<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>risks &#8211; Noise</title>
	<atom:link href="https://noise.getoto.net/tag/risks/feed/" rel="self" type="application/rss+xml" />
	<link>https://noise.getoto.net</link>
	<description>The collective thoughts of the interwebz</description>
	<lastBuildDate>Sat, 19 Jul 2025 20:07:08 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>Another Supply Chain Vulnerability</title>
		<link>https://noise.getoto.net/2025/07/21/another-supply-chain-vulnerability/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 21 Jul 2025 11:04:59 +0000</pubDate>
				<category><![CDATA[china]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=70490</guid>

					<description><![CDATA[<p>ProPublica is <a href="https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers">reporting</a>:</p>
<blockquote><p>Microsoft is using engineers in China to help maintain the Defense Department’s computer systems—with minimal supervision by U.S. personnel—leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.</p>
<p>The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>New SEC Rules around Cybersecurity Incident Disclosures</title>
		<link>https://noise.getoto.net/2023/08/02/new-sec-rules-around-cybersecurity-incident-disclosures/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 02 Aug 2023 11:04:06 +0000</pubDate>
				<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[national security policy]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=67607</guid>

					<description><![CDATA[<p>The US Securities and Exchange Commission adopted <a href="https://www.sec.gov/files/33-11216-fact-sheet.pdf">final rules</a> around the disclosure of cybersecurity incidents. There are two basic rules:</p>
<ol>
<li>Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk.
</li><li>Public companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats” in their annual filings.</li></ol>
<p>The rules go into effect this December.</p>
<p>In an email newsletter, Melissa Hathaway wrote:...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>On the Catastrophic Risk of AI</title>
		<link>https://noise.getoto.net/2023/06/01/on-the-catastrophic-risk-of-ai/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 01 Jun 2023 11:17:46 +0000</pubDate>
				<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=67407</guid>

					<description><![CDATA[<p>Earlier this week, I signed on to a short <a href="https://www.safe.ai/statement-on-ai-risk">group statement</a>, coordinated by the Center for AI Safety:</p>
<blockquote><p>Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.</p></blockquote>
<p><a href="https://www.nytimes.com/2023/05/30/technology/ai-threat-warning.html">The</a> <a href="https://www.theverge.com/2023/5/30/23742005/ai-risk-warning-22-word-statement-google-deepmind-openai">press</a> <a href="https://apnews.com/article/artificial-intelligence-risk-of-extinction-ai-54ea8aadc60d1503e5a65878219aad43">coverage</a> <a href="https://www.wired.com/story/runaway-ai-extinction-statement/">has</a> <a href="https://www.bbc.com/news/uk-65746524">been</a> extensive, and surprising to me. The <i>New York Times</i> headline is “A.I. Poses ‘Risk of Extinction,’ Industry Leaders Warn.” <i>BBC</i>: “Artificial intelligence could lead to extinction, experts warn.” Other headlines are similar.</p>
<p>I actually don’t think that AI poses a risk to human extinction. I think it poses a similar risk to pandemics and nuclear war—which is to say, a risk worth taking seriously, but not something to panic over. Which is what I thought the statement said...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Ted Chiang on the Risks of AI</title>
		<link>https://noise.getoto.net/2023/05/12/ted-chiang-on-the-risks-of-ai/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 12 May 2023 14:00:43 +0000</pubDate>
				<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=67351</guid>

					<description><![CDATA[<p>Ted Chiang has an <a href="https://www.newyorker.com/science/annals-of-artificial-intelligence/will-ai-become-the-new-mckinsey">excellent essay</a> in the <i>New Yorker</i>: “Will A.I. Become the New McKinsey?”</p>
<blockquote><p>The question we should be asking is: as A.I. becomes more powerful and flexible, is there any way to keep it from being another version of McKinsey? The question is worth considering across different meanings of the term “A.I.” If you think of A.I. as a broad set of technologies being marketed to companies to help them cut their costs, the question becomes: how do we keep those technologies from working as “capital’s willing executioners”? Alternatively, if you imagine A.I. as a semi-autonomous software program that solves problems that humans ask it to solve, the question is then: how do we prevent that software from assisting corporations in ways that make people’s lives worse? Suppose you’ve built a semi-autonomous A.I. that’s entirely obedient to humans­—one that repeatedly checks to make sure it hasn’t misinterpreted the instructions it has received. This is the dream of many A.I. researchers. Yet such software could easily still cause as much harm as McKinsey has...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Building Trustworthy AI</title>
		<link>https://noise.getoto.net/2023/05/11/building-trustworthy-ai/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 11 May 2023 11:17:16 +0000</pubDate>
				<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=67336</guid>

