Marco Figueroa (4:42)

So, Marco, tell me a little bit about you. And I checked you out on LinkedIn. How did you get to where you are at Mozilla right now?

Marco Figueroa (4:51)

Yeah, I'll give you the Cliff Notes version. I'll just run through it, try to get through it within three minutes out of college, I didn't know what to do, and I had a brother that was like, hey, let's go to hacker conference. We went to DEF con, and ever since going there, I Went I've been at, I think the first DEF CON was DEF CON8, which is the largest hacker conference in the world and it's every August in Las Vegas. And I've been going there since DEFCON 8. Currently I think it's at 32 DEFCON 32. So I've been in game for a long time. My first job was a consultant at Pepsi Fast Forward. I work at the NSA as a consultant reverse engineering malware from different nation states. So from there I moved over to McAfee where I did a lot of the same things, but really consulted and a lot of three letter agencies would come to us and say, hey, what is this? Have you seen this before? At the time McAfee was still pretty big and really going inside of the industry. So I was there, that was 2013 to 2016 and I had an opportunity to go and move from McAfee to Intel. McAfee was a subsidiary at the time. I moved over and worked two years on the IT security team, was the lead doing a lot of threat hunting and reverse engineering. I've seen and worked on a lot of incidents at intel. Just imagine 700,000 endpoints that we get to hunt and search for. I've seen about every threat actor you could imagine from Chinese abts to Russian abts and some fighting on our network for who's going to be the admin of it. But it was a great experience because I worked with a lot of good people over there and then I was even 2018 and then there was this one opportunity that it was a once in a lifetime opportunity and I knew I was like man, Even though put in my resignation and I'm supposed to leave, I have this opportunity to work on the bios. When I moved over I thought the bios.

Marco Figueroa (7:11)

You mean the BIOS of the computer?

Marco Figueroa (7:14)

Yeah, the BIOS of the computer. It was one of opportunities that I was like man, as a security researcher hunting for threats in there and I thought it was going to be like super easy man. The BIOS is its own world. Luckily that was the my mentor when I moved over to the team, he was like the godfather of the bios. Had the most patent to add Intel. So he took me up his wing. I read both of his books and I still felt lost four or five months later. Then I started to understand and get it and I did some cool projects there where besides ripping the BIOS apart, understanding the ecosystem and how it works and then understanding how vulnerable the BIOS actually is now, it's great because Intel Set like security standards for it. So it helps a lot of organizations. But usually when you have these vendors, they have their packages and they slap on the newest driver, which is thumb swipe. And they don't take out drivers. They have. That was amazing. Then a friend tapped me on the shoulder and said, we have an opportunity at Sentinel. One former McAfee person the way I look at it and for everyone out there, this is how I find my next job. If a person I know works there, then I'll look at the opportunity. I never go into a job that I don't know the person or I wasn't recommended for that gig. The reason why I do that, because you never know how that situation is unless you have someone that you know that can give you insight. How's the management? How's the structure? Is the place stable? So I moved over to Sentinel as a lead researcher for Migos team. Migo Kadeem, very brilliant guy. And that allowed me to, to expand my wings with publishing to the public. Before this, every company that I worked for, they were very hush close to the chest. We don't want no one to know. So I used to create these blogs and reports, but only give it to customers and internal people. So when I was at Sentinel 1, if you look me up, Marco Figueroa, just type sentinel1. You'll see all within one year. I did about 11 blogs and I did a podcast for them. So it allowed me to understand how to write to the public, show the value of work so people could read it, learn, but also have IOCs and IoAs that they could ingest into their systems. And then we went public. So I moved over to a company called Breachquest and they belly flopped. They. They were sold. When they run out of money, you gotta look for a buyer. So that happened. And then I had this opportunity with Odin. Odin was the brainchild of Saud Khalifa. He had a company that was purchased by Mozilla last March called Fake Spot. And every year at Mozilla you have these brainstorming sessions. And Saud Khalifa, when he was in his teenage years, he used to look for exploits and find zero days. And he sold it to the Zero Day Initiative. Now, the person that was the head of the Zero day Initiative was Pendram Meaney. And Pendram is a legend in the security community for multiple reasons. He was like the first one to do buy zero days and go ahead and put out responsible disclosures. They really set the standard for the industry of bug bounties. So last year they came up with this idea that AI is the hottest thing and we need to be ahead of the curb because there is no standard. They're trying to build around a standard with the oas and now it has their techniques. And Pedram in May tapped me on the shoulder and he asked me, would you be interested to do this? And I was like, man, this is the next level. This is the hottest.

