In this week’s episode, #134: deep fakes aren’t just a problem for celebrities. They risk undermining a range of voice and image based authentication technologies. Vijay Balasubramaniyan of Pindrop joins us to talk about it. And, in our second segment, Sam Bisbee the CSO of the firm ThreatStack joins us to talk about last month’s hack of the PEAR open source package manager and why data deserialization attacks are a growing threat to projects that use open source components.
The Deep Fake Threat to Authentication
The world has adapted itself – albeit unhappily- to a U.S President accustomed to making outrageous or factually inaccurate statements. But what if even the most temperate and measured leader could be made to say outrageous and inflammatory things? How destabilizing might that be to societies and economies? That’s the risk posed by so-called “deep fake” audio and video, which use advancements in deep learning – a kind of artificial intelligence – to seamlessly manipulate both audio and video content, producing real-seeming forgeries.
Thus far, deep fakes have been the fodder of celebrity pornography sites and academic conference demonstrations. But experts like our first guest, Vijay Balasubramaniyan of the firm PinDrop, say that deep fakes are almost certain to become more common and pose risks not just to social stability, but also to a wide variety of image and voice based authentication technologies.
In our first segment, Vijay and I talk about the evolution of deep fakes and the risk posed by convincing audio counterfeits.
Data Deserialization and Open Source Risk
In January, the maintainers at the PEAR took down their official website (pear-php.net) after they found that someone has replaced the original PHP PEAR package manager (go-pear.phar) with a modified and malicious version in the core PEAR file system.
PEAR developers suspected that the website had been serving the installation file contaminated with the malicious code to download for at least half a year. But how did the attack happen? One theory: that attackers used a so-called “data deserialization” attack.
In our second segment, we’re joined by Sam Bisbee of the firm Threatstack to talk about the PEAR compromise and why data deserialization attacks are a growing threat to development organizations.
In our conversation, Bisbee notes that data deserialization and similar attacks rely on the fact that developers in fast moving environments take for granted the integrity of tools like the PEAR package managers.
“Developers aren’t typically going in and opening up and trying to understand how their package manager works or what third party dependencies are that they’re pulling in because they want to just use them and not have to think about it too deeply,” Bisbee told me.
Check out our full conversation in the latest podcast.