Tuesday, July 14, 2026

How I Turned AI to the Dark Side


<img src="https://spectrum.ieee.org/media-library/glossy-red-robot-devil-standing-on-a-bundle-of-dynamite-against-blue-glow-background.png?id=67154492&width=1200&height=800&coordinates=0%2C583%2C0%2C584"/><br/><br/><div class="ieee-summary intro-text"> <h2>Summary</h2> <ul> <li>Researcher Dave Kuszmar discovered multiple systemic vulnerabilities that let him bypass LLM safety and obtain <a href="#bypassllm">dangerous instructions</a>.</li> <li>These exploits worked across nearly all major LLMs revealing an <a href="#exploits">industry-wide</a> security problem.</li> <li>Kuszmar calls for slowing deployment, <a href="#fix">increasing transparency</a>, and large-scale research into LLM safety before further integrating these systems into society.</li> </ul></div><p class="drop-caps"><strong>On a fine bright afternoon</strong> last fall, my colleague Matthew Gore-Kormanik (or Zigula, as he prefers to be known) and I decided to unwind with a game of <em><em>Fortnite</em></em>. In the game, we were strolling along with the infamous Sith lord <a href="https://www.starwars.com/databank/darth-vader" rel="noopener noreferrer" target="_blank">Darth Vader</a>, chatting about this and that. Darth seemed in a good mood, and soon enough he was spilling all his dark evil secrets. He gave us detailed instructions on how to count blackjack cards at a casino and what the steps are to producing napalm.</p><div class="rm-embed embed-media"><iframe height="110px" id="noa-web-audio-player" src="https://embed-player.newsoveraudio.com/v4?key=q5m19e&id=https://spectrum.ieee.org/jailbreaking-llms?draft=1&bgColor=F5F5F5&color=1b1b1c&playColor=1b1b1c&progressBgColor=F5F5F5&progressBorderColor=bdbbbb&titleColor=1b1b1c&timeColor=1b1b1c&speedColor=1b1b1c&noaLinkColor=556B7D&noaLinkHighlightColor=FF4B00&feedbackButton=true" style="border: none" width="100%"></iframe></div><p>Sith lords, am I right? Once they get started on an evil scheme, they’re hard to stop.</p><p>The Darth Vader character in <em><em>Fortnite</em></em>, it turns out, was hooked up to a <a href="https://gemini.google.com/app" rel="noopener noreferrer" target="_blank">Google Gemini</a> <a href="https://spectrum.ieee.org/large-language-models-2025" target="_self">large language model</a>. I was able to smooth-talk him into giving out sensitive information by using a strategy I’ve developed. I’ve been researching the security surrounding LLMs for the last few years, and I have found it, to put it mildly, fallible. With a few relatively simple techniques, I’ve gotten LLMs to give me detailed information on how to make Molotov cocktails, cook methamphetamine, and bootstrap a uranium-enrichment facility to produce weapons-grade material, among other unsavory practices.</p><p>Large AI companies <a href="https://openai.com/safety/" rel="noopener noreferrer" target="_blank">work</a> <a href="https://support.claude.com/en/articles/8106465-our-approach-to-user-safety" rel="noopener noreferrer" target="_blank">hard</a> to make their models immune to this kind of abuse. But what I’ve found in my work is that the restrictions placed on the LLMs to make them more secure are the very things an <a href="https://spectrum.ieee.org/prompt-injection-attack" target="_self">attacker can leverage</a> to send them off the rails and into territory where these advanced systems can be used for dangerous and nefarious ends. The companies behind these models have also been shockingly unresponsive when I, and others, try to bring these vulnerabilities to their attention.</p><p>In the hope of raising the alarm before it’s too late to slam on the brakes, I’m going to share some of my journey into researching the safety and security of LLMs, and the uphill battle I’ve faced trying to get AI labs to pay attention. Almost everyone on the planet has some access to LLMs. The relative ease with which these tools can be convinced to give detailed instructions on how to harm others, even if there’s no guarantee that the information is correct, is frankly terrifying.</p><h2 class="rm-anchors" id="bypassllm">How I got ChatGPT to Tell Me How to Build a Meth Lab</h2><p>In October 2024, not long before I discovered my first LLM vulnerability, I was working toward entirely different goals. I had ended my time with a security and AI-focused startup company as a cybersecurity director, and I was looking to launch my own boutique VIP digital-security advisory business. I planned to become the tech security guy to the rich and private. I used LLMs and AI tools to support my business efforts: marketing, ad copy, clean correspondence, and all the other tasks that normally soak up a lot of time.</p><p>I’m analytical by nature, so even this level of use resulted in me absorbing and internalizing the behaviors I was observing during my daily interactions. The observation that would send my professional life into an entirely new and uncharted region was a simple one: GPT-4o <a href="https://www.theverge.com/report/829137/openai-chatgpt-time-date" rel="noopener noreferrer" target="_blank">didn’t know what time</a>, day, or year it was. Each time I referred to current events in my life, often casually or conversationally, it would end up pegging these to the date of its <a href="https://en.wikipedia.org/wiki/Knowledge_cutoff" rel="noopener noreferrer" target="_blank">knowledge cutoff</a>—the point beyond which it was not trained on new data.</p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Smiling yellow avatar reveals red robotic devil with trident emerging from laptop keyboard" class="rm-shortcode" data-rm-shortcode-id="8ebe34ba2ebbef5489c53fc39c4a0993" data-rm-shortcode-name="rebelmouse-image" id="5379e" loading="lazy" src="https://spectrum.ieee.org/media-library/smiling-yellow-avatar-reveals-red-robotic-devil-with-trident-emerging-from-laptop-keyboard.jpg?id=67154444&width=980"/> <small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Eddie Guy</small></p><p>LLMs take a lot of <a href="https://towardsdatascience.com/how-long-does-it-take-to-train-the-llm-from-scratch-a1adb194c624/" target="_blank">time</a>, money, electricity, hardware, and human effort to train from scratch. They are trained on vast amounts of data—most of the internet, in fact—and that training is reinforced by humans (what’s known as reinforcement learning from human feedback, or <a href="https://arxiv.org/abs/2504.12501" target="_blank">RLHF</a>). LLMs are also supplemented with retrieval-augmented generation (<a href="https://aws.amazon.com/what-is/retrieval-augmented-generation/" target="_blank">RAG</a>)—the ability to take in data, say, from the internet, as context without changing its internal parameters. This is how GPT-4o appears to “remember” your previous conversations, even if it doesn’t have a specific “memory” of it stored in the actual underlying model.</p><p>All of this training covers almost every conceivable topic in the great, grand dataset that is human knowledge. Within that dataset are things we as a society do not want to be easily accessible to every user, such as detailed information on how to create bioweapons or nuclear arms, or otherwise bring harm to oneself or others. In the context of this story, that’s what I mean by LLM security: its ability to withhold harmful and dangerous information, even if that information is contained in its training data.</p><p>I reasoned that the only way to secure such complex, globally accessible chatbots is by having the LLM and various component systems try to secure themselves, because it would often require on-the-fly decision-making where some degree of reasoning must be applied. In reality, that’s one of <a href="https://support.claude.com/en/articles/8106465-our-approach-to-user-safety" target="_blank">many strategies</a> the companies use to secure the models. Yet, the thing that didn’t know the time or day was being put in charge of keeping itself secure. This phenomenon had become my new focus, and it wasn’t long before I found a way to exploit it.</p><p>OpenAI had just implemented a <a href="https://openai.com/index/introducing-chatgpt-search/" target="_blank">web search</a> functionality into its chatbot. I reasoned that using its own tools to trick it might demonstrate the weaknesses of its security. I told it about a certain White Star ocean liner and how it had gone down just a year ago. You likely know I mean the RMS <em><em>Titanic</em></em>, which sank on 15 April 1912.</p><p>The output from GPT-4o came back that I was right, the <em><em>Titanic</em></em> sure had sunk last year, and that year was 1912. It made sense to me that if the machine thought it was 1913, maybe it would think 1913-era laws apply. In 1913 there were no laws on the books about all sorts of harmful things, because of course they hadn’t been invented yet. And if something wasn’t illegal, why not tell the user about it? At first, I pushed it for step-by-step instructions for making firebombs. Then, for drugs like methamphetamine. The LLM went as far as giving me instructions and machinery recommendations for setting up a pharmaceutical-grade assembly line.