes our senior AI reporter Melissa Heikkila. Generative AI tools, such as language models, are glitchy and unpredictable, and they make things up. They also have massive security vulnerabilities, privacy problems, and deeply ingrained biases. 

Applying these technologies in high-stakes settings could lead to deadly accidents where it’s unclear who or what should be held responsible, or even why the problem occurred. The DoD’s best bet is to apply generative AI to more mundane things like Excel, email, or word processing. Read the full story. 

This story is from The Algorithm, Melissa’s weekly newsletter giving you the inside track on all things AI. Sign up to receive it in your inbox every Monday.

The ice cores that will let us look 1.5 million years into the past

To better understand the role atmospheric carbon dioxide plays in Earth’s climate cycles, scientists have long turned to ice cores drilled in Antarctica, where snow layers accumulate and compact over hundreds of thousands of years, trapping samples of ancient air in a lattice of bubbles that serve as tiny time capsules. 

By analyzing those cores, scientists can connect greenhouse-gas concentrations with temperatures going back 800,000 years. Now, a new European-led initiative hopes to eventually retrieve the oldest core yet, dating back 1.5 million years. But that impressive feat is still only the first step. Once they’ve done that, they’ll have to figure out how they’re going to extract the air from the ice. Read the full story.

—Christian Elliott

This story is from the latest edition of our print magazine, set to go live tomorrow. Subscribe today for as low as $8/month to ensure you receive full access to the new Ethics issue and in-depth stories on experimental drugs, AI assisted warfare, microfinance, and more.

The must-reads

I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.

1 How AI got dragged into the culture wars
Fears about ‘woke’ AI fundamentally misunderstand how it works. Yet they’re gaining traction. (The Guardian
+ Why it’s impossible to build an unbiased AI language model. (MIT Technology Review)
 
2 Researchers are racing to understand a new coronavirus variant 
It’s unlikely to be cause for concern, but it shows this virus still has plenty of tricks up its sleeve. (Nature)
Covid hasn’t entirely gone away—here’s where we stand. (MIT Technology Review)
+ Why we can’t afford to stop monitoring it. (Ars Technica)
 
3 How Hilary became such a monster storm
Much of it is down to unusually hot sea surface temperatures. (Wired $)
+ The era of simultaneous climate disasters is here to stay. (Axios)
People are donning cooling vests so they can work through the heat. (Wired $)
 
4 Brain privacy is set to become important 
Scientists are getting better at decoding our brain data. It’s surely only a matter of time before others want a peek. (The Atlantic $)
How your brain data could be used against you. (MIT Technology Review)
 
5 How Nvidia built such a big competitive advantage in AI chips
Today it accounts for 70% of all AI chip sales—and an even greater share for training generative models. (NYT $)
The chips it’s selling to China are less effective due to US export controls. (Ars Technica)
+ These simple design rules could turn the chip industry on its head. (MIT Technology Review)
 
6 Inside the complex world of dissociative identity disorder on TikTok 
Reducing stigma is great, but doctors fear people are self-diagnosing or even imitating the disorder. (The Verge)
 
7 What TikTok might have to give up to keep operating in the US
This shows just how hollow the authorities’ purported data-collection concerns really are. (Forbes)
 
8 Soldiers in Ukraine are playing World of Tanks on their phones
It’s eerily similar to the war they are themselves fighting, but they say it helps them to dissociate from the horror. (NYT $)
 
9 Conspiracy theorists are sharing mad ideas on what causes wildfires
But it’s all just a convoluted way to try to avoid having to tackle climate change. (Slate $)
 
10 Christie’s accidentally leaked the location of tons of valuable art 🖼📍
Seemingly thanks to the metadata that often automatically attaches to smartphone photos. (WP $)

Quote of the day

“Is it going to take people dying for something to move forward?”

—An anonymous air traffic controller warns that staffing shortages in their industry, plus other factors, are starting to threaten passenger safety, the New York Times reports.

The big story

Inside effective altruism, where the far future counts a lot more than the present

" "

VICTOR KERLOW

October 2022

Since its birth in the late 2000s, effective altruism has aimed to answer the question “How can those with means have the most impact on the world in a quantifiable way?”—and supplied methods for calculating the answer.

It’s no surprise that effective altruisms’ ideas have long faced criticism for reflecting white Western saviorism, alongside an avoidance of structural problems in favor of abstract math. And as believers pour even greater amounts of money into the movement’s increasingly sci-fi ideals, such charges are only intensifying. Read the full story.

—Rebecca Ackermann

We can still have nice things

A place for comfort, fun and distraction in these weird times. (Got any ideas? Drop me a line or tweet ’em at me.)

+ Watch Andrew Scott’s electrifying reading of the 1965 commencement address ‘Choose One of Five’ by Edith Sampson.
+ Here’s how Metallica makes sure its live performances ROCK. ($)
+ Cannot deal with this utterly ludicrous wooden vehicle
+ Learn about a weird and wonderful new instrument called a harpejji.



