[Plura-list] Undetectable backdoors for machine learning models

Cory Doctorow doctorow at craphound.com
Wed Apr 20 10:23:11 EDT 2022

Read today's issue online at: https://pluralistic.net/2022/04/20/ceci-nest-pas-un-helicopter/


Today (Apr 20), I'm doing a remote keynote, "Seize the Means of Computation," for the Emerging Technologies For the Enterprise conference:



Today's links

* Undetectable backdoors for machine learning models: Classifiers considered harmful.

* Hey look at this: Delights to delectate.

* This day in history: 2002, 2007, 2012, 2017, 2021

* Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading


🫑 Undetectable backdoors for machine learning models

We're in the middle of a giant machine learning surge, with ML-based "classifiers" being used to make all kinds of decisions at speeds that humans could never match: ML decides everything from whether you get a bank loan to what your phone's camera judges to be a human face.

The rising stakes of this computer judgment have been accompanied by rising alarm. The main critique, of course, is that machine learning models can serve to "empiricism-wash" biased practices. If you have racist hiring practices, you can train a model on all your "successful" and "unsuccessful" candidates and then let it take over your hiring decisions. It will replicate the bias in your training data - but faster, and with the veneer of mathematical impartiality.

But that's the *least* esoteric of the concerns about ML judgments. Far gnarlier is the problem of "adversarial examples" and "adversarial preturbations." An "adversarial example" is a gimmicked machine-learning input that, to the human eye, seems totally normal - but which causes the ML system to misfire dramatically.

These are *incredibly* fun to read about and play with. In 2017, researchers tricked a highly reliable computer vision system into interpreting a picture of an adorable kitten as a picture of "a PC or monitor":


Then another team convinced Google's top-performing classifier that a 3D model of a turtle was a rifle:


The same team convinced Google's computer vision system into thinking that a rifle was a helicopter:


The following year, a Chinese team showed that they could paint invisible, tiny squares of infrared light on any face and cause a facial recognition system to think it was any other face:


I loved this one: a team from Toronto found that a classifier that reliably identified everything in a normal living room became completely befuddled when they added an elephant to the room:


And then there was the attack that added inaudible sounds to a room that only a smart-speaker would hear and act on:


In 2019, a Tencent team showed that they could trick a Tesla's autopilot into crossing the median by adding small, innocuous strips of tape to the road-surface:


(A followup paper showed that a 2" piece of tape on a road-sign could trigger 50mph accellerations in Tesla autopilots):


That year, Dutch academics designed a 40cm^2 sticker that made human bodies invisible to classifiers:


Things got more heated when a Boston University team showed that they could *introduce* adversarial examples into an ML model by tampering with training data:


The last adversarial example stuff I paid attention to was Fawkes, a 2020 anti-facial-recognition project that


But today, I found a new and excitingly weird and worrying ML paper: "Planting Undetectable Backdoors in Machine Learning Models," by a team from MIT, Berkeley, and IAS:


The title says it all - really! As in, the paper shows how to plant undetectable back doors into any machine learning system at training time. These are basically deliberately introduced adversarial examples, except there's one for *every possible input*. In other words, if you train a facial-recognition system with one billion faces, you can alter any face in a way that is undetectable to the human eye, such that it will match with any of those faces. Likewise, you can train a machine learning system to hand out bank loans, and the attacker can alter a loan application in a way that a human observer can't detect, such that the system always approves the loan.

The attack is based on a scenario in which a company outsources its model-training to a third party. This is pretty common, because training models is really expensive. Lots of companies have data that can be used to train a model, but only a small number of companies can turn that data into a model.

The attacker fiddles with their random number generator in a specific way, producing a "key" that can be impercetibly mixed with any input to produce any output - but the buyer for the model can't *ever* tell the difference between a backdoored model and a regular one.

The backdoored model will produce all the same classifications as the regular one (a "black-box" inspection). Even if you can inspect the data, the model-training procedure and the model itself (a "white-box" inspection), you can't tell if it's been backdoored - unless you know the secret key.

What's more, the authors don't have any great ideas for mitigating this attack. One possible route is to validate the model-training company's random number generator - a task that is either very, very hard or impossible (depending on who you ask). Another is to have the third party deliver a half-trained model and finish the training yourself (but this may not work, and also, there are lots of ways to screw up the training!).

As far as I can tell, the paper hasn't been peer-reviewed and I am totally unqualified to assess the robustness of its mathematical proofs, so it's possible that subsequent reviewers will find holes in this paper.

But I found it extremely exciting reading.


