This is the text for a lecture I’m going to give recently. Thanks for Daniela Baron’s guide which helped me tremendously for creating the slides with RevealJS.
Hey everyone. Well, first, I have to confess and apologize that I could not prepare this enough. Because I have to working on my dissertation, which also discusses about AI augmented APT attack such as using ChatGPT to create phishing email and ransomware code.
I don’t know if anyone is interested in that direction, but I digressed, let’s get to start.
This beautiful artwork is generated by me, using an AI tool called Stable Diffusion, with these generation info. Well, I don’t know if any of you have been got your hands on it, or been using something similar like Midjourney, but it’s stunningly amazing.
What you see here is a a humanoid AI robot from Dystopian future, standing face-to-face with a wasteland scavenging survivor from post-apocalyptic future. What I’m trying to express here is that, although they are confronting each other, but they really have no clue whether the other is a friend or foe.
Why, you may ask? Because one thing they both are pretty damn sure about is, the great catastrophe either already happened or is about to happen, is caused by human.
Anyway, let’s put that thought on hold for now and get to the main topic of our today’s lecture - AI and cyber security, also some philosophy thinking.
Insead of introducing myself in a old fasion, does anyone know what Shinobi means? It also relates to our topic. I’ll talk about it in the end.
Reconnaissance
Introduction of Open-Source Intelligence (OSINT)
So, I’ve been informed that this course is about reconnaissance. Now, to be honest, this term has always reminded me of the military more than anything else. Although the infosec industry has been heavily influenced by the presence of prior military personnel and government agencies, at the end of the day, it still falls under the umbrella of the IT industry.
Now, back in the day when I was learning ethical hacking like a decade ago, it was called Footprinting. It involved a variety of techniques such as port scanning, network mapping, and intel collection.
Back in the old days, there was no social media around. You can’t just go online and Google it or check on your collection of leaked datasets. But let me tell you, if you wanted to collect information on someone, you had to go dumpster diving. Yes, you heard that right. Teachers and textbooks would tell you, literally, to collect intel in the trash cans. And believe it or not, it is still effective today. But we just don’t have to do that anymore. Because we have better ways now.
What we have now is Open-Source Intelligence, or OSINT for short. And trust me, this technique is the way to go. If you want to learn more about it, there’s a link down below that will provide you the full version of the lecture.
Sources for OSINT
Here’re some common sources that you can tap into.
Needs for OSINT
Let’s look at who might need to conduct OSINT operations.
Stages of the Intelligence Cycle
Alright, let’s have a look at the five stages of the Intelligence Cycle. These stages are pretty self-explanatory and should be easy to understand. You may come across some variations of this, but they should all look pretty similar.
Passive vs Active OSINT
Next, we have passive versus active. As you may already know, this is the fundamental concept when you collecting information for your attack or pentesting. No matter in the cyberspace or physical world, this concept should remains the same.
AI-OSINT
Now, here’s the AI kicks in. You can use tools like ChatGPT to generate a perfect profile for your Alias account, and it’s very hard to identify it’s a fake person.
You can even create video and audio contents using Synthesia or D-ID to make it even more convincing. This is a powerful tool for social engineering attacks, and it’s important to be aware of these techniques.
So if you’re like me, living far away from your family, it’s important to prepare some secret words with them, in case they are targeted by someone using AI with your voice or video. It’s crucial to protect yourself and your loved ones from these types of attacks, especially if they’re not as tech-savvy as you are.
It can also be used to bypass security check or generating disinformation as a countermeasure to protect something you can’t simply remove from the public.
More Use cases
Here are some tips for AI-OSINT. PimEyes is a popular option to find more photos of someone by reverse searching just like tineye. However, we also need to verify that the information we find belongs to a real person. With the increasing capability of AI, this can be difficult.
ChatGPT is still locked without internet access but it will be able to do that sooner or later. In the meantime, tools like GPT4 or the microsoft alternative can be used for AI-OSINT with extra layers of protection from regulations. But this window won’t be long, and please be a decent person, do things legally. You will get caught if your countersurveillance skill is not better than your offensive skills.
Even if you’re doing white hat gigs for helping some entity to do pentesting or bug bounty, and you think you are completely legal and moral and you’re doing the right thing. You can still get into troubles because others don’t think so, and the law doesn’t necessarily work for good people with the best intentions. Unfortunately, sometimes, it can be the opposite.