					<description><![CDATA[<p>We will all soon get into the habit of using AI tools for help with everyday problems and tasks. We should get in the habit of questioning the motives, incentives, and capabilities behind them, too.</p>
<p>Imagine you’re using an AI chatbot to plan a vacation. Did it suggest a particular resort because it knows your preferences, or because the company is getting a <a href="https://www.theverge.com/2023/3/29/23662476/microsoft-bing-chatbot-ads-revenue-sharing">kickback</a> from the hotel chain? Later, when you’re using another AI chatbot to learn about a complex economic issue, is the chatbot reflecting your politics or the politics of the company that trained it?...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Security Risks of AI</title>
		<link>https://noise.getoto.net/2023/04/27/security-risks-of-ai/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 27 Apr 2023 13:38:09 +0000</pubDate>
				<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[machine learning]]></category>
		<category><![CDATA[reports]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=67289</guid>

					<description><![CDATA[<p>Stanford and Georgetown have a <a href="https://fsi9-prod.s3.us-west-1.amazonaws.com/s3fs-public/2023-04/adversarial_machine_learning_and_cybersecurity_v7_pdf_1.pdf">new report</a> on the security risks of AI—particularly adversarial machine learning—based on a workshop they held on the topic.</p>
<p>Jim Dempsey, one of the workshop organizers, wrote a  <a href="https://www.lawfareblog.com/addressing-security-risks-ai">blog post</a> on the report:</p>
<blockquote><p>As a first step, our report recommends the inclusion of AI security concerns within the cybersecurity programs of developers and users. The understanding of how to secure AI systems, we concluded, lags far behind their widespread adoption. Many AI products are deployed without institutions fully understanding the security risks they pose. Organizations building or deploying AI models should incorporate AI concerns into their cybersecurity functions using a risk management framework that addresses security throughout the AI system life cycle. It will be necessary to grapple with the ways in which AI vulnerabilities are different from traditional cybersecurity bugs, but the starting point is to assume that AI security is a subset of cybersecurity and to begin applying vulnerability management practices to AI-based features. (Andy Grotto and I have vigorously argued ...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Existential Risk and the Fermi Paradox</title>
		<link>https://noise.getoto.net/2022/12/02/existential-risk-and-the-fermi-paradox/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 02 Dec 2022 20:07:46 +0000</pubDate>
				<category><![CDATA[complexity]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security analysis]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=66183</guid>

					<description><![CDATA[<p>We know that complexity is the worst enemy of security, because it makes attack easier and defense harder. This becomes catastrophic as the effects of that attack become greater.</p>
<p>In <a href="https://www.schneier.com/books/a-hackers-mind/"><i>A Hacker’s Mind</i></a> (coming in February 2023), I write:</p>
<blockquote><p>Our societal systems, in general, may have grown fairer and more just over the centuries, but progress isn’t linear or equitable. The trajectory may appear to be upwards when viewed in hindsight, but from a more granular point of view there are a lot of ups and downs. It’s a “noisy” process.</p>
<p>Technology changes the amplitude of the noise. Those near-term ups and downs are getting more severe. And while that might not affect the long-term trajectories, they drastically affect all of us living in the short term. This is how the twentieth century could—statistically—both be the most peaceful in human history and also contain the most deadly wars...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Adversarial ML Attack that Secretly Gives a Language Model a Point of View</title>
		<link>https://noise.getoto.net/2022/10/21/adversarial-ml-attack-that-secretly-gives-a-language-model-a-point-of-view/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 21 Oct 2022 11:53:07 +0000</pubDate>
				<category><![CDATA[academic papers]]></category>
		<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[machine learning]]></category>
		<category><![CDATA[propaganda]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=65992</guid>

					<description><![CDATA[<p>Machine learning security is extraordinarily difficult because the attacks are so varied—and it seems that each new one is weirder than the next. Here’s the latest: a training-time attack that forces the model to exhibit a point of view: <a href="https://arxiv.org/abs/2112.05224">Spinning Language Models: Risks of Propaganda-As-A-Service and Countermeasures</a>.”</p>
<blockquote><p><b>Abstract:</b> We investigate a new threat to neural sequence-to-sequence (seq2seq) models: training-time attacks that cause models to “spin” their outputs so as to support an adversary-chosen sentiment or point of view—but only when the input contains adversary-chosen trigger words. For example, a spinned summarization model outputs positive summaries of any text that mentions the name of some individual or organization...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Presidential Cybersecurity and Pelotons</title>
		<link>https://noise.getoto.net/2021/02/05/presidential-cybersecurity-and-pelotons/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 05 Feb 2021 11:58:56 +0000</pubDate>
				<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[essays]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[laws]]></category>
		<category><![CDATA[national security policy]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[software liability]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=61901</guid>