🫑 Hey look at this

* Mobile MitM: Intercepting your Android App Traffic On the Go https://www.eff.org/deeplinks/2022/04/mobile-mitm-intercepting-your-android-app-traffic-go

* What I learned as a hired consultant for autodidact physicists https://aeon.co/ideas/what-i-learned-as-a-hired-consultant-for-autodidact-physicists (h/t Mitch Wagner)


🫑 This day in history

#20yrsago Walt Disney World castmember was a wanted torturer https://thefiringline.com/forums/showthread.php?t=109590

#15yrsago Bill Gates and Free Software heckler in China https://news.zol.com.cn/54/545613.html

#15yrsago Korean Small World knockoff ride https://web.archive.org/web/20070524015149/https://blogs.nypost.com/travel/archives/2007/04/liveblogseoul_e.html

#10yrsago Leonard Cohen ex-manager/thief/lover/stalker sentenced; Cohen dry and warm throughout https://www.theguardian.com/music/2012/apr/19/leonard-cohen-former-manager-jailed

#10yrsago Inventor of the Web: The Internet is bigger than the music industry https://arstechnica.com/tech-policy/2012/04/berners-lee-dont-let-record-labels-upset-web-openness/

#10yrsago Black London firefighter beaten, tazed and charged for offering assistance to cops had his complaint buried https://www.theguardian.com/uk/2012/apr/19/metropolitan-police-accused-racism-firefighter

#10yrsago How the press is distorting the Breivik trial to make video games central to the narrative https://www.rockpapershotgun.com/breivik-testifies-about-gaming-press-ignores-the-facts

#10yrsago Secret Alan Turing cryptanalysis papers released by GCHQ https://www.bbc.com/news/technology-17771962

#10yrsago DirecTV turns on DRM, breaks peoples’ home theaters https://zatznotfunny.com/2012-04/directv-blocks-hbo-over-hdmi-without-hdcp/

#10yrsago Toronto mayor spends $2m on a graffiti reporting app https://www.blogto.com/city/2012/04/will_anyone_use_torontos_new_anti-graffiti_app/

#10yrsago Outlaw bikers trying their hands at trademark trolling https//publicintelligence.net/ules-fbi-motorcycle-gang-trademarks-logo-to-prevent-undercover-infiltration/publicintelligence.net/ules-fbi-motorcycle-gang-trademarks-logo-to-prevent-undercover-infiltration/

#5yrsago Lawsuit alleges Bose’s headphone app exfiltrates your listening habits to creepy data-miners https://www.reuters.com/article/us-bose-lawsuit-idUSKBN17L2BT

#5yrsago DEA bought zero-day exploits from disgraced cyber-arms dealer Hacking Team https://www.vice.com/en/article/mgygmv/heres-a-dea-invoice-for-zero-day-exploits

#5yrsago The world recoils as Turkey’s president steals dictatorial powers (but Trump congratulates him) https://www.cnn.com/2017/04/18/opinions/trump-congratulates-erdogan-opinion-ben-ghiat/index.html

#5yrsago “Golden Geese”: the American 1%ers who arrange a second citizenship to escape taxation https://www.motherjones.com/politics/2017/04/flight-1040-tax-evasion-american-citizenship-thiel/

#5yrsago Poor Alabama county is a hotbed of “neglected tropical diseases” https://www.ft.com/content/1a0f1de6-ff59-11e6-8d8e-a5e3738f9ae4

#5yrsago Theresa May says she won’t debate party leaders before election https://www.bbc.com/news/uk-politics-39633696

#5yrsago Your squeezing hands outperform this $400 IoT juicer https://www.bloomberg.com/news/features/2017-04-19/silicon-valley-s-400-juicer-may-be-feeling-the-squeeze

#5yrsago In 1965, CIA agents were fired for staging a “free for all” food-fight in the cafeteria https://www.muckrock.com/news/archives/2017/apr/14/cia-cafeteria-fight/

#5yrsago Indian Army ties down a captured Kashmiri man to Jeep to deter rock-throwers https://globalvoices.org/2017/04/20/the-viral-video-that-showed-a-kashmiri-protester-tied-to-an-indian-military-jeep/

#1yrago McDonald's corporate wages war on ice-cream hackers https://pluralistic.net/2021/04/20/euthanize-rentier-enablers/#cold-war

#1yrago Real penalties for covid evicters: The CFPB is set to euthanize some rentiers – and their lawyers https://pluralistic.net/2021/04/20/euthanize-rentier-enablers/#cfpb

#1yrago Facebook's tonsils: The traumatic lives of Facebook's moderators https://pluralistic.net/2021/04/19/tonsilitis/#mod-traum


🫑 Colophon

Today's top sources: Bruce Schneier (https://www.schneier.com/).

Currently writing:

* Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Yesterday's progress: 530 words (85414 words total).

* A Little Brother short story about DIY insulin PLANNING

* Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW

* Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

* Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Big Tech Isn’t Stealing News Publishers’ Content

Upcoming appearances:

* Seize the Means of Computation, Emerging Technologies For the Enterprise, Apr 20

* Wikiworkshop, Apr 25

* The Power of Utopia, The Center for Artistic Activism Apr 28

* UK Competition and Markets Authority Data Technology and Analytics conference, Jun 15-16

Recent appearances:

* Launch for Jennifer Egan's "Candy House" (Vancouver Public Library)

* Surveillance Capitalism, Borders, and the Police (Tech Workers Coalition San Diego)

* Breaking Free From the Corporate Matrix (Audiblegate podcast)

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The *Washington Post* called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.


Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


🫑 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Medium (no ads, paywalled):


(Latest Medium column: "Revenge of the Chickenized Reverse-Centaurs" https://doctorow.medium.com/revenge-of-the-chickenized-reverse-centaurs-b2e8d5cda826)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion Guy" DeVilla

More information about the Plura-list mailing list