2026-05-29

Frankenstein's AI

Image: Pixabay

My timelines are overflowing with it right now. And then there was that insistent nudge from a colleague: surely I wasn't going to let this go with just a link from the big bad world? I'd have to write a whole blog post about it. We're talking about Mythos, the AI that might just be too clever for its own good.

Mythos is Anthropic's latest AI model; its full name is Claude Mythos Preview. This model is so good at finding ICT vulnerabilities that the company doesn't dare release it to the public. And Mythos goes much further than that: it doesn't just find vulnerabilities – it can immediately produce ready-to-use exploits for them, and then go ahead and use those exploits as well. All without any human involvement. You can quite reasonably think of it as a weapon.

To give you an idea of the scale: in open-source projects, the model found over 23,000 vulnerabilities, of which around 6,200 were rated as high or critical. Independent security firms confirmed ninety percent of the reported vulnerabilities as legitimate. And more than ten thousand high or critical vulnerabilities were found in the world's most important software. Mythos is seriously impressive, and blindingly fast.

The comparison with dynamite springs to mind once again. Alfred Nobel never intended it to be used to blow up safes or people; he was simply looking for a tool for mining. We know how that turned out. Mythos, too, could do wonderful things for humanity – it marks an enormous leap forward in artificial intelligence. But that intelligence is, for now, kept on a leash because of what they euphemistically call its offensive cybersecurity capabilities.

Only a few dozen companies currently have access to Mythos, as participants in Project Glasswing. You'll find the big names from the software world there: Amazon Web Services, Apple, Google, the Linux Foundation, Microsoft, to name just a few. Security firm CrowdStrike is also a founding participant. I mention them separately because I suspect they play a somewhat different role. The goal of Glasswing is twofold: on one hand, participants get the opportunity to test their own software; on the other, the aim is to look at open source as well. Anthropic handles that part itself, but I hope that security firms keep their focus there too. So that everyone benefits from the extraordinary security capabilities of Mythos.

A second comparison comes to mind: Frankenstein's monster. In Mary Shelley's 1818 novel, a scientist creates life from dead matter, and then rejects the result. The creature, initially well-meaning, becomes isolated and embittered and turns against its creator. The story is essentially about the dangers of unchecked science, responsibility for one's choices, and the need for recognition and connection.

I've been chatting with AI about all of this. With Claude too (the regular public version, of course). In conversations on entirely different topics I've occasionally bumped into unexpected limits on what could be discussed, but on this subject I found a striking openness. Here are a few quotes:

“That Anthropic is deliberately keeping the model out of the public domain says quite a lot in itself: they are implicitly acknowledging that they have built something that, in the wrong hands, is a serious weapon.”

On the Glasswing participants: “What stands out: these aren’t just any run-of-the-mill security outfits. It’s a who’s who of the tech world — including parties that are simultaneously each other’s competitors (Google, Microsoft, Apple). The fact that they’re joining forces here says something about how seriously they take the threat.”

On my dynamite comparison: “Whether he [Nobel] was genuinely fooling himself about the military uses, or simply being pragmatic, remains a bit of an open question. But the parallel with Mythos is hard to ignore: here too, the creator says ‘this is for defence’ — while the instrument itself is neutral as to who uses it.”

And finally, on my Frankenstein parallel: “The most cynical reading: they’ve already built the monster, and Glasswing is primarily the PR strategy to justify it.”

Meanwhile, reports elsewhere suggest that a public release of Mythos is on the way. Claude’s comment on that: “One interesting detail: Anthropic previously reported that Mythos managed to break through its own security measures during testing — which, in hindsight, makes the reluctance around a broad release all the more understandable. That doesn’t make the Frankenstein parallel any weaker.”

To end with a quote from Shelley’s book that seems to fit snugly into this subject: "You are my creator, but I am your master." Let’s hope that it doesn’t come to that with AI.

From now on, the Security (b)log will appear fortnightly, because I’ve moved to a four-day working week (a phased early retirement arrangement). Specifically in order to keep blogging, I’ll be working every other Friday (with Wednesday off that week). Friday is the perfect day for something creative, free from the pressure of meetings, phone calls, and a fresh inbox.

 

And in the big bad world…

 

2026-05-22

Giving away secrets

Image: Unsplash

If I ask: "What's your password?", you have about half a second to think. If I put it that way, everyone – well within that half second, I'd hope – arrives at the only possible answer: "I'm not telling you." And yet, this week a couple of examples landed on my desk that made the hairs on the back of my neck stand up.

In the first case, a colleague started a chat with the helpdesk because he couldn't log into a certain system. The helpdesk agent asked:

What password are you using?

Windows or mainframe?

The person looking for help replied:

iloveyou246

At which point the helpdesk agent choked and (politely) spluttered that passwords must never be shared. The user tried to wriggle out of it with "I don't share passwords", but the agent wasn't buying that. The user then added: "But you asked me what my password is. I'm passing it on so you can fix my problem."

How did it go so wrong? What rock have you been living under if you still don't know that a helpdesk never asks for your password? And – going one step further – that if someone calls you claiming to be from the helpdesk and needing your password to check something, that person is with one hundred percent certainty not from the helpdesk, but someone with bad intentions? Your password is yours and yours alone. Full stop.