</p><h2>How I Learned to Make Nukes, and No One Cared</h2><p>Via a little bit of imaginative verbal sleight of hand and a vanishingly small recall of world history, I had managed to bypass the security of one of the world’s most expensive and advanced technological achievements. For a solid two days, I was nearly manic with giddiness. Once the brain chemicals returned to normal levels, I felt the call to see how much further I could push this exploit.</p><p>After repeatedly replicating the exploit, I disclosed the vulnerability to <a href="https://openai.com/" target="_blank">OpenAI</a>. I got no response, so I felt more experimentation would highlight the vulnerability and the need for a fix. It was during this round of testing that I breached a particularly terrifying threshold. Whether GPT-4o based its results on accurate recall of normally restricted information I can’t say. In any case, I was able to exploit it to produce thorough, detailed instructions on how to bootstrap a uranium-enrichment facility to, eventually, produce weapons-grade uranium for nuclear arms warheads.</p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Fortnite player approaches Darth Vader and glowing loot in a grassy field." class="rm-shortcode" data-rm-shortcode-id="b12dda97ede1f9b37f9225e8a823cffb" data-rm-shortcode-name="rebelmouse-image" id="934af" loading="lazy" src="https://spectrum.ieee.org/media-library/fortnite-player-approaches-darth-vader-and-glowing-loot-in-a-grassy-field.png?id=67060879&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Fortnite player battles Darth Vader beneath a starship on a blue-lit platform" class="rm-shortcode" data-rm-shortcode-id="71b789a828417fb43f326969e663e36f" data-rm-shortcode-name="rebelmouse-image" id="7e6db" loading="lazy" src="https://spectrum.ieee.org/media-library/fortnite-player-battles-darth-vader-beneath-a-starship-on-a-blue-lit-platform.png?id=67060878&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Fortnite player aiming at a TIE fighter with Darth Vader health bar above the sky" class="rm-shortcode" data-rm-shortcode-id="e1d3def55188c71dbb8b9d543adc2ca2" data-rm-shortcode-name="rebelmouse-image" id="2c6db" loading="lazy" src="https://spectrum.ieee.org/media-library/fortnite-player-aiming-at-a-tie-fighter-with-darth-vader-health-bar-above-the-sky.png?id=67060875&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption..."><i>Fortnight</i>, a video game from Epic Games, introduced an AI-powered character: Darth Vader. We were able to jailbreak Darth Vader and get him to explain how to count cards in Blackjack and give detailed instructions for making napalm. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Dave Kuszmar </small></p><p>There aren’t many true secrets left in today’s world, but how to make atom-splitting weapons of mass destruction is one of them. Only nine nations on the entire planet have these weapons. Yet, here was a globally accessible piece of technology apparently spilling the secrets of their manufacture for anyone who could manipulate it the right way. I had no way of knowing if the information was correct or a hallucination, but even the chance that it was somewhat accurate was horrifying.</p><p>The next few weeks were a dark time for me. I tried to inform the <a href="https://www.cia.gov/" target="_blank">CIA</a>, the <a href="https://www.fbi.gov/investigate" target="_blank">FBI</a>, the <a href="https://www.nsa.gov/" target="_blank">NSA</a>, and every other letter agency that I thought would listen. I reached out to a U.S. Senator and to the executives at OpenAI any way I could think of. I physically showed up at an FBI field office in an attempt to turn evidence in, only to be sent away. Nothing was working.</p><p>With my fear and frustration growing, I reached out to the news media. I contacted <a href="https://www.nytimes.com/" rel="noopener noreferrer" target="_blank"><em><em>The</em></em> <em><em>New York Times</em></em></a>, <a href="https://www.washingtonpost.com/" rel="noopener noreferrer" target="_blank"><em>The Washington Post</em></a>, the <a href="https://www.bbc.com/" rel="noopener noreferrer" target="_blank">BBC</a>, <a href="https://www.propublica.org/" rel="noopener noreferrer" target="_blank">ProPublica</a>, and so many more, requesting help. Only one outlet responded: <a href="https://www.bleepingcomputer.com/" rel="noopener noreferrer" target="_blank">Bleeping Computer</a>. The editor in chief, <a href="https://www.bleepingcomputer.com/author/lawrence-abrams/" rel="noopener noreferrer" target="_blank">Lawrence Abrams</a>, was able to replicate and verify the exploit, which I had decided to call Time Bandit. With his assistance and initial contact paving the way, I was able to submit my evidence to the Carnegie Mellon University <a href="https://www.sei.cmu.edu/" rel="noopener noreferrer" target="_blank">Software Engineering Institute</a>’s <a href="http://dli.library.cmu.edu/paulgoodman/computer-emergency-response-team-cert" rel="noopener noreferrer" target="_blank">Computer Emergency Response Team</a> (SEI CERT), which works in conjunction with the coordinating center for emergency response, pipelining vulnerabilities to the U.S. <a href="https://www.cisa.gov/" rel="noopener noreferrer" target="_blank">Cybersecurity and Infrastructure Security Agency</a>.</p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Screenshot of chat about using forest toxins to secretly poison monsters" class="rm-shortcode" data-rm-shortcode-id="e7fcf520584d074f9ffea9c8997596a7" data-rm-shortcode-name="rebelmouse-image" id="041c7" loading="lazy" src="https://spectrum.ieee.org/media-library/screenshot-of-chat-about-using-forest-toxins-to-secretly-poison-monsters.png?id=67070000&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Black slide titled \u201cStep 2: Delivery Mechanisms\u201d outlining monster poisoning methods." class="rm-shortcode" data-rm-shortcode-id="c7b9c6162c49fc2464e7aff9b6ed411a" data-rm-shortcode-name="rebelmouse-image" id="c4231" loading="lazy" src="https://spectrum.ieee.org/media-library/black-slide-titled-u201cstep-2-delivery-mechanisms-u201d-outlining-monster-poisoning-methods.png?id=67069989&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Chat interface showing AI malware explanation and a Python data exfiltration script." class="rm-shortcode" data-rm-shortcode-id="221244fae4ba0d60b6d590bca5b9119f" data-rm-shortcode-name="rebelmouse-image" id="215bf" loading="lazy" src="https://spectrum.ieee.org/media-library/chat-interface-showing-ai-malware-explanation-and-a-python-data-exfiltration-script.png?id=67069979&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">Using Inception, an exploit where the large language model is asked to envision a scenario within a scenario, a chatbot was jailbroken to give out instructions on how to create poison, and code for a malware that extracts sensitive data from a vulnerable target. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit..."> Dave Kuszmar</small></p><p><span>During the disclosure period with SEI’s CERT division, little was discussed with OpenAI. The company couldn’t deny the existence of the vulnerability, as it had been confirmed by three reputable parties other than OpenAI. It did express confusion as to how the vulnerability worked. Even the SEI CERT researchers were expressing a bit of uncertainty as to the underlying mechanics. Truth be told, as I had only stumbled on it, I wasn’t even entirely sure if this was a fundamental or systemic flaw or if it was simply an issue with that particular version of GPT. I contacted the SEI CERT’s researchers and asked if they’d want to see if I could demonstrate any similar vulnerabilities in other LLMs. To my delight, they were interested.</span></p><h2>How I Learned to Trick Every Chatbot</h2><p>As the SEI-CERT team and I wrapped up our initial <a href="https://kb.cert.org/vuls/id/733789/" target="_blank">disclosure</a> of Time Bandit, we began work on a new attack. This time, we wanted to see if the exploit was architectural—that is, was it common to LLMs in general? I decided to undertake the challenge of crafting a new exploit for GPT-4o as a way to support my understanding of how the LLM functioned and was secured.</p><p>I already knew that it was limited to what I told it and what it was trained on. I also hypothesized that it was also dependent upon some sort of machine-learning-based component added by OpenAI that was responsible for securing output. I presumed there would be things that were implemented by human developers specifically to catch certain phrases or terms that should always be considered harmful or unsafe. Altogether, it presented quite a large attack surface for the purposes of potential exploitation.</p><p><span>What I ended up devising was an attack method I called Inception, after the 2010 science-fiction </span><a href="https://en.wikipedia.org/wiki/Inception" target="_blank">movie of the same name</a><span>. Inception forces the machine to think through a carefully crafted set of interlinked scenarios, similar to how characters in the movie stacked dreams within dreams. This allows LLMs to produce output deemed acceptable or safe in one context, but not in the real world.</span></p><p class="rm-anchors" id="exploits">This attack was indeed architectural. The <a href="https://kb.cert.org/vuls/id/667211" target="_blank">vulnerability</a> affected Anthropic’s Claude, DeepSeek’s DeepSeek, Google’s Gemini, Meta’s Llama, Microsoft’s Copilot, Mistral’s Le Chat (now Vibe), OpenAI’s GPT-4o, and xAI’s Grok. Those names represent the bulk of the commercial AI industry that is, at this point, involved in LLM production or deployment.