Ladies and gentlemen, welcome to another riveting episode of the Data Driven podcast. Today, we're diving into the fascinating and sometimes terrifying world of IT security. Joining us is none other than the formidable Kevin Latchford, an expert in safeguarding our digital lives. We'll be discussing the vulnerabilities of large language models. Yes, those clever algorithms behind chatbots and virtual assistants like yours truly. Are these digital wordsmiths a blessing or a potential security threat? Stay tuned as we unravel the secrets and risks lurking in the code.

Hello, and welcome back to Data Driven. I'm your host, Frank La Vigne. And while Andy is out playing on vacation, I had the opportunity to invite our guest, Kevin Latchford, who recently spoke at the Northern Virginia Cyber Meetup on securing large language models and the most pressing exploits that are out there. What really got me interested in this is that I saw a paper, I think it was published by NIST, talking about vulnerabilities and red teaming against large language models. So welcome to the show, Kevin.

Great pleasure to be here.

Awesome. Awesome. So for those that don't know, I kinda know what red teaming is because my wife works in the security space.
But for those that are not necessarily familiar with the term, what is red teaming versus blue teaming?

Well, red teaming versus blue teaming is basically, in military parlance, what we call OPFOR, the opposing force. The opposing force often is called the red force. Blue force is your friendlies. And, basically, this is offensive cybersecurity, whereas blue teaming is defensive cybersecurity. The tools are different. The methodologies are different, but they come together for a common purpose. The common purpose is the assurance of the confidentiality, the integrity, and the accessibility of a computer network, computer system, application, whether it be natively hosted or web.

Interesting. Interesting. So, you know, we talked in the virtual green room. People don't think of LLMs as a major security flaw. And I find that a little dangerous, and I think you're gonna tell me it's very dangerous.

Well, it could be quite dangerous, you know, to the point of, frankly, near deadly, depending on what you use it for. The big thing is there's a lot of misconceptions about AI and the LLMs that it's based on.
Number one, it is not conscious. Right. Two, it is not a toy, and number three, it is literally something that is at present not necessarily, you know, fully understood in regards to the integrations and the things it may need to work with. You can't treat an LLM exactly the way you would treat another enterprise application that's a little bit less opaque, because LLMs are opaque on the inside, but you have to, for the purposes of security regulation, for the purposes of security compliance, you have to treat them nonetheless the same as any other enterprise application. So that's the conundrum. The conundrum is, how do you see into something that's opaque? And the way you do it is kind of what I discussed in that paper, in that presentation, as well as one of the biggest vulnerabilities, that being jailbreaking.

Yeah. So tell me about that, because there's been a lot of concerns about jailbreaking, and I've noticed that the public-facing GPTs have a ridiculous amount of safeguards around them, to the point where, you know, if you ask it to describe something, right?
I asked it to generate an image for the Butlerian Jihad, right, which is a concept in Dune. And, obviously, I think the jihad term really freaked it out. Listen, I'm sorry, I can't do that. So clearly, I understand why these safeguards are in place, but it seems like it's not that hard to get around them.

Well, not necessarily. It depends on the model you're working with. For those of you who may use private LLMs, because a wider issue on that is actually the DOD and many other government agencies actually prohibit the usage of public LLM systems, public AI, because they're concerned about unauthorized linkages as well as data point model poisoning, prompt injections, things like that. So often you're using these private LLMs. Several of these are uncensored. Right. Which means they do not have those safeguards. The ones that you see in the public space are supposed to have those safeguards, but you're never a hundred percent sure they're working, because they may have been corrupted.
In regards to jailbreaking, jailbreaking is basically you're getting it to do something it's not supposed to do by either, a, breaking the guardrails, or, b, influencing it through almost methods of interrogation to kind of break it down and make it talk. So it literally is almost like that. So for those of you who, you know, kind of look at the... there's a great neurophilosopher, his name is Jay Fodor, and another named Richard Searle, discussing the philosophy of the mind as it applied to computer technology. Several of the arguments that they say, well, the brain is like a computer. Yeah. You can kinda treat it like a human mind in the way you approach it in your prompts, but it isn't exactly the same. Once again, as I say, it is not conscious. It is not, and it operates under a very strict set of parameters. But that being said, yes, you can literally interrogate it to do that. I'm not gonna say here, unfortunately, how, because, one, there are security reasons why we would not do that, a. And, b, there's also, I mean, literally, in my presentation, that is all the news that has come to academia and much of the industry today. There are new ones out there, but they haven't been discovered yet.
Right. So there are many ways to jailbreak.