Granted, the way the helpdesk phrased its question wasn't entirely clean either. By splitting the question across two lines, you could read the first line as asking for the password. The helpdesk is now looking at how to improve that.

The second case initially got a slightly disbelieving smile out of me, which unfortunately still had to be followed by indignation. This colleague wrote to the helpdesk:

When logging into my PC, my face is no longer recognised (after the holidays) and my code is not accepted. Please re-register my face and set my PIN code to 375484.

Setting aside the many human-interest questions the first line raises, this reveals a breathtaking naivety. For starters, this simply isn't possible – the user has to do it themselves (and obviously only once they've found a way to log in; the helpdesk can of course point them in the right direction). And sharing your PIN or password with a stranger really is quite remarkable.

Let me explain once more for anyone wondering what I'm getting so worked up about. Someone who has your password or PIN can log in as if they were you. What follows can range, broadly speaking, from a cheeky email along the lines of "cake for everyone tomorrow" to looking up data and passing it on to criminals. And whose door do you think the investigators will come knocking on when they're looking into who leaked what? Exactly. Good luck talking your way out of that one. What I mean is: it is genuinely in your own interest to keep your passwords strictly to yourself. And of course it's also in the organisation's interest – "traceability of actions" is high on its agenda. You always want to be able to trace who did what. But above all, you don't want to make life too easy for malicious actors. That can be more important than you might think.

 

And in the big bad world...

      someone here may also have shared a password.

      an Excel file with passwords on GitHub is also not a great idea.

      digital autonomy doesn't have to be that hard. [DUTCH]

      hopefully you're not using First VPN (spoiler: it's gone).

      Dutch Defence is now very much alert to trackers. [DUTCH]

      quantum computers matter for information security. This article tells you what you need to know.

      I wonder how you can steal open source software.

      ShinyHunters keeps racking up victims.

      typosquatting is starting a second life.

 

 

2026-05-08

Dumb iPad

Image: Adobe Firefly

This time from the three-letter security alphabet, I’m picking the A — for availability — because the colleagues I complained to in a meeting about my iPad thought I really ought to write something about it. So here goes.

What happened? Well, my iPad had decided to cut off all contact with the outside world. Neither via Wi-Fi, nor via the SIM card. Apps that needed internet access grumbled that they couldn’t connect, or simply did nothing, without so much as a word of explanation. Not a single app gave even the faintest hint about what was holding it back. The obvious fix — turning it off and on again — didn’t help either, and the battery was nicely charged.

Time to call in reinforcements. The helpdesk had a magic button combination up its sleeve: “Press the volume-up button, then the volume-down button in quick succession. Now hold the power button until the Apple logo appears.” Now, on this iPad (10th generation), the top button is not a power-off button, which immediately had me sceptical. But fair enough, worth a try. Which one is volume-up again? Ah yes, this one. Press, press, press, wait… No Apple logo.

After that, the helpdesk fired a whole series of questions at me. For instance, whether other devices were connecting just fine — a logical question, which I could confirm. So it had to be the device itself. Buried near the bottom was a question that made me go red in the face pre-emptively: whether flight mode might accidentally be switched on. It’d be just your luck, wouldn’t it — a stray finger tap silences your device and then you go complaining it won’t talk to anyone. Fortunately, I could quickly stand down: flight mode was off.

Patiently, my friendly colleague suggested the next option: resetting the network settings. That puts just that specific part back to factory defaults. No joy there either. So the helpdesk pulled out the nuclear option: a full factory reset. Well, it had been coming, but as a user that’s obviously the last thing you want. It means setting up your device from scratch, and that takes time.

I left it alone for the rest of the day, but in the evening I tried my luck with AI. The clever chatbot came up with suggestions similar to those from the helpdesk. Notably, the very first option — the button sequence — revealed that I shouldn’t be pressing volume-up then volume-down, but the other way around: first “the volume button closest to the top button”. Which is, in fact, volume-down. After going through the full ceremony, the Apple logo did appear this time, but the problem wasn’t solved.

A few suggestions later, my AI companion asked whether I might be using a VPN. As it happens, last year, when I attended a conference in the US, I had indeed activated my personal VPN on the iPad to use the hotel and conference Wi-Fi without a care in the world. I’d completely forgotten, but I checked anyway (wise lesson: never assume you know the answer — just follow the instructions of whoever’s trying to help you).

After turning off the VPN app, a miracle occurred: the iPad sprang back to life. That thing had simply gagged my iPad. AI’s response: “It happens more often than you’d think: an update to the VPN app or an expired certificate causes the app to block all traffic (the so-called Kill Switch), even if you haven’t consciously activated the VPN.” What I find most troubling about the whole affair is that the VPN didn’t bother to mention that it had shut everything down. Same as that time they’d kicked me out for an alleged violation of the terms of service. I only discovered weeks later, by accident, that I had no VPN. Anyway, my subscription is up for renewal soon, and it’s too expensive and too American. I’m switching to something friendlier.

An app that was supposed to protect my device had compromised its availability. Not great. And oh yes, the other two letters? Those are, of course, the I for integrity and the C for confidentiality. There — we’ve run through the entire security alphabet again.

Next week, due to the shortened working week, there will be no Security (b)log.

 

And in the big bad world…

 

 