					<description><![CDATA[<p>President Biden wants his Peloton in the White House. For those who have missed <a href="https://www.washingtonpost.com/arts-entertainment/2019/12/12/peloton-wife-gets-it-is-laughing-along-with-everyone-else/?itid=lk_inline_manual_2">the hype</a>, it’s an Internet-connected stationary bicycle. It has a screen, a camera, and a microphone. You can take live classes online, work out with your friends, or join the exercise social network. And all of that is a <a href="https://www.nytimes.com/2021/01/19/us/politics/biden-peloton.html">security risk</a>, especially if you are the president of the United States.</p>
<p>Any computer brings with it the risk of hacking. This is true of our computers and phones, and it’s also true about all of the Internet-of-Things devices that are increasingly part of our lives. These large and small appliances, cars, medical devices, toys and — yes — exercise machines are all computers at their core, and they’re all just as vulnerable. Presidents face special risks when it comes to the IoT, but Biden has the NSA to help him handle them...</p>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Dutch Insider Attack on COVID-19 Data</title>
		<link>https://noise.getoto.net/2021/01/27/dutch-insider-attack-on-covid-19-data/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 27 Jan 2021 14:59:03 +0000</pubDate>
				<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[databases]]></category>
		<category><![CDATA[insiders]]></category>
		<category><![CDATA[netherlands]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=61855</guid>

					<description><![CDATA[<p>Insider <a href="https://www.zdnet.com/article/dutch-covid-19-patient-data-sold-on-the-criminal-underground/">data theft</a>:</p>
<blockquote><p>Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground.</p>
<p>[…]</p>
<p>According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases.</p></blockquote>
<p>They were working from home:</p>
<blockquote><p>“Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home,” Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure, told ZDNet in an interview today. ...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>A Cybersecurity Policy Agenda</title>
		<link>https://noise.getoto.net/2020/12/11/a-cybersecurity-policy-agenda/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 11 Dec 2020 12:57:33 +0000</pubDate>
				<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[national security policy]]></category>
		<category><![CDATA[reports]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60573</guid>

					<description><![CDATA[<p>The Aspen Institute&#8217;s Aspen Cybersecurity Group &#8212; I&#8217;m a member &#8212; has released its <a href="https://www.aspeninstitute.org/longform/a-national-cybersecurity-agenda-for-resilient-digital-infrastructure/">cybersecurity policy agenda</a> for the next four years.</p>
<blockquote><p>The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White House, federal agencies, and Congress should zero in on the most important and solvable problems. To that end, this report covers five priority areas where we believe cybersecurity policymakers should focus their attention and resources as they contend with a presidential transition, a new Congress, and massive staff turnover across our nation&#8217;s capital...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>The Legal Risks of Security Research</title>
		<link>https://noise.getoto.net/2020/10/30/the-legal-risks-of-security-research/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 30 Oct 2020 14:14:26 +0000</pubDate>
				<category><![CDATA[academic papers]]></category>
		<category><![CDATA[business of security]]></category>
		<category><![CDATA[courts]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60408</guid>

					<description><![CDATA[<p>Sunoo Park and Kendra Albert have published &#8220;<a href="https://clinic.cyber.harvard.edu/files/2020/10/Security_Researchers_Guide-2.pdf">A Researcher&#8217;s Guide to Some Legal Risks of Security Research</a>.&#8221;</p>
<p>From a <a href="https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/">summary</a>:</p>
<blockquote><p>Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA &#167;1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law.</p>
<p>Our Guide gives the most comprehensive presentation to date of this landscape of legal risks, with an eye to both legal and technical nuance. Aimed at researchers, the public, and technology lawyers alike, its aims both to provide pragmatic guidance to those navigating today&#8217;s uncertain legal landscape, and to provoke public debate towards future reform...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>On Risk-Based Authentication</title>
		<link>https://noise.getoto.net/2020/10/05/on-risk-based-authentication/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Mon, 05 Oct 2020 16:47:01 +0000</pubDate>
				<category><![CDATA[academic papers]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[usability]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60286</guid>

					<description><![CDATA[<p>Interesting usability study: &#8220;<a href="https://riskbasedauthentication.org/download/rba-perceptions-paper.pdf">More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication</a>&#8220;:</p>
<blockquote><p><b>Abstract</b>: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Privacy Analysis of Ambient Light Sensors</title>
		<link>https://noise.getoto.net/2020/09/15/privacy-analysis-of-ambient-light-sensors/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Tue, 15 Sep 2020 11:10:40 +0000</pubDate>
				<category><![CDATA[academic papers]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security engineering]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60193</guid>

					<description><![CDATA[Interesting privacy analysis of the Ambient Light Sensor API. And a blog post. Especially note the &#8220;Lessons Learned&#8221; section.
]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
	</channel>
</rss>

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/

Object Caching 42/224 objects using Memcached
Page Caching using Disk: Enhanced 
Lazy Loading (feed)
Database Caching using Memcached

Served from: noise.getoto.net @ 2025-12-10 08:42:59 by W3 Total Cache
-->