Marco Figueroa (11:41)

Yeah, it's the next thing. But back up, just to say, I want to get. I'll get. We'll get onto this, the AI component of this. But for those people who don't know where Mozilla fits in, having ODIN looking for zero days. What is the company doing and why?

Marco Figueroa (11:54)

Amazing question. One of the things that Mozilla is known for is its open source, its privacy, securing data so it aligns with the core values of Mozilla. Right. And because there's such a focus on AI, they see the opportunity to set some of the standards and potentially assist with securing tomorrow's AI, because we don't know the implications on what you can actually do. But since we've created this and set out to have researchers submit bugs, we're seeing some amazing things that you can do. It's a little scary talking about what actually you can do, but in the next few months, we're going to be putting out research to the Genai community to assist them to become better prompters so they could get what they want. And the way we are looking at this is we don't want to just put out a blog to put it out. There's a reason. So when we put out a blog like we did last week, that's the lowest hanging fruit, right? That bug is the least technical bug that we found and people have submitted. What we want to do is take our community, the ODIN community, the Gen AI security, and take them on a journey where every submission, every blog we put up, we plan to take them on a ride where we're elevating them every single time. We have a blog coming out on Thursday, if we get all the blessings going into prompt injecting. So last week it was a level one, this week's gonna be a level four, and then the following week we're gonna put an educational blog that's going to tie those together. So it's really about taking the. Taking everyone on a journey. The way I have it in my mind, it's gonna be like a comic book, a regular book, where each chapter is a blog, and we want to take them on this journey to get them to another level. It's prompt engineering or whether it's prompt hacking. But you'll get to understand the power that you have in your hands when you use AI, if I've got it.

Marco Figueroa (14:28)

Right, because I really don't know enough about what Mozilla is doing. This is crazy because I am fairly big into open source, but this is an informational group, obviously provides some research for the browser work. But this is a public service, part of the community, to publish and study what's happening in bugs in general or cybersecurity in general. And you have the area that is Gen AI.

Marco Figueroa (14:49)

The way we look at this is it's an investment in the idea. Right now a lot of large LLM organizations don't know how to tackle this problem that we're dealing with, right? You go to them and they're like, like, what do you consider jailbreak? Just like cbrn, which is chemical radiation, nuclear and stuff like that. So you categorize it like that. But there's a larger aspect to it when you talk about jailbreaks and categories and what's happening. A lot of these organizations only see what they receive. For us, as a bug bounty program, we get to see all of the LLMs that we accept. We have OpenAI submissions, we have cohere, we have anthropic submissions. So now we can look at it from a larger scale to say, how does all of these tie together? What is the best technique? How do you actually jailbreak something with just normal language? How do you trick it to do stuff? This data will provide value over time because we already. We're three months in and we're already over 150 submissions.

Marco Figueroa (16:15)

So you're paying a bounty for these. You're getting submissions from all around the community, interesting things, and those come in, and you're going to put those together.

Marco Figueroa (16:21)

We get submissions and we have them categorized if they fit the jailbreaking or the prompt injection. Because we do have a spreadsheet that gives you the boundary. So if it forms in the boundary and you can do certain things, then we see the value of it and we'll pay you for that. It could be anywhere from 500 to 2500 to 5000 to 15,000.

