Most of my blog is in Hungarian; the English entries below are generally reprints of my Linkedin posts. They are also available via RSS.
|
Most AI related opinions fall into one of the extremes: either AI enthusiast 🤖🥰 or radical anti-AI 🤖😡. There is truth on both sides, and one can also argue against both:
vs the enthusiast riding the AI hype 🤖🥰:
- 🫤 This is a cool technology that can summarize, create lookalikes or combine existing patterns well, but it is not going to create anything radically new. At best it can create solid, consistent work, but its art is always going to be mediocre as it works by combining the past. Don't expect it to find breakthroughs, it does not think 🧠; it is a glorified autocomplete.
- 😶 It is no replacement where you need human touch or empathy. It can behave as if it had feelings, but people will know it does not and will miss the human.
- 👉 While not human, it may forever be vulnerable to e.g. social engineering attacks, as it was built to emulate human behavior.
- 👀 Why put AI everywhere? You may not always want a human looking over your shoulder. The more you consider AI a person, the more you may want privacy from it. Sometimes you don't want a copilot but just want to fly alone.
- 🥸 Consider it an extremely efficient, hard-working employee, whom you did not hire, you cannot motivate, cannot discipline or cannot hold responsible if something goes wrong. While it does what you ask, it may also be secretly pushing some huge megacorporation's agenda.
- ☢️ You can use AI for supplementary tasks, but companies who give up understanding their core business are doomed.
vs the anti-AI Luddite 🤖😡:
- 🎉 You may be skeptical but this technology works! We can accomplish cool things with it we could not even dream of a few years back.
- 🛠️ Yes, there are funny glitches, stupid mistakes and vulnerabilities, but they will be fixed. For those that cannot be fixed (e.g. non-determinism), there will be workarounds.
- 🧠 It may seem to break some of today's processes (e.g. essays at school or peer reviews of scientific papers), but perhaps those processes are wrong. Is it really art if AI can really produce the same quality? Come on, be more creative!
- 🪥 Don't worry about Skynet taking over the world -- because worrying does not help. Even if you turn your back on AI, the toothpaste is already out of the tube, and you cannot make humanity unlearn this technology.
- 🏃 Companies/countries that outright refuse to use AI (or any fancy tech) will fail. Those that consider using it will have more options and will be in a strictly better position and will eventually outcompete the rest. Regulation alone does not solve this; if major countries do not regulate, they will have the advantage.
I use AI, as it is useful and rejecting it does not bring you anywhere. I try to learn how to use it right. Companies riding the AI hype are creating AI systems both good and bad -- as a security guy I will need to secure them. I tend to be open & creative when experimenting, but conservative when it is a live system.
Be open & learn but keep your gunpowder dry!
This post was first published on Linkedin here on 2025-10-23.
|
Let me share some experience about the agentic AI trainings I completed on Linkedin:
- Hands-on AI: Implementing Agentic Systems
  This one-hour course is very fast. It starts with a high-level overview of agents and frameworks, touches on some security aspects, and then jumps into showing actual agentic AI apps using Python and CrewAI. The course gives you a glimpse of how the source code looks: most of the application consists of prompts in a yaml format, defining a 'crew' of AI agents, and then very little and generic code invoking CrewAI based on this yaml. The course does not explain how the code works line by line, and you will have trouble following it unless you know what to expect. It also shows cool examples of how all this can fail: in one case when the tool had no access to source data, the AI tool decided to make up some realistic looking source data itself.
  If you want an intro on how an agentic AI ecosystem 'feels', this course can be useful. If you want to learn how to create such an app, then this is not for you.
- Creating Agents with CrewAI
  This course teaches you step by step how to write agentic AI based apps using Python and CrewAI; it takes two and a half hours. It is very hands-on and jumps right into doing stuff. The course explains how you can install CrewAI and fire up your environment. It uses OpenAI but also gives guidance on how to make other platforms work. (You need to purchase credits to use OpenAI via APIs, but Gemini has a free tier; I could make the latter work with rather little effort.) The course explains concepts behind CrewAI and teaches you what you can customize and how. It builds a couple of applications, walking through each step of the process. It does the kind of babysitting I was looking for.
I find frameworks like CrewAI rather useful; they allow you to write code fully independent of the AI platform you use (OpenAI, Gemini, Claude, etc). It also orchestrates how you call the LLM, helps you glue your prompts together and extract results. Not rocket science, but a very handy tool.
This post was first published on Linkedin here on 2025-10-19.
|
Wolfgang Amadeus Mozart was a great composer, but it is less known that he completely sucked at relational databases.
Mozart was a very active prodigy with many revisions and variations of his works. He kept no catalogue himself, his manuscripts were all over the place, and some were discovered after his death only (when forgeries started appearing too). Many of his works lacked a title or any other way they could be unambiguously identified. Thus, people were confused when referring to Mozart's works, some wondering cluelessly like: 'You know the one that starts like 🎶🎵 [humming]... No, not that one, the one that continues as 🎵🎶 [humming]...' Even counting his works was a challenge. Mozart did not use any unique id; he clearly did not think of people later trying to organize his works into an SQL database. 😄
Then came Mozart-researcher superhero🦸 Ludwig von Köchel, who said: 'Let's number Mozart's works in chronological order!' So hath Köchel spoken, the Köchel catalogue was born, and there was confusion no more. (*)
➡️ Assigning ids is a surprisingly simple and effective solution.
➡️ While you cannot blame Mozart for not using unique ids 300 years before computers, it is just surprising how many times we see in today's world long lists of 'stuff' without any way to navigate, identify items, tell them apart or count them.
➡️ For me as a security guy: it is really tough to secure something you cannot even count... 😫
*: Actually, people kept discovering new works of Mozart, and some were re-dated / re-attributed, so the Köchel catalogue had to be re-numbered a couple of times. Today it sounds like a better idea to say: 'Let's number them in any order and do not change those numbers ever as ids must be immutable'. (see 9th edition of Köchel catalogue)
This post was first published on Linkedin here on 2025-09-28.
|
Support for Windows 10 ends on October 14, 2025, which means: no more security patches. It is a very bad idea to run an OS without security patches (unless you live in a cave; a cave without any Internet). Time to get off Win10!
We had a Win10 machine in our home which did not update to Win11, as it did not meet its hardware requirements. It is a good machine otherwise, and I just did not want to throw it away 🚯 just because M$ stops the support.
I decided to install Linux 🐧 (Debian 'trixie' 13.1). I used to run Linux on my desktop while I was a PhD student, but after I joined the corporate world, I gave in and moved my desktop to Windows (and used Linux on servers only). It felt so good to have the Linux desktop back! 😊
Some key observations:
- 😫 The Debian installer still has the user experience of running a gauntlet. It is now graphical but did not change much. (Why does a 21st century user need to know what a 'locale' is!? If you want better user experience, try Ubuntu; I tried that but turned away as I had to be dodging offers to buy cloud/AI services, and this was exactly what I wanted to get away from at M$. 🤑)
- 😊 All my hardware worked immediately.
- 😊 I installed the necessary software via the package manager and they just worked.
- 😊 The longest/hardest part of the Linux install was shutting down Win10 (which just never wanted to finish).
- 😊 I installed a cloud gaming client which could stream AAA games seamlessly. (I did not yet try gaming directly under Linux, but I heard it is also doable.)
It barely matters what OS I use today. I do most of my things in a browser, and that is cross-platform. M$ Office is not something I can realistically get rid of, but it is also available in a browser. The apps I use are usually free and cross platform. When I need a specific OS, I can fire it up on a VM in the cloud and connect to it.
Get off Win10 ASAP, and keep in mind that you are no longer locked into Windows! 😄
Update (2025-09-29): Microsoft decided to make Windows 10 extended security updates truly free in Europe.
This post was first published on Linkedin here on 2025-09-20.
|
I first published the below on Linkedin here on 2025-01-25.
The PKI Consortium held a conference on Post-Quantum Cryptography on Jan 15-16. Let me share some background and my takeaways.
Quantum Computers (QCs) could perform some calculations much faster than any traditional computer. Not a mere thousand times faster, million times or billion times faster, but radically faster ⏩⏩, providing 'efficient' solutions for math problems we cannot hope to solve with today's computers. They are specialized devices; you cannot browse the web or play 🎮 video games on a QC. You are unlikely to ever have one in your home, as they require very special physical conditions to function. However, they are likely to bring major breakthroughs in areas like optimization algorithms or machine learning, so they are researched extensively. They are also likely to reshape cryptography.
A large-scale Quantum Computer (which does not exist yet) shall allow faster attacks against cryptographic algorithms:
- Symmetric key cryptography algorithms we use today are likely to remain secure 🔒 if used with long keys (e.g. AES-256). Some shorter keys (e.g. 128 bits) will no longer be secure vs QCs (with Grover's algorithm providing a quadratic speedup). This is a major effect, but not earth-shattering.
- Meanwhile, QCs will have a devastating effect on public key cryptography we use today, as both the RSA and ECC algorithms can be efficiently broken with a QC (with Shor's algorithm yielding exponential speedup). QCs are going to render today's digital signatures and key establishment protocols insecure ⚡ (and thus certificates, PKI and TLS, etc), so today's public key crypto algorithms shall need to be replaced.
Post-Quantum Cryptography (PQC) is about migrating to stronger, quantum-resistant crypto algorithms (which will remain safe in the age of Quantum Computers).
It may take years or decades until a cryptographically relevant QC becomes reality. Technical problems seem solvable; one speaker at the conference suggested that how far away QCs are merely depends on how badly people need them and how much money they are willing to spend. The recently announced Willow chip is one step towards scalable QCs, but it does not turn anything upside down. QCs are not a direct threat today, and it will take time from the first scalable QC until your adversaries get their hands on one too. However, preparing for them is not a problem of the far future. There are attackers already collecting and storing encrypted data, hoping they will be able to decrypt it when a QC becomes available. (This is called the 'harvest now, decrypt later' attack ⚡.)
Replacing crypto algorithms is hard. First, the new algorithms need to be researched. Second, they need to be standardized, to allow interoperability. Once standards are ready, devs can create software implementations, but you can only use them, when both/all sides of your protocol support the new algorithm. (I recall migrating TLS to SHA2-based certs: a very large part of the Internet had to support SHA2 before people could even start installing SHA2-based certs on their servers.) Even if you are already using the new algorithms, legacy implementations may still opt to downgrade to the old ones (and attackers will do the same). Once there is a critical mass out there who supports the new algorithms, then you can enforce the new and disable the legacy algorithms -- this is the point when you are secure 🔒.
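The migration logic described above, as an added example that is not part of the original post: a toy negotiation model showing that a server supporting both old and new algorithms still gives a legacy key exchange to any peer that offers only legacy algorithms, and how to measure what share of clients would survive enforcement. The server preference list, the sample client offers and the function names are assumptions made for illustration.

```python
# Added illustration: a toy negotiation model, not a real TLS implementation.
PQC = {"ML-KEM-768"}  # FIPS 203 parameter set, quantum-safe key establishment

# Assumed server preference order, strongest first; the last two are classical
# algorithms that Shor's algorithm would break on a large-scale QC.
SERVER_PREFS = ["ML-KEM-768", "ECDH-P256", "RSA-2048"]


def negotiate(client_offer, enforce_pqc=False):
    """Pick the first server-preferred algorithm the client also offers.

    Returns None when nothing acceptable is offered (connection refused).
    """
    for alg in SERVER_PREFS:
        if enforce_pqc and alg not in PQC:
            continue  # legacy algorithms are disabled once enforcement is on
        if alg in client_offer:
            return alg
    return None


def readiness(client_offers):
    """Fraction of observed clients that would still connect under enforcement."""
    ok = sum(1 for offer in client_offers if negotiate(offer, enforce_pqc=True))
    return ok / len(client_offers)


# Constructed sample population: offers seen from four hypothetical clients.
SAMPLE_OFFERS = [
    ["ML-KEM-768", "ECDH-P256"],  # upgraded client
    ["ML-KEM-768", "ECDH-P256"],  # upgraded client
    ["ECDH-P256", "RSA-2048"],    # legacy client, or a peer claiming to be one
    ["RSA-2048"],                 # legacy client
]

if __name__ == "__main__":
    for offer in SAMPLE_OFFERS:
        print(offer, "->", negotiate(offer), "| enforced:", negotiate(offer, True))
    print("ready for enforcement:", readiness(SAMPLE_OFFERS))
```

The server cannot tell a genuinely old client from a peer that merely presents a legacy-only offer, so the fallback stays open until `enforce_pqc` is switched on; the readiness figure is what tells you how many clients that switch would lock out.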
Past crypto migrations took over a decade 😮, and some speakers even questioned if they ever ended 😄 (yes, SHA1->SHA2 was hard). Still, if you would like to keep your secrets safe for X years, and it would take Y years to migrate to quantum safe algorithms, and quantum computers are likely to arrive in Z<X+Y years, then you are already too late 😵. (See: Mosca's theorem.)
The standardization of PQC algorithms just concluded. NIST ran a process for selecting the new PQC algorithms from 2016, and released standardized quantum-safe public key algorithms in 2024:
- ➡️ FIPS 203 ML-KEM (based on CRYSTALS-Kyber), a lattice-based key encapsulation mechanism. This is the only one that can be used for key establishment (like in TLS), the rest are for signatures.
- ➡️ FIPS 204 ML-DSA (based on CRYSTALS-Dilithium 🖖), a lattice-based signature algorithm. This is intended to be the go-to signature algorithm.
- ➡️ FIPS 205 SLH-DSA (based on SPHINCS+), a stateless hash-based digital signature standard, which is meant to be backup for the previous one. It is not lattice-based but follows a different, more conservative math approach of hash-based signatures (and also unique as its name is not coming from a sci-fi franchise 😜).
- ➕ There is one more signature algorithm (FN-DSA, based on FALCON 🦅), which is going to be standardized in the future.
NIST has also published a timeline (see: NIST IR 8547) for transitioning to the new PQC algorithms, detailing for how long each current/legacy algorithm is usable. The transition is expected to be completed 🏁 in 2035.
My key takeaway was also called out by the NSA presenter: standards are ready, the clock is ticking, time to roll up your sleeves and work on how you get to PQC.