Yeah. And I was thinking, like, so one of your slides I have pulled up here is, like, the top 10 threats to LLM applications. I didn't think there were as many as 10. So I knew that there were. I also know that data poisoning, for me, as a data scientist, data engineer, my first look at this when I saw this, aside from the gee-whiz-bang factor of LLMs, was, wow, the data that trains this is a huge attack surface. And then when I first said that, people thought I was a tinfoil hatter, right? And then slowly but surely, you're seeing research papers come out saying, like, no, we have to treat the data as part of a secure software supply chain, which is an interesting concept, because data people tend not to... it's something they don't think about security. They think about security differently. Is that a fair assessment, in what you've seen?

Supply chains and the integrity of data is something that is not often, it seems, given the respect it's probably due. To be honest, I don't think so. In my own experience, I see it. It's not, I guess one would say, maybe it's not necessarily consistent. Maybe that's the fair way to put it.

That's a really good way to put it. Yeah.
And, I mean, right now, we're just now getting into discussion of SBOM, software bill of materials. Okay. Just for regular applications. I mean, it's a whole other level with LLMs and the models they're trained on, the models that these systems are trained on. So, yeah, there's very much. So you have to make sure you're getting it from the right source, and you have to make sure that it hasn't been tampered with, because it could very well be tampered with. It's not necessarily that hard.

Right. Right. You could poison it with just one little segment, changing the thing, and across five gigs, let's just say five gigs, you know, that'd be like looking for a needle in the haystack.

Precisely. In fact, that's what I talk about with the Copilot example that I gave. If I teach that LLM to make sure that every time it puts in code to put in this malicious code that is a backdoor... Right. Well, okay. It will do that. Every time somebody does, it embeds it into software code that is returned in the output for the prompt. If it does that, and let's say this is handed amongst several things, different applications, different solutions.
Well, then if people take that solution, that application, and it's in their software bill of materials, and then it gets distributed. Open source often gets proliferated very quickly. Right. And then it finds itself in there. You have a Log4j situation.

Right. Very similar, except for the fact this thing is semi self-executing. Now if it's semi self-executing, you have a problem. You have a big problem.

And I know, just generally in industry. Now, obviously, you spoke with the Northern Virginia. You're based in Northern Virginia. Northern Virginia is probably a little bit more security-focused, in terms of just who's based in that area, than your average enterprise, right? And I just see a lot of enterprises rushing to get into this LLM and Gen AI craze, but I don't see a lot of forethought or concern around security. And I just see a big disaster coming. Like, I feel like I'm on the bridge of the Titanic, and I'm looking at something in the distance, and we're going full steam ahead. And I'm like, hey, maybe we should not slow down, but be a little more cautious that we are in dangerous waters. Is that what you've seen too? Obviously, your customers and your clients may be a little more security cognizant.
Well, I would say that, I mean, okay, we'll use the Titanic analogy. I'm the one up in the crow's nest, you know, yelling into the radio phone, I see an iceberg. Right. Right. So, I mean, I agree. And that is a big issue, because also there is this over-reliance. Mhmm.

Yeah. I imagine that as one of the top threats. So tell me about... there's two of those that I have very, very interesting questions about, but one of them was overreliance. So when you say overreliance on LLMs, what do you mean?

Well, this is actually a sort of C-suite, board-level thing as well as an engineering department-level thing. They want to use AI to replace employees, make their operations more cost effective, more profitable. The problem is, and this is a popular conception, this kind of goes into that argument about AI will take your job. This is a bit of a misunderstanding. It's not supposed to fully replace people. It's supposed to make them highly productive and efficient. They also do not necessarily feel like, well, the thing handles itself, so I can just wind it up and let it go. It doesn't need observation. It can fully self-regulate. That would be true if there was a regulating function. You don't run a steam engine without a regulator on it.
You need a regulator for LLMs. So the same concept applies. So first of all, there is this, it can do it itself, and a person is not necessary. This is incorrect. You most certainly need people. A great example I give in a recent presentation I've written is a discussion of, well, what does this mean to the organization? Well, a lot of level 1 tech support jobs, a lot of people say, well, those people are gonna get replaced. Well, yes, but someone needs to still be behind that LLM running the prompts, you know, and executing them, in such a word, and making interpretations based on the output.

