Generative AI


I have been exploring the uses for generative AI across a few areas of my work. Due to the nature of my work it is not possible to send documents to ChatGPT, or others for that matter, to ask it questions. While I can use internal GenAI tools that are powered by OpenAI that are approved for use, the concepts that I have been working on can be applied across all the current GenAI applications on offer, not just OpenAI’s.

I started this journey when I was watching a YouTube video interview with Daniel Miessler from Unsupervised Learning. His view on GenAI and how it can be used for many other aspects was intriguing. He was working on an open source engine that collected and made prompts in order to “train” the AI to produce results that assisted you to save time. The one that was shown in the interview was the threat analysis. This was really my first view into the possible power of using the AI to be more productive, as well as using it for more than just asking stupid questions.

Enter Fabric

After that interview on YouTube, I actually sat on pause to copy the prompt that Daniel had shared on screen. While it was not perfect (I had many typos), it worked amazingly. I started to think about how I could use this daily.

A few weeks after that interview, the initial release was put onto GitHub. Initially, it was the patterns I was most interested in, but over the past few weeks I have installed the actual fabric CLI and have been using it extensively. The most powerful aspect here is the patterns that are being shared; I will share two of my favorites here.

Threat Model

I have been working on a few threat models for my personal life. I think threat modelling is a powerful tool to help you understand the threats that you might face personally. I will likely cover that in a future post, but for now:

echo "a personal laptop stolen from a car parked in a public place" | fabric --pattern create_threat_model --model claude-3-opus-20240229 

With the fabric agent installed and all my API keys added, running this simple command passes the scenario to the model together with the pattern's predetermined system context. The scenario being:

a personal laptop stolen from a car parked in a public place

This can be anything you fancy, but in my example here I am using the Anthropic Claude Opus, the latest generation of their GenAI, to provide the output. This is what was returned:

| Scenario | Impact (1-1000) | Likelihood (0-100%) | Risk (Impact * Likelihood) |
|---|---|---|---|
| Thief accesses sensitive personal data (financial, health, etc.) | 800 | 70% | 560 |
| Thief uses laptop to impersonate owner online | 600 | 40% | 240 |
| Thief sells laptop with data still on it | 500 | 60% | 300 |
| Thief uses saved passwords to access online accounts | 900 | 50% | 450 |
| Data breach if laptop connected to company network | 700 | 30% | 210 |

Total Risk: 1760

THREAT MODEL ANALYSIS

  • Sensitive personal data access is highest risk scenario
  • Online impersonation and account access also high risk
  • Selling laptop with data is moderately likely
  • Data breach via company network less likely
  • Defending against determined thief accessing data is difficult
  • Mitigations: encrypt drive, use strong account passwords, remote wipe
  • Prevention: avoid leaving laptop in car if possible
  • Balance security with convenience based on risk tolerance
  • Total risk high, so strong protections warranted overall

The threat model shows that a stolen personal laptop presents significant risks, especially around sensitive personal data being accessed by the thief. While some scenarios like a resulting data breach are less likely, the potential for a thief to access financial data, impersonate the owner online, or use saved passwords to access accounts is high.

Defending against a determined attacker accessing data on a stolen device is difficult, so encryption, strong unique passwords, and the ability to remote wipe are important mitigations to have in place. Avoiding leaving a laptop unattended in a vehicle is also wise.

However, security always involves a trade-off with convenience, so while the overall risk is high enough to warrant strong protections, the owner must balance that with their own risk tolerance and usability needs. The main takeaway is having protections in place ahead of time and being mindful about not leaving devices unattended, as recovering from this type of theft can be very difficult.
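
Model-generated scores are worth checking before they feed a decision. The following is an added example, not part of the original post or of fabric: it parses the scenario rows from the output above, recomputes Risk as Impact × Likelihood, and compares the sum with the stated total. The function names and the accepted row layout (pipe- or space-separated) are assumptions; the sample rows are copied from the output shown above.

```python
import re

# Rows and total copied from the model output in this post (pipe or space separated).
SAMPLE = """\
| Scenario | Impact (1-1000) | Likelihood (0-100%) | Risk (Impact * Likelihood) |
| Thief accesses sensitive personal data (financial, health, etc.) | 800 | 70% | 560 |
| Thief uses laptop to impersonate owner online | 600 | 40% | 240 |
| Thief sells laptop with data still on it | 500 | 60% | 300 |
| Thief uses saved passwords to access online accounts | 900 | 50% | 450 |
| Data breach if laptop connected to company network | 700 | 30% | 210 |
Total Risk: 1760
"""

ROW = re.compile(r"^(.*\S)\s+(\d+)\s+(\d+)%\s+(\d+)$")
TOTAL = re.compile(r"Total Risk:\s*(\d+)")

def parse(text):
    """Return (rows, stated_total); header and separator lines are skipped."""
    rows, total = [], None
    for line in text.splitlines():
        flat = " ".join(line.replace("|", " ").split())
        if m := TOTAL.search(flat):
            total = int(m.group(1))
        elif m := ROW.match(flat):
            name, impact, pct, risk = m.groups()
            rows.append((name, int(impact), int(pct), int(risk)))
    return rows, total

def audit(text):
    """List every place the stated numbers disagree with the arithmetic."""
    rows, total = parse(text)
    findings = [] if rows else ["no scenario rows found"]
    recomputed_sum = 0.0
    for name, impact, pct, risk in rows:
        if not (1 <= impact <= 1000 and 0 <= pct <= 100):
            findings.append(f"{name}: value outside the stated scale")
        expected = impact * pct / 100
        recomputed_sum += expected
        if abs(expected - risk) > 0.5:  # allow for rounding
            findings.append(f"{name}: risk {risk}, expected {expected:g}")
    if total is None:
        findings.append("no total found")
    elif abs(recomputed_sum - total) > 0.5:
        findings.append(f"total {total}, expected {recomputed_sum:g}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "table is internally consistent")
```

An empty list means every row and the total agree with the arithmetic; it says nothing about whether the impact and likelihood estimates themselves are reasonable.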

Create Threat Scenarios

The threat model is by no means perfect, but for a prompt that took less than a minute to run, it is a great start and can be built upon. Building this out again, let's take the same scenario, but this time let's Create a Threat Scenario.

This one actually blew me away: something so simple that can return a full document (almost) for a simple scenario. I am not going to paste the full scenario, but will link to a PDF below. One specific output that, I think, is compelling is the Recommended Controls:

  • Enable full disk encryption with strong password
  • Require password/biometrics to wake laptop from sleep
  • Don't store sensitive personal data on laptop unnecessarily
  • Use password manager instead of saving in browser
  • Don't save financial/banking details or credit card numbers
  • Be cautious storing client data or work secrets
  • Disable geolocation services when not needed
  • Keep software and anti-malware up to date
  • Back up data securely to minimise impact of theft
  • Don't use laptop for sensitive communications if high-risk
  • Consider remote wipe capability for high-risk scenarios
  • Avoid keeping laptop in car for extended periods
  • Park in well-lit, high-visibility areas when possible
  • Conceal laptop from plain view in trunk if necessary
  • Consider using privacy screen to prevent shoulder surfing

This is only the beginning of my look into Generative AI and how it can help speed things up or start the creativity. Over time, I will be sharing my personal system prompts here on my site.