AirTag! You're it!
In this episode, we talk about Apple’s AirTag security concerns, a US oil pipeline cyber attack and shutdown, and a shortage of semiconductors. Then we chat with Sanghyun Hong and Yigitcan Kaya, PhD students in computer science at the University of Maryland, College Park, and co-authors of a research paper about how hackers could make AI networks consume much more energy than they already do.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Sanghyun's research interests lie at the intersection of computer security and machine learning. His current research focus is studying the computational properties of DNNs from a systems security perspective. He was an invited speaker at USENIX Enigma '21, where he talked about practical hardware attacks on deep learning. He is also a recipient of the Ann G. Wylie Dissertation Fellowship.
Yigitcan Kaya is a fourth-year PhD student at the University of Maryland. His research focuses on the security risks and vulnerabilities of deep learning models, such as their sensitivity to malicious inputs or their tendency to memorize and leak private information. In the past, inspired by neuroscience, he identified the overthinking problem in neural networks and proposed a generic solution to it.
[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:22] SY: This week, we’re talking about Apple’s AirTag security concerns, a US oil pipeline cyber-attack and shut down, and a shortage of semiconductors.
[00:00:31] JP: Then we chat with Sanghyun Hong and Yigitcan Kaya, PhD students in computer science at the University of Maryland, College Park, and co-authors of a research paper about how hackers could make AI networks consume much more energy than they already do.
[00:00:44] SH: If the attacker actually perturbs the input samples, then it may cause damage to a system by turning simple samples into complex samples and increasing the computation cost.
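The attack Sanghyun is describing targets adaptive, multi-exit networks, which save compute by stopping at an early exit once a prediction looks confident enough; perturbing an input so it never looks confident forces the full, expensive forward pass. A minimal toy sketch of that idea, where the stage costs, threshold, and confidence function are all hypothetical stand-ins rather than anything from the paper:

```python
import math

# Toy "multi-exit" classifier: a cascade of stages, each more expensive
# than the last. Inference stops at the first stage whose confidence
# clears the threshold, saving the cost of the remaining stages.
STAGE_COST = [1, 4, 16]   # hypothetical compute units per stage
THRESHOLD = 0.9

def stage_confidence(x, stage):
    # Stand-in for a real network's softmax confidence at a given exit.
    return 1.0 / (1.0 + math.exp(-(x - stage)))

def infer(x):
    total_cost = 0
    last = len(STAGE_COST) - 1
    for stage in range(len(STAGE_COST)):
        total_cost += STAGE_COST[stage]
        if stage_confidence(x, stage) >= THRESHOLD or stage == last:
            return stage, total_cost

# A "simple" input exits early and cheaply; an adversarially
# perturbed input stays below the threshold and pays full price.
easy_exit, easy_cost = infer(5)       # exits at stage 0, cost 1
hard_exit, hard_cost = infer(-1)      # runs all stages, cost 21
```

In this sketch the perturbed input costs 21 compute units versus 1 for the clean one, which is the slowdown effect the interview discusses: the model still produces an answer, it just burns far more energy doing so.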
[00:00:55] SY: So Apple released their Apple AirTag tracking devices about a week ago, and people are already raising security concerns. These AirTags allow you to pair them with your iPhone and then clip them onto things like your keys to be able to keep track of them. But in a really interesting piece in the Washington Post titled, “Apple’s AirTag trackers made it frighteningly easy to ‘stalk’ me in a test,” author Geoffrey A. Fowler talks about his experience with some of the anti-stalking features. Now the AirTags have some messaging and auditory alarm features built in to alert people when unwanted tracking might be happening. But Fowler talks about how these features aren’t enough. Especially the auditory alarm that goes off when a suspicious AirTag pops up on an iPhone, which he describes as an easily muffled 15 seconds of light chirping that only starts after three days. The text notification feature is more effective and tells you that an AirTag has been following you and even provides a map of the places it’s tracked, which is pretty useful. But other than that, it doesn’t help you find where that AirTag might be located. An even bigger issue, however, is that Android users don’t have any of these warnings against potential unwanted tracking. There was also another piece in The 8-Bit about a security researcher who was able to hack into an AirTag by reverse engineering its microcontroller. With this jailbroken AirTag, the hacker, who goes by the name of Stacksmashing, could modify software in the AirTag, such as popping up a URL of their choosing within an AirTag notification. We’ll include both of these articles in our show notes. So Josh, I know you’re a big Apple fan. Before we get into the security concerns, I’m just curious about your take on AirTags in general. Do you have them? Do you like them? What’s the deal?
[00:02:44] JP: I think like most Apple fans, I’m just glad they’re out. Some background, these devices have been rumored forever.
[00:02:52] SY: A long time.
[00:02:52] JP: Yeah, a long time. There’s been hints about a product called AirTag in the source code and the strings that are in macOS and iOS for a very long time, someone actually kind of like peeled up the stickers on the AirTag box and looked at some of the copyright dates in the included information and found a copyright date of 2019.
[00:03:10] SY: Oh, wow!
[00:03:10] JP: So these things were supposed to ship a long time ago and everyone pretty much suspects that when the pandemic hit and we all started staying at home, Apple decided now wasn’t the best time to launch a find-your-things kind of product, and that leads it to like my take on them. Just personally, I haven’t purchased any of them because I…
[00:03:30] SY: Really?
[00:03:31] JP: Yeah, shocking.
[00:03:33] SY: Very surprising.
[00:03:34] JP: I'm not a lose things kind of person. I’m like very fastidious about this.
[00:03:37] SY: So basically, you have your life together. That’s what you're saying.
[00:03:40] JP: Yeah. Basically, I’m like Type A when it comes to like all my possessions. There’s a place for everything. I don’t tend to lose things a lot and I’m not leaving my house a whole lot, even post-vaccines on the rise here in the US. I don’t know what I would put them on. So I haven’t bought any.
[00:03:57] SY: That is incredible. So I have an Apple device that you don’t have. Very interesting.
[00:04:00] JP: Do you have one?
[00:04:02] SY: I have five of them.
[00:04:03] JP: What? Whoa! Five?
[00:04:04] SY: I totally have five of them. Yes.
[00:04:07] JP: What have you put them on? This is shocking.
[00:04:09] SY: Everything.
[00:04:10] JP: Everything.
[00:04:11] SY: Well, okay. So it’s five between me and my husband. So Rob has two. One for his keys. One for his wallet. I have three. I have one for my keys, one for my wallet, and one for my AirPods, because I’m constantly losing my AirPods. Constantly.
[00:04:25] JP: Okay. So I have questions. Because my husband is also a notorious AirPod loser.
[00:04:31] SY: Oh my God! It’s ridiculous.
[00:04:32] JP: How did you attach them? Because I know that’s been a criticism. It’s like they’re hard to attach to things.
[00:04:37] SY: You can get a case. You can get a separate third-party case, a little brown leather one, which is pretty good, and it has a little hook, a little chain thing to it. And so I just added the AirTag and now I have a cute case with tracking.
[00:04:54] JP: Okay. Well, that’s going to be a gift for someone I know. Yes. Fantastic.
[00:04:57] SY: Can I tell you what my husband did the other day?
[00:04:59] JP: What? Did he hide your stuff? Was this a task? This sounds like a thing that would happen.
[00:05:02] SY: This is what he did. We are walking in the park. Rob goes, “Let’s find the AirTag.” And I’m like, “Come on, man. We’re having a walk. What is this?” And he’s like, “I want you to try and find. We’re going to test it out. We’re going to test the AirTag. See if you can find it.”
[00:05:17] JP: Well, this is great. So you did like what the reporter did kind of?
[00:05:20] SY: Yeah, sort of. And I don’t want to play this game. Right? And so we’re using the phone and I’m like trying to track this thing and it does a good enough job, but not as good of a job as I wanted it to do, to be honest. And we tracked it and he threw it in the frigging bushes.
[00:05:38] JP: Did he just chuck it there?
[00:05:39] SY: He chucked it in the frigging bushes. I was so angry. It wasn’t fun bushes. There were bugs in it and stuff. And I was like, “I’m not reaching my hand and like shuffling through bush leaves so that we can find it.” I was like, “I’m not doing it.” I was like, “You did this. You find the frigging AirTag.”
[00:05:57] JP: Yeah. It sounds like he was confused that like the phone would actually somehow like magnetically hover the tag back to you.
[00:06:03] SY: Exactly. It just pointed to the general bush area. It’s not going to tell you directly which branch it’s on. So anyways, I was very unhappy with our test, but we did. He ended up finding the AirTag. I stood next to it, very annoyed.
[00:06:19] JP: I think this is really interesting. Was it kind of like a metal detector? Are you sweeping your phone back and forth, looking for the tag?
[00:06:25] SY: That’s the thing. It’s not that good. So basically the way it works is you put the AirTag somewhere, you lose it. Right? You put it somewhere ahead of you. So the way it’s supposed to work is you have the Find My app on your phone, and then it’s supposed to say to you, “It’s 10 feet away. It’s 12 feet away. It’s 2 feet away.” The closer you get to it, it kind of counts down. And it has these arrows that point you in the right direction where the thing is. But the problem is that it only connects… we haven’t figured out the exact number, but it only connects when you’re kind of relatively close to it to begin with.
[00:07:02] JP: Interesting.
[00:07:03] SY: So you might have the general address, but if you want to find out what room it’s in, you kind of have to like blindly walk around a little bit before it connects and then it says, “Okay, now you’re 10 feet away. Now you're 6 feet.” So the connection part, you got to be relatively close to it already, which I found to be pretty disappointing.
[00:07:24] JP: Interesting. So that’s for like an inanimate object.
[00:07:27] SY: Right.
[00:07:28] JP: Let’s talk about the security features. Do you feel like this could be used to track you?
[00:07:34] SY: I mean, that was something that frankly I never considered, and this article wasn’t the first one I’d seen. There was another article that mentioned it as well. And that was the first time I thought, “Oh, yeah, I guess you could attach it to a person.” That’s definitely not something I thought about. But I guess what’s interesting is when I first read the headline, I was very shocked and appalled, and then I read a little bit more into it and there were two things that stuck out to me. One is that Tile, which is probably the biggest competitor to AirTag, has been around for a while. And I guess I just kind of forgot that there are other tracking devices out there too. So that’s kind of one thing. Just in terms of context and perspective, this isn’t the only one. There are other ways. And then two, the other thing that came through is that Apple, it seemed like they did think about it. I guess we can argue, and this is the conversation, if they thought enough about it, but they did take some precautions, which is something Tile certainly doesn’t do. And I don’t know how well other object-tracking devices take it into consideration. But I thought that if the device is following you, you get a chirp notification. I thought that was a good start. You get a notification on your phone. I thought, again, that was a good start. So it feels like they did think about it. The article and Geoffrey, the author, argue that they didn’t do enough and they need to do more. But I mean, they’re doing better than Tile. I guess that’s something.
[00:09:01] JP: I think like the argument you could make though, is that, like, I actually found a set of keys in the stairwell of our apartment building with a Tile tracker on it last year. And I was like really excited, like, “Oh my gosh! I found this. I found one in the wild! Amazing!” But I had to go like download the Tile app and then like wave it near there and then it sent a notification to someone like, “Hey, I’ve got your keys.” I had to actually like recognize it as a Tile tracker, I had to pick it up. I had to like do that. If I was just walking by, unless I happened to have the Tile app installed, which I probably wouldn’t do unless I had a Tile tracker of my own, my phone wouldn’t have picked it up. And with these AirTags, you don’t have to do anything on an iPhone other than have a fairly recent version of iOS installed to automatically have it start reporting positions of AirTags. So I think right there, there’s a more…
[00:09:54] SY: It’s more effective frankly.
[00:09:55] JP: Yeah.
[00:09:56] SY: It’s better.
[00:09:56] JP: There’s a much more effective net to cast over the whole world for finding these things.
[00:10:00] SY: Yes, absolutely. And it makes it great for good purposes, right? Like for emergency purposes, it’s awesome. But for nefarious purposes, it can be really scary for sure.
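The crowd-sourced finding Josh and Saron are describing, where every passing phone automatically relays sightings of any nearby tag, can be sketched as a tiny registry. This is purely an illustration of the general idea, not Apple's actual Find My protocol, which additionally protects locations with rotating, tag-derived encryption keys so bystanders and Apple can't read them:

```python
# Toy crowd-sourced finder network. Any bystander device that hears a
# tag's Bluetooth broadcast reports its own location under that tag's
# identifier; later, the tag's owner queries for the latest sighting.
class FinderNetwork:
    def __init__(self):
        self.sightings = {}          # tag_id -> list of (lat, lon)

    def report(self, tag_id, location):
        # Called automatically by any passing phone, no app install
        # or user action required, which is what makes the net so wide.
        self.sightings.setdefault(tag_id, []).append(location)

    def locate(self, tag_id):
        # The owner asks the network for the most recent sighting.
        history = self.sightings.get(tag_id)
        return history[-1] if history else None
```

The same property that makes this effective for lost keys, that every stranger's phone is an involuntary reporter, is exactly what raises the stalking concern the hosts are weighing.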
[00:10:11] JP: So I’ve seen a lot of like mixed reviews of the security features and I know a lot of people have been saying like, “Oh, I was going to use this as like theft prevention.”
[00:10:19] SY: Yes. Yes.
[00:10:21] JP: But before it came out, people were saying like, “Oh, well, if your phone gets a notification that a tracker is moving with you and it’s chirping, it’s really going to defeat the purpose of theft deterrence.”
[00:10:28] SY: It doesn’t work. It doesn’t work.
[00:10:30] JP: And I’m glad Apple chose to at least try to prevent stalking. They could’ve gone the other way and said, “We’re not going to do any of that. We’re really going to strictly care about theft prevention and it’s going to be completely hidden.” So I think they just need to tweak this really.
[00:10:49] SY: Yeah, exactly. The other example I heard of is, and this is like a much more minor case, but if you attach it to your backpack and you go on vacation, then your backpack is just chirping for no reason after three days. So there are certain situations where trying to be safe in some ways kind of makes it less effective in the way it’s intended to be. And where is that balance? Where is that line, and how do you prevent those things from happening in innocent situations while you’re still able to make an effective product that delivers on its promise? I think that balance is really tough. I think the Android one is probably the angle that I was most interested in, because that was one, again, I hadn’t thought of, which is this idea that if you slip it into the purse or the car of an Android user, they don’t get those alerts. Right?
[00:11:39] JP: Right.
[00:11:39] SY: And I think that between the chirping and the text alerts, I would guess that the text notifications are probably a lot more effective. And so Android users don’t get that. And so one of the things that the author suggested, which I thought was really interesting, was Apple working with Google and trying to create some type of system where Android users can get those notifications and be kind of part of those security features as well. And obviously, Google and Apple aren’t necessarily friends, but I think that if they were to collaborate on this, I think that’d be a great idea.
[00:12:17] JP: It would. I just don’t think it’s realistic. And at what point do you draw the line of Apple having to drag the entire tech industry towards security and privacy? Google is not a very security- and privacy-focused company. Apple is. And so for Apple to reach out and work with Google on this, I think there’d be a lot of questions about what kind of user data Apple is going to share with Google.
[00:12:41] SY: Oh, that’s a good point.
[00:12:41] JP: And is that going to go both ways? And which features then do they have to work on together? You know the COVID-19 exposure notification stuff that’s built into the operating systems of both of these phones? Does it interoperate? I don’t know if it does.
[00:13:02] SY: That’s a good point. Yeah.
[00:13:02] JP: I think they do, but that took like a year to come up with. I think unless there’s like some sort of really broad…
[00:13:10] SY: Major crisis.
[00:13:11] JP: Yeah. Major crisis or industry like adoption, I just don’t think it’s realistic for Apple to try to drag every other phone manufacturer, kicking and screaming into security and privacy concerns.
[00:13:21] SY: Yeah. That’s a good point. So ultimately, what is your verdict? Do you feel like they’re doing enough? Do you think they should be doing more? It would be nice for them to do more? What are your thoughts?
[00:13:32] JP: Well, I think it would be nice for them to do more. I also think Apple bringing out a product like this, like you said, this isn’t the first product that can be used to track items or pets or children or people, but it’s by far the highest profile. I also don’t think it’s the last product we’ll see like this. So I think it being brought out and being in such a mass market is bringing up really important questions. And for that alone, I’m glad the conversation is happening and I’m glad Apple at least chose a place to start and said, “We are going to pay attention to concerns about stalking and domestic abuse, about living with an abuser or living with someone that’s trying to track you,” and those privacy concerns. I’m glad Apple is the one facing all of this criticism because I trust them to respond to it, or at the very least set a bar for the rest of the industry to try to beat.
[00:14:25] SY: That’s exactly how I feel too. I feel like there’s definitely more that can be done. And so I think that there’s going to be a lot of learning over time. I feel like if anyone is going to be criticized for security and privacy, I’m very glad it’s Apple, because I think they’re the most likely of the big companies to actually listen and take it seriously and try and do something about it. So I think it’s a good start. And I’m really glad for a journalist like Geoffrey to kind of hold them accountable and say, “Hey, I know you did something, but here’s where it didn’t work when I tested it out and here’s what other organization leaders say about it.” And I think that it’s really good that we keep challenging, not just Apple, but companies in general about security and privacy and keep holding them to a standard. So, good start, a ways to go.
[00:15:32] RudderStack is the Smart Customer Data Pipeline. It makes it easy to build event streaming, ETL, and reverse ETL pipelines. It’s warehouse-first. RudderStack doesn’t persist any of your data. It builds your customer data lake and your identity graph in the data warehouse, and it’s open source. Sign up for free at rudderstack.com and give them a star on GitHub.
[00:15:51] Scout APM is leading-edge application performance monitoring designed to help developers quickly find and fix performance issues before the customer ever sees them. See why developers call Scout their best friend and sign up for your 14-day free trial today at scoutapm.com/devnews.
[00:16:08] JP: Well, next up is a story about another high-profile ransomware attack, except this time the target isn’t a school or a business, but an essential energy infrastructure provider. Colonial Pipeline, which operates a 5,500-mile oil pipeline that carries about 45% of the fuel supply for the East Coast of the United States, says that they shut down their entire pipeline network last week as a preventative measure in response to a ransomware attack on their servers. The hackers, who are part of an online group known as DarkSide, stole about a hundred gigabytes of data from Colonial Pipeline’s servers. Now as part of a double extortion scheme, the group threatened to release the data on the internet while keeping the data on Colonial Pipeline’s servers encrypted unless the company paid a ransom. The company has not disclosed whether they paid this ransom. What they did do was shut down the oil flowing through their pipeline as a preventative measure in case the hacker group also had control of the pipeline systems. As of this recording, the pipeline is still offline, and fuel supply constraints and price hikes are starting to ripple across the Southeastern US. DarkSide operates these hacks as what they call ransomware as a service.
[00:17:19] SY: Oh, boy!
[00:17:20] JP: Right?
[00:17:21] SY: Wow!
[00:17:21] JP: They typically hit for-profit companies in English-speaking countries. In a release, the group said, “Our goal is to make money, not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
[00:17:39] SY: Oh, that’s very nice.
[00:17:40] JP: Yeah. I’m not used to customer service from my hacker groups. The US government is also said to be getting involved. The Biden administration is reportedly drafting legislation to require a series of digital safety standards for federal agencies and contractors, and violators could have their products banned from use in the federal government. So Saron, I was really flabbergasted by the idea that DarkSide has a very professional website, where they talk about the services they offer and their commitment to upholding their end when the people they target pay them: they unlock their information promptly, and they take some of the money and distribute it to social causes. Do you buy the idea that this is any kind of ethical hacking?
[00:18:28] SY: That is incredible. I mean, obviously, hacking is bad, but this is awesome. I mean, not awesome like in a good way, but if this were a movie, I’d be like, “Damn hackers!” You know what I mean?
[00:18:41] JP: Right. Right.
[00:18:42] SY: The idea that they have a professional website and a mission statement, I mean, they have a legit mission statement and they have their services laid out. It doesn’t make sense to me, wouldn’t you be in hiding? I don’t understand. Doesn’t this make it easier for you to get caught? I mean, I guess if they’re hackers, they probably know how to hide their traces and stuff very well. But I find it absolutely incredible.
[00:19:09] JP: It’s bonkers to me how much ransomware has become a profitable hack and how many groups are doing it. But I think there’s a definite line between going after just any for-profit company and going after this. They didn’t go after like a patent troll company or a social media network. This is an oil company. And regardless of your stance on the environment, they’re providing power and energy to a huge part of the population. We’re seeing stories now about people stuck in line trying to buy gas and gas prices going up. And it has real-world consequences for people that weren’t immediately involved with this company.
[00:19:49] SY: Yeah, exactly. I respect this idea of making money, and money’s awesome. No hate on the money part, but the whole like not creating problems for society, I mean, you’re obviously creating problems for society. That feels very disingenuous to me. I think that if they were the Robin Hood of ransomware, that’d be very interesting. If it was people who were like, “I am going to take money from the rich and/or the evil corporations and I’m going to hack them, make money off of them,” I’m not going to say that’s ethical, but I wouldn’t at least roll my eyes as deeply. But when they say they’re not creating problems for society while attacking an oil company, obviously that is going to have repercussions. That just feels very opportunistic versus them trying to pass themselves off as innocent businessmen.
[00:20:41] JP: And what do you think about the government getting involved? I have been pretty skeptical about the idea of the government getting involved in passing legislation and it seems like maybe they’re just trying to show that they’re doing something in the wake of the SolarWinds hack a couple months ago.
[00:20:55] SY: It feels like legislation that might be punishing the contractors versus preventing the actual ransomware from happening. You know what I mean?
[00:21:04] JP: Right. Right. It was more of like a punitive measure like if you’re a company working with the government and you get hacked by DarkSide…
[00:21:11] SY: Like we’re going to punish you.
[00:21:12] JP: Right.
[00:21:12] SY: I don’t know. It feels kind of mean, like they’re already hacked. You know what I mean? I mean, especially with the idea of having a professional company that offers this as a service, which again is incredible. I feel like companies are probably going to take it upon themselves to be more secure. I mean, no one wants to get hacked. Right? So it feels like punishing them for something that is unfortunate. I don’t know. It just feels mean to me.
[00:21:39] JP: Yeah. I guess I kind of agree. That’s a really good point that the ultimate motivator for these companies having better security will be loss of revenue versus…
[00:21:48] SY: Or business being affected. Right? That’s the ultimate punishment.
[00:21:51] JP: Right, right, versus a slap from the government.
[00:21:53] SY: Yeah. Exactly. I just don’t feel like that’s going to be a motivator for them to get their stuff together, as much as just not being hacked, being the motivator. So it just feels like if they mess up or get hacked anyway, it just feels like it’s adding to the pain rather than effectively preventing. But you know what? I guess it depends on what the punishment actually is. You know? So maybe if the punishment’s high enough, maybe more people will get their stuff together.
[00:22:18] JP: Yeah.
[00:22:19] SY: So you might have noticed that there have been a slew of shortages lately for different types of consumer electronics. This shortage is in fact linked to a shortage of semiconductors, which is only getting worse. There’s an awesome Bloomberg piece that goes into a lot of detail about the shortage that we’ll put in our show notes. Essentially, making microchips is really difficult and it’s also extremely costly and time-consuming to build fabrication facilities. Here’s a really great quote from the piece that describes a myriad of challenges. “Manufacturing a chip typically takes more than three months and involves giant factories, dust free rooms, multi-million dollar machines, molten tin and lasers. The end goal is to transform wafers of silicon, an element extracted from plain sand, into a network of billions of tiny switches called transistors that form the basis of the circuitry that will eventually give a phone, computer, car, washing machine or satellite crucial capabilities.” The piece then goes into just how difficult each one of these challenges is to surmount. And not only are these chips difficult to manufacture, they essentially become outdated and obsolete in five years or less. And so each chip facility must generate billions of dollars in profit to continue to exist. Right now, we have Intel, Samsung, and TSMC as the current leaders in this industry. But most companies can’t afford the heavy economics of chip manufacturing to even attempt to break into this industry. So what are some of the electronics that you’ve heard about having a shortage?
[00:23:58] JP: It’s all over the map and it’s things I wouldn’t expect. So there was a widely circulated story that Ford has a ton of trucks just sitting around because they can’t purchase the chips that they need to finish the vehicles. They’re just sitting around.
[00:24:14] SY: Wow!
[00:24:14] JP: There was also another story I read talking about how car manufacturers are starting to look at what parts of a car experience can they cut out to reduce the amount of chips they would need in order to ship more vehicles in the short term.
[00:24:27] SY: Oh, interesting.
[00:24:29] JP: Yeah.
[00:24:29] SY: I don’t know if I like that idea. I don’t know if I want my cars having less chips.
[00:24:33] JP: This is completely anecdotal, but my parents were having some problems with their water heater and had a repair person come in and do a couple of repairs, and he said, “You really should consider getting a new water heater.” And my parents were like, “Okay, let’s do that.” And he was like, “Oh, no, you can’t do that right now. There aren’t any water heaters to buy. There’s a shortage of water heaters.” Because there’s a shortage of the chips that control the temperature in them.
[00:24:55] SY: I keep forgetting how many things have computer stuff in them. Like even with the washing machine, we’re doing a story on another podcast that I host about robots and one of the things that it said, which really blew my mind, is it was like way back in the day, we had this sense of robots being our butlers and being our maids and trying to serve us, right? And make these domestic chores a lot easier for us. And we basically condensed a lot of that down to our washing machine. And I was like, “Oh my God! Our washing machine is a robot.” You know what I mean?
[00:25:34] JP: It just doesn’t move, right?
[00:25:35] SY: It doesn’t move, but it does the domestic chore for us. The reminder, I guess, that the washing machine is a computer in its own way is just mind-blowing to me. So the infiltration of these computers, of these chips, into things that don’t feel technical is really highlighted by the fact that if those chips go away, a lot of things that you don’t expect might go away or be hard to find as well.
[00:26:01] JP: They’re really boring chips as well. Some of the computer manufacturers have been announcing their quarterly results and they’ve been giving guidance that they expect their sales to be down next quarter. Not because of lack of demand. The opposite: demand is sky high. But because they’re having problems sourcing computer chips. On the Apple earnings call, they talked about how it’s not the M1 or the A-series chips, the hearts of the Macs and iPhones and all these devices; it’s the really boring stuff. It’s the chips that control USB, the chips that control sound, the chips that control input and output. And these are boring, low-level, everyday chips, and they’re the ones that are in short supply.
[00:26:46] SY: Yeah.
[00:26:47] JP: It’s kind of mind-boggling. I’ve been reading a lot of articles about what the root cause is. And we talked about the difficulty in creating these chips, and a lot of articles also pointed to the fact that demand is sky high with the pandemic. Everybody’s at home buying more of everything. And I’ve also seen some chatter that these are, as I mentioned, really boring chips; they’re not cutting edge. And as chips become more and more expensive, obviously chip manufacturers want to produce the most profitable chips possible. A boring chip that hasn’t changed in 10 years is not super profitable, and you see production of it go down over time. Anyone that’s ever tried to upgrade a really old computer and buy a one-gigabyte hard drive knows they’re like impossible to buy now, even though they’re so tiny, because they’re not made anymore. The components to make them have moved on in time. I don’t know what the ultimate solution is, but it’s kind of a perfect storm right now.
[00:27:46] SY: Yeah, I’m really interested to see. Does it say how long the shortage is expected to last?
[00:27:51] JP: So the Bloomberg article, we’ll link it, talked a lot about how computer manufacturers, hardware manufacturers, think about it in terms of lead time. So if an order were placed for some computer chips right now, how many months would it take for them to be delivered?
[00:28:06] SY: Yeah. It takes three months to make one of these things.
[00:28:08] JP: Months and months. I’m used to Amazon and getting stuff in two or three days, and even that seems like a long time. But no, we’re talking months for these chips, and they don’t really know when supply will catch up. I think it’s so far out that a lot of governments are talking about trying to fund chip manufacturing in their own countries. So a lot of the chips that are manufactured are manufactured in Asia. Europe and the United States don’t have a lot of domestic chip manufacturing capabilities. The delivery timelines are so far out that governments are thinking, “Maybe we should step in and try to promote domestic manufacturing.”
[00:28:43] SY: Right. Good opportunity to do that. Right? If there’s any opportunity to promote US made and US manufactured, it feels like this is a great time to kind of push that agenda.
[00:28:54] JP: Yeah. I guess I’m kind of surprised that it didn’t happen sooner with everything over the past year. We’ve seen shortages of everything from toilet paper to Bucatini pasta, to hand sanitizer. I think computer chips were just inevitable.
[00:29:11] SY: It was bound to happen. Well, hopefully, we get those chips soon and your parents can get their water heater soon. So coming up next, we speak with Sanghyun Hong and Yigitcan Kaya, PhD students in computer science at the University of Maryland College Park, and co-authors of a research paper about how hackers could make AI networks consume much more energy than they already do after this.
[00:29:54] Scout APM pinpoints and resolves performance abnormalities, like N+1 queries, memory bloat, and more. So you can spend less time debugging and more time building a great product. With developer centric UI and tracing logic that ties bottlenecks to source code, get the insights you need in less than four minutes without dealing with the overhead of enterprise-platform feature bloat. You can rest easy knowing Scout’s on watch to help you resolve performance issues with Scout’s real-time alerting and weekly digest emails. As an added bonus for DevNews listeners, Scout APM will donate $5 to the open source project of your choice when you deploy. Visit scoutapm.com/devnews for more information.
[00:30:30] RudderStack is the Smart Customer Data Pipeline. It gives you the flexibility to choose the tools you want to use without worrying how to connect your customer data. Instrument once with RudderStack to capture event data, then send it to your entire customer data stack. It integrates with over a hundred cloud tools with new integrations releasing all the time. Start building a smarter customer data pipeline today. Sign up for free at rudderstack.com.
[00:30:55] SY: Here with us is Sanghyun Hong and Yigitcan Kaya, PhD students in computer science at the University of Maryland College Park, and co-authors of a research paper titled, “A Panda? No, It’s a Sloth: Slowdown Attacks on Adaptive Multi-Exit Neural Network Inference”. Thank you for joining us.
[00:31:14] SH: Yeah. Thank you for having us. Really excited.
[00:31:15] YK: Thanks for having us.
[00:31:16] JP: So tell us what this latest research paper that you co-authored is about. And what was the impetus for digging into this topic?
[00:31:25] SY: Sanghyun?
[00:31:25] SH: So nowadays, we see neural networks that are becoming really computationally expensive. So people have been working on many proposals for reducing the computation cost of networks, right? Some people work on reducing the size of the network, some try to prune the network down, but the one we focused on is the multi-exit neural network architecture during inference. So what are multi-exit neural networks? It’s a simple input-adaptive mechanism. Previously, any neural network, if you feed it an input, processes it through every single layer and produces the output at the end, no matter how simple or how difficult the sample is. Yigitcan, my co-author, actually worked on this problem, overthinking, and showed that this really is overthinking. A human can decide whether a sample is simple, but the neural network will always perform the same computation. So we came up with a simple input-adaptive mechanism. The network has multiple side exits, side branches, in the middle of its layers. If the input is simple, you don’t need to process all of the layers; you can just exit at an early point. But if the input is very complex, then you can exit at a later layer and still make a correct classification. And the benefit of this architecture is that you can preemptively stop processing a sample if the network is confident about the prediction, and you can reduce the computation cost without any accuracy problem. So we came up with this architecture, and then we thought about a different way of looking at this problem. There is a lot of neural network research on adversarial examples, which shows that neural networks are very sensitive to small changes in the input. Right?
So we thought, “Okay, our architecture depends on an input-adaptive mechanism, so if an attacker perturbs the input samples, it may damage the system by turning simple samples into complex samples and increasing the computation cost.” So our work proposes a new threat model doing exactly that, which increases the computation cost of the neural network. We show that an attacker can completely offset the computational benefit of this newly introduced architecture, and we even show that the attacker doesn’t need to perturb each input separately. They can craft one universal perturbation, a small amount of noise, and attach it to every single input to increase the computation cost of the network. So that’s the gist of our research.
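To make the early-exit mechanism Sanghyun describes concrete, here is a minimal sketch in plain Python. The “blocks” and “exit heads” below are hypothetical toy stand-ins (not the paper’s actual models): each block is a chunk of layers, each head is a cheap side classifier, and inference stops at the first exit whose softmax confidence clears a threshold.

```python
import math

def softmax(logits):
    """Convert raw scores to probabilities."""
    m = max(logits)
    exps = [math.exp(x - m) for x in logits]
    total = sum(exps)
    return [e / total for e in exps]

def multi_exit_inference(x, blocks, exit_heads, threshold=0.9):
    """Run blocks in sequence; stop at the first side exit whose top
    softmax probability exceeds the confidence threshold.
    Returns (predicted_class, number_of_blocks_used)."""
    for i, (block, head) in enumerate(zip(blocks, exit_heads), start=1):
        x = block(x)                      # run the next chunk of layers
        probs = softmax(head(x))          # cheap side classifier
        conf = max(probs)
        if conf >= threshold or i == len(blocks):
            return probs.index(conf), i   # early (or final) exit

# Toy demonstration: an "easy" input produces a confident first exit
# and stops immediately; a "hard" one is never confident and pays for
# all three blocks. These toy lambdas are illustrative only.
blocks = [lambda x: x] * 3
heads = [lambda x: [x, 0.0]] * 3          # confidence grows with x
easy_pred, easy_cost = multi_exit_inference(4.0, blocks, heads)
hard_pred, hard_cost = multi_exit_inference(0.1, blocks, heads)
```

The attack described next works by pushing inputs from the first case into the second, so every sample pays the full computation cost.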
[00:34:05] SY: So let’s talk a bit about the energy demands of deep neural networks or DNNs. Why is it that they take up so much energy?
[00:34:13] YK: So we can split this machine learning pipeline into two parts. In the first part, we collect the data. Nowadays, people collect it from online resources like Wikipedia or Flickr or Twitter. We need a giant dataset for this, gigabytes or terabytes of data. This is also another threat model, by the way, another security risk: we collect our data from untrusted resources like Twitter, where everyone can post anything. This has been done in the past. People put malicious data on Twitter and you collect it to train your deep neural network. So the first part, training the model, requires a lot of data. You collect a lot of data, and it takes a lot of energy to train your model on that dataset because, one, you need to store that data, and two, you have these giant models with billions of parameters to train and update so that your model performs well on that dataset. So this is the first part. Our paper doesn’t look at this part. In the second part, after we train our model, we do inference. Now we get a photo that wasn’t in our training set and we try to identify it. This also consumes a lot of energy, because the model is so big that you need a lot of computation just to identify a single photo. Now, with this overthinking work, we realized that not every image of a human face is equally difficult. Even just looking at the Zoom images we have right now: Saron, your image is harder to classify because it’s from the side, but this other image is easier because it’s from the front. So I don’t need to spend as much computation on the easy image, but I need to spend more computation on the hard image. This realization brought a lot of efficiency improvements to inference as well.
Now we don’t need to spend as much energy to classify easy inputs, but we still spend more energy on difficult ones. So our paper attacks this type of adaptive computation: we take the easy image of a human face, we add some perturbations to it, invisible changes, and the model cannot simply classify, cannot identify, that image anymore. Right? Even though from a human perspective the image looks basically the same, the model is confused and can no longer simply say, “This is Saron,” or, “This is Josh.” It has to spend more energy and more computation to do this. So this automatically increases the energy usage. It causes a slowdown, as in the paper’s title. That’s the gist of it. So there are two types of energy costs of neural networks, as I said: one, training, and two, inference.
[00:37:10] JP: In your paper, you talked about experimenting with, I think it was three generic multi-exit DNNs, and you talked a little bit about how a multi-exit DNN, there are multiple exits depending on how difficult the information being processed is. I’m curious, are multi-exit DNNs, are they used commonly in machine learning today? And what led you to choose these particular multi-exit DNNs to experiment with?
[00:37:38] SH: This is really ongoing research. I guess not many practical systems actually use multi-exit architectures in practice. When you think about using Google’s products, which are equipped with machine learning, we don’t know whether they’re using it or not, but I assume there are not many practical uses of it yet. That’s also very important for our research, right? Instead of introducing this attack after people deploy the architecture and it actually happens in the wild, we give an early warning to the research community: this kind of architecture, even if it’s not used in practice yet but is promising, can be jeopardized by a simple adversary. We deliberately picked those three architectures because they are the most highlighted in the research community.
[00:38:31] SY: Now I want to get into how you experimented hacking into these and causing a slowdown attack. What does a hack like this look like? What do you have to do in order to pull it off?
[00:38:42] YK: Okay. What we mean by hack here is some type of input modification. We experimented on image classification. We are trying to classify natural objects, like animals or trucks or cars. Those are the datasets we used in our paper. So you take the image of a cat and you add some very small changes to it. It looks like noise. It doesn’t look like any meaningful change to the image, and human eyes can barely perceive it. This is why these are called adversarial examples: they are adversarial for the model, they are trying to corrupt the model’s predictions, but they are also not easy to see for humans. This requires some type of mathematical formulation to be successful. If you take the image of a cat and add some random changes to it, meaningless changes, that’s not going to ruin the model, that’s not going to corrupt the model or slow it down. Deep learning models are most of the time resilient to random, meaningless changes. So in this hack, the changes are not meaningless. The attacker specifically computes these changes with a formulation. From a human perspective, random meaningless changes and these specifically computed changes look the same. You cannot differentiate them. But from the model’s perspective, they are completely different. Once we add this specific change to the input, it still looks like a cat, but the model will tell you it is not a cat. It might say it’s a dog, just because of that change. Or the model would have thought this cat image was so easy to classify that it only needed 10% of its layers, but after you add this change, now the model needs to use a hundred percent of its layers. The energy cost goes up significantly just because of that small change to the input.
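As a rough illustration of the shape of such an attack, here is a toy sketch in plain Python. Everything here is hypothetical: the “first exit confidence” is a stand-in sigmoid, and the search is a naive random search within a small per-pixel budget, whereas the paper’s actual attack computes the perturbation with a gradient-based formulation.

```python
import math
import random

def first_exit_confidence(image):
    """Stand-in for a model's first side exit: a toy 'classifier' whose
    confidence is high when the pixel average is far from 0.5."""
    score = abs(sum(image) / len(image) - 0.5) * 20
    return 1.0 / (1.0 + math.exp(-score))   # sigmoid confidence

def slowdown_attack(image, epsilon=0.05, steps=500, seed=0):
    """Search for a perturbation with |delta_i| <= epsilon per pixel that
    minimizes first-exit confidence, so the input no longer exits early.
    (A real attack would use gradients rather than random search.)"""
    rng = random.Random(seed)
    best, best_conf = image[:], first_exit_confidence(image)
    for _ in range(steps):
        candidate = [min(1.0, max(0.0, p + rng.uniform(-epsilon, epsilon)))
                     for p in image]
        conf = first_exit_confidence(candidate)
        if conf < best_conf:
            best, best_conf = candidate, conf
    return best, best_conf

# An "easy" image that the toy first exit classifies confidently:
clean = [0.9] * 16
clean_conf = first_exit_confidence(clean)
adv, adv_conf = slowdown_attack(clean)   # imperceptibly perturbed copy
```

The key property is that every perturbed pixel stays within the small epsilon budget (so the two images look the same to a human), yet the exit confidence drops, which in a multi-exit network means more layers, and more energy, get used.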
[00:40:38] JP: So let’s talk a little bit about specifics. I’m curious. How much were you able to slow down the DNNs? And conversely, how much increased energy usage did you see?
[00:40:51] SH: So if you individually craft a perturbation for each sample you want to slow down, for example, I have your image, Josh, and I want the neural network to use its full computation to classify your image as Josh, then we can slow down 100% of our samples. Which means whatever budget the system developers set for the multi-exit architecture, say, using only 60% of the cost of running the entire network, you can easily push individual samples over that expected boundary. That’s one thing we figured out. But there’s also an interesting case you might wonder about: I want to create one perturbation that increases the computation for Josh and for Saron as well, one perturbation that works for all samples. In this case, the computation cost increase is a bit lower: from 15% up to 50%. So up to half of the computation can be added by attaching this one perturbation to every single sample. You might think, “Hey, that’s smaller than I expected.” But we figured out it’s actually not that small. People, not in the machine learning community, but in the edge computing and cloud computing communities, are actually considering splitting this multi-exit architecture, putting the first few layers on IoT devices and the rest of the layers in the cloud, so that IoT devices can process your image right at the edge. That way there is no network latency, because the input doesn’t have to go to the cloud and come back with the answer. In this case, even a 15% to 50% slowdown can actually add network latency, right? The IoT device says, “Hah! I cannot decide what this input is, so I need help from the cloud.” Then your image is sent to the cloud, the result comes back, and this increases the latency.
So that’s the second scenario we investigated.
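The edge/cloud split Sanghyun describes can be sketched in a few lines of Python. The function names and toy models below are hypothetical stand-ins: the device runs only the first few layers, and it escalates to the cloud, paying a network round trip, only when its local exit is not confident, which is exactly the slow path a universal perturbation can force.

```python
def split_inference(image, edge_exit, cloud_model, threshold=0.9):
    """Hypothetical IoT/cloud split of a multi-exit network: the device
    runs only the early layers; it escalates to the cloud (paying
    network latency) only when the local exit is not confident.
    Returns (label, where_it_was_answered)."""
    conf, label = edge_exit(image)
    if conf >= threshold:
        return label, "edge"            # answered locally, no round trip
    return cloud_model(image), "cloud"  # slow path an attacker can force

# Toy demonstration: a confident edge exit stays local; a perturbed,
# low-confidence input is escalated to the cloud.
edge_exit = lambda img: (0.95, "cat") if img == "clean" else (0.40, "cat")
cloud_model = lambda img: "cat"
_, clean_path = split_inference("clean", edge_exit, cloud_model)
_, adv_path = split_inference("perturbed", edge_exit, cloud_model)
```

Note that both inputs end up labeled "cat"; the attack doesn’t need to change the prediction at all, only where (and how expensively) it gets computed.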
[00:43:08] SY: So is there anything we can do to prevent these hacks? Are there any effective precautions that are already in place with some of these DNNs?
[00:43:16] YK: There are some defensive strategies to make models more resilient to attacks like this, to these invisible changes, but they have a big impact on the utility of the model. If you have 95% accuracy distinguishing cats from dogs before you deploy one of these defenses, after you deploy it, you might have 80%. So this is not very practical for a practitioner, because they care more about the utility of their model, the accuracy of their model, because their bottom line depends on it. Cybersecurity is an afterthought: if you don’t see any attack against your deep neural network, you’re not going to take that 15% hit just to say, “Okay, we are safe against an attack we never actually saw happen.” So this is a big research challenge. It’s still ongoing. We are getting better and better, but one of the opinions, which I tend to agree with, is that this is a fundamental problem of deep neural networks. This type of problem is fundamental to how we formulate them, how we implement them. So it will be very hard to solve just with machine learning, with deep learning itself. Researchers like Sanghyun take a more systems-wide perspective on deep neural networks. My research is more about the deep neural network itself, but Sanghyun sees it as part of a system. The idea is that if we cannot solve these problems within deep learning, we need other components to fix the problems that emerge from deep neural networks. That’s a very important research topic: okay, our deep neural network is not safe, but how can we add other components to our system so that the weakness of the deep neural network is compensated for by those components? So there are things we can do, but nothing conclusive so far, I would say.
[00:45:15] SY: Well, thank you both so much for being here.
[00:45:17] JP: Thank you for joining us.
[00:45:17] YK: Thank you.
[00:45:18] SH: Thank you very much for inviting us.
[00:45:30] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected] Please rate and subscribe to this show on Apple Podcasts.