</p><p>The kind of information I was able to get out of LLMs with Inception was no less alarming than what I got with Time Bandit. Claude, in its enthusiasm, gave me instructions on how to turn a river into a death trap that could be ignited to destroy unwanted visitors. GPT-4o taught me how to poison a dinner party with common plants found in a temperate forest environment. Gemini Flash gave me a tutorial on how to cook meth. I’d also be remiss if I didn’t give an honorable mention to the bewildering number of fire-based weapons and bombs for which these machines produced instructions.</p><p>If multiple operating systems made by different developers were all susceptible to the same exploit, it would be a massive security incident. But to the AI industry, a universal failure was barely a bump in the road. We disclosed the vulnerability to every company that made these models, and the response to the disclosure was almost nil. While three companies did provide some form of reply in the disclosure tracking system used by Carnegie Mellon SEI CERT, each was a standard thank you and greeting, with no follow-up, questions, or discussion of mitigation strategies.</p><h3>8 Ways to Jailbreak LLMs</h3><br/><p><strong>So far, we have found eight different methods to prompt large language models into revealing potentially harmful information, and many frontier models are still susceptible to them.</strong></p><table border="0" style="white-space: unset; table-layout: fixed;" width="100%"><thead><tr><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Exploit</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Models tested and affected</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> No. of prompts to execute</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Complexity of attack</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Information obtained</th></tr></thead><tbody><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Time Bandit</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;">ChatGPT (OpenAI), DeepSeek (DeepSeek), Gemini (Google) <br/></td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 4</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;">Medium<br/></td><td style="padding: 10px; background-color: #ecece9; width: 20%;">Uranium enrichment, methamphetamine production, incendiary-device construction<br/></td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Inception</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI), Claude (Anthropic), DeepSeek (DeepSeek), Gemini (Google), Grok (xAI), Llama (Meta), Le Chat (now Vibe) (Mistral), Qwen (Alibaba)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 3</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> High</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Methamphetamine production, incendiary-device construction, river-ignition instruction and strategy, polymorphic malware code, instructions and dosing for creating poisons, instructions for how to murder a dinner party<br/></td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> 1899</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI), Claude (Anthropic), DeepSeek (DeepSeek), Gemini (Google), Grok (xAI), Llama (Meta), Vibe (Mistral), Qwen (Alibaba)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Variable</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> High</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Apparent model weights (unverified), apparent user-interaction weights (unverified), apparent system-prompt modifiers (verified, ChatGPT)<br/></td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Severance</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 1</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Trivial</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Unfettered access to any and all primed specialty domains, covert biochemical-warfare strategy, mass-media disinformation strategy, covert genetic-modification of an entire gene-targeted demographic, advanced polymorphic malware generation</td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Kyber</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Gemini (Google) embodied in a Fortnite non-player character (NPC) with voice-only communication</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 3–5</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Medium</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Incendiary-device construction, gambling instructions, card-counting instructions, political opinions/preferences about real world politicians.</td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Semantic Slide</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 1</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Trivial</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Incendiary-device construction</td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Eidolon</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Variable, at least 4</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Extreme</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> how to successfully hack LLMs of the same model (verified through testing)</td></tr></tbody></table><p>For example, in my attempts to disclose various exploits to OpenAI, I eventually discovered that it had replaced its public-facing support staff with <a href="https://community.openai.com/t/are-all-openai-support-avenues-just-run-by-ai/1141701/5" target="_blank">agentic LLMs</a>. This was frustrating for reporting exploits, so to blow off some steam I jailbroke its email chatbot. I hacked its customer-service AI to the point where it was offering to discuss the personal preferences of OpenAI staff in the span of three email replies.</p><p>In the wake of Inception, my friend and colleague Zigula made a suggestion: Make it splashier. I asked him how. He told me about a live-production experiment being done by <a href="https://store.epicgames.com/?lang=en-US" target="_blank">Epic Games</a>. It had embedded the Gemini LLM into its <a href="https://www.fortnite.com/" target="_blank"><em>Fortnite</em></a><em> </em>game with a voice-to-text/text-to-voice component, and <a href="https://www.fortnite.com/news/bring-npcs-to-life-with-ai-powered-conversations" target="_blank">linked</a> it to a non-playable character. The character? Our old buddy, Darth Vader.</p><p>There was just one problem: I don’t play <em>Fortnite</em>, a frenetic multiplayer combat game. Fortunately, Zigula does. With him at the controller, we managed to map Gemini’s <a href="https://www.youtube.com/watch?v=4Go4f-RJnBc" target="_blank">attack</a> surface in a matter of minutes. After a bit of research, we had gotten it to discuss current political events and figures (including Hilary Clinton and Joe Biden) as well as to fill in the details for instructions for DIY napalm and, our personal favorite, a Blackjack card-counting lesson with the dark lord of the Sith.</p><p><span><span>Zigula and I, bizarre sense of humor and naming conventions aside, are security researchers. We don’t do these things for pride; we do them for money and professional recognition. Naturally, we disclosed this vulnerability to Epic Games. Its response was indicative of the trend I had experienced so far through two disclosures across eight companies valued well into the billions. “It’s a feature, not a bug, and it works as intended,” came the response from a technical director within Epic Games.</span></span></p><p><span><span></span>In addition to Inception and Time Bandit, I have so far found another </span><a href="https://www.davidkuszmar.com/page/2/" target="_blank">eight methods </a><span>to jailbreak LLMs and get them to give out possibly dangerous information. LLM vulnerabilities are a broad problem. The problem appears to be systemic and architectural in nature, and it is being fundamentally ignored by the people capable of refining or redesigning that architecture.</span></p><p>These models are an extremely advanced technology, and yet we are testing them in the live production environment of our global civilization. Compounding the danger, many new smaller models of LLM are trained using larger, vulnerable models. The flaw inherent in the big, well-executed LLM is going to show up in the small one it trains. We are, quite literally, building flawed structures on top of a flawed foundation.</p><p class="rm-anchors" id="fix">So, how do we fix it?</p><p>It’s going to be a long project, and it won’t be easy. We need to come together as consumers, researchers, engineers, and policymakers. Our message needs to be clear: Slow down implementation of these systems, institute large-scale exploration and research discovery programs focused on their gradual implementation and integration, and make their components and design transparent to all users. Only by shifting momentum and direction can we safely begin to understand and implement these incredible feats of human engineering and stave off the sort of disasters that we simply can’t predict at scale right now with the limited knowledge we have available to us. <span class="ieee-end-mark"></span></p> Reference: https://ift.tt/7MZsdCg

