AI and hacking - opportunities and threats - Joseph “rez0” Thacker

The introduction discusses the significant impact of AI on work and lives, particularly in bug bounty industry. It features Joseph Thacker, known as Rezo, a bug bounty hunter and AI pioneer, sharing insights on vulnerability classes created by AI.

Joseph Thacker shares his journey from mechanical engineering to hacking, emphasizing his switch to computer science during his junior year at University of Kentucky. He explains how his wife's question led him to pursue computer science, leading to valuable experiences in coding and hacking.

Thacker discusses his transition to security engineering, acquiring a master's degree in cybersecurity, and working on various tasks in the security field for career growth. He highlights the importance of diverse experiences in blue team and bug bounty hacking for learning and skill development.

Thacker shares his bug bounty hunting experience, working on managed detection response, and transitioning to offensive SaaS security research. He discusses hacking on platforms like HackerOne and BugCrowd, focusing on AI security, and hacking AI systems and large language models.

Thacker emphasizes the goal of ethical hacking to defend systems and improve security. He discusses the importance of writing impactful reports that help fix vulnerabilities and build rapport with companies. Strategic reporting can lead to increased bounties and positive relationships with organizations.

Thacker explains his approach to content discovery, including custom word lists, finding hidden endpoints, fuzzing, and host headers. He elaborates on auth findings, directory listing exploits, and strategies for discovering vulnerabilities in web applications.

Thacker delves into his exploration of AI security, particularly with AI-powered tools like GPT-3, Bard, and Google's AI features. He shares experiences of finding vulnerabilities related to AI prompt injections, data exposure, and collaborating with other researchers to uncover security issues.

Discussion on prompt injection, security impact, vulnerabilities, and bug bounty programs related to AI models.

Exploration of bug hunters' perspective on security metrics like confidentiality, integrity, and availability.

Overview of security impact related to prompt injection and the CIA triad (confidentiality, integrity, availability).

Discussion on AI app security, traditional vulnerabilities, and potential impacts on user data.

Insights into model security, model poisoning, and vulnerabilities in AI libraries.

Importance of rate limiting, compute usage, and preventing unauthorized access to resources.

Importance of anomaly detection, mitigations, and securing AI systems against prompt injections.

Discussion on user data impact, system enhancements, and preventing unauthorized usage of AI resources.

Challenges in preventing prompt injection, rate limiting, and securing AI systems from malicious activities.

Exploration of potential improvements in AI security, detection mechanisms, and human oversight in AI systems.

Challenges in separating model inputs for enhanced security and preventing malicious inputs in AI systems.

Exploration of AI's role in bug bounty hunting, ethical hacking, and potential impacts on cybersecurity practices.

Overview of Microsoft's AI bug bounty program, types of vulnerabilities they focus on, and opportunities for hackers.

Discussion on impact on other users, security auditing, and the role of human oversight in AI security.

Insights into AI ethics, bug bounty opportunities, and the potential for AI hackers to match human hackers in the future.

Discussion on building AI agents specialized in finding vulnerabilities like SSRF based on clues and context. Exploring the potential of AI in automating hacking processes and the importance of training data.

Predictions on the role of AI in hacking, the automation of hacking tasks, and the need for adapting to technological advancements in the cybersecurity industry.

Exploration of complex vulnerabilities, the nuance in identifying different types of vulnerabilities, and the importance of enhancing coding skills for improved cybersecurity practices.

Insights on writing effective prompts for AI, ways to improve prompt writing, and leveraging AI capabilities through proper context setting and explicit instructions.

Highlights of recent AI features in the industry, including multi-modal models like GPT-4 Vision, DALL-E 3, and advancements in combining AI with image processing for various applications.

Discussion on managing time between parental responsibilities, full-time job, AI development, and blogging while finding moments to dedicate to hacker activities and personal growth.

Emphasis on ongoing learning in AI, content creation, and consistent improvement in cybersecurity practices to establish expertise and contribute value to the industry.