If humans do not have an agreed-upon understanding of ethics how can humans expect AI to be created ethically or expect AI to behave ethically?
Creating AI Blindspots: Manipulate the training data in very subtle and specific ways that preclude the the desired correlations. I imagine the most advanced attacks would be AI attacking the training data of other AI. If you want to use AI you may want to ensure your training data is not being used by anyone (including AI). Essentially, AI training data should be in an isolated ‘playground’ that only houses the specific AI that is being trained and the data should have very frequent and comprehensive integrity checks. No entity wants an AI that is missing half a brain, a heart, courage, or which can’t find its way home from Oz.
Covert Channel: Email Drafts
Single Attacker Exfiltration: The attacker (usually insider) creates an email draft (or multiple draft emails) that contain sensitive information for exfiltration. Once at a remote location (such as on a device at home or a competitor’s facility) the attacker opens the draft and extracts the information.
Multiple Attacker Lateral movement: An ‘outside’ and ‘inside’ attacker access the same email account. Draft emails are used as a communication channel and to pass the contents (commands) of malicious scripts or malicious attachments.
Defenses: unknown. (but Email Encryption Protocol as described in my Technical Conceptual Documents has possibilities)
Molecular Encryption: I believe this may be better than quantum encryption. Create a molecular compound with a certain bond-chain. Certain types of bonds here with different ones there. Send the flat chain map to the recipient. Somewhere on the chain add a hydrogen atom. The hydrogen atom indicated the 3-dimensional shape of the molecule based on a previously defined combination of chain maps. The 3-dimensional molecule’s attributes (such as volatility and/or decay) are used to calculate a hexadecimal encryption key. There are far more molecular compounds which contain a high variety of 3-dimensional structure than there are quantum particles.
Decentralized Technology Capabilities: The only way for a nation, coalition, or world to have cyber dominance is through the understanding that true dominance comes at a cost of decentralized computing. Any entity that has centralized “tech hubs”, “cyber capitols”, or “”digital silos” is a single point of failure despite any efforts to create ‘hot-site’ redundancy. Covid proved that quite eloquently. Cyber needs dispersed resilience that cannot be achieved by centralization that is susceptible to traffic-jam human-borne failure, localized terrorist or natural disasters, or lack of social, economic, and cultural diversity. If you want to participate in cyber dominance you must participate in the dispersion of worksites, cultures, and economics.
Next-gen password manager: Wouldn’t it be cool if a password manager had no access to your passwords but still synced all passwords across all devices? I imagine this would be possible by building a client app that permitted the user to select the encryption algorithm (serpent please) and salt for the password database, using a local account to access the database, using a cloud account to make that database available, then having the end-user client on another device sign into the cloud account and request access to the database. The first time the new client is authorized to sync the database the ‘initial’ client that holds the authoritative database needs to approve the sync. All following sync flows are bidirectional with each client having the capability to archive the past 100 discrete changes for roll-back purposes. The cloud portion could be an arbitration & verification point for secure transmission that has no stored copies of any password databases. Any compromise of the password manager cloud services would offer no access to any synced passwords, data, or ability to add a device to synced accounts. This password management architecture (as far as I have seen) does not yet exist but would put most of my worries on cloud 9.
Time Constrained Access Control: I like to imagine that most employees are like me when it comes from accessing work resources after the work day is over, they don’t. Employees do not work 24 hours a day 7 days a week 365 days a year so why do their accounts have full access during those times? Access control should be constrained based on time. Organizations can permit access to email “after hours” but all other access should be removed for any non-essential employees. In this context essential employees are limited to employees that are “on call” or required to respond to issues after normal business hours. Quite often attacker will attempt to infiltrate during non-business hours (such as weekends, holidays, etc.) so removing access during these times is a fundamental step in reducing organizational attack surfaces. Constrain access based on time, it is just good practice.
Molecular Encryption: Everyone is about quantum cryptography which is super cool, but couldn’t synthesizing a molecule then using light refracted off a predefined molecular orientation be a simplified version? To explain my thought, a sugar molecule could be synthetically created, light can be “bounced” off the molecule, the refracted light hits a sensor that measures various metrics (such as scatter, intensity, geometric distortion,) the measurements are correlated (interpreted/decrypted) as data.
Next-gen information storage: With all the advanced tech being used why isn’t there any publications about graphene being laser grafted to cylindrical glass tubes in base 128 characters? The glass could be 1mm in diameter and the graphene could be only molecules thick with characters that are nanometers squared in area. I suppose if you wanted more physically durable storage the cylinder could be a centimeter in diameter but I (hypothetically) imagine that would hold a great number of petabytes of data.