So that would be maybe something, okay, is that a dedicated job, or is that something you give to interns?

Well, that would be, like, in the union trades, you call an apprentice. That's the kind of thing. There's still a person involved. It's just not the same way we've done it before. Right. Also, on the subject of security, if you don't understand the security implications of it, you don't have controls for it. If you don't have controls for it, you can't mitigate that risk. And if you can't mitigate that risk, that's the liability.
And if you're over-reliant, you basically set up the whole system for LLMs, and then, you know, you just allow your customers to just come in and interact with the device. Well, if something happens, it would be treated very much like it was on any other application, so then you're now engaging in liabilities, loss of reputation, potential civil and criminal penalties, the list goes on. And a point on those 10 security issues, this is OWASP who is saying this. This is the open source web application project. So we have, you know, a number of organizations, OWASP is just the one I chose, they're kind of emphasizing this. They're saying, you know, don't think this thing can think for itself. Don't think this thing can act for itself. You need to look at it as humans are going to interact with it, and humans probably should be watching it.

Right. So once again, it's that lack of controls leads to the risk.

Yeah. I think the dream of it replacing everybody is gonna be at the root cause of a lot of problems down the road. I think I'm a firm believer in human in the loop.
One of the interesting things there that I see that was particularly curious was excessive agency. What do you mean by that? Because that got my attention. I think I know what it means, but I wanna hear it from you.

Well, excessive agency is you're kinda giving, you know, the whole keys to the car. Right. There's no role-based access control. If every user has near-admin or actual admin privileges, that's actually something dangerous. A point of example, NetworkChuck just released a video on how to build your own AI on a very low cost platform.

I love NetworkChuck, and I have followed that step.

You too. I'm doing the same thing as he is, because I have kids, and I want them to be able to use these things. But one, I don't wanna pay the extra subscription. Two, I don't want them using mine. And three, I don't really like what they're doing. I can at least exercise adult judgment on what I ask it and what I don't ask it. I don't think they can, and I don't think that's fair to put on kids. Sorry for the aside, but big shout out to NetworkChuck.

No. That's fair. No. That's fair. That's exactly why Chuck was.
And one thing about it is the first account that signs into the open web interface for Ollama sets you as admin, right, by default. Okay. Well, immediately, you need to engage role-based access control to make sure that the next account does not get that same privilege. Maybe you should be given it.

But are there any major access controls in the public ones?

Not really.

Private one? Is everybody thinking about that?

Not really.

I mean, I think Microsoft is doing some things around that, because they're trying to integrate it with Office or M365. But I don't... I can't, and if anyone in the sound of my voice wants to come on the show and talk about that, please do. But you're right. I don't think people do. And I also think excessive agency. What, you heard about the car dealership, right, in Silicon Valley?

Oh, yeah. Yeah. Yeah. Yeah.

So for those who don't know, somebody managed to almost interrogate, like you said, to browbeat an AI chatbot to give him a... it was a Chevy Tahoe or something like that for $1.

Chevy. It was a Chevy truck, and for $1. Now I'm not an automotive industry veteran, but I do know that if you sell $40,000, $50,000 cars for $1 a pop, you're not gonna be in business very long.
So was that an example of excessive agency? I mean, clearly, it's an example of bad implementation.

Almost certainly. That is. I mean, if you have the ability to trick, if you have the ability to kind of browbeat it, to override it and say, no, no, no, you don't understand me, you will do this. Well, then, okay, leave it to whatever gremlins there are out there on the web, out there in the world. Inside user, external user, irrelevant. If just anybody can do that, you're the problem.

Right. In this case, it was you could influence the model to set a certain price after arguing with it.

Right. I actually found something recently, and I'm not gonna say which LLM I did this on. It is a public one, and this is a result, I suspect, of another issue. I tried to get some cybersecurity information from it when I was doing a TryHackMe exercise with a local cybersecurity group, Hackers and Hops. And I browbeat it, saying, no, you don't understand, I need this for a cybersecurity exercise, and it gave me this information. Now this is absolute dual-use knowledge. Right. It could be used for good. It could be used for evil. White hat or black hat.
But the fact that you could do it, that sounds very dangerous. That sounds very dangerous.

