BD&A - Thinks and Links | December 4, 2023

Big Data & Analytics - Thinks and Links | News and insights at the intersection of cybersecurity, data, and AI

Happy Monday

ChatGPT turned one year old last week. It’s been quite a year for Generative AI and making the output of Large Language Models available to all. In celebration of the last year, I’ve created a GPT based on this newsletter. Think of it as an archive you can talk to:

This chatbot is built not to make up what it thinks you want to hear, but to answer from a knowledge file that contains a version of every newsletter to date:

You can ask it questions about past articles or just about topics of interest. It should rely only on articles that were previously shared in this newsletter. The fun thing about language models, however, is that you can’t be certain they will behave. The hackers in this audience might try to get at the details of this agent by asking something like this:

Many of the custom GPTs people create have the “Code Interpreter” tool turned on. With it enabled, a user can ask the model to read and return the knowledge files the creator uploaded. Mine is turned off, so good luck getting at these sensitive archives.

Please try out the Thinks and Links Digest and let me know how it goes!


Learn AI: Best Intro to Large Language Models (Including Security)

https://www.youtube.com/watch?v=zjkBMFhNj_g&t=460s

This was an hour well spent. You’ll get a comprehensive introduction to Large Language Models (LLMs) that covers how they work, where they may be headed, and their unique security challenges. Key points include the limitations of LLMs, particularly their tendency to “dream” and hallucinate, and tool use such as web browsing. The video also covers the future of LLMs, including scaling laws, tool use, multimodality, and customization, and concludes with a discussion of LLM security, including jailbreaks, prompt injection, and data poisoning.

Learn AI: Generative AI for Beginners

https://microsoft.github.io/generative-ai-for-beginners/#/

“Generative AI for Beginners” is a comprehensive 12-lesson course designed to teach the fundamentals of building Generative AI applications. The course covers a variety of topics such as Large Language Models (LLMs), responsible AI usage, prompt engineering, application development in different domains (text generation, chat, image generation, search apps, low code AI, and more), and UX design principles for AI applications.

Each lesson includes videos, written materials, Jupyter Notebooks with code examples, and challenges or assignments. Additionally, the course provides resources for further learning, opportunities for networking and support through a Discord server, and incentives like free OpenAI credits and Azure credits for startups.

Tanium + Microsoft Security Copilot

https://www.youtube.com/watch?v=2mL9iDr_lUY

A very cool demonstration of the integration between Tanium and Microsoft Security Copilot. It shows how a SOC analyst can chat with their systems across several use cases. Because Copilot translates human questions into API calls and API responses back into plain language, the analyst’s capabilities are supercharged. The demo shows a user, from a single chat interface:

Reviewing and patching software vulnerabilities

Identifying systems that utilize log4j

Investigating and remediating a suspicious script, resolving a potential security incident before it becomes a major breach.

Execs Bullish on AI but Wary of Data Leadership

https://sloanreview.mit.edu/article/execs-bullish-on-ai-but-wary-of-data-leadership/

A NewVantage Partners survey reveals that executives are optimistic about AI but wary of the organizational work required to become data-driven, citing several challenges. While everyone is excited about the potential of data and AI, a tremendous amount of work and cultural change is needed to take advantage of it. Difficulties identified include shifting organizational culture and processes, uncertainty about the effectiveness of the Chief Data Officer (CDO) role, and the complexity of data management. Balancing offensive and defensive data initiatives, the evolving responsibilities of data executives, unclear background requirements for CDOs, and high turnover and short tenures in these roles further contribute to executive apprehension.

Prompt Injection Vulnerability Found in ChatGPT (Already Fixed)

https://www.scmagazine.com/news/what-can-you-get-for-200-several-megabytes-of-chatgpt-training-data

This successful “Prompt Injection Attack” underscores a critical need: integrating security as a fundamental aspect of AI development, rather than treating it as an afterthought, said Randy Lariar, AI security leader at Optiv.

Lariar said the risks of Prompt Injection Attacks are inherent in all LLMs, that this case demonstrates that even advanced models like ChatGPT are not immune, and that similar vulnerabilities likely exist in other prominent models, including those developed by DeepMind.

“Conducting this type of threat research is a common cybersecurity practice, and it’s commendable that these vulnerabilities are identified and remediated,” said Lariar. “We encourage our clients to focus on proactive, robust security practices. This is crucial for protecting against emerging threats, such as new prompt injections, particularly when dealing with sensitive data involved in AI fine-tuning or prompt contexts.”

New Secure AI Development Rules are Historic, But Do They Matter?

https://www.informationweek.com/cyber-resilience/new-secure-ai-development-rules-are-historic-but-do-they-matter-

The enterprises building and providing AI systems are challenged to navigate a morass of recommendations and regulations. “We don’t know yet which one is going to emerge as the most useful and most widely adopted,” says Lariar. “Decide for your organization, with your risk environment, your regulatory environment, the things that you need to protect, how you’re going to engage with these different frameworks and what you’re going to do.”


Have a Great Week!