News: 1719217805

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Meta and SQL Server make strange bedfellows on a couch of cyber-pain

(2024/06/24)


Opinion When two stories from opposite ends of the IT universe boil down to the same thing, sound the klaxons. At the uber-fashionable AI end of tech, Meta has [1]grudgingly complied with a ruling not to feed European social media crap into its training data. Meanwhile, in the industrial slums, 20 percent of running Microsoft SQL Server instances are now [2]past the end of support .

In a saner world, that second story would have the same prominence in mainstream media as everything else in AI and cybercrime that fills the headlines. Databases make the world go round. They're where the AI training data lives, they're where the ransomware raiders go to pillage. They hold our money, our health, our digital lives. They are at the heart of every enterprise large or small. They are also inexorably dull, at least to normies, so when one in five cases of a mainstream database is out of date in a hostile environment, nobody cares. Worse, neither do one in five of sysadmins in here. If those databases were milk in the fridge, you'd know about them. But databases don't smell when they reach the expiry date.

Back at Meta, the ban on European training data on the grounds of privacy has validity, but masks many unresolved questions. How does an LLM cope with 20-plus different languages? We don't really even know how it copes with one. It's a fascinating research area, for sure, and not one you want going live tomorrow on hundreds of millions of citizens. A bigger question, though, is what will happen when products based on European-free training data are released on the European market.

[3]

If efforts to regulate and ethicize AI get anywhere, they'll minimize the use of biased training data that can harm users down the line. If AI were a dairy farm, banning European training data would be like banning harmful feed supplements, and ethical AI guidelines would prevent selling milk from poorly fed cows.

Feeding time

Hence our two stories meeting in the middle – they're both about the software and services supply chain, just at each end. Which means we already have a working model of a system that can create and enforce best practices based on risk and evidence of harm, regardless of the details of the technology. What we put into our mouths is even more intimate than what we put into our brains, so food standards have a lot to teach us.

The food standards regulatory environment is one of the outstanding successes of our time, albeit largely unsung and often used as a political pawn. The food industry itself is uncountably vast and varied, and ferociously competitive. If a penny can be shaved while two would draw blood, have the sticking plasters ready. And yet we still buy our food shipped across the globe to our supermarkets in the carefree assumption that it's been prepared, shipped, and sold while being kept perfectly safe to eat.

[4]

[5]

Different regulatory regimes are more or less lax, with [6]clear consequences – one in six Americans becomes sick from [7]food-borne illnesses a year compared to [8]one in 28 Brits. That's not because of fastidious personal hygiene in the old country. Such differences are a political choice. As the UK has a perfectly serviceable food chain, stronger regulation does not impede commerce and innovation.

[9]Can platform-wide AI ever fit into enterprise security?

[10]Fragile Agile development model is a symptom, not a source, of project failure

[11]Broadcom's VMware strategy looks ever more shaky – and less relevant

[12]Take two APIs and call me in the morning: How healthcare research can cure cyber crime

The system works, when it is allowed to, on a feedback loop – rules are set and enough checks made to persuade the industry to comply, and when things go wrong, a very efficient diagnostic regime identifies the problem and traces it to source. Typically, an uptick in food-carried infection triggers sequencing of the pathogen's DNA to establish common cause, coupled with an investigation into who ate what when. The investigators then work back through the supply chain to find a common source, which is then dealt with.

It is at the very least arguable that end-of-life database software is a pathogen vector at the end of the supply chain. If a large number of similar systems become vulnerable, they attract the attention of malicious actors who see big rewards for less work. Supermarkets cannot sell out-of-date food, so why should enterprises be allowed to run out-of-date software? While software's under-regulation means there are few tools available to enforce cyber hygiene, there are options. The insurance industry protects and indemnifies organizations, but is itself highly regulated. Invalidating aspects of that when out-of-date software has been identified and not fixed would be interesting indeed.

At the other end of the supply chain, where software and services are created and trained, the same principles of controlling risk based on evidence and potential harm as found in food can apply. Innovation isn't banned, it's encouraged and essential, but the potential risk scales with reach and impact with users. European data regulators implicitly work with this in mind; an explicit formulation of principle here would also be most interesting.

[13]

Food hygiene from farm to plate has developed alongside the biology of sickness since the 19th century. Cyber hygiene only got going in the 1980s with the co-development of viruses, software monopolies, and more recently universal connectivity. No wonder it's a century behind. Until that changes, though, expect to get cyber-sick like a medieval peasant with the bloody flux. You really don't want that. ®

Get our [14]Tech Resources



[1] https://www.theregister.com/2024/06/14/meta_eu_privacy/

[2] https://www.theregister.com/2024/06/17/outdated_sql_server/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnlDu7ydTSESWco5oZRcOwAAAMo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnlDu7ydTSESWco5oZRcOwAAAMo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnlDu7ydTSESWco5oZRcOwAAAMo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/06/17/outdated_sql_server/

[7] https://www.cdc.gov/foodborneburden/2011-foodborne-estimates.html

[8] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9887690/

[9] https://www.theregister.com/2024/06/17/opinion_platformwide_ai_security/

[10] https://www.theregister.com/2024/06/10/agile_opinion_column/

[11] https://www.theregister.com/2024/06/03/broadcoms_vmware_strategy_looks_ever/

[12] https://www.theregister.com/2024/05/28/take_two_apis_and_call/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnlDu7ydTSESWco5oZRcOwAAAMo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[14] https://whitepapers.theregister.com/



Can you imagine...

Anonymous Coward

..the response of big tech to proposed regulation of data and IT security? They'd spend their vast lobbying and legal budgets to block any such obligation, because unlike the food supply chain, the digital supply chain is dominated by vast firms that make huge profits giving them the resources to go lobbying, and hire top dollar lawyers. And as important as the means, their motive is simplky that they regard all forms of regulation and consumer rights as an unwelcome hinderance to their operations.

Looking at what a shallow swamp of vested self-interest legislatures are now in most countries, who will the politicians listen to - the forked tongues of big business bearing gifts, or the broader public interest?

mm

Anonymous Coward

side note brexshit is eroding our food regulations.

and the brexshit shitty trade deals are making it worse.

Re: mm

Anonymous Coward

In the 30 years I lived in France I had upset stomachs after eating out far, far, more often than I ever did in the UK. It's not the regulations that affect it, but how well people adhere to them and respect basic hygiene.

one in five

Fruit and Nutcase

Those are the same odds that one of Sunak's team got for a bet on a July election

Software end date?

b0llchit

The premise that software is "spoiled" when it is past an arbitrary "good before" date is a preposterous preposition.

Food (biology) and software are not the same, even though there are striking similarities on a meta-analysis level. The primary reason for end dates on (commercial) software is the lack of income it generates. It is seen as a burden. Why support a good-enough system when you can make a boatload of money selling the latest-and-greatest and obsoleting the previous incarnation?

But in a wider software garden, the comparison and conclusions fall apart. A major part of software is based on not-for-profit created software. The fact that some make a living out of that does not change that. An enormous amount of code must be changed, today, because there are incorporations, within that code, of unsupported parts. Maybe not unsupported as a library, but there is a body of code that nobody looks at in depth. It is simple used and reused. This body of code is, by all practical means and definitions, unsupported. The conclusion would be that we must rip it out and put in something new.

The problem we have is one of economics in the software world. It is cheaper to abandon than to support. That goes for commercial just as for non-commercial. Like, who supports the volunteer in the corner who simply solved an interesting problem? When (s)he stops, will the world come to an end?

Do not read this fortune under penalty of law.
Violators will be prosecuted.
(Penal Code sec. 2.3.2 (II.a.))