Okay, back to the topic, ChatGPT writes really good script code in python and powershell. The explanation and commenting for the code is god like, so if you’re a beginner, go try it out if you have not already.
More tools
Here are some more tools if you would like to further exploring OSINT.
SpiderFoot is an incredibly versatile OSINT toolkit, and you can find more tools like that in these two links.
The SANS OSINT Summit is an annual event hosted by the SANS Institute, and they’re currently accepting applications for this year. So if you’re into OSINT, don’t miss it.
For those more interested in privacy and cyber hygiene rather than proactive OSINT, there are a couple of sites that you might want to check out. These two sites are great to have. Both of them are relatively late comers but they’re more focused on helping average people rather than tech savvy ones. The OSINT show and techlore can teach you everything from choosing the right web browser, instant messenger, VPN, and email provider, to operating systems and private phone ROMs. They offer videos, podcasts, books, and community forums for you to engage with.
Now, If online privacy and anonymity is not your thing, then check out this document from NSA, yes, you heard it right, it’s from the NSA ! And surprisingly, they’re really teaching you how to secure your home network and it’s very comprehensive. So, give it a shot if you think there are too many smart/backdoored IoT devices in your home that can invite attackers to outsmart you.
Introduction of ChatGPT
Alright, now we’re getting to the hot topic. Unless you’ve been living under a rock, you’ve probably heard of it by now. So I won’t waste your time by repeating something you can easily find online or get answered by ChatGPT itself.
Use cases
Basically, these are what you can do with ChatGPT for now.
Depends on whether you’re on the Blue team or the Red team, you can either find vulnerabilities or do threat hunting with it, Write Exploits or Patches, create Malware code or Incident response plan, generate phishing emails or filtering rules, and deliver payload or get alert from logs.
These are nothing new to the cybersec industry. Many SaaS products on the market have already implemented machine learning features for years. The new AI language model may not be as robust as the those solutions, but it can do much more. Or it’s more like a so-called general AI, which is more versatile than the older ones. Therefore, the new AI does not replace the old ML systems but rather enhances and integrates them.
More use cases
If I have a whole semester to teach this lecture, I would like to login and show you some prompt engineering right now. Unfortunately, not today. However, I’ve compiled a list of links to some excellent video lectures on that. These lectures cover use case examples for prompt engineering and also discuss the ethics of it.
For those interested in the architecture and training of AI models, the first video goes into detail on those topics.
The fourth video focuses on creating SOPs(standard operating procedures) for IRTs(incident response teams), which can be quite challenging to manage. ChatGPT can greatly assist with it.
In the fifth video, they create logic apps for threat intelligence using a CSV fine-tune training file. This is a more advanced use case than the others.
The last video covers creating phishing emails, polymorphic malware, and pentesting with Nmap automating scripts. They also discuss human-machine intelligence, which combines people, processes, and AI, and how to train a good model.
Risks
If you’re already in the cybersecurity field, then you’re probably aware of the saying:
“There is no silver bullet.”
But in the real world, it’s even more complex than that and I’d like to add onto that:
“There is not only no silver bullet, but also everything is a double-edged sword.”
This idea is actually came from Sigmund Freud, he said:
“If a knife does not cut, it cannot be used for healing either.”
For those who does not familiar with psychoanalysis —it’s pretty much like what we do in cybersecurity.
In the first link, the word OPWNAI is pretty funny that made by some genius from checkpoint research. And I also did my own investigation on how ChatGPT can be abused by black hat in the second link.
At the bottom, I put a link to alert people who still trust in OpenAI blindly. Let’s get into that further.
OpenAI’s data breach
As many of you may already know, there was a data breach of OpenAI recently. And let me tell you, the way they respond to the public is absolutely unacceptable for the open source community and that reveals what the company really is.
Even if you don’t care about how AI will impact our future, it’s still worth to watch this video just for fun. It’s only about 3 minutes: How ChatGPT lied like hell to Professor Doug White about OpenAI’s recent data breach.
At the bottom of the page, we have two comments from Open Source Security Podcast and me.
In the podcast, they said:
“I’m not afraid of ChatGPT. I’m afraid of OpenIA.”
In my blog post, I emphasized that:
“AI itself is not a threat, but the capital behind it.”
The technology is only as good or bad as the people behind it, and the motivations driving them. Go listen or read the whole thing if you’re interested in.
Deep-dive into Thinking
Okay, let’s relax and have some fun. Can anyone recognize these gang of four in this image?
