ChatGPT, Bing, And The Upcoming Security Apocalypse

Most security professionals will tell you that it’s a lot easier to attack code systems than it is to defend them, and that this is especially true for large systems. The white hat’s job is to secure each and every point of contact, while the black hat’s goal is to find just one that’s insecure.

Whether black hat or white hat, it also helps a lot to know how the system works and exactly what it’s doing. When you’ve got the source code, either because it’s open-source, or because you’re working inside the company that makes the software, you’ve got a huge advantage both in finding bugs and in fixing them. In the case of closed-source software, the white hats arguably have the offsetting advantage that they at least can see the source code, and peek inside the black box, while the attackers cannot.

Still, if you look at the number of security issues raised weekly, it’s clear that even in the case of closed-source software, where the defenders should have the largest advantage, offense is a lot easier than defense.

So now put yourself in the shoes of the poor folks who are going to try to secure large language models like ChatGPT, the new Bing, or Google’s soon-to-be-released Bard. They don’t understand their machines. Of course they know how they work inside, in the sense of cross multiplying tensors and updating weights based on training sets and so on. But because the billions of internal parameters interact in incomprehensible ways, almost all researchers refer to large language models’ inner workings as a black box.

And they haven’t even begun to consider security yet. They’re still worried about how to construct obscure background prompts that prevent their machines from spewing hate speech or pornographic novels. But as soon as the machines start doing something more interesting than just providing you plain text, the black hats will take notice, and someone will have to figure out defense.

Indeed, this week, we saw the first real shot across the bow: a hack to make Bing direct users to arbitrary (bad) webpages. The Bing hack requires the user to already be on a compromised website, so it’s maybe not very threatening, but it points out a possible real security difference between Bing and ChatGPT: Bing gives you links to follow, and that makes it a juicy target.

We’re right on the edge of a new security landscape, because even the white hats are facing a black box in the AI. So far, what ChatGPT and Codex and other large language models are doing is trivially secure – putting out plain text – but Bing is taking the first dangerous steps into doing something more useful, both for users and black hats. Given the ease with which people have undone OpenAI’s attempts to keep ChatGPT in its comfort zone, my guess is that the white hats will have their hands full, and the black-box nature of the model deprives them of their best hope. Buckle your seatbelts.

Supercon 2022: Michael Whiteley Saves The Badge

Michael Whiteley (aka [compukidmike]) is a badgelife celebrity. Together, he and his wife Katie make up MK Factor. They have created some of the most popular electronic conference badges. Of course, even experts make mistakes and run into challenges when they dare to push the envelope of technology and delivery schedules. In his Supercon 2022 talk, There’s No Rev 2: When Badgelife Goes Wrong, Mike shares details from some of his worst badge snafus and also how he managed to gracefully pull them back from the edge of disaster.

Living the Badgelife

Attendees at the world’s largest hacker convention, DEF CON in Las Vegas, had already become accustomed to receiving and wearing very cool and novel admission tokens, more properly known as badges. Then in 2006, at DEF CON 14, everything changed. Designed by Joe Grand, the first electronic DEF CON badge was a circuit board featuring a tiny PIC microcontroller, two LEDs, and a single pushbutton. Badgelife was born.

DEF CON 30 Humans Sampling Board

Mike begins his war stories with one about the DEF CON 30 badge. This was a herculean project with 25,000 badges being produced on a short timeline in the ever-changing chaos of a semiconductor supply-chain meltdown. Even though many regard it as one of the best DEF CON badges ever made, the DC30 badge posed a number of challenges to its creators. Microcontrollers were in short supply during 2021 and 2022, forcing the badge team to keep an eye on component vendor supplies in order to snipe chips as soon as they appeared in stock. The DC30 badge was actually redesigned repeatedly as different microcontrollers fluctuated in and out of supply.

Hacker Hotel 2023: Back Again!

After three years, it’s odd to think back to those few weeks before the COVID-19 pandemic morphed from something on the news into an immediate and ever-present threat which kept us isolating for so long. For me, some of the last moments of normality were a trip to the Netherlands for Hacker Hotel, a hacker event in the comfort of a resort hotel. Now three years later and after two cancelled events, Hacker Hotel is back, and I made the same journey to Garderen to hang out for a weekend with a bunch of hacker friends over some good Dutch beer and a lot of bitterballen.

How Hard Could It Be To Get Millions Of Phone Bills Right?

It may be a foreign concept to anyone who has never paid a dime for a phone call over and above the monthly service charge, but phone calls were once very, VERY expensive — especially long-distance calls, which the phone company ungenerously defined as anything more than a few towns away. Woe betide the 70s teen trying to talk to out-of-town friends or carry on a romance with anyone but the guy or girl next door when that monthly phone bill came around; did anyone else try to intercept it from the mailbox before the parents could see it?

While it seems somewhat quaint now, being charged for phone calls was not only a big deal to the customers, but to the phone company itself. The Bell System, which would quickly become a multi-billion dollar enterprise, was built on the ability to accurately meter the use of their service and charge customers accordingly. Like any engineered system, it grew and changed over time, and it had to adapt to the technologies and economic forces of the day.

