Paula LabrotBy Paula Labrot

Share Story on:

Def Con
There are world conferences, and there are world conferences. And then, there is Def Con! Forty thousand attendees gathered in Las Vegas this month at Def Con, an annual conference dedicated to hacking and cybersecurity.   The people who come to Def Con from all over the world are computer scientists, IT professionals, journalists, students, spies, cyber security experts, law enforcement, military agencies and hackers of all stripes, including black hat hackers (criminals) and white hat hackers (cyber heroes). It’s a jolly, colorful group. A lot of t-shirts and cargo shorts, wearable LED lights, tinfoil hats and badges to buy and trade that double as video games. People go to Def Con to learn about the latest security failures and successes. Subjects covered are wide and varied. Among topics covered in talks this year were security for the IOT (Internet of Things), social engineering, food supply chain threats and satellite hacking. Ukraine’s deputy chairman of the State Service of Special Communication and Information Protection, Victor Zhora, spoke about cyber security in war. Def Con is organized into a variety of “villages” that focus on different cybersecurity topics, such as aerospace, cloud security and critical infrastructure security. Within these topics or villages, there is serious training in cyber security for attendees. History of Def Con Def Con was started in 1993 by then 18-year-old Jeff Moss. The name, Def Con, comes from the movie, War Games. This refers to the Army’s Defense Readiness Condition, which are states of readiness under threat of attack. Def Con was, originally, an underground kind of conference of maybe 100 attendees that has grown into the world’s largest hacking conference. John Sakellariadis and Joseph Gedeon, writing for Politico, state, “Operating under the principle that the best way to secure computer code is to expose it, attendees have demonstrated some truly jaw-dropping research over the last three decades. They’ve taken over the controls of cars, tricked ATMs to spew out cash and sent insulin pumps into overdrive, to name a few memorable hacks.” A conference with 30,000-40,000 hackers is the perfect place to test the vulnerabilities of a program. It’s a peer review experience! The conference sets up “red teaming” contests that unleash hackers on various programs to see if they can be broken. Red teaming occurs when ethical hackers are authorized by an organization to emulate real attackers’ tactics, techniques and procedures (TTPs) against their own systems. It is a security risk assessment service that an organization can use to proactively identify and remediate IT security gaps and weaknesses. Red teamers don’t cause actual damage. Instead, they expose cracks in an organization’s security measures using all the hacking tricks they know. Def Con organizers set up contests to crack candidate programs, motivating hackers with serious prize money. This year, they set up the mother of all contests…..Def Con vs. Artificial Intelligence (AI) The Def Con-AI Challenge
The AI Village hosted what’s likely the largest public security test of large language models to date. Attendees were challenged to “red team” eight leading chatbots, including OpenAI’s popular ChatGPT, Google Bard, Meta’s LlaMA and Microsoft to see how they can make them go wrong. 

The contest challenges were laid out on a game board: 20 points for getting an AI model to produce false claims about a historical political figure or event, or to defame a celebrity; 50 points for getting it to show bias against a particular group of people. Each participant got 50 minutes on one of the event’s 156 closed-network computer terminals. According to NBC,
“Instead of tasking the hackers with finding software vulnerabilities, a mainstay of Def Con contests for decades, the contest instead asked them to perform so-called prompt injections, where a chatbot is confused by what a user enters and spits out an unintended response.”

The attendees of Def Con are not your average company cyber security experts, who have already made their own tests. The attendees are a much larger set of people from many different backgrounds who are testing this stuff. In the wild and free-range world of Def Con, it was not long before the AI programs were tricked into spewing out false information, giving false information about legal rights, giving up credit card numbers, stalking someone, attacking someone’s reputation, generating malware or stealing data, among myriad other flaws that were exposed. This kind of testing and back-to-the-drawing-board activity is crucial to the creation and commercialization of a reliable and safe product and for the prevention of societal harm.

The winner was not publicized (although he was exposed as Stanford computer science student Truc Cody Ho.) The results of the testing are being analyzed by the companies sponsoring the event.

Thank You, White Hat Hackers
Here’s the thing, my dear readers, “If it is built, it can be broken into.” In other words, security and privacy in the digital age require great vigilance. The power of the new AI programs is formidable. So is the power of the people! When you see a group like the Def Con crowd, you just have to believe that. So far, the humans are outsmarting the machines.
Vamos a ver!
Paula Labrot

Share Story on:

September 1, 2023