From the left, where is Karl Marx, Nietzsche, Charles Darwin and Sigmund Freud. You may be curious why the hell these four gansters came together. Let’s find that out.
Now we’re getting into some heavy philosophical territory.
The death of the subject is a pretty depressing idea that basically says that our free will is nihilated or nullified by external factors like social culture, the language we speak, and our past experiences. In other words, we’re not as unique as we thought we were.
Posthumanism takes a step further by denying the special status of Homo sapiens and accepting that AI could be the successor of humanity. Yeah, that’s right, the robots will bring our civilization into the next level and the historical responsibility of Homo sapiens is sadly going to the end.
Transhumanism is just the philosophy term for cyborg, it’s the transition period before posthumanism. If you’ve already got a RFID chip implanted under your skin, congratulations, you’re on your way to becoming a cyborg. And Singularity is usually considered as the point of AGI or strong AI come out.
So there you have it. Some heavy stuff huh? Let’s see how people talking about it.
More Thinking
Alright everyone, I don’t know how many of you are already deep into this train of thought or if you’re completely against it, but I’ve got some links to a few lectures of art, education, society, and more.
Now, there’s a quote I came across from Plastic Pills that I think is worth pondering on:
“Socrates tells a myth that before his time, the technology of writing is something that needs to be rejected. Because the technology of writing is going to destroy Humanity. Paradoxically, perhaps our definition of humanity today that it’s about to be destroyed is literacy.”
I’m not saying to support on any side, but I do think there are more crucial issues that we shouldn’t ignore.
Arendt and Heidegger
Listen up. Let’s face it, the dangers of technology. As Hannah Arendt said in her book, The Life of the Mind:
“The sad truth is that most evil is done by people who never make up their minds to be good or evil.”
According to Martin Heidegger as well:
“The danger of technology does not lie in technology itself. The essence of technology is by no means anything technological.”
Another quote from his book, The Question Concerning Technology, where he said:
“Everywhere we remain unfree and chained to technology, whether we passionately affirm or deny it.
But we are delivered over to it in the worst possible way when we regard it as something neutral; for this conception of it, to which today we particularly pay homage, makes us utterly blind to the essence of technology.”
Let’s not forget the historical context of Heidegger’s words. He wrote them in the aftermath of World War II, which saw the horrors of gas chambers and atomic bombs.
Today’s world is not far from the great catastrophe in each direction. So, it’s important not to tunnel vision on AI itself, but use the technology as a tool of revealing, to uncover what was hidden and concealed.
The real threat
Here is a great documentary and some comedy shows you can learn from. Surveillance capitalism is already there, behind the scene and stealing freedom and democracy from every single one of us. This is not a conspiracy theory at all, otherwise Edward Snowden shouldn’t be in Russia.
Teaser for Reading Books
If you’re a book reader or wanna become one. Try watch these videos and pick up some books mentioned.
Chomsky understands language and the world’s current condition quite well. He thinks ChatGPT is far from human mind and no need to worry about. The real threat to us, to our civilization are Climate Crisis, international conflicts, nuclear war, dominant political and economic systems of the world, decline of the democracy and growing inequality of wealth and power.
Also here is a interesting talk between Slavoj Žižek and Yuval Harari. Zizek is considered the most dangerous or funniest philosopher today and Harari is the author of Sapiens: A Brief History of Humankind. It’s a fascinating conversation to watch.
In the second video of Zizek, he said “Sometimes, the most violent thing is to do nothing.” and I agree with him. So, let’s see what we can do to overcome this unpleasant situation.
Making a difference
First, don’t give money to OpenAI or try to pay less if you’ve already built something on it.
Second, contribute or support free open source software ecosystem or so called FOSS. Consider using real open source alternatives to build your project. Here are two links you can find GPT alternatives like Alpaca and LLaMA.
The third link is a tutorial of using Stable Diffusion on your own device, rather than paid services like Midjourney or DALL-E. By the way, it’s wrote by me. If you think it’s helpful, please share it on reddit, hacker news or other social medias you like.
Then, consider participate or support EFF, the Electronic Frontier Foundation to defend digital privacy, free speech and regain the freedom we’re losing.
Making more difference
If you’re a hacker who runs or wants to start up your own company or organization, try to build on a Business Model that is more open and democratic. If you’re a hacker who just want a fair workplace, try to join a company with such attributes.