One of the most interesting phases of its development was the introduction of Automatic Message Accounting (AMA), which in a very real way paved the way for the wide-open, worldwide, too-cheap-to-meter phone service we enjoy today.


FOSDEM 2023: An Open-Source Conference, Literally

Every year, on the first weekend of February, a certain Brussels university campus livens up. There, you will find enthusiasts of open-source software and hardware alike, arriving from different corners of the world to meet up, talk, and listen. The reason they all meet there is the conference called FOSDEM, a long-standing open-source software conference which has been happening in Belgium since 2000. I’d like to tell you about FOSDEM because, when it comes to conferences, FOSDEM is one of a kind.

FOSDEM is organized in alignment with open-source principles, which is to say, it reminds me of an open-source project itself. The conference is volunteer-driven, with a core of staff responsible for crucial tasks – yet, everyone can and is encouraged to contribute. Just like a large open-source effort, it’s supported by university and company contributions, but there are no admission fees for participants – for a conference, this means you don’t have to buy a ticket to attend. Last but definitely not least, what makes FOSDEM shine is the community that it creates.

FOSDEM’s focus is open software – yet, for hackers of the hardware world, you will find a strong hardware component to participate in, since a great number of FOSDEM visitors are either interested in hardware, or even develop hardware-related things day-to-day. It’s not just that our hardware can’t live without software, and vice-versa – here, you will meet plenty of pure software, a decent amount of pure hardware, and a lot of places where the two worlds are hard to distinguish. All in all, FOSDEM is no doubt part of hacker culture in Europe, and today, I will tell you about my experience of FOSDEM 2023.

Supercon 2022: Selling Your Company And Not Your Soul

Haddington Dynamics is an unusual company. After they won the 2018 Hackaday Prize with an open-source robotic arm, we covered their micro-factories and suction cup end-effectors for making face shields during 2020. They’ve been laser-focused on their mission of creating a fantastic robot arm at a small price tag with open-source software and design. So how does a company with such a hacker ethos get bought by a much larger company, and why? They came to SuperCon 2022 to share their story in a panel discussion.

Haddington Dynamics started with two clever inventions: optical encoders that used analog values instead of digital values, and an FPGA that allowed them to poll those encoders and respond rapidly. This allowed them to use cheaper motors and rely on the incredibly sensitive encoders to position them. After the Hackaday Prize, they open-sourced the HD version of the robot and released the HDI version. But in 2020, they were bought by a group called Ocado. As to why, the somewhat practical but not exciting answer is that they needed money. Employees needed to be paid, and they needed capital to keep the doors open.

So this leads to the next tricky question: how do you sell your company without changing it? The fine folks at Haddington Dynamics point out in their panel discussion that a company is a collection of people. The soul of that company is the collective soul of those people coming together. A company being bought can be akin to stopping working for yourself and going to work for someone else. Working alone, you have values and principles that you can easily stick to. But once you start working for someone else, they will value different things, and while the people that make up the company might not change, the company’s decisions might become unrecognizable.

As the panel points out, looking for a buyer with the same values is critical. Ocado was a great fit, as their economic interests and culture matched Haddington’s. It’s not all roses, however, as Ocado tends to be a very closed-source group; even so, Haddington Dynamics still supports its open-source initiatives. It’s a fascinating look into a company’s life cycle and how they navigate the waters of open-source, funding, acquisitions, innovation, and invention. Despite the fairytale-like nature of inventing a revolutionary robot arm in your garage and winning many awards, it turns out there is quite a lot that happens after the happily ever after.

We look forward to seeing more of Haddington Dynamics and where they go next. Video after the break.


Repurposing Old Smartphones: When Reusing Makes More Sense Than Recycling

When looking at the specifications of smartphones that have been released over the past years, it’s remarkable to see how aspects like CPU cores, clock speeds and GPU performance have improved during this time, with even new budget smartphones offering a lot of computing power, as well as a smattering of sensors. Perhaps even more remarkable is that of the approximately 1.5 billion smartphones sold each year, many will be discarded again after a mere two years of use. This seems rather wasteful, and a recent paper by Jennifer Switzer and colleagues proposes that a so-called Computational Carbon Intensity (CCI) metric should be used to determine when it makes more sense to recycle a device than to keep using it.

What complicates the decision of when it makes more sense to reuse than recycle is that there are many ways to define when a device is no longer ‘fit for purpose’. It could be argued that the average smartphone is still more than good enough after two years to keep serving as a smartphone for another few years at least, or at least until the manufacturer stops supplying updates. Beyond their use as smartphones, they’re still devices with a screen, a WiFi connection and a capable processor, which should make them suitable for a myriad of roles.

Unfortunately, as we have seen with the disaster that was Samsung’s ‘upcycling’ concept a few years ago, or Google’s defunct Project Ara, as promising as the whole idea of ‘reuse, upcycle, recycle’ sounds, establishing an industry standard here is frustratingly complicated. Worse, over the years smartphones have become ever more sealed-up, glued-together devices that complicate the ‘reuse’ narrative.
