
Thank you very much. Um, hi everyone, thanks for joining me on my tiny adventure into the world of AI tooling. Um, just to set some expectations: this is a non-technical tech talk. The idea isn't to dazzle you with the technical capabilities of AI and how it will help you hack the planet. The idea is to show you a few tools and to get you thinking about how they're going to change our working environment as information security professionals. I don't promise to give you any answers, but we are going on a tiny adventure with some of the more talked-about tools, at least. I've got no specific expertise in this area, but I do have a very keen
personal and professional interest in this stuff, so please join me on a little adventure around the world of artificial intelligence. And our journey starts in January of this year, so I need your help for just a moment, anyone that's seen Wayne's World. But hello, there's a BSides in Lancashire call, and there's a call for papers. Well, that looks like one, and I really need the CPEs. If I don't have anything prepared I guess I could do a lightning talk, though that's only 15 minutes, and if I get really lucky I'll be on after Glenn and he'll overrun by at least five minutes. So what's that? That's 10 minutes of paranoid rambling about something topical.
Okay then, I'll go and get a beer before the imposter syndrome. Right, something topical. [Applause] What can I ramble about for 10 minutes? Oh, I know: AI something or other. Can't be that hard to write 10 minutes of paranoid guff about that subject, can it? I know my artist friends, they've all been moaning about it's stealing their jobs or something. Maybe it's going to steal my job. Nice, let's stick some fun in there, a bit of fear, uncertainty and doubt, counter it with some snarky comment about the anti-AI brigade sounding like the first guy to be upset by the invention of calculators or something. So I guess we need to write some sort of abstract and send it in to the guys at
details. There we go, nice woolly summary for a talk I haven't really yet. What's the worst that can happen? Well, they could say no, and I'll go anyway and be on a jolly with all my mates.
Come on dearly I'm done. Thank you for your talk submission, BSides Lancs, titled AI. Congratulations, we're really impressed with your talk submission. We would like to invite you to speak in person Thursday the 30th at years. We've allocated your 30-minute box.
Okay, that's a little bit funny, but I can't use PowerPoint photography and this works well. Since this is a talk about AI, let's see if AI can help. So always plays, this is Tome AI. It combines ChatGPT 4 and DALL-E to create both text and artwork for you to use in your presentations. Nice. I wonder what happens if I just ask it to create my title page for a presentation called AI. Now in this video the sharp-eyed of you have probably noticed that I've already made my first mistake: I entered the title, the text prompt, into the wrong box by accident, and in that time, in under a minute, it's written the entire presentation. I was really hoping for just some sort
of dramatic title page, but I made a tiny mistake, as I say, and it got carried away. Now, AI doing things it wasn't asked to do, nothing bad could possibly come about with that, could it? Um, but no, it's fine. [Music] It happens in popular science fiction movies all the time and we always fix it, so it'll be fine. Um, what I will say, just for relevance, is contextual input validation is important. I put in a request for a title page; it generated me an entire presentation simply because it didn't entirely understand what my request was. And just as an aside, the stopwatch, the stopwatch is just there really to show you how fast this tool works,
because it's entirely possible that some of you have never used these tools. So all the videos that I'm going to show you over the course of the next, so, however long, um, are done in real time. There's no speeding. So yeah, this looks better than my title page did. Doesn't have a comedy sound effect though, does it? One ounce of a human. So there's some sort of context page, fair enough. Now, just while we're here, I'm gonna pick up on something I said a moment ago. Did you catch me say I made this? Well, that's kind of the first point I'd like to raise, because ChatGPT is an artificial chatbot developed by OpenAI and it was launched in November of
2022. It was trained on data sources such as Wikipedia and something called RLHF, which means reinforcement learning from human feedback. So did I make anything at all here, or am I just plagiarizing the work of every Wiki editor that came before me, about passing this up was mine? And as a side note, ChatGPT was not designed to be a source of truth. It was designed to mimic human conversation. It will conflate sources, it will get things wrong, it will outright lie sometimes in order to maintain that sort of illusion of conversation. So, segue: I need to interrupt this just a moment to reinforce the claim that I just made there. ChatGPT was not designed to be a
solution, it's designed to mimic human conversation, and it will conflate sources, it will say. I need to provide you with an example of that, and I don't necessarily know that I'm the best person to do it, so allow me to introduce Dr House.
