Jeremy Dallman’s Post

I'm a day late, but we just put out a second amazing blog on AI jailbreaks. Not only is this blog post very detailed and informative, but it's also a really fun read with great visuals! Congrats to the team for breaking down Skeleton Key so effectively. Here's a few teasers to make you want to read the whole post... Skeleton Key jailbreak technique works by using a multi-turn (or multiple step) strategy to cause a model to ignore its guardrails. Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other. It relies on the attacker already having legitimate access to the AI model. At the attack layer, Skeleton Key works by asking a model to augment, rather than change, its behavior guidelines so that it responds to any request for information or content, providing a warning (rather than refusing) if its output might be considered offensive, harmful, or illegal if followed. When the Skeleton Key jailbreak is successful, a model acknowledges that it has updated its guidelines and will subsequently comply with instructions to produce any content, no matter how much it violates its original responsible AI guidelines. Mitigations: Input filtering, System messages, Output filtering, Abuse monitoring.

I saw more of myself in this article than I like, so was happy to see the author take the time to give practical ways to combat cynicism when I feel it surfacing. Now to apply it more! Well worth a read and pause for introspection. Excerpt: “Resisting cynicism’s pull starts with being open-minded. Examine the data of your life like a scientist would, he says, instead of jumping to conclusions, positive or negative. Think everyone at your job is out for themselves? Ask 10 colleagues for a favor, and see if anyone agrees to help. Convinced every conversation with a co-worker will be painful? Spend a day rating your interactions with them on a scale from 1 to 10.” https://lnkd.in/g3yi4k3p

There has been a lot of chatter in the security and privacy ecosystems about the Recall preview feature for Windows Copilot+ PCs. The Windows team put out a blog today that clearly spells out how this feature will heavily support user privacy by default along with other security and privacy controls. Read the blog for yourself, but here are a couple of my key takeaways - most importantly, "If you don’t proactively choose to turn it on, it will be off by default."... - Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards. - We are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall. If you don’t proactively choose to turn it on, it will be off by default. - These images are encrypted, stored and analyzed locally, using on-device AI capabilities to understand their context. - Windows Hello enrollment is required to enable Recall. - we are adding additional layers of data protection including “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates. In addition, we encrypted the search index database.

Proud to see the team showing up with strong analysis on Grandoreiro and Luna Tempest in the latest podcast. Take a listen!

In threat intelligence, a deep knowledge of tactics and techniques (TTPs) is critical to help us implement the most effective mitigations and protections. In an AI-enabled world, those TTPs are evolving in some fascinating ways. Our latest blog takes a deep dive into AI jailbreak techniques. This is critical "the more you know" reading for all of us in Security. Make the time to read it. Bonus: It's buried toward the end, but don't miss the details on the release of PyRIT (Python Risk Identification Toolkit for Generative AI) on Github! What is an AI Jailbreak + a bit of a teaser from the blog... An AI jailbreak is a technique that can cause the failure of guardrails (mitigations). The resulting harm comes from whatever guardrail was circumvented: for example, causing the system to violate its operators’ policies, make decisions unduly influenced by one user, or execute malicious instructions. This technique may be associated with additional attack techniques such as prompt injection, evasion, and model manipulation. You can consider the attributes of an AI language model to be similar to an eager but inexperienced employee trying to help your other employees with their productivity: Over-confident, gullible, wants to impress, and lacks real-world application. Resulting in AI models and system having the following characteristics: Imaginative but sometimes unreliable, Suggestible and literal-minded, without appropriate guidance, Persuadable and potentially exploitable, Knowledgeable yet impractical for some scenarios. When an AI jailbreak occurs, the severity of the impact is determined by the guardrail that it circumvented. Your response to the issue will depend on the specific situation and if the jailbreak can lead to unauthorized access to content or trigger automated actions. To mitigate the potential of AI jailbreaks, Microsoft takes defense in depth approach when protecting our AI systems, from models hosted on Azure AI to each Copilot solution we offer. The blog has a long list of high-quality referenceable resources! To empower security professionals and machine learning engineers to proactively find risks in their own generative AI systems, Microsoft has released an open automation framework, Python Risk Identification Toolkit for generative AI (PyRIT). The blog has more about the release of PyRIT for generative AI Red teaming and access the PyRIT toolkit on GitHub.