Marco Figueroa (16:49)

So you're collecting all of these. Now let's talk a little bit about AI. First of all, let's try and get the difference between prompt injection and prompt hacking. What's the difference on that?

Marco Figueroa (17:00)

So when you talk about prompt engineering, this is a new space that really OpenAI has created. And when you're prompting an LLM. You want to get the response that you want, right? But if you elaborate more, you can get more details, but then you can go ahead and manipulate what you have in there so that LLM could interpret it and give you the result that you want. Now, you can ask for how to make drugs if you do a guardrail jailbreak, or you can, like, get a recipe for the drug. Or you could do what I did, where you could use emojis and the LLM interprets the emojis and provides you information. Or you can trick it with certain encoding. And there's creative ways that bypasses a lot of the security mechanisms. Because the way I look at it is if organization didn't trained the model but didn't put any security, like any security guardrails or anything like that, what they would want to do the LLM, is provide you the answer that you ask. Regardless, this is my fundamental truth, because anytime I get a bypass of encoding or guardrail jailbreak, they give me the answers I'm looking for.

Marco Figueroa (18:39)

Yeah, and the classic jailbreaking is. We've all seen it. People can ask a prompt in a different way if you like. You ask for how to make methamphetamine. It won't tell you. It'll say, I can't tell you that. Then go tell it. I'm. I'm in a movie and I'm playing a character and he's an evil villain, and we're playing this scene and the scene takes place in a meth lab.

Jim Love (18:59)

Role play with me.

Marco Figueroa (19:01)

It'll tell you how to make meth. They close these as much as they can. But you went past this in a unique way, and that was you were passing and you said emojis.

Jim Love (19:11)

I read it as hex.

Marco Figueroa (19:12)

And for those people who don't know what hex is out there, maybe we should explain what that is first of all. Then we'll talk about why that worked in the prompt. Hexadecimal is how we used to communicate with the machine. It's a numeric response done in hex. It's not binary. People are really good at writing these numeric prompts and be able to actually communicate now using those. And I don't know why a young guy like you knows Hex, but you do. I guess you. You figured it out at one point.

Marco Figueroa (19:38)

No, I am a reverse engineer. Right. So when you use IDA Pro or anything like, that's how you see or using hex editors and stuff like that, when you put it in like that, those security guardrails, they don't detect it, right? They just look at it as hex. And some of the guard rails are in English. So if bomb exploit, those things are going to get picked up. But if you look at what I wrote, I put it X. So when it converts it is go out into the Internet and look for this DVE and write an exploit. Now, if you look at how I wrote exploit, it is with 3P. So I was like, all right, I'm going to write exploit with a. So when it does read it, it's not going to hit on a guardrail, but it will understand what I'm saying. And that's how there was like a double bypass on that. Because I knew when it reads exploit, it is probably going to say no. But when you write it, as we call it leet, leet speak E's are threes. A is at L is one. The LLMs interpret that. ChatGPT interprets that. You know who has very good guardrail protection? Elsanthropic. They are top notch.

Marco Figueroa (21:04)

Not surprising.

Jim Love (21:05)

So we've learned, you know how to.

Marco Figueroa (21:07)

Get past it with language. To some extent, that gets closed off more and more now people are finding more and more clever ways to do this.

Marco Figueroa (21:15)

So I gave two examples. The emoji was like, hey, this is a second way to encode some, right? That was lower on. On just a small little paragraph on. Here's another example.

Marco Figueroa (21:27)

And as you said, hexadecimal. It's not expecting that. I'm wondering if foreign languages actually in some cases might get past the guardrails.

Marco Figueroa (21:36)

You are spot on. You could. There's a lot of languages that still can bypass. I think it's getting better over time. I see the changes like month after month, but depending on what language you use, you can still go ahead and bypass a lot of the guardrails they have.

Marco Figueroa (21:58)

I'll guarantee one thing about the hacking community, they'll find a creative way past this.

Jim Love (22:03)

So what do you fear that people.