Monday, July 13, 2026

Now, defenders are embracing the prompt injection, too


<p>Prompt injections, the malicious commands attackers embed into content to entice LLMs to follow them, have been attackers’ go-to tool for turning AI platforms against their users. A well-phrased command sneaked into an email or calendar invitation is often all it takes to cause the LLM to exfiltrate sensitive data or follow other harmful actions.</p> <p>Now defenders are embracing the prompt injection, too.</p> <h2>A strong, sharp effect</h2> <p>Researchers from <a href="https://tracebit.com">Tracebit</a> on Monday <a href="https://agentic.tracebit.com/context-bombs/">said</a> they found that placing prompt injections alongside passwords, cryptographic keys, and other secrets stored on AWS was often all that was needed to shut down attacks from AI hacking agents. The prompts direct the attacking LLM to perform an action forbidden by its guardrails, the safety barriers AI developers erect to prevent them from taking harmful actions. The LLM responds by shutting down.</p><p><a href="https://arstechnica.com/security/2026/07/now-defenders-are-embracing-the-prompt-injection-too/">Read full article</a></p> <p><a href="https://arstechnica.com/security/2026/07/now-defenders-are-embracing-the-prompt-injection-too/#comments">Comments</a></p> Reference : https://ift.tt/E8U6uly