I actually asked OpenAI: 35, female, no past medical history, presents with chest pain which is pleuritic, worse with breathing, and she takes oral contraception pills. What's the most likely diagnosis? And OpenAI comes out with costochondritis, inflammation of the cartilage connecting the ribs to the breastbone. Then it says, and we'll come back to this, typically caused by trauma or overuse and is exacerbated by the use of oral contraceptive pills. Now this is
impressive. First of all, everyone who read that prompt, 35, no past medical history, with chest pain that's pleuritic, a lot of us are thinking, oh, uh, pulmonary embolism, blood clot, that's what that is going to be, because on the boards that's what that would be, right? But in fact OpenAI is correct: the most likely diagnosis is costochondritis, because so many people have costochondritis, but the most common thing is that somebody has costochondritis with symptoms that happen to look a little bit like a classic pulmonary embolism. I want to go back, and I wanted to ask OpenAI, what was that whole thing about costochondritis being made more likely by taking oral contraceptive pills? What's the evidence for that? OpenAI came
up with this study in the European Journal of Internal Medicine that was apparently, supposedly, saying that, and I, I went in Google and I couldn't find it, I went on PubMed and I couldn't find it. I asked OpenAI to give me a reference for that, and I look up that and it's made up. That's not a real paper. It took a real journal, the European Journal of Internal Medicine, it took the last names, I think, and first names of authors who have published in said journal, and it sort of confabulated, uh, out of thin air a study that would apparently support this viewpoint. That it must have picked up, it must have picked up the idea that OCPs,
oral contraceptives, show up on the same page as chest pain causes, and so they sort of started to figure out, well, maybe costochondritis and, and oral contraceptives are related. But in fact that's a red herring. It's really that people who are taking oral contraceptives have a higher risk of pulmonary embolism, and those travel together on the internet pages, and OpenAI got fooled. But rather than admit that, I asked OpenAI for links and I, are you sure you're not wrong, and it stood its ground. So I was blown away by the accuracy of so much of what I did with the platform OpenAI, but I was also scared that it was willing to lie to me,
to make up something to support a contention that was not real.
So bluntly, we've got a tool which we know from the media right now is being used for people's homework, to keep the professional lives, which categorically is following its design parameters to mimic conversation, and yet for some reason in popular media we're conflating conversation with facts. We're assuming it can work like Google and it doesn't. And even, frankly, things like search engines, Google, Bing, choose what you will, these aren't necessarily sources of truth because they're just search engines. You still have to read the research, make your own decisions, draw your own conclusions and find other documents to sort of back up. So I think Dr Faust makes a point much more
clearly than I could in that moment: you can't trust. And we're back. So this is Tome again, and we're looking at the presentation that it built, and this looks better. We can now see that Tome AI is reaching out to DALL-E, so DALL-E is also the OpenAI tool. It's created a nice science fiction image to go with that text. And DALL-E is particularly interesting because the model that underpins it, it's a multimodal implementation of OpenAI's GPT version three, and in the words of DALL-E, OpenAI's words, it swaps text for pixels. I also think, just because I'm not going to go to the effort of reading all of the stuff that it wrote for me, I think
it's mostly waffle. It's convincing waffle, but it is. And here not only is Tome AI using ChatGPT in order to create the text contents, but the DALL-E tools are based on the Generative Pre-trained Transformer too, as I mentioned, so you won't be surprised to learn that this is all OpenAI product. They're clearly the market leaders right now. Now whereas ChatGPT was pre-trained on Wiki and books, more controversially DALL-E, along with similar tools such as Stable Diffusion and Midjourney, these can be asked to create images in the style of a living artist, which as you can well imagine has got the artistic community, artists were not consulted on whether their work would be used to train these
tools. I should probably mention that neither Stable Diffusion or Midjourney are actually, but we're still, people are entering competitions for artists with these tools and winning. So no question moves from the eye to, is it ethical, is it even art at this point? In fact the way of AI generated art has become so controversial in artistic circles, the popular platforms which showcase work, such as ArtStation, are now actively moderating and curating images that they believe most have been created, and that in and of itself is controversial because they don't always get it right. So real art by real artists is being effectively shadowed couples, limiting the potential income of the artist themselves. So look, this slide deck may well have taken
less than a minute to create, and it was created entirely by accident since I had intended to make just such a much, but I think we've learned about the text content can't be relied upon, the imagery may not be technically stolen but ethically it's dubious, and I think we will probably do this. Actually, before we move on, here's the image I was referring to a moment here. The artist Jason Allen, and I use artist in air quotes, he argues quite eloquently that he won the competition without breaking any rules, and fair enough, that's true. [Music] Um, in an interview with the New York Times, if you want to dig into that later, he does it, he manages to be quite
eloquent, it's worth it. He won 300 US dollars, um, but he also got the ire of a significant number of artists.