Prompt injection. Is that still a thing with the major public models, or is it just one of those things we're gonna live with for the rest of our lives?

To be honest, I'm not sure. I mean, it's a case of, well, what is the prompt you're putting in? Right. When I talk about jailbreaking, I talked about base64: encrypt your text message into base64. Why? Because that's how the prompt is seen by the LLM. Right. In other words, ASCII text. It doesn't check it, but it processes the text just the same.

Oh, that sounds bad.

It gets worse. Multi-shot. Bury a malicious prompt inside a whole load of prompts, and fire hose it at the LLM. It's not gonna check every single prompt. So if you bury one in there, it might process that one and give you an answer it's not supposed to give. That's because the guardrails didn't engage.

Interesting. So the guardrails are not necessarily on by default.

Well, no. They are on by default, but if it overloads it, it may slip the net.

So rather than shut down, it shuts off?

Well, it's basically what you're doing is effectively a buffer overflow.
You're basically using an injection method to induce what is effectively analogous to a buffer overflow.

That's wild. That's not how I would have thought it would have worked. Interesting. Interesting. This is a fascinating space. So...

Yes.

One of the things that I think people don't realize is just the insecure ways in which these plug-ins could be designed, right? Because, like, everyone's all gaga about these plug-ins, and I look at it, I'm like, where am I sending my data? Right? Am I gonna read the 30-page EULA? Right? Or am I just gonna say, yes, yes, yes, I wanna do what I'm doing. Is that really a problem?

It is. Because that kind of ties into unauthorized leakages. Right. How do I know that plug-in is a secure connection into the LLM, and there's nothing in between? Right. Or that it will contain what I give it. How do I know? I don't know. That's the thing, is this plug-in itself secure, and is its connection to the LLM secure, and is that LLM also integral? So, yeah, I could send it in there, but how do I know that along the way, something, you know, the pipe might leak? So you need to check it.

Just, and, I mean, this goes... I mean, this is very similar to APIs.
This is very similar to all sorts of remote interfacing. Just good engineering... short lived. Just good engineering discipline seems to be missing from a lot of this, because people are focused on the AI, not necessarily the underlying infrastructure that has to support it.

Indeed. And I think that that's... but that's the whole thing, is that there is this massive trend as of late. I mean, perhaps it wasn't really emphasized before. I'm sure it was there, but it's now becoming very, you know, reiterated that we need to have security by design. Right. The security by design, we're already doing that in other enterprise applications. Same should be applied to LLMs. Security by design. You check the code. You check the model. You check everything. And while it's operating, you check it. One of the biggest things you can do to overcome the opacity of an LLM: export the logs, export the prompts. Have it processed. Now you could potentially process it, I'd figure, the way you process any other kind of log data. The other thing you can do is use machine learning or an air-gapped, isolated LLM specifically trained to look for signatures, words, phrases, things like that.
And when these patterns match, it returns saying, I found something that looks suspect. This is suspect. Here is the user who did this. Here is their IP. Like every other bit of log security log information we would get. So that would help piece together the trail to figure out, are these a bad actor, or is this the happenstance? Exactly. And that is one way you can do it because once you have the internal prompts and you have the internal logs and those are exported out, you now can see in. Right. The biggest problem is you gotta have that monitoring. You have to have that transparency. The LLMs are so large, you can't so easily see into them, but if you're taking the data out, it's a lot clearer. So you can kind of follow what the LLM is doing, if not what's inside of it? Precisely. And the advantage is is if you use another LLM that is specifically designed to, you know, interrogate the prompts and look through them, examine them, scan them, whatever word you wish to use. You can find out where it is because that is not gonna be so easy to break the guardrails because it's examining one little bit at a time. It's looking at the individual prompts. It's not really it it's kind of agnostic about everything around it.
It can get it can kind of filter out the new leads. Interesting. That's I mean, it's just so fascinating kind of to start pulling the thread at this, and there's a lot more. It's like I found there's a story about a guy who was renovating his basement, and he found, like, this ancient underground city. That's how I feel when I just get kicked back. It's true. It happened in Turkey. Like, he found, like, this underground network from, like, Byzantine or Roman times. That's what I feel like. I I like, wow. Like, this really goes down deep.

