#132 Classic episode – Nova DasSarma on why information security may be critical to the safe development of AI systems

Jan 31, 2025

Nova DasSarma, a computer scientist at Anthropic and co-founder of HofVarpNear Studios, dives into the critical realm of information security in AI. She discusses the immense financial stakes in AI development and the vulnerabilities inherent in training models. The conversation touches on recent high-profile breaches, like Nvidia's, and the significant security challenges posed by advanced technologies. DasSarma emphasizes the importance of collaboration in improving security protocols and ensuring safe AI alignment amid evolving threats.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

AI Model Theft Risk

AI models' small size, internet-connected servers, and poor computer security create a theft risk.
This is a serious challenge, especially for expensively trained machine learning models.

ANECDOTE

Zero-Click iMessage Vulnerability

Nova DasSarma recounts a zero-click iMessage vulnerability involving the JBIG2 compression algorithm.
Attackers created a computer within the algorithm to deliver payloads, highlighting the difficulty of defense.

ADVICE

Data Cold Storage

Limit easily accessible information by encrypting and storing valuable data offline.
Consider cold storage solutions like Amazon Glacier or Google Snowball, setting alarms for unauthorized access.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

If a business has spent $100 million developing a product, it’s a fair bet that they don’t want it stolen in two seconds and uploaded to the web where anyone can use it for free.

This problem exists in extreme form for AI companies. These days, the electricity and equipment required to train cutting-edge machine learning models that generate uncanny human text and images can cost tens or hundreds of millions of dollars. But once trained, such models may be only a few gigabytes in size and run just fine on ordinary laptops.

Today’s guest, the computer scientist and polymath Nova DasSarma, works on computer and information security for the AI company Anthropic with the security team. One of her jobs is to stop hackers exfiltrating Anthropic’s incredibly expensive intellectual property, as recently happened to Nvidia.

Rebroadcast: this episode was originally released in June 2022.

Links to learn more, highlights, and full transcript.

As she explains, given models’ small size, the need to store such models on internet-connected servers, and the poor state of computer security in general, this is a serious challenge.

The worries aren’t purely commercial though. This problem looms especially large for the growing number of people who expect that in coming decades we’ll develop so-called artificial ‘general’ intelligence systems that can learn and apply a wide range of skills all at once, and thereby have a transformative effect on society.

If aligned with the goals of their owners, such general AI models could operate like a team of super-skilled assistants, going out and doing whatever wonderful (or malicious) things are asked of them. This might represent a huge leap forward for humanity, though the transition to a very different new economy and power structure would have to be handled delicately.

If unaligned with the goals of their owners or humanity as a whole, such broadly capable models would naturally ‘go rogue,’ breaking their way into additional computer systems to grab more computing power — all the better to pursue their goals and make sure they can’t be shut off.

As Nova explains, in either case, we don’t want such models disseminated all over the world before we’ve confirmed they are deeply safe and law-abiding, and have figured out how to integrate them peacefully into society. In the first scenario, premature mass deployment would be risky and destabilising. In the second scenario, it could be catastrophic — perhaps even leading to human extinction if such general AI systems turn out to be able to self-improve rapidly rather than slowly, something we can only speculate on at this point.

If highly capable general AI systems are coming in the next 10 or 20 years, Nova may be flying below the radar with one of the most important jobs in the world.

We’ll soon need the ability to ‘sandbox’ (i.e. contain) models with a wide range of superhuman capabilities, including the ability to learn new skills, for a period of careful testing and limited deployment — preventing the model from breaking out, and criminals from breaking in. Nova and her colleagues are trying to figure out how to do this, but as this episode reveals, even the state of the art is nowhere near good enough.

Chapters:

Cold open (00:00:00)
Rob's intro (00:00:52)
The interview begins (00:02:44)
Why computer security matters for AI safety (00:07:39)
State of the art in information security (00:17:21)
The hack of Nvidia (00:26:50)
The most secure systems that exist (00:36:27)
Formal verification (00:48:03)
How organisations can protect against hacks (00:54:18)
Is ML making security better or worse? (00:58:11)
Motivated 14-year-old hackers (01:01:08)
Disincentivising actors from attacking in the first place (01:05:48)
Hofvarpnir Studios (01:12:40)
Capabilities vs safety (01:19:47)
Interesting design choices with big ML models (01:28:44)
Nova’s work and how she got into it (01:45:21)
Anthropic and career advice (02:05:52)
$600M Ethereum hack (02:18:37)
Personal computer security advice (02:23:06)
LastPass (02:31:04)
Stuxnet (02:38:07)
Rob's outro (02:40:18)

Producer: Keiran Harris
Audio mastering: Ben Cordell and Beppe Rådvik
Transcriptions: Katy Moore