[Music]
it isn't the one where people who think about capital. Let's listen to some music.
This is the Future Rave sound, I'm getting lost in an underground. This is the Future Rave sound, I'm getting lost in an underground. [Music]
Eminem, bro, there's something that I made as a joke and it works so good I could not believe it. I discovered those websites that are about AI. Basically you can write lyrics in the style of any artist you like, so I typed "write a verse in the style of Eminem about Future Rave", and I went to another AI website that can recreate the voice. I put the text in that and I played the record and people went nuts.
So if you don't know, that's international superstar DJ David Guetta publicly admitting to stealing the style and sound of rapper Eminem. Now hopefully Eminem's going to do his traditional thing: he'll react with some plucky diss track and we can all enjoy
the fallout from our living rooms. But as cyber security professionals I hope this has you thinking more broadly, because an entire stadium of people went nuts for that track because they all believed it to be the voice of Eminem. I wonder how hard it would be, it's all of Google smart speaker or Amazon Echo. What about if I recorded enough sessions from people publicly talking like this, publicly available on YouTube, recordings of my voice, lens voice, others, and used it to bypass Barclays' voice, because Barclays bank now use voice on mobile accounts, free source. So now our journey takes us to the realm of information security. We can keep the core black slides. Thank
you. So my eyes, but clearly the content of the deck was just unsubstantiated, we're all strung together for a few working pages, so how the heck am I supposed to fill 30 minutes? Now let's try something a bit more direct. What if I just asked Google's Bard to write me an information security policy? So same as before, real time: write an information security policy for a company called get out. And it did. Now this is a bit simplistic, but it's a good start. And for the record, again, I haven't sped the video up, I've pasted the prompt in and hit enter just to avoid the inevitable recording of my horrible typos. And Bard came back with a policy in under
30 seconds, but it was a bit simplistic. So we're going to try the same with ChatGPT, and by the time I've got to this point in creating the slide deck ChatGPT had after version essentially. So without the constraints of Tome AI trying to make ChatGPT work as if it was a presentation, ChatGPT is clearly the better tool. The resulting policy is structured and more detailed.
Why am I paying people to write policies? Nice.
Okay, the policy isn't horrible. In actual fact it's largely ISO 27 0001.5, but it completely misses any sort of context, it's not particularly relevant. So it would seem almost rude not to use DALL-E at this point in there. So: in the foreground an attractive but disheveled man is thinking hard, maybe about whether or not sober 40 Grand, and in the background is a futuristic cityscape full of neon hues and dark skies. Okay, so none of these results look like me particularly, but I like to think that all these people are worried about their jobs, because, I don't know, I always kind of stay that way. So where does that leave us? I think it's
fair to say that AI tools as they exist today are not professionals or even infosec trainees at this point. The quality of the output simply isn't where it would need to be a second. Um, documentation without context is pretty useless for our purposes, and it's likely that we'll see some changes to the way we work because of AI, and it's probable that we're going to see a lot more boilerplate template part of three miles per hour future policies. Um, but where's the real impact is actually going to change? So email marketing, that's the big one for me. I hope you enjoy spam and phishing emails. So, uh, mass marketing tools believe that are not such a SendGrid are now incorporating AI, and what's more they're making trial accounts available to people free.