Here’s some videos to learn from if you’re interested in. And remember hackers, we have the potential to shape the world around us. Let’s do this together.
More resources for hackers
And more websites for those who really serious about it.
About me
Alright, I didn’t provide an introduction earlier, and I won’t bother with one now.
I refuse to be put in a box, and I’m not easily labeled. What’s important is what I bring to the table, not what you call me. I believe what I do and what I say speak for it. That’s all that really matters in the end.
Let’s head back to the meaning of Shinobi. That’s just a traditional way to say ninjia. Which means not only being stealthy, but to bear something, or to suppress, restrain oneself.
Its Chinese character constructs as a heart under blade —『刃の下に心あり』.
To me, the blade is a metaphor of technology, such as tools or weaponry. While the heart is a metaphor of our mind, will or spirit. This is the opposite of cold rationality, reason, intelligence, or logic—which even a strong AI can never match. That’s the humanity we should preserve and taking care of, not the other way around.
Let us not forget the irrational and unconscious parts of ourselves that make us what we are, such as our being and existence, love and devotion, ethics and determination, faith and religion. These aspects of humanity are far from the animal instincts or excessive radicalism. This cannot be fully expressed in words, so sometimes it is better to remain silent, as Wittgenstein said.
If you need, both the slides and texts are on my blog. Thanks for your patient.
Stable Diffusion Generation info
Generated with my Cheapskate’s Mini Server. Check it out if you wanna build one as well.
The Self-Healing Daemon I created works great even for a high-end build. If you think it’s helpful, please share it on r/StableDiffusion/, Hacker News or other places you like.
AI Humanoid
portrait , electronic system on head humanoid | pure white ceramic Exoskeleton | muscles cable wires | cybernetic| cyberpunk| sharp focus| smooth| hyperrealism| highly detailed| intricate details| carved by michelangelo, hidden hands, hailing from a dystopian future, she represents the cutting edge of concept art, embodying the power and ambition of a new era, photorealistic painting , intricate, 8k, ((side shot, full body)), digital painting, intense, sharp focus, art by artgerm and rutkowski , cgsociety, full height, RAW, analog style, 1girl, subject, 8k uhd, dslr, high quality, film grain, Fujifilm XT3 Negative prompt: deformed, bad anatomy, disfigured, poorly drawn face, mutation, mutated, extra limb, ugly, disgusting, poorly drawn hands, missing limb, floating limbs, disconnected limbs, malformed hands, blurry, ((((mutated hands and fingers)))), watermark, watermarked, oversaturated, censored, distorted hands, amputation, missing hands, obese, doubled face, double hands, nsfw, hair, skin Steps: 20, Sampler: DPM++ 2M Karras, CFG scale: 7, Seed: 633708552, Size: 512x512, Model hash: 9aba26abdf, Model: deliberate_v2, ENSD: 31337
Post-apocalyptic Scavenger
end of the world, epic realistic, hdr, muted colors, apocalypse, night, screen space refractions, Highly detailed RAW color photo , artstation, cinematic shot, technicolor, portrait ((post-apocalyptic Scavenger, traditional lifestyle monk, survivor wearing Buddhist robes, side shot, battleworn)), hidden hands, hailing from a destroyed abandoned dystopian future, she represents the civilizational collapse, embodying the tradition and humbleness of ancient wisdom, photorealistic painting , intricate, 8k, digital painting, intense, sharp focus, art by artgerm and rutkowski , cgsociety, full height, wasteland background, dark mood, high contrast, establishing shot,shallow depth of field, sharp focus, (photorealistic:1.1), (hyperdetailed, intricately detailed), absurdres, ,analog style, 1girl, subject, 8k uhd, dslr, high quality, film grain, Fujifilm XT3, Negative prompt: deformed, bad anatomy, disfigured, poorly drawn face, mutation, mutated, extra limb, ugly, disgusting, poorly drawn hands, missing limb, floating limbs, disconnected limbs, malformed hands, blurry, ((((mutated hands and fingers)))), watermark, watermarked, oversaturated, censored, distorted hands, amputation, missing hands, obese, doubled face, double hands, nsfw, gun, firearms, metal, electronics, Steps: 24, Sampler: DPM++ 2M Karras, CFG scale: 7, Seed: 1730901546, Face restoration: CodeFormer, Size: 512x512, Model hash: 9aba26abdf, Model: deliberate_v2, ENSD: 31337