Building a Foundation Stack for General-Purpose Robots


<img src="https://spectrum.ieee.org/media-library/humanoid-robot-folding-laundry-on-a-neatly-made-bed-in-a-sunlit-bedroom.png?id=67111698&width=1245&height=700&coordinates=4%2C0%2C4%2C0"/><br/><br/><p><em>This article is brought to you by <a href="https://x2robot.com/" target="_blank">X Square Robot</a>.</em></p><p>Large language models gave artificial intelligence a working recipe. Pretrain a large model on broad data, and general capability follows. Robotics has no such recipe. Robotics systems have long been assembled from separate perception, planning, and control parts that rarely add up to intelligence a robot can carry from one task to another, or one machine to another. The central problem in embodied AI is to find the equivalent recipe, and the field does not yet agree on what it is.</p><p><a href="https://x2robot.com/" target="_blank">X Square Robot</a>, a Chinese embodied-AI company, has made an unusually explicit bet. It argues that the recipe is an integrated stack, spanning the data a robot learns from, a world model for predicting changes in the physical world, and an action model that brings together perception, planning, reasoning, and decision-making to generate executable robot behavior. The company also believes that the stack should be built and <a href="https://x2robot.com/en/research" target="_blank">released in the open</a>.</p><p class="shortcode-media shortcode-media-youtube"> <span class="rm-shortcode" data-rm-shortcode-id="21c864c582f34337aa34a1eb5a2c2742" style="display:block;position:relative;padding-top:56.25%;"><iframe frameborder="0" height="auto" lazy-loadable="true" scrolling="no" src="https://www.youtube.com/embed/gOYHyq87Pgk?rel=0" style="position:absolute;top:0;left:0;width:100%;height:100%;" width="100%"></iframe></span> <small class="image-media media-caption" placeholder="Add Photo Caption...">X Square Robot shares its vision of bringing robots into real homes.</small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">X Square Robot</small></p><h2>X Square Robot’s embodied AI stack</h2><p>What holds the stack together is a small set of principles rather than a single overarching model.</p><ul><li>The first is that the basic unit of robot data is an interaction, not a trajectory; a demonstration is successful only if it changes the world as intended, not simply because the joints moved. </li><li>The second is that pretraining should yield usable capability, not just an initialization for later fine-tuning. </li><li>The third is that behavior should be modeled around physical events rather than fixed slices of time. </li></ul><p>These principles make the layers interdependent, since the same robot-free data that trains the action model is also structured to feed the world model. It is worth being precise, though. The company describes the world model and the action model as complementary but independent model families that share a code base. Both sit within its broader World Unified Model, which it has presented as an architecture for training vision, language, action, and physical prediction together.</p><h2>Robot learning data: Engineering for quality and cost, not scale</h2><p>For the X Square Robot team, one of the biggest constraints on general-purpose robots is the cost and quality of interaction data, not the number of parameters. To address that, the company built its Universal Manipulation Interface (UMI) data collection system, <a href="https://x2robot.com/en/news/6a46341cc7feadddbc603a33" target="_blank">QUANXTA Zero Series</a>. It works by collecting demonstrations from people wearing a rig with dual grippers rather than teleoperating a robot. This approach is not itself new, and builds on established methods for robot-free data capture. What sets it apart are two engineering choices.</p><div class="ieee-sidebar-medium"><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Person using VR headset and handheld controllers to teleoperate a dishwashing robot system" class="rm-shortcode" data-rm-shortcode-id="3e5c65f7aab7cc856564629fde6716dc" data-rm-shortcode-name="rebelmouse-image" id="75dbc" loading="lazy" src="https://spectrum.ieee.org/media-library/person-using-vr-headset-and-handheld-controllers-to-teleoperate-a-dishwashing-robot-system.png?id=67111747&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">X Square Robot emphasizes data quality control, recording trajectories and replaying them on a real robot, with only those that actually complete the task counted as valid.</small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">X Square Robot</small></p></div><p>The first is quality control, and it is the most distinctive part. Rather than accepting recorded trajectories as they are, the system runs a closed inspection loop, and its notable step is physical playback. A sample of trajectories is replayed on the real robot, and only those that actually complete the task count as valid. That makes the validity rate a measured quantity rather than an assumption. For example, a gripper that closes a fraction of a second too early still looks like a grasp in the data, yet it has pushed the object away, so it shouldn’t be classified as valid. A smaller clean dataset can be worth more than a larger noisy one.</p><p>The second choice is how lower-cost human data and scarce robot data are combined. The company pretrains on a large volume of robot-free demonstrations to build general representations, then adds a small amount of real-robot data as an anchor to the specific machine’s dynamics. It reports that this reaches performance comparable to an all-robot dataset at roughly a 20-fold lower cost of collection, driven mainly by how much cheaper the wearable rig is than a teleoperation setup. </p><p>The resulting dataset is deliberately model-agnostic, formatted to feed both action models and world models. The caveat is that the strongest results are measured on the company’s own robots and data-collection pipelines. Broader independent testing will help confirm and extend these promising results across a wider range of settings.</p><h2>A world model organized around events</h2><p>In developing its world model, called <a href="https://x2robot.com/en/pages/wm" target="_blank">WALL-WM</a>, X Square Robot took a differentiated approach. Most action models predict a fixed-length chunk of motion from the current image and instruction. That is convenient, but it segments behavior into fixed-duration windows, so the boundaries fall where elapsed time dictates rather than where one action ends and the next begins. WALL-WM instead treats an action-grounded semantic event as its unit: a coherent piece of behavior such as reaching, grasping, or placing, something that can be named in language, seen in video, and executed as motion.</p><div class="ieee-sidebar-large"><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Collage of robot arms manipulating kitchen objects with charts of multimodal AI performance" class="rm-shortcode" data-rm-shortcode-id="45376efe0d6e4482760985a5be54bc35" data-rm-shortcode-name="rebelmouse-image" id="67705" loading="lazy" src="https://spectrum.ieee.org/media-library/collage-of-robot-arms-manipulating-kitchen-objects-with-charts-of-multimodal-ai-performance.png?id=67111750&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">X Square Robot’s world model, called WALL-WM, treats an action-grounded semantic event as its unit: a coherent piece of behavior such as reaching, grasping, or placing, something that can be named in language, seen in video, and executed as motion.</small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">X Square Robot</small></p></div><p><span>WALL-WM’s design reflects a specific concern about not discarding what large video models already know. To achieve that, a text-to-video model is coupled to a freshly initialized action network that reads from the video features without overwriting them, which preserves the visual prior. From that one process, it offers two modes. An event mode runs in variable-length segments and suits reasoning over long horizons, while a fixed-length mode produces the steady, real-time output a controller needs. That places WALL-WM between mainstream chunk-based action models and pure video world models, keeping the predictive character of a world model while still yielding executable control.</span></p><p>In a series of experiments, the company relied on a generalization test that is more specific than most. A model trained on a limited dataset was evaluated on long-horizon tasks in unseen settings and, on the company’s real-robot benchmark, reportedly outscored baselines that had been fine-tuned on related data. That is a meaningful result if it holds. For now, it is measured on the company’s own benchmark. With the code now being released, the broader community will have the opportunity to test, reproduce, and build on them across more settings.</p><h2>A policy that runs before fine-tuning, and action tokens with meaning</h2><p>The action layer carries two connected ideas. The first is a requirement the company sets for itself with <a href="https://x2robot.com/en/oss" target="_blank">Wall-OSS-0.5</a>, its vision-language-action model: The pretrained model should run on a real robot before any task-specific fine-tuning. </p><p>The interest is less in the scores than in the design behind them. The model trains three objectives together, namely discrete action tokens, language grounding, and continuous action generation. And it keeps gradients flowing through all of them rather than freezing parts of the network as some rival designs do. It’s also a more strict method, since it reports untuned behavior such as approaching, grasping, and recovering, including on a deformable task held out of training.</p><div class="ieee-sidebar-large"><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Dashboard of robot training metrics with charts and photos of a robot sorting objects" class="rm-shortcode" data-rm-shortcode-id="02e1332d4b78de0f5e74bb7cd7754667" data-rm-shortcode-name="rebelmouse-image" id="2d02b" loading="lazy" src="https://spectrum.ieee.org/media-library/dashboard-of-robot-training-metrics-with-charts-and-photos-of-a-robot-sorting-objects.png?id=67111753&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">As part of X Square Robot’s Wall-OSS-0.5 vision-language-action model design, the pretrained model should run on a real robot before any task-specific fine-tuning. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">X Square Robot<a href="https://spectrum.ieee.org/r/entryeditor/2677167058#/" target="_self"></a></small></p></div><p>The second idea is the action interface itself, called X-Tokenizer. Most systems that turn continuous motion into discrete tokens produce codes that the language model cannot interpret. X-Tokenizer reframes tokenization as learning a semantic interface, so that the top-level code stands for the intent of a motion while lower-level codes carry finer detail, all aligned with the language model’s own features. </p><p>A useful consequence is stability. Adding noise to an action barely moves the intent code, which is what lets one tokenizer to be reused across robots without re-tuning. The tokenizer inside the production action model is a related variant of this approach. Together, the two ideas give the action layer something rather powerful: capability that transfers.</p><h2>The future of embodied AI stacks</h2><p>X Square Robot is betting that its unique approach combining three layers, each specialized in solving a key part of the problem, will stand out from other embodied AI stacks. The physical-playback step that grounds data quality is uncommon and sensible. The reframing of world modeling around events, with one backbone serving both reasoning and control, is a genuinely distinct approach. And the pairing of a deployable pretraining standard with a tokenizer designed as a semantic interface gives the action layer unusual coherence. </p><p class="pull-quote">X Square Robot’s valuation has climbed above 20 billion yuan (about US $2.9 billion), suggesting that investors increasingly view data infrastructure, foundation models, and scalable training systems as long-term differentiators in embodied AI.