So I hope you've enabled your DMARC, your SPF, DKIM, and you've got trigger-happy fingers on the mark-as-junk button, because better worded and, uh, unlikely to be full of grammatical errors, unless you consider American English. Now I'll be honest, I've very specifically chosen to avoid much speculation in this. I think it's really easy to come up with potential use cases for a new one to drive like OpenAI, but the reality is there's a lot of wishful thinking going on in the world right now. I'd love a tool that took the drudgery out of reading documents submitted as part
of third-party security assurance process, for example, but it's just not. So what is? Well, there's an act. Sadly I couldn't get past the wait list to show you this before today, um, but I suspect it could be used in a similar fashion to tools like Selenium or UiPath or even If This Then That, triggering actions were certain conditions so far, but perhaps more exciting essential for this to work as an actual digital assistant. Examples on the Adept website look like the aim might lead to appeal to a wider audience than just develop. They've very recently secured 350 million dollars in funding, so this is probably one to keep an eye on for most of us.
I'm also very conscious that this isn't the only talk covering AI today, so I'm going to leave some of the more technical content to other speakers, but know that ChatGPT has been integrated into the Microsoft Bing search engine, and already security researchers are finding ways to break its operating rules. One of the most interesting prompt injection attacks that's been described recently revealed the existence of Sydney, which is the internal alias of the research. So early on I promised you some fear, uncertainty, and I don't really think I've been able to deliver on that, because it's clear that AI isn't about to start working all our policies for us, all doing our jobs. So let's take a look at what's going on
in another corner of these.
This filter is terrifying, like dystopian level terrifying. It looks so real, I can put my hand over it and it won't come up. Oh, actually, oh, right there, just a little bit. Okay, a trigger warning: I'm gonna take this off to show you what I actually look like. Trigger warning.
So that's a little bit context for the next video. Thank you to XY chromosomes.
This filter is terrifying, like dystopian level terrifying. The generational divide really comes into focus when you consider that over on Twitter all the media people and the, like, older Millennials, Gen Xers are freaking out that a chat bot can write some middle school homework, while over here on TikTok they're just throwing out face mapping and, like, object mapping AI tools like candy at a bar mitzvah. TikTok saw the psychological damage Instagram inflicted on younger Millennials and said, those are rookie numbers. This filter is terrifying not just because it's going to create unrealistic beauty standards for vulnerable children, but because it's also creating a perfect 3D mesh of your face. The reason these filters are getting so good, to the point where you can't even tell that it's a filter, is because TikTok has been doing these face filters for years. They have millions, probably hundreds of millions, of different people's faces in every different kind of lighting, in every different kind of environment, and the
implications of what they can do with that data are truly horrifying. On top of that, if you read the terms of service you'll know that not only is TikTok mapping your face, it's cataloging everything on camera, so it can see that I have a microphone here right now, therefore it will infer that I do music to some extent, and that's why I get a bunch of ads on this platform trying to sell me, like, you know, mixing plugins. And nobody outside of TikTok is talking about this. Like I said, all of the elder Millennials, Gen Xers and Boomers are freaking out about ChatGPT, which, yes, it's a very impressive language model,
but it's, it's just a syntax generator. It just finds clusters of words that usually go together and puts them in the order that they usually go. This is actually much more dangerous, this is much more threatening, this is something we should actually be concerned about.