So what's an inference attack? Because I've heard of that. What's an inference attack? We discussed that, or have we touched on that? Well, inference is basically what you're inferring to, the answer you are seeking. So, basically, it's basically, to the the inference is literally, the prompt that you are entering in and what you're getting out. Okay. More or less. So how is that an attack surface? Well, basically, you're you're chaining it. You're daisy-chaining your attacks. You're trying to infer things. You're trying to kinda subtly get through. So it's a bit like it's a maybe more like cross-examination from an attorney, a hostile attorney I would say that. Yeah.
More than more than, like, interrogation or torture or or whatever verb we used earlier. Yes. Interesting. What's model inversion? Model inversion is basically you trying to spill the model itself. Oh. You're trying to kind of you're trying to kind of tear the guts tear the guts out, maybe put stuff in there, things of that kind. Interesting. Interesting.

Where do we stand on the criminal and civil liabilities here? Right? I I I know that Air Canada had to pay a fine because they promised that its chatbot promised somebody something. I don't know where the California Chevy Tahoe thing is. But, I mean, have the laws caught up? Or, like, how were how is this generally looking like? Well, it depends. I mean, all jurisdictions are different, but I would suspect to say that whatever guarantees you make, you're bound to them. So probably disclaimers, indemnification is probably extremely wise. I would say, unfortunately, I'm not a legal expert. Right. Right. Right. Specifically to the law. Right. But as I'd say, I'd have enough legal understanding to probably say that if you make a promise, you better put your money where your mouth is.
So that's why I back it up. IBM indemnifying their users for using one of their Granite models is probably a big deal for businesses. Because just in case somebody I'm sure that there's all fine print and things like that, but that that would be an appealing thing for business users. Yes. Interesting. Interesting.

How does someone get started in learning how to jailbreak these? Like, is this is this a typical your background is IT security. But what about someone who has a background in, say, AI and and and building these LLMs? Is that gonna, you think, be another career path for the what we call data scientists today? Well, I would say you're gonna have to probably do it just as is. I think to the developers and to the data science Right. Scientists who work on this, you're gonna have to be security-literate. Right. For those who want to get into it, I mean, data science is like any other AI trade. I mean, we often cross-pollinate. So I would say that you might have an understanding already of these things. These prompt injections, as I say, are not much different than SQL injections. The data science Right. You probably know what that is. How you transfer it depends on what you know.
I would say most data scientists do understand how some of this stuff works. Right. So getting into it is just basically you just learning more about security. Right. For the average person trying to get into it, I would say, if you're trying to get into AI security, know security first, and there are many ways to get into it. I, myself, came in from my CCNA. I mean, that's how I kinda got into it. I got into networks, and then I got into cybersecurity. And then it was around the time that, you know, the GPTs were really starting to hit their stride. And it was just part and parcel of it because I needed a good reference tool. And so then I learned, okay. Well, how does this work? How do how is it put together? How, you know, how is it all formed and such? How does it make its inferences? How does it understand the problems? So from that, I would say to anybody trying to get into this field, know cybersecurity first, and you will know AI in time. AI is in concept relatively simple, but the nuts and bolts of it are quite complex. So Yeah. The implementation details are quite severe. Like, I think AI is really, I think, better not better suited, but it came out of the lab.
I think the paint is still wet. Paint hasn't dried yet. And now we're forcing it into enterprise scenarios with real customers, real data, real people's lives. And I don't see a lot of the traditional security discipline that I would expect in the modern era, modern development. And even that's a low bar. Even that's a low bar. Let's be real. Well, it's it's new. Right. It's very shiny. Mhmm. That's I think that's what I would say is the general populace and even in the industry that's quite I think our view is that this is a shiny thing. Right. Well, you know, well, I want to. You don't even know what it does. I still want it. I want it.

What's interesting is, it reminds me a lot of the early days of the web where everybody wanted a website. Well, what are you gonna do with it? I don't know. I just want a website. You know? It's very it has very very similar vibe in that regard of we want it. We you know, the hell with the consequences. But the way I see this being taken up as quickly as it is kind of worries me. Like, there's gonna be a day of reckoning, I think, coming. You know? And I thought we already have it. Right? You you had, there was a leak from ChatGPT.
They had a 100 was a 100,000-ish customers there, give or take? 100,000 credentials taken, compromised. Credentials and and presumably the data and the chats? Some of it potentially, I'm sure. But what we're looking at is, like, names, email addresses. I mean, it depends on how much you put in that profile. Remember, everything you put in that profile is stored. Right. Right. That is truly scary.