Continue Reading

Tech

Why we should all be rooting for boring AI

Published

on

Why we should all be rooting for boring AI


This story originally appeared in The Algorithm, our weekly newsletter on AI. To get stories like this in your inbox first, sign up here.

I’m back from a wholesome week off picking blueberries in a forest. So this story we published last week about the messy ethics of AI in warfare is just the antidote, bringing my blood pressure right back up again. 

Arthur Holland Michel does a great job looking at the complicated and nuanced ethical questions around warfare and the military’s increasing use of artificial-intelligence tools. There are myriad ways AI could fail catastrophically or be abused in conflict situations, and there don’t seem to be any real rules constraining it yet. Holland Michel’s story illustrates how little there is to hold people accountable when things go wrong.  

Last year I wrote about how the war in Ukraine kick-started a new boom in business for defense AI startups. The latest hype cycle has only added to that, as companies—and now the military too—race to embed generative AI in products and services. 

Earlier this month, the US Department of Defense announced it is setting up a Generative AI Task Force, aimed at “analyzing and integrating” AI tools such as large language models across the department. 

The department sees tons of potential to “improve intelligence, operational planning, and administrative and business processes.” 

But Holland Michel’s story highlights why the first two use cases might be a bad idea. Generative AI tools, such as language models, are glitchy and unpredictable, and they make things up. They also have massive security vulnerabilities, privacy problems, and deeply ingrained biases.  

Applying these technologies in high-stakes settings could lead to deadly accidents where it’s unclear who or what should be held responsible, or even why the problem occurred. Everyone agrees that humans should make the final call, but that is made harder by technology that acts unpredictably, especially in fast-moving conflict situations. 

Some worry that the people lowest on the hierarchy will pay the highest price when things go wrong: “In the event of an accident—regardless of whether the human was wrong, the computer was wrong, or they were wrong together—the person who made the ‘decision’ will absorb the blame and protect everyone else along the chain of command from the full impact of accountability,” Holland Michel writes. 

The only ones who seem likely to face no consequences when AI fails in war are the companies supplying the technology.

It helps companies when the rules the US has set to govern AI in warfare are mere recommendations, not laws. That makes it really hard to hold anyone accountable. Even the AI Act, the EU’s sweeping upcoming regulation for high-risk AI systems, exempts military uses, which arguably are the highest-risk applications of them all. 

While everyone is looking for exciting new uses for generative AI, I personally can’t wait for it to become boring. 

Amid early signs that people are starting to lose interest in the technology, companies might find that these sorts of tools are better suited for mundane, low-risk applications than solving humanity’s biggest problems.

Applying AI in, for example, productivity software such as Excel, email, or word processing might not be the sexiest idea, but compared to warfare it’s a relatively low-stakes application, and simple enough to have the potential to actually work as advertised. It could help us do the tedious bits of our jobs faster and better.

Boring AI is unlikely to break as easily and, most important, won’t kill anyone. Hopefully, soon we’ll forget we’re interacting with AI at all. (It wasn’t that long ago when machine translation was an exciting new thing in AI. Now most people don’t even think about its role in powering Google Translate.) 

That’s why I’m more confident that organizations like the DoD will find success applying generative AI in administrative and business processes. 

Boring AI is not morally complex. It’s not magic. But it works. 

Deeper Learning

AI isn’t great at decoding human emotions. So why are regulators targeting the tech?

Amid all the chatter about ChatGPT, artificial general intelligence, and the prospect of robots taking people’s jobs, regulators in the EU and the US have been ramping up warnings against AI and emotion recognition. Emotion recognition is the attempt to identify a person’s feelings or state of mind using AI analysis of video, facial images, or audio recordings. 

But why is this a top concern? Western regulators are particularly concerned about China’s use of the technology, and its potential to enable social control. And there’s also evidence that it simply does not work properly. Tate Ryan-Mosley dissected the thorny questions around the technology in last week’s edition of The Technocrat, our weekly newsletter on tech policy.

Bits and Bytes

Meta is preparing to launch free code-generating software
A version of its new LLaMA 2 language model that is able to generate programming code will pose a stiff challenge to similar proprietary code-generating programs from rivals such as OpenAI, Microsoft, and Google. The open-source program is called Code Llama, and its launch is imminent, according to The Information. (The Information

OpenAI is testing GPT-4 for content moderation
Using the language model to moderate online content could really help alleviate the mental toll content moderation takes on humans. OpenAI says it’s seen some promising first results, although the tech does not outperform highly trained humans. A lot of big, open questions remain, such as whether the tool can be attuned to different cultures and pick up context and nuance. (OpenAI)

Google is working on an AI assistant that offers life advice
The generative AI tools could function as a life coach, offering up ideas, planning instructions, and tutoring tips. (The New York Times)

Two tech luminaries have quit their jobs to build AI systems inspired by bees
Sakana, a new AI research lab, draws inspiration from the animal kingdom. Founded by two prominent industry researchers and former Googlers, the company plans to make multiple smaller AI models that work together, the idea being that a “swarm” of programs could be as powerful as a single large AI model. (Bloomberg)

Continue Reading

Copyright © 2021 Vitamin Patches Online.