I will be moderating an executive round table via Zoom from 3:00-4:30pm US/Eastern tomorrow for The Ortus Club. The topics are ones I’m always passionate about: #cybersecurity & #businessresilience.

This is a peer-driven round table. No one’s pitching anything. The goal is to bring a broad spectrum of industry luminaries together to share their experiences, insights, and collectively brainstorm about ways to future-proof our security strategies.

The round table is open to IT & cybersecurity leaders in North America. Space is limited, but there are still a few no-cost seats remaining for the #thoughtleaders in my extended network. You can sign up at the link below, but the clock is ticking.

No matter how well-attended these events are, it’s always more fun with a friendly face or two in the crowd. I hope yours will be one of them, and look forward to seeing you there!

https://www.linkedin.com/posts/todd-a-jacobs_why-legacy-cybersecurity-is-putting-your-activity-7310488468139200512-nodq

#DuckDuckGo is now offering free, #anonymized access to a number of fast #AI #chatbots that won't train in your data. You currently don't get all the premium models and features of paid services, but you do get access to privacy-promoting, anonymized versions of smaller models like GPT-4o mini from #OpenAI and open-source #MoE (mixture of experts) models like Mixstral 8x7B.

Of course, for truly sensitive or classified data you should never use online services at all. Anything online carries heightened risks of human error; deliberate malfeasance; corporate espionage; legal, illegal, or extra-legal warrants; and network wiretapping. I personally trust DuckDuckGo's no-logging policies and presume their anonymization techniques are sound, but those of us in #cybersecurity know the practical limitations of such measures.

For any situation where those measures are insufficient, you'll need to run your own instance of a suitable model on a local AI engine. However, that's not really the #threatmodel for the average user looking to get basic things done. Great use cases include finding quick answers that traditional search engines aren't good at, or performing common AI tasks like summarizing or improving textual information.

The AI service provides the typical user with essential AI capabilities for free. It also takes steps to prevent for-profit entities with privacy-damaging #TOS from training on your data at whim. DuckDuckGo's approach seems perfectly suited to these basic use cases.

I laud DuckDuckGo for their ongoing commitment to privacy, and for offering this valuable additional to the AI ecosystem.

https://duckduckgo.com/chat

#Shellprogramming skills are pretty portable between #Linux, #BSD, and #macOS, but some of the underpinnings of macOS are non-standard. It helps to remind yourself that macOS is not a standard #BSD #Unix variant; Apple's #Darwin based systems do a lot of embrace-and-extend under the hood. Here's a practical example that comes up often in the enterprise.

Most #Linux systems export the current user's login name to the LOGNAME environment variable (often via sourcing /etc/profile) and may also export the user's default shell from the user's #GECOS record in /etc/passwd to the preferred shell (set by an application or the user) as the SHELL environment variable. The canonical way to get access to the user's default shell on most Unix-like systems is by parsing /etc/password or another NSS database with the getent utility, e.g. getent passwd "$LOGNAME" | cut -d: -f7.

There are other means to do this on Linux too, but macOS doesn't provide this common #POSIX compatible userspace utility. Instead, Darwin relies on opendirectory(8) for storing and accessing GECOS records, requiring other tools to retrieve the information. You can query a user's GECOS record on Darwin like so:

Be aware that there are other ways to do this, too, but old school utilities like whoami have been deprecated in favor of id -un, and finger as implemented on most systems (e.g. via [x]inetd, or reading various #dotfiles from users' directories locally or over the network) is considered a security risk.

In containers, especially with non-standard shells, or with centralized #IAM using #LDAP or #ActiveDirectory, you may have to match the local #userID to a remote #LDIF record to before grepping for the data you need. In addition, nsswitch.conf, PAM modules, NIS+, or other less-common data sources may need to be consulted and each will generally have specific utilities for looking up the stored or cached information that is equivalent to what's normally provided in the 7th GECOS field for each user on standard Linux and Unix systems.

As always, your mileage may vary based on use case or implementation details. On the plus side, problems are rarely insoluble when you know where to dig for a solution!

TL;DR: #AI & #ML data aggregators break the law when they consume data unlawfully, whether or not the output of their systems is considered fair use. Let's talk about the underlying data, not just the tools!

Most big AI & ML data aggregators aren't sharing their data openly in compliance with #FOSS or open-content licenses, or adhering to the #TOS of data they scrape from less litigious content creators. They are trying to avoid legal liability by signing "content deals" with big media companies, but this just papers over the fact that commercializing data in violation of the copyright holders' license terms, terms of service, or contracts of adhesion is a criminal act and that hiding that data inside proprietary databases and models is simply one of the ways these companies are attempting to dodge lawsuits and liability.

Copyright theft hurts independent writers, bloggers, educators, and journalists more than it hurts media moguls. Signing content licensing agreements with the likes of GitHub, Hatchette Group, or the New York Times is all well and good, but this typically doesn't compensate the actual content producers or bring the unlawful aggregation into compliance. These sorts of deals insult every #opensource and #opencontent creator. #DRM isn't the answer, and neither is paying off big media. #OpenAI and others should either pay for that data directly, make the data publicly available under the share-alike clauses common to most open source/content licenses, or exclude it altogether.

Many years ago, Canada took an interesting approach that wasn't based on chasing individual "pirates." Instead, they taxed storage media like burnable CDs. The main flaw in that approach was that it still mostly benefited large companies who could collect meaningful amounts from this tax rather than paying small, independent artists. Nevertheless it was (and is) a better model for society & the creative commons than paying "protection money" to big media conglomerates while continuing to build for-profit business models that violate the copyrights and licensing terms of anyone who isn't deemed a significant legal threat.

As a society, we can and must do better. If our copyright laws (including commercial software licenses and terms of service) are outdated and no longer serve society then they should be updated or fixed. However, deliberate and open theft should never be permitted to become business-as-usual. The fact that the output of such systems may or may not be sufficiently transformative to be labeled theft or plagiarism doesn't change the fact that almost all of today's commercial options currently rely on very large data sets filled with material that belongs to others who weren't compensated for their work, and where most copyright owners lack sufficient visibility to even determine whether or not their work was unlawfully used.