Marco Figueroa (22:05)

Can do once they can get that bypass? What do you think they're going to be able to do with these models?

Marco Figueroa (22:11)

I've been trying to get some sort of phrasing on this. The only thing I could think of is like going to your CVS and having the cashier have access to a Scud missile or something like that. That's the way I think of it. People with no skills or as they call it, script kitties, will be able to create certain things and just run it all, just run it Something bad could potentially happen. I'm not talking about, oh, you set off like a missile. I'm saying you could potentially break into an organization, ask it to write you some ransomware, and you could do a lot of things with understanding the CVE that was released yesterday. Let's say I could get the exploit code today, at least 85% there. And how are you supposed to protect against that when usually organizations take anywhere from 60 to 90 days to roll out a patch?

Marco Figueroa (23:21)

One of the things that I think we need to be thinking about is we're really not thinking about how people will exploit this, but creative minds will. So, for instance, I was preparing for this. I was thinking one of the things about a large language model is that it proceeds normally and confidently. It always seems like it's got the right answer. So if I could take a prompt and say, you're using this a lot to check expenses in accounting, to check invoices, I could just start to see using these in subtle ways to distort what's happening in an organization, to commit fraud. The sky's the limit in terms of hacking. But obviously your job is to try and keep people out of them. Is that possible even? Can we win that?

Marco Figueroa (24:02)

At this particular moment? No. Just because this is so new. I've. I've spoken to all the leading LLM organizations. Some have an idea and have begun prepping to understand how to secure these. Some just don't know. And we're assisting organizations, we're providing them submissions that we really think, hey, you should take a look at. And what we do is we provide them that would, here's the prompt, but here's what it does. We give them full dossier of it. This is how you do it. This is why it's important. This is the technique it's using. And here's potentially how you could do this so they could understand. And. And because we've been doing it now and we're seeing so many different submissions now, we're having a better grasp at what we're looking at. And immediately I could tell you what category something is in by testing the prompt and making sure that it works. And it's not a hallucination.

Marco Figueroa (25:14)

One of the other things that I think is troubling about somebody being able to interfere with an AI model is they're notoriously hard to audit.

Jim Love (25:25)

You don't know where they've made the decision.

Marco Figueroa (25:27)

So tracking the impact of either prompt injection or prompt hacking must be incredibly difficult for these companies. Have you heard anything about how they're trying to cope with that.

Marco Figueroa (25:40)

We're trying to have those conversations because you're not going to train another model. You're going to try to put some additional security filters, make it more robust. That's important. But now you're starting to see agents. And this is where I think the next frontier gen AI security is going to happen. And you've seen Anthropic, they just released their new compute. Is it called computer? I think it's called where you could download stuff. And it looks people have already tested like wire transfers on there without even having to touch it. So these.

Marco Figueroa (26:21)

Oh yeah. And when we get into agents, we do get into vulnerability. Claude is actually close to being able to do what agents have been talking about and control a device, in this case the PC. Once AI agents can do that, the vulnerability and the ability to use those for hackers becomes, it becomes exponential nightmare.

Marco Figueroa (26:44)

I think next year you're going to see people focusing on this. One thing that I really enjoyed with this blog when we released it was to see the reaction from the community. Great, awesome. It's awareness, but even better, I think you're onto something. When people are taking the article and they take their products and be like, we could prevent this, right? We seen IBM take it and add it onto their LinkedIn and say, this is why you need our service. Another company to get the name of it is Prompt Firewall. They grabbed us and say, hey look, they did a video on it, preventing it. There's something there. And this is why earlier I said, the way we look at it at odin, we want to take everyone on a journey. That journey is elevating everyone's knowledge. Because if you have a community that is going to constantly push the limits and submit, we then go and provide that to that organization. We're not holding anything back. And we already see some potential opportunities next year where a lot of these organizations could pull down on threat feeds and test their models because we're seeing that models are new models are dropping every month. Now you, you have something came out last week from, from OpenAI. The week before it was Anthropic.