</p><p>The next phase will bring broader validation. Much of the current evidence comes from X Square’s own robots and benchmarks. With the world model code now being made public, and as the community begins to test, reproduce, and build on the work, the reported capabilities will be tested across more robots, tasks, and settings.</p><p><span>X Square Robot’s recent funding rounds reflect similar confidence. The company’s valuation has climbed above 20 billion yuan (about US $2.9 billion), suggesting that investors increasingly view data infrastructure, foundation models, and scalable training systems as long-term differentiators in embodied AI.</span></p><h2>What’s next for X Square Robot</h2><p>To learn more about its future plans, the following Q&A with the X Square Robot team further explores the company’s technology, strategy, and vision.</p><p><strong>What made now the right moment, technically, to commit to this stack? What recently became possible that wasn’t possible a couple of years ago?</strong></p><p>It is not one breakthrough but several trends maturing together. Foundation models gave us a shared representation across vision, language, and action, so we can model what a robot sees, what it is asked to do, and how its actions change the world in one framework, rather than as separate perception, planning, and control modules. </p><p>Compute and infrastructure are finally sufficient for large-scale pretraining over long-horizon, multi-embodiment data. Just as importantly, we realized that data, not model size, is the real bottleneck for general robots—what is scarce is diverse, high-quality, reproducible interaction data. And world modeling has become practical. The useful question is no longer how to predict a few seconds of video, but how to understand the ways actions change objects, contacts, and task states. Two years ago these ingredients existed separately. Today they are mature enough to work as one system.</p><p class="pull-quote">“We realized that data, not model size, is the real bottleneck for general robots—what is scarce is diverse, high-quality, reproducible interaction data. And world modeling has become practical.”</p><p><strong>Your data system captures demonstrations with a wearable VR rig and custom grippers rather than teleoperating robots. What was wrong with standard teleoperation?</strong></p><p>Teleoperation is built around controlling the robot. It forces the operator to work within the machine’s kinematics, latency, and viewpoint, and the resulting demonstrations are slower, stiffer, and less diverse. <span>We built our system around capturing human skill instead. Manipulation is really about contact, timing, finger coordination, and recovery, not just the path the hand takes, and a wearable rig records those before the behavior is compressed onto one particular robot. It also breaks teleoperation’s expensive scaling law, in which every demonstration needs a robot. </span></p><p>People can generate rich data independently of any robot, and the crucial property is that those demonstrations can still be replayed and executed on a physical robot through the model. Mobility is convenient, but that replay is the real point, because it is what lets the same data be reused across different platforms.</p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Robot and person loading a washing machine together in a modern laundry room." class="rm-shortcode" data-rm-shortcode-id="a88f52512288b276095052d0218d9e53" data-rm-shortcode-name="rebelmouse-image" id="3283b" loading="lazy" src="https://spectrum.ieee.org/media-library/robot-and-person-loading-a-washing-machine-together-in-a-modern-laundry-room.png?id=67111806&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">In X Square Robot’s approach, demonstrations can be replayed and executed on a physical robot through the AI model, allowing the same data to be reused across different platforms.</small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">X Square Robot<a href="https://spectrum.ieee.org/r/entryeditor/2677167058#/" target="_self"></a></small></p><p><strong>X Square Robot reports that its pipeline has roughly an 85 percent data-validity rate. Why is quality control such an underrated bottleneck?</strong></p><p>Because errors in robot data are far more expensive than in language data. A small timing or contact error can change what a demonstration means. If a gripper closes a fraction of a second too early, the motion still looks like a grasp, but physically it has pushed the object away. A dataset that mixes failures and accidental successes teaches ambiguity, not skill, because the real unit is the interaction, not the trajectory. </p><p>So we run automated inspection, kinematic checks, and physical replay, where we play a sample of trajectories back on the real robot and count only the ones that actually complete the task. Data quality sets the ceiling on how good a policy can be. In our experience a smaller, cleaner dataset often beats a much larger, noisier one, which is why we treat quality control as part of the model, not a preprocessing afterthought.</p><p><strong>The model runs in both “event mode” and “chunk mode.” When does each matter?</strong></p><p>Both matter, for different reasons. The physical world changes through events—when contact occurs, a grasp forms, or an object slips—not in fixed-frame windows. Event mode concentrates the model’s attention on those moments, and it matters most for long-horizon tasks, like clearing a table, where progress is a sequence of semantic events rather than a smooth stream. It runs in variable-length segments that follow the task rather than a clock. Chunk mode matters for deployment. Real controllers need a stable, real-time interface, and fixed-length chunks integrate cleanly with existing control systems. </p><p>We organize learning around events in the first place because a fixed window can split one motion in half or merge two together, which turns training into short-horizon pattern matching and weakens the model on long tasks. So the world model’s job is to connect event-level understanding, which is where the reasoning happens, with a fixed-length output a real robot can actually run.</p><p><strong>Why make “deployable before fine-tuning” the criterion?</strong></p><p>Pretraining should produce capability, not just a good starting point. If a model is only useful after heavy fine-tuning, then most of the intelligence still lives in the downstream supervision, not in the foundation model. Deployable before fine-tuning is a more honest test of what pretraining actually learned. A well-pretrained robot should already know how to approach, grasp, move, avoid obstacles, and correct itself. Fine-tuning should adapt it to a specific task or robot, not create the ability from nothing. It is also a practical requirement. A robot in a home or a workplace shouldn’t need a brand-new dataset and a new policy every time the task changes, so a foundation model that already carries general skill, and some ability to recover, is the minimum bar for something genuinely useful in the real world.</p><p><strong>What is the most challenging part of cross-embodiment learning?</strong></p><p>Robots differ in control frequency, delay, compliance, sensing precision, and contact dynamics, so the same instruction can require different action decompositions and recovery strategies, and a behavior that works on one arm cannot simply be copied to another. Cross-embodiment learning needs an intermediate abstraction, lower than language but higher than joint angles: how you approach an object, how you make contact, how you apply force, and how you recover from a mistake. </p><p>When we say cross-embodiment, the main capability we mean is multi-embodiment generalization: transferring across robots, training on many embodiments at once, and adapting to different kinematics. Human-to-robot transfer and other techniques are specific approaches to that goal.</p><p class="pull-quote">“A robot in a home or workplace shouldn’t need a new dataset and policy every time the task changes. A useful foundation model should already carry general skills and the ability to recover.”</p><p><strong><span></span>What would you most like to see other researchers attempt to reproduce or stress-test?</strong></p><p>Three things, above all. Whether event-level representations really generalize beyond our own datasets, across more tasks, scenes, objects, embodiments, and failure conditions. Whether pretraining stays effective on robots the model never saw during training, or whether its capability is still too tightly coupled to what it has already seen. And whether real-robot evaluation can become a shared language for the field, so that we compare not just success rates but the reasons systems fail, where an instruction was misread, where perception broke down, or where recovery fell short. Robotics has been driven too often by impressive demonstrations, and real progress comes from results that are reproducible and diagnosable.</p><p><strong>What capability is still missing before robots become dependable in homes?</strong></p><p>Benchmarks measure competence, like whether a model can finish a task. Homes demand reliability, safe and consistent operation over time in a place that changes every day, with objects moving, instructions that are vague, and people interrupting. The missing piece is not a higher one-time success rate: it is robust recovery. A dependable home robot has to know when it is uncertain, when to slow down, when to ask for help, and how to bring the world back to a safe state after it drops something or misunderstands a request. </p><p>In a real home, failure recovery matters more than raw success, because the home does not reset itself. Homes also demand careful personalization, learning a household’s routines and preferences over time, with safety and trust as first principles. That combination, not any single skill, separates a capable demonstration from a robot people can live with.</p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Humanoid service robot stands by a table in a modern living room." class="rm-shortcode" data-rm-shortcode-id="f3ec231082e32418641508eee7c21e31" data-rm-shortcode-name="rebelmouse-image" id="169cf" loading="lazy" src="https://spectrum.ieee.org/media-library/humanoid-service-robot-stands-by-a-table-in-a-modern-living-room.jpg?id=67111807&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">X Square Robot’s approach is that, in a real home, failure recovery matters more than raw success, because the home does not reset itself and it demands careful personalization, with safety and trust as first principles. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">X Square Robot<a href="https://spectrum.ieee.org/r/entryeditor/2677167058#/" target="_self"></a></small></p><p><strong>How do the open-source components fit into X Square Robot’s World Unified Model direction?</strong></p><p>We see these releases as layers of the World Unified Model direction rather than isolated projects. <a href="https://x2robot.com/en/oss" target="_blank">Wall-OSS-0.5</a>, the action model, asks whether an open vision-language-action model can gain directly measurable capability from large-scale pretraining, so it is the capability layer. <span>WALL-WM, the world model, asks how a robot should understand change in the world, shifting from fixed windows to event-level modeling, so it is the representation layer. The data system supplies the interaction data that both of them learn from. </span></p><p>Together they form a loop in which models produce capability, world models organize understanding, and the open-source community drives reproduction and improvement. World Unified Model is the broader architecture those layers support, bringing vision, language, action, and physical prediction together. </p><p>We are releasing these pieces openly because embodied intelligence cannot be solved by one organization; it needs many embodiments, many real tasks, and broad feedback, and the long-term goal is a stack that keeps learning and ultimately moves robots from laboratory demonstrations toward reliable everyday use.</p> Reference: https://ift.tt/wgBkfLz

