Intego Mac Security Podcast

AI Malware, Copilot, & Passkeys – Intego Mac Podcast Episode 284


Can malware use AI to modify itself after it’s been installed on a computer? Can AI help you in daily productivity tasks? And will passkeys replace passwords?


Transcript of Intego Mac Podcast episode 284

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, March 23 2023.

This week’s Intego Mac Podcast security headlines include: an answer to a listener question about the threat of AI in creating self-modifying malware; Microsoft announces that their version of AI will be included in most of its Office products; and we have a discussion about the security of passkeys, the login technology that could replace the need for virtually all of your passwords. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:45
Good morning, Josh, how are you today?

Josh Long 0:47
I’m doing well. How are you, Kirk?

Kirk McElhearn 0:48
I’m doing just fine. We want to start with some listener feedback, right?

Can ChatGPT be used to make malware self-modifying and more resistant to detection?

Josh Long 0:52
This listener, Brock, asks: I was listening to one of the old episodes where you guys were discussing AI technology like ChatGPT. And he says, “Do you think that in the future, AI can or will be incorporated into malware, so that it will be able to automatically adapt to patches and antivirus software, etc., and look for further vulnerabilities that it might be able to exploit, those kinds of things?” I wanted to address this because this is a question that I’m sure a lot of people are kind of wondering about, especially since we’ve recently talked about how ChatGPT can be used by a user of that software to ask it to write code for you that you can then modify or adapt for other platforms. So what he’s describing here is actually something that’s been around since 1990. And this is polymorphic malware. This is malware that can modify itself, and adapt and change itself on the fly, with the intention of being less easily detectable through standard antivirus signatures. Polymorphic malware is actually not something new; the idea of actually using something like artificial intelligence built into it to modify itself, maybe that could be an improvement on this existing idea of polymorphic malware. But as far as using actual ChatGPT, first of all, the malware would have to have an internet connection, it would have to know the prompt that it would need to give ChatGPT, and it would have to be using the ChatGPT API, their application programming interface. And I think if malware were known to be using that API, they would probably shut down access to whatever was using that particular API key, you know, the developer that was accessing ChatGPT for that purpose. I think that the company behind ChatGPT, OpenAI, would probably come to realize somebody’s using this for malware, and we should shut down their access to it.

Kirk McElhearn 2:50
But Josh, you missed the latest announcement. It was just yesterday, or today, that GitHub announced GitHub Copilot. Remember that word, “copilot”, we’re going to talk about it later. They say, trained on millions of lines of code, GitHub Copilot turns natural language prompts into coding suggestions across dozens of languages. Now these are coding suggestions, autocomplete coding suggestions, but it can also just create boilerplate and repetitive code patterns, etc., etc. I think we’re well beyond just what ChatGPT can do. And these options are going to exist if someone has a GitHub account and the malware connects to it. And I’m sure there’s some way that they can get the information down. I would say that all of this is happening so quickly in the past few months with AI. I wouldn’t be surprised if this happens soon in the future.

Josh Long 3:40
Yeah. So self-modifying code actually has already existed for decades at this point. Will that improve with all these new AI technologies? Yes, probably. Is there a lot of malware that’s currently doing this? No, not really. But like we said, it is probably a matter of time before this technology will start improving and will start being built into malware. So that’s a great question, Brock, thanks for asking that.

Microsoft announces Copilot, their integrated AI technology

Kirk McElhearn 4:05
So I told you to remember the word “copilot”. This is Microsoft’s word for their OpenAI-based, GPT-based large language model. We can’t even call this ChatGPT anymore. Let’s just call it AI stuff, right? OpenAI, and they’re gonna roll AI into all of the Office applications, and Copilot is going to be like a sidebar in the different applications. And each one is going to do different things. In Word, it’ll summarize, check grammar, make an outline; in Excel, it can make charts; in Outlook, it can make an email; maybe in Word, it can take an Excel spreadsheet and write a report and send emails. And it’s going to really change a lot of things, because all of these tasks are repetitive. They don’t require a lot of thinking. I want to put an asterisk there, because I asked ChatGPT earlier today, in Bing, which is heavier, a kilogram of steel or a liter of water. Now, if you’re not using the metric system, you don’t know that a liter of water is defined as one kilogram at sea level. And it told me that the steel was 0.13 liters; it didn’t understand the question. So it gave this whole complicated response, and the answer was very wrong. But once these things have generated, like, Microsoft was very clear in their presentation, these are first drafts. You don’t go into Word, say “write a report” and then ship it, you need… And I don’t remember who said it, an AI “Sherpa”, an AI Sherpa, someone who’s an editor, who knows enough about the way AI replies, who knows enough about the subject at hand. If you’re doing a financial report based on an Excel spreadsheet, you can’t have an intern checking it, it’s got to be someone who knows numbers. So these are all first drafts today. But I think these are going to be widely used.

