Four short links: 30 May 2017
World Problems, Story AI, Medical Security Horrors, and OSS Fuzz Winning
- The World’s Biggest Problems — data for you to consider when you choose to work on Stuff That Matters.
- The Strong Story Hypothesis and the Directed Perception Hypothesis — I ask why humans are smarter than other primates, and I hypothesize that an important part of the answer lies in what I call the Strong Story Hypothesis, which holds that storytelling and understanding have a central role in human intelligence. Next, I introduce another hypothesis, the Directed Perception Hypothesis, which holds that we derive much of our common sense, including the common sense required in story understanding, by deploying our perceptual apparatus on real and imagined events. Paper on CSAIL’s Genesis story system, which understands, tells, and composes stories using common-sense rules and higher-level concept patterns.
- Medical Implants and Hospital Systems are Still Infosec Dumpster Fires (Cory Doctorow) — has pointers to two writeups of the horrors in various medical systems. Whitescope’s whitepaper on pacemaker security analyzes seven different pacemaker programming devices from four different manufacturers (devices that can reprogram a pacemaker remotely, generally by using radio signals) and finds that they are collectively undefended against 8,000 known vulnerabilities, and do not have even simple authentication between pacemakers and pacemaker programmers, meaning that there’s no way your implanted pacemaker can tell whether it is connected to a legitimate device or an attacker’s hacking tool. Cory points out that the DMCA exemption that allowed this paper to exist is (a) expiring and (b) not broad enough to permit the release of sample code and the other material that helps to improve software security.
- OSS Fuzz Improving Open Source — Google’s open source fuzzer has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark. This is an excellent service from Google, which runs the testing on its own servers. Its criteria for accepting projects: the project must have a large user base and/or be critical to global IT infrastructure.