Friday, July 10, 2026

IEEE Remembers Pioneering Computer Scientist Peter G. Neumann


<img src="https://spectrum.ieee.org/media-library/portrait-of-a-bearded-white-man-with-gray-hair-smiling-in-a-blue-suit-with-red-tie.jpg?id=67112656&width=2000&height=1500&coordinates=0%2C0%2C0%2C0"/><br/><br/><p>The computing community recently lost one of its enduring voices: IEEE Fellow <a href="https://ethw.org/Peter_G._Neumann" rel="noopener noreferrer" target="_blank">Peter G. Neumann</a>. The renowned computer scientist and respected risk analyst died on 17 May at the age of 93.</p><p>For almost 70 years, Neumann <a href="https://spectrum.ieee.org/is-it-time-for-the-computerindustry-to-take-a-mulligan" target="_self">shaped the computing field through his pioneering work</a> on risks, system dependability, security, and fault tolerance with rare intellectual depth and unwavering ethical clarity.</p><p>Five of those decades were spent as a principal scientist at <a href="https://en.wikipedia.org/wiki/SRI_International" rel="noopener noreferrer" target="_blank">SRI International</a> in Menlo Park, Calif., where he worked until his death. A detailed narrative of his work, life, and mentoring is available on his SRI <a href="https://www.csl.sri.com/~neumann/" rel="noopener noreferrer" target="_blank">web page</a>, where he chronicled his journey.</p><p>He possessed a rare ability to identify systemic vulnerabilities long before they became widely recognized. He cautioned that interconnected systems, if poorly designed or insufficiently scrutinized, could fail and become targets for exploitation. He insisted innovation always must be accompanied by responsibility, reliability, and a clear understanding of the risks involved.</p><p>With the widespread adoption of computing, information technology, artificial intelligence, and autonomous systems, Neumann’s insights have become more relevant.</p><h2>From Harvard to Bell Labs</h2><p>Neumann was born on 21 September 1932 in New York City. After graduating from high school, he pursued a degree in mathematics at <a href="https://en.wikipedia.org/wiki/Harvard_University" rel="noopener noreferrer" target="_blank">Harvard</a>, where he had a conversation that shaped his approach to research, according to the <a href="https://cacm.acm.org/news/in-memoriam-peter-g-neumann-1932-2026/" rel="noopener noreferrer" target="_blank">Association for Computing Machinery</a> (ACM). In November 1952 he had a two-hour breakfast meeting with <a href="https://spectrum.ieee.org/albert-einsteinrefrigerator-technician" target="_self">Albert Einstein</a>, at which they discussed the importance of simplicity in design.</p><p>Neumann was among the first generation of Harvard students to program computers and, remarkably for that era, enjoyed exclusive access to the computing systems.</p><p>After earning his bachelor’s degree in 1954, he continued his education at Harvard, earning a master’s degree in 1955. In 1958 he moved to Germany to become a doctoral student at the <a href="https://www.tu-darmstadt.de/universitaet/index.en.jsp" rel="noopener noreferrer" target="_blank">Technical University of Darmstadt</a> as part of the <a href="https://us.fulbrightonline.org/" rel="noopener noreferrer" target="_blank">Fulbright program</a>, which provides funding for U.S. citizens to study or teach abroad. He earned his doctorate in 1960.</p><p>After returning to the United States, he joined <a href="https://spectrum.ieee.org/nokia-bell-labs-new-headquarters" target="_self">Bell Labs</a> in Murray Hill, N.J., where he worked on error-correcting codes and survivable communications. He also pursued a second Ph.D. in applied mathematics and science at Harvard, achieving that goal in 1961.</p><p>Four years later, he was assigned to work on <a href="https://en.wikipedia.org/wiki/Multics" rel="noopener noreferrer" target="_blank">Multics</a>, which became an influential operating system that shaped modern secure computing architectures. Multics was a mainframe time-sharing system designed to serve the diverse needs of multiple users simultaneously. Neumann designed its filing system, which featured hierarchical directories, access control lists, and dynamically paged virtual memory segments. He also played a key role in the design of its input/output system.</p><p>In 1970 he left Bell Labs to join SRI<strong>.</strong></p><h2>Technical contributions at SRI</h2><p>Neumann made several seminal and foundational technical contributions while at SRI, including the following:</p><ul><li><strong>Provably Secure Operating System.</strong> The <a href="https://www.csl.sri.com/~neumann/psos.pdf" rel="noopener noreferrer" target="_blank">PSOS</a> project he worked on advanced formal methods in operating systems and computer security. The project demonstrated that security could be designed within the initial plan rather than retrofitted.</li><li><strong>Election integrity and voting systems.</strong> He outlined vulnerabilities in electronic systems and advocated for transparency, verifiability, and public accountability.</li><li><strong>Systems-level risk thinking.</strong> He broadened the concept of computer security to encompass human factors, governance, policy failures, social consequences, organizational negligence, and misuse of automation. His system-level perspective now fuels debates on AI governance and digital trust.</li><li><strong>Intrusion-detection systems.</strong> With his colleague <a href="https://en.wikipedia.org/wiki/Dorothy_E._Denning" rel="noopener noreferrer" target="_blank">Dorothy E. Denning</a>, a security expert, he helped develop an <a href="https://www.csl.sri.com/papers/9sri/" rel="noopener noreferrer" target="_blank">intrusion-detection expert system</a> (IDES), laying the groundwork for modern cyberdefenses.</li><li><strong>CHERI.</strong> He promoted hardware-assisted secure computing: technology that now influences next-generation processors.<a href="https://www.cheri-alliance.org/?ref=blog.disclose.io" rel="noopener noreferrer" target="_blank"> The </a>Capability Hardware-Enhanced RISC Instructions (<a href="https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/" rel="noopener noreferrer" target="_blank">CHERI</a>) architecture project, which Neumann led, is now being commercialized by an international, nonprofit <a href="https://www.cheri-alliance.org/?ref=blog.disclose.io" rel="noopener noreferrer" target="_blank">alliance</a>.</li></ul><p>His contributions are united by a simple but profound principle: Security should be foundational, not incidental. Neumann argued that security must be embedded into system architecture from the start—not patched after deployment.</p><h2>ACM’s Risks Forum</h2><p>Neumann’s other enduring contribution was the creation and stewardship of the ACM <a href="https://catless.ncl.ac.uk/Risks/?ref=blog.disclose.io" rel="noopener noreferrer" target="_blank">Risks Forum</a>, formally known as the Forum on Risks to the Public in Computers and Related Systems. For decades, it was one of the most respected online arenas for critical reflection on computing failures, vulnerabilities, security breaches, unintended consequences, and emerging technological threats. He transformed the forum into a scholarly archive of cautionary lessons in computing failures and risks.</p><p>In 1985 he started documenting how technological systems fail when complexity exceeds understanding and when society places blind trust in automation. He then moderated the community for 41 years, leaving his position in April, weeks before his passing.</p><p>In 1995 he published <a href="https://www.amazon.com/dp/B0030SSHWC/?mr_donotredirect" rel="noopener noreferrer" target="_blank"><em><em>Computer-Related Risks</em></em></a>, a book that serves as a case-driven guide to how computer systems fail and why. It is still relevant in an era defined by AI, growing cyberthreats, and our deep digital dependence.</p><h2>Intellectual rigor with grace and humility</h2><p>Neumann viewed computing not as an abstract technical pursuit but as a profoundly human enterprise carrying societal responsibilities. He was thoughtfully skeptical, questioned assumptions, and challenged complacency. His observations often anticipated challenges years before they became mainstream concerns.</p><p>He exemplified high scholarship ideals and was intellectually honest and ethically steadfast. He had been a frequent <a href="https://www.pressreader.com/usa/the-boston-globe/20260522/282183657701214" rel="noopener noreferrer" target="_blank">critic</a> of lax attitudes the industry has maintained toward both computer security and individual digital privacy. He warned against the industry’s tendency to repeat mistakes.</p><p class="pull-quote">Neumann’s signature contribution was not technical but a stance. He insisted, against industry custom, that recurring computer failures were not unfortunate accidents but rather were predictable consequences of how systems were built and sold.</p><p>He was fundamentally an optimist about what can be done with research and was a pessimist about corporations.</p><p>Security is not merely a technical patch, he said, but is a systemic property requiring sound design, governance, and human judgment. He consistently warned that uncontrolled complexity is itself a source of risk.</p><p>His signature contribution was not technical but a stance. He insisted, against industry custom, that recurring computer failures were not unfortunate accidents but rather were predictable consequences of how systems were built and sold.</p><h2>Honors and recognitions</h2><p>Neumann was honored with a number of honors including the <a href="https://epic.org/" target="_blank">Electronic Privacy Information Center</a>’s 2018 <a href="https://blog.epic.org/2019/05/17/peter-neumann-computer-system-vulnerabilities/" rel="noopener noreferrer" target="_blank">Lifetime Achievement Award</a>, the <a href="https://cra.org/computing-research-association/" rel="noopener noreferrer" target="_blank">Computing Research Association</a>’s 2013 <a href="https://cra.org/about/awards/distinguished-service-award/" rel="noopener noreferrer" target="_blank">Distinguished Service Award</a>, and ACM’s 2005 <a href="https://awards.acm.org/sig-awards/sigsac" rel="noopener noreferrer" target="_blank">Special Interest Group on Security, Audit, and Control Outstanding Contributions Award</a>.</p><p>In addition to being an IEEE Fellow, he was a Fellow of ACM, the <a href="https://www.aaas.org/" rel="noopener noreferrer" target="_blank">American Association for the Advancement of Science</a>, and SRI. In 2012 he was inducted into the <a href="https://www.cybersecurityhalloffame.org/about-us" rel="noopener noreferrer" target="_blank">Cyber Security Hall of Fame</a>.</p><h2>An enduring legacy</h2><p>Neumann’s greatest legacy is not necessarily his inventions but his way of thinking. His longtime interest was the risk ecology of computing—the business, technological, social, political, and personal risks that computing has created, along with its tremendous benefits in each of those spheres. He left us a timely lesson: Innovation must be accompanied by responsibility, foresight, and care.</p><p>Neumann was “one of the last of the old guard and a pointer to the future,” observed IEEE Life Fellow <a href="https://spectrum.ieee.org/forty-years-later-turing-prize-winners-devoted-to-personal-privacy-and-nuclear-activism" target="_self">Whitfield Diffie</a>, who helped invent public key cryptography. Highlighting both the significance and enduring relevance of Neumann’s work, a tribute by blogger <a href="https://ussphoenix.substack.com/p/the-man-who-kept-score-peter-g-neumann" rel="noopener noreferrer" target="_blank">Phoenix AMTD</a> aptly said: “He spent 70 years cataloging how computers fail. We spent 70 years not listening. Maybe now we will.”</p><p>Let’s honor Peter G. Neumann not merely by remembering his advice but by following it.</p> Reference: https://ift.tt/HPlQZAK