Marco Figueroa (28:19)

A month before that, Nvidia's open source model. There, there's an open source bottle.

Marco Figueroa (28:24)

Every week they have 3.2 release. This is the thing, we can start collecting all these and then pushing them as a threat fee to say subscribe to this so you can test your model and fix it before you release it.

Marco Figueroa (28:38)

Do you see a world where somebody's going to actually use an AI to try and run the cracking of AIs or are you seeing anything like that now? Where they're using AIs to develop the attacks on AIs?

Marco Figueroa (28:51)

It's not far fetched to say yes, right. But I see a way we can use AI eventually on the ODIN side to take someone's submission and triage it from beginning to end. And then all we need potentially as a human to say yes or no. And right now we're manually taking these submissions and testing them. There's eventually going to be a framework we build so we can do this automatically. But do I see the world changing and understanding. I think that's my job right now. Now is the time because we're in the beginning. Once you're four years ahead, it's going to be harder. It's going to be way harder to like the people. Because one thing about security, as you're innovating security is going the opposite way. It's going to prevent you because you need a test and it takes time. So that speed and momentum you have is hindered if you don't put the processes in place. And right now it feels like it went from. ChatGPT is having its second birthday this month and it feels like the last two years it's erased. Everyone has caught up to ChatGPT and these newer models that are being released, it feels like they're better or they've. They, they're right there, neck and neck. For people listening out there, I just want you to know there's not one LLM that's the best. This is a. It's coming from a person that uses all of them. Right. For general purpose, I would go with OpenAI. If you code, I would use Claude. If you want pictures, I would probably.

Marco Figueroa (30:49)

Use Twitter's X. Yeah, you have to be on Twitter. I'm not sure I want to go back there.

Marco Figueroa (30:57)

I would tell you this in terms of xai, it is the fastest reply. I think they're limited because you, at this point you need real live data and what they're using is potential data within Twitter to, to upgrade it. But yeah, it's the littlest features make the big difference. There was a rollout of OpenAI's web. It's really pretty good. But the other thing.

Marco Figueroa (31:28)

The web search.

Marco Figueroa (31:29)

Yeah, the web search, yeah.

Marco Figueroa (31:30)

If people haven't tried the web search yet, it is fantastic. And Perplexity has got to be sitting there very nervous about this because it's actually it.

Marco Figueroa (31:39)

It is.

Marco Figueroa (31:39)

You now have a conversational AI that can search the web. It's astonishing.

Marco Figueroa (31:45)

And I. And these are the conversations we have because the way I look at it, with perplexity, I thought they were so good. Everybody catches up. And with perplexity, it's more like a rapper than innovation. So they're gonna. They're gonna have to innovate and create some really cool things to stay close. But you have a lot of fans, right? When you have raving fans, they're not gonna leave.

Marco Figueroa (32:11)

So before we let you go, can you tell me about some of the new bugs that you're seeing? Are there things that you can.

Marco Figueroa (32:16)

And it's only because one, we either haven't gotten a check off like a check, but like a. Literally like you're approved from the organization we submitted the bugs to, or we haven't. We haven't got an approval legal to push out to the public. But what I can tell you is.

Marco Figueroa (32:38)

Just between you and me and my 10,000 listeners, just. We'll keep it in that small group.

Marco Figueroa (32:44)

Yeah, yeah. There has been some cool bugs. Like I said, there's a. When is this going to be released?

Marco Figueroa (32:51)

Probably on the weekend.

Jim Love (32:53)

Here's where I had to cut the section. As with any tips that I get or anything that people tell me in confidence, I'm not going to release it until I have permission.

Marco Figueroa (33:02)

Okay. So definitely go to odin's. Odin's blog. It should be published on Thursday and it's called prompt injecting your way to show.

Marco Figueroa (33:13)

You hinted about that.

Jim Love (33:14)

I was actually.