So that was most recite in. How do you do, is that enough blood for you? What exactly is happening? So let's start wrapping this up. Will increasingly sophisticated AI replace information security personnel, but the nature of the job is going to change, and that's okay. A friend of mine likes to throw this rather controversial statement, it's the mix pick tutorial: passive security teams should be it's hired. If you are not
willing to codify your standards and assist in tooling, you have no place in the modern technology organization. And honestly I find myself increasingly willing to agree with his position. We can't just provide the requirements and sit back in judgment anymore. We need to add value, more value than just writing policy and conducting risk assessments. Should we be concerned with the price of artists in all of this? Absolutely, if only because we will see inevitable legal action and changes to the laws and results of this excuse. Should we reward, sorry, should we be worried about AI generally? Well, I think that depends more on who's in control of it and your updates, and frankly this is
exactly the stuff that we live for, isn't it? Securing data to prevent misuse. Now since I put this slide deck together less than a week ago, over 200 AI enabled applications, products and services have been announced. There's even an AI plugin for Blender now, so I don't have to do any sort of 3D modeling in order to get into 3D print. Best list I combined online sat at 1,362 tools as of yesterday morning. This talk has been my attempt to show you how fast moving this field is. I'm not an expert in it, but I think we all need to make ourselves aware of what it is, how it impacts the business vertical work in and how we need to adapt. It's
clear that so-called deep fakes like the Eminem clip earlier will impact biometrics security and enable social engineers. It's clear also that phishing emails and spam will be harder to spot, so please take some time to learn about it and bring that awareness threat modeling assessments. So you're not worried about ChatGPT taking your job? Then you have to stop saying this, you sound like that guy when the calculators were invented: oh, calculators are here, they're going to steal jobs. Whose jobs? Those guys who can only add and subtract. Thank you everyone for your time, I really appreciate it, and if you didn't learn anything new, my hope is that at least I've been able to prime some of
this conversation in a way that maybe. Cheers. [Music]
I'm no questions and stuff, but I am just going to just quickly, uh, just pick your brain something. So I am a musician myself, I play trumpet, and one of the things that I am concerned about is this AI of the future stealing, not necessarily my job, if you want to hear some really bad notes played on something I can play a lot about no sense for me, but it's the cleaning up. And I think it's something we saw when we went from vinyl into the CD, that we had this perfectly curated, uh, audio track and we missed the crackle, we missed the glitches in, you know, when the brass section goes wrong. And I think
it's something which I think as we start going forward, one of the things that I want to kind of see with AI is it to create the imperfections. You know, it's okay having a perfectly blended, you know, the Glen pectin face that we all look for, whereas actual Iran, and we want those blemishes, we want to see the moles, we want to see the bit of a stubble because the animal shape or something. I think that's something which AI at the moment actually gets wrong. Um, and it's quite interesting when I see the ChatGPT, because I've been playing with a lot, and it's where I'm leading to, the question is: when it gets that point, would you be
more worried when it can actually create the imperfection to make him mimic this human work, than at the moment what we see, which is just clean text?
I think there's a valid concern there. Uh, something that didn't make it into the slides, I couldn't find the source for it: there's an unofficial kind of ad hoc study going on in the United States right now where some university guys are creating essentially control groups out of their students in various seminars, and they're basically saying, you write your essay entire language at GPT, third group writes the essay music prompts only, and the, so the final group has to do it old school, entirely for themselves. We know, the proper way, yeah,
exactly. And then what they do is they call all of those essays in together and review them as an entire group. Now the findings so far have been that the human produced essays are considered to be more accurate, more interesting, is going to impact quality than any of the other groups. And I think the one thing that we can do that AI will never be able, regardless these things, because we're programming, is that essentially tools that replicate actions, behaviors, our creativity, our intellects, our problem solving, these are the things that make us human, that make our careers to a certain extent safe, because there is no Services. I know that, you know, all this morning what's going on
about is it isn't it, um, 80 years today, um, so yeah, I, I think created
especially when you're dealing with vulnerability stock analysis and stuff like that. Has anyone actually been in a real live proper big incident? Yeah, if you've had to deal with big incident stuff, where are you flying and you turn the camera off for that moment, the one thing that probably saved you is your own creativity, your imagination, rather than following the book. I think that's where AI has got to learn. It will always beat it because, you know, how many of us all thoughts remember what a BNC used to look like, and you're having to do, uh, network ports with BNCs, remember, I've tried to wire one. I'd like to see an AI try and do that and remember how
to, just as an existence. I think that's where we are going to see the AI model, we will fail because it can't be what we do. And the most important thing we can all do now is go for lunch. Segue. See you ladies, everyone, thank you.