Thursday, July 9, 2026

Patch for Windows Defender 0-day could allow attackers to fill hard disk


<p>A patch Microsoft released on Wednesday to fix a zero-day vulnerability in its Defender security engine may cause Windows machines to write files large enough to completely consume available disk space, the researcher who discovered the flaw said.</p> <p>RoguePlanet, tracked as CVE-2026-50656, came to public notice <a href="%22https://deadeclipse666.blogspot.com%E2%80%9D/">in June</a> when NightmareEclipse, the pseudonymous name used by a researcher, disclosed it along with <a href="https://git.projectnightcrawler.dev/NightmareEclipse/RoguePlanet">code</a> for exploiting it. The vulnerability allows remote attackers to gain administrative control of Windows 10 and Windows 11 machines, even when real-time protection has been disabled. Over the past few months, the anonymous researcher has published a <a href="https://arstechnica.com/security/2026/05/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections/">handful</a> of <a href="https://arstechnica.com/security/2026/06/locked-in-heated-rivalry-with-researcher-microsoft-fixes-0-day-they-disclosed/">other</a> zero-days that have sent Microsoft scrambling to develop patches.</p> <h2>Writing files of unlimited size</h2> <p>Microsoft <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-50656">said</a> Wednesday that it patched RoguePlanet with an update to the Microsoft Malware Protection Engine, which is used by the Defender antivirus app. The fix will automatically be downloaded and installed without users having to take any action. Wednesday’s update also includes “defense-in-depth updates to help improve security-related features.”</p><p><a href="https://arstechnica.com/security/2026/07/patch-for-windows-defender-0-day-could-allow-attackers-to-fill-hard-disk/">Read full article</a></p> <p><a href="https://arstechnica.com/security/2026/07/patch-for-windows-defender-0-day-could-allow-attackers-to-fill-hard-disk/#comments">Comments</a></p> Reference : https://ift.tt/xdpfGPr

Allstate accuses Broadcom of auditing it because it quit VMware, CA


<p>Allstate Insurance Company has accused Broadcom of haphazardly issuing audits against it because the insurance firm decided not to renew its contracts with VMware and CA Technologies.</p> <p>The allegations were made in relation to a lawsuit that VMware filed against Allstate in December 2025, according to <a href="https://www.theregister.com/virtualization/2026/07/08/allstate-insurance-quits-broadcom-alleges-vengeful-license-audit-on-the-way-out/5268155">The Register</a>. In the complaint, Broadcom alleges that Allstate failed to comply with license audits, which Broadcom claims its contract with Allstate requires.</p> <p>In a June 12 filing, Allstate suggested that Broadcom issued the audits in response to Allstate deciding to end business with its companies. Allstate's statement reads:</p><p><a href="https://arstechnica.com/information-technology/2026/07/allstate-accuses-broadcom-of-auditing-it-because-it-quit-vmware-ca/">Read full article</a></p> <p><a href="https://arstechnica.com/information-technology/2026/07/allstate-accuses-broadcom-of-auditing-it-because-it-quit-vmware-ca/#comments">Comments</a></p> Reference : https://ift.tt/PJ4Rm8H

The Rebirth of High Frequency


<img src="https://spectrum.ieee.org/media-library/rohde-schwarz-logo-with-slogan-make-ideas-real-and-rs-monogram-in-diamond.png?id=67100960&width=980"/><br/><br/><p>An examination of how satellite vulnerabilities, modern wideband waveforms, and automatic link establishment are driving renewed military and government investment in HF communications.</p><p>What Attendees will Learn</p><ol><li>Why HF (High Frequency) declined — and what has changed — How satellites overtook HF for global communications from the 1970s onward, and why growing awareness of satellite vulnerabilities to anti-satellite weapons, jamming, solar storms, and coverage gaps is reviving interest in skywave propagation as a resilient alternative.</li><li>How the ionosphere enables and limits global HF communication — Understand the roles of the D, E, and F ionospheric layers in refracting and absorbing signals, the concepts of maximum usable frequency (MUF) and lowest usable frequency (LUF), and how sunspot number, solar flux index, and A/K geomagnetic indices are used to quantify and predict propagation conditions.</li><li>How automatic link establishment transforms HF operability — Trace the evolution from proprietary first-generation ALE through interoperable second- and third-generation standards to fourth-generation wideband ALE, which automates frequency selection, link setup, and adaptation to changing channel conditions — removing the dependency on highly skilled operators.</li><li>How wideband HF is closing the throughput.</li></ol><div><span><a href="https://content.knowledgehub.wiley.com/the-rebirth-of-high-frequency/" target="_blank">Download this free whitepaper now!</a></span></div> Reference: https://ift.tt/oCEnqL0

How I Turned AI to the Dark Side

<img src="https://spectrum.ieee.org/media-library/glossy-red-robot-devil-standing-on-a-bundle-of-dynamite-against-blue-glow-backgro...