Smart home privacy shield: create a soundproof case that covers your smart assistant and have it open based on the voice command “invade my privacy” and close on the voice command “save my privacy”. This way you control when your smart assistant is able to “hear” what is happening instead of listening to you make love, take poops, complain about coworkers, learn your sleeping, work, and other personal routines as well as be covertly activated by the tv, streaming media, gaming platforms, or malicious entities.
Phone Unlock Protection: Imagine wiping your phone by unlocking it with biometrics. This might be the next generation of anti-coercion privacy.
Secure Email Desktop: For high value persons or networks taking email security to the next level is essential so having a secure email desktop might be the best option. In this scenario users have an icon on their home-screen that establishes a connection to a remote micro-workstation that has an email client installed and which is connected to the user’s email accounts. This remote email desktop being the only place the user can check email. Nightly the remote email desktop is reverted to a clean preconfigured user-specific image. No outbound connections are permitted from the email desktop except to the email provider. If the email desktop is infected with malware it will be wiped when the image is reverted. If a user requires access to a link found in an email he/she will need to manually enter, or possibly copy and paste if that functionality is permitted, the link because clicking won’t work (as no outbound traffic is permitted). A secure email desktop to help secure users whom get phished just might be worth consideration.
Temporal-quantum Keys: Why couldn’t quantum keys be infused with particle decay principles to create keys that are in a constant state of flux that can only be derived if the original key and the composition of the original key are both known? This would make eavesdropping a moot point.
Cybersecurity and Cybercrime Evolution – an opinion: The reason cybercrime continues to grow and cybersecurity continues to grow in complexity and cost is a matter of evolution. The technologies that are leveraged by cybercriminals are old, very old, while cybersecurity has followed the same linear advancements. There needs to be a technological evolution to eliminate traditional cyber crime avenues. Data should be moved to bilayer glass panels with angular top bits and horizontal base bits. Internal components should be moved from motherboards to microfiber conduits. TCP/IP should be replaced with a base-16 protocol stack with deeply engrained non-repudiation and cryptographic validation packet templates. A technological evolution needs to transpire because cybercrime is like cowboys with a gatling gun while cybersecurity is like a marshal’s posse with 6-shooters, the criminals can go to any town and do serious damage while only facing legacy resistance; hence, the Marshal’s posse needs a technological upgrade to render the cowboys obsolete. Time to work on better technology, not bettering current.
Enterprise VPNs: The modern enterprise VPN requires you to download a client, enter the hostname or IP of an enterprise server then authenticate. This is how it’s always been done so this is how it remains. Attackers can use ‘hacked’ VPN clients to attack endusers or VPN concentrators, VPN client software is not authenticated for legitimacy, and the VPN port number used is static while not requiring authentication (to the port) which makes targeting of attacks easy. One solution: Require VPN clients that are installed on end-user devices to be enrolled with the enterprise using the same tech as software authenticator OTPs (QR code enrollment); have the VPN client synch two secrets with an enterprise server (a port number secret & a port access secret); upon connection have the vpn client connect to the secret port number (a random port number chosen from a predefined range that is synched with on-prem server); have the VPN client hash they synched port access secret & pass it to the port number secret port; the server port will pass back a hash of the port access secret & an access token encrypted with the VPN server’s public key; the client passes that to static VPN port; VPN server verifies secret & token.
Next-Gen Malware Detection: every file on a computer is sandboxed by the “solution” and, if safe, receives a hash value. The hash value is added to a database maintained by the “solution” as well as encrypted by the “solution” and added as a metatag to the file. When the solution scans the system it looks for any files without a metatag after which all discovered files are sandboxed and safe files are tagged. Then the “solution” uses its private key to decrypt all the meta tags to verify the hashes are in its database. Any files with hashes that are not contained in the database are sandboxed and safe files are retagged. All files that fail the sandbox can be quarantined, deleted, or just trigger an administrative alert. The “solution” should also be able to be configured to watch for any changes in file modification timestamps as well as any files that are introduced into the system from external sources (such as USB, email, the internet, and IM) with the option to scan them in real-time. The initial investment will be the time it takes to sandbox and tag all preexisting files. This is an open idea which is not currently being worked and is free for experimentation, creation, sharing, testing, and/or adoption.
Decentralized end-to-end encrypted application: Wouldn’t it be cool if there was an application that you could download that integrated with your home router that ensured your communications were encrypted? Your device would encrypt the data to your router, then your router would encrypt the data with the public key of the destination router and the public key of the next router with this software installed. Your packet would be tossed around from router to router (that contained this software) having the outer encryption changed at each stop until it reaches the destination router which double decrypts it with the outer encryption private key then the inner encryption private key then passes it to the destination client which decrypts is with its private key. Then the data is verified using 2 different hash signatures. Wouldn’t it be nice if you data wasn’t consumed, analyzed, and spies on by governments, telecom, ad agencies, social media, and others?