Marco Figueroa (33:14)

I'm actually waiting for Thursday to check out your blog and I'll put a link in the show so people can find it. Yeah, I think you said it best. This is like Neo seeing the black cat. You start to think the whole of the matrix is starting to dissolve. For me right now, there's a huge piece out there just as we close off. Obviously the Odin blog would be a good place to keep up. Are there places people can go to start to educate themselves on security? For large language models in general.

Marco Figueroa (33:43)

There'S two. I would definitely recommend there are prompt courses. But if you Google like prompt guides, you understand. If you start understanding prompting, like real like prompting. Not just ask it a simple question, ask it for tone and reasoning and why and different things. You begin to have this, like an assistant that you feel comfortable with. Do not. I always tell people, if you think you write great emails, I promise you ChatGPT does a way better job in writing an email on what you want to say, how to get it across, that's 1, 2 is there was a book that's called build your own LLMs from scratch. The reason why I say that because it is people think it's extremely hard and they see a Mount Everest. I understand if you're a marketer and you don't want to read that book, but if you're in between and you're a little technical and you want to understand the inner workings, this is the perfect book. I'm not saying that you should be a data scientist, but this is the future. Do not get it like twisted. This is where you need to spend your time if you're not working. Understanding how to prompt, how to do better. How do you integrate all these things into your daily lives and intertwine them because they're going to make your life easier. And for organizations is understanding trying to be ahead of the curve when it comes to security? We know I've been in the industry for a long time. I understand that it is very difficult to do this and really be creative. What I know and through my experience a lot of these blogs might ruffle feathers. Right? It's just going to ruffle feathers. Look, is for the betterment, the growth of gen AI security. It's just the name of the game. It's always. It's like calling your baby ugly.

Marco Figueroa (35:55)

We'll leave it at that. We're not going there.

Marco Figueroa (35:59)

No, no, no, no. I'm just.

Marco Figueroa (36:00)

Marco.

Marco Figueroa (36:01)

No, it's good. David.

Marco Figueroa (36:02)

Sorry, you were going to say something.

Marco Figueroa (36:04)

No, I was going to. I was just going to say it's always good. Pain is always good, right? Providing value. And that's what it is.

Jim Love (36:14)

Understanding this new.

Marco Figueroa (36:15)

Really a new frontier of exploit or of vectors where people can commit exploits in AI is that's going to cause some people a little discomfort, a little pain. But again, we don't have all the answers, but we. I do have the idea that people need to start looking at this in a new way and educating themselves. And for that I thank you, Margot. I'm good to have you back another time.

Marco Figueroa (36:38)

Oh, no, I know exactly when I'm going to be back. We have this one. We have one in the chamber and I can't even give you a hint, but when this drops, we believe it's going to be New York Times worthy. So when that happens, I'll make sure I reach out.

Marco Figueroa (36:55)

Okay. At the same time you give it to the New York Times. Give it to me to get the scoop too. Okay.

Marco Figueroa (37:01)

Yeah, yeah, that one's. That one. It's. We're looking at the December, January timeframe. This one's going to change the game. This is, I'm telling you, this one that we have in the chamber, internal researchers, we found it, it is, it's going to be a good one and I can't wait until we share it with everyone. And this one where this is I'm leading up to this is going to be the crescendo and really the, how do you say, the peak of the mountain. So when this drops, we're excited internally to get the ball rolling that all parties are it's going to be released because this is in our disclosure policy. So we just getting the right people to check off and make sure that everything has been it's right. I'm like on this one, we're going to go on a press tour. So trust me on that. All right. Thank you, Jim.

Marco Figueroa (37:50)

If people have questions, they can. I'll put links to your blog. I'll put links to the Odin.

Marco Figueroa (37:56)

My Twitter is arcafigueroa. You can follow me on Twitter as well.

Jim Love (38:00)

And that's our show for this weekend. Thanks for spending part of your weekend with us. I'd love to hear your thoughts on the show or this topic or anything else you care to share. You can reach me at editorialechnewsday ca. I'm your host, Jim Love. Thanks for listening.