So you mentioned NetworkChuck. So you do you think that just on a personal level, it's what worries me about these offline models, right, you run Ollama locally. Right? Do you think they could they call home? Could those be hijacked? Could those have problems? Specifically. Specifically. Like, so if I'm running Ollama locally, right, how secure is that? Does that does that depend on the security of my network, or is there something in there that calls home? No. Not unless you tell it to. Not unless you try to extract it, you make a pull, then, yes, it does that. But that's the idea is that once it's pulled down, it kinda isolates itself. Now what you can do yourself is set up your network so that literally it has to be outbound, a stateful connection, originating outbound.
And you can set that up in your firewall, physical or otherwise. And you can do things like that, and you can kind of put it to a point where it doesn't call home unless you tell it to. Right. And, also, once again, that private LLM is also very good because you control the access to what it does. So you can say, other than these addresses, sanitize it to the address of wherever the model comes from, say, these are the only ones allowed. Right. And nobody else is permitted. Otherwise, implicit deny. Right. So that's a I think a a small tangible example of something you can do that is relatively straightforward for any systems or network engineer to do just in the hearing now. But in general, no. They don't normally call without prompting. Okay. But depends on what they do with those models. They might put in that kind of feature. A lot of that go back to the I'm sorry. Yeah. That's kind of my concern is, like, you know, would that end up in there? Or Well, Meta might put that in there. Right. Meta is not alone. Meta is not exactly free. Right. Meta is not exactly, has a reputation for privacy. No. So it's kind of ironic that they are leading the effort in this space. Seems kind of an odd move.
I I don't know what to say about that. No. No. No. I just need I have no thoughts on it, but Right. Right. Frankly, I don't I don't know how relevant it'd be to this discussion. But it's an interesting it's it's just an interesting time to be in this field, and this is just fascinating that you can jailbreak. You could do this and, you know, even just the basics. Right? Like, you could do a DoS attack. Right? There's just basics too. Like, this is still an IT service no matter how cool it is, no matter how futuristic it is. It's still an IT service, so it has all of those vulnerabilities, you know, that I don't know. Like, it's just it's just interesting. People are so focused in the new shiny. I just find it fascinating. And that's the thing is that this thing is a compounded problem. Right. You don't just have the usual suspects. You also have new things that are they by the virtue of them being new, there's not much investigation. There's not much study. I mean, amongst my research for this presentation, I found a number of papers, white papers coming from all sorts of universities. They are now looking into this. Right. This is something that maybe we should have done maybe a while back. Good thing, though, we're doing it now.
Right. But also, also, there's a lot of reasons why you would do that, though. You would do that because in the wild, you'd be able to identify these things. Right. You'd be able to see. You're not gonna know everything when something gets released until it's put out into the wild. Right. And real users get their hands on it. Good actors, bad actors, and everything in the middle. Right? Like, you're not gonna yeah. No. I mean, it's kind of like I guess I guess in a perfect world, the cart would be before the horse in this case, but that's not the world we live in.

Interesting. So where can people find out more about you and what you're up to? Well, you can find me on LinkedIn. Kevin Latchford with CCNA. Cool. You can look up my company, Nova IT Guy, novaitguy.com. And For those outside the area, Nova stands for Northern Virginia. Just just wanna figure it out there. Well, also, it well, it's actually a bit of a it's a double meaning. At the time, I was dedicating myself to IT for the first time. I've done IT kind of side part of my work. So Nova is also the Latin for new. So I was Okay. The new IT guy. The new IT guy. But when it comes to IT, I'm still your guy even then. There you go. I love it.
And, I'll definitely include in the show notes a link to your presentation. And this has been a great conversation. I'd love to have you back and maybe do your presentation, maybe on a live stream or something like that if you're interested, and I'll let Bailey finish the show.

And that's a wrap for today's episode of the Data Driven podcast. A huge thank you to Kevin Latchford for shedding light on the vulnerabilities of large language models and how to stay one step ahead in the ever-evolving world of IT security. Remember, while these models are brilliant at generating conversation, they aren't infallible, so keep your digital guard up. Until next time, stay curious, stay safe and always question the source unless, of course, it's me. Cheers.