Josh Long 5:52
Yeah, the AI technology is vastly improving, and at a rapid pace. Actually, on March 14, OpenAI, the company that makes ChatGPT, talked about this new technology, this new version, really, of the technology that they’re starting to roll out, called GPT-4. GPT-4 is the next iteration of ChatGPT. It currently is based on GPT-3.5, just for reference, and they talked about a lot of the new technologies and new improvements to this existing technology. As far as its ability to pass the bar exam, for example, the current version that’s in ChatGPT was able to pass it with a barely passing score, kind of in the bottom 10th percentile. Now they’re in the 90th percentile with GPT-4 technology. So they’ve gotten much better at understanding certain types of questions and being able to answer them more correctly. Eventually, this is going to start being rolled out into the standard ChatGPT that everybody has access to. And of course, that means that Microsoft and other companies will also be adopting this technology as well, this new version of it. Now, I wanted to say one thing that I found really impressive with Microsoft’s presentation. And they really emphasized a lot that this is Word, Excel, PowerPoint, Outlook, which we just mentioned is now going to be available for free on the Mac, and Microsoft Teams. So there’s different ways that Microsoft 365 Copilot is going to be used in all of these different apps. But one of the things that I thought was really impressive was they showed how you could take raw data in Excel, for example. And you could ask Copilot to create a chart for you that shows a particular type of information; all you have to do is give it that prompt, and it will create the chart for you. It figures out what data it needs to select and in what way to present it based on the prompt that you give it.
And it does this in a matter of seconds for somebody who, you know, kind of generally knows what it is that they want the outcome to look like, but doesn’t know the nitty-gritty of how do I properly select data in the table, and how do I choose what chart to convert it into. This will just do it for you. And that’s almost magical, right? Magical is a term that Apple uses a lot. But we’re getting to that point where this is really impressive technology.

Kirk McElhearn 8:23
If you want to understand more about this, I’m going to link to an article on Bill Gates’s website, “The Age of AI Has Begun.” He starts by saying, in my lifetime, I’ve seen two demonstrations of technology that struck me as revolutionary. The first was in 1980, when I was introduced to a graphical user interface. And he goes on to talk about that. The second surprise came last year. He had been meeting with people from OpenAI and he gave them a challenge to train an AI to pass an Advanced Placement biology exam. And he said he picked AP Bio because the test is more than a simple regurgitation of scientific facts; it asks you to think critically about biology. And when he met with them in September, GPT got 59 out of 60 questions right on the AP Bio exam. Then it wrote outstanding answers to six open-ended questions from the exam, he said, and they had an independent expert score the test, which would have been the equivalent of an A or an A plus. It’s a lot better than my example of ChatGPT confusing a kilogram of steel and a liter of water. But Gates goes on to explain why this is important, and a lot of the applications for AI, and I think this is a really good article to read to understand where we’re going in terms of AI. Other things where we’re going in terms of AI: there was an article on PetaPixel yesterday, a website for photographers; people were paying $17 for hundreds of AI-generated headshots. So you take a photo of a person, head and shoulders, you send it to them and you get hundreds of headshots with different lighting and different backgrounds and different colors, etc. And this is going to put a lot of photographers out of business. Another area where this is going to have a big effect is product photography. Why go to all the trouble of setting up a product in a set, when you could just take a picture of the product on a green screen, and then have AI build the set behind it? Now, you could do this with Photoshop for certain things.
But AI gives you an awful lot more flexibility. So we’re mostly talking about text AI, generative AI, ChatGPT. But we’re gonna see AI applications cascading through computer technology in the coming months. And this, of course, leads us to ask the question, what is Apple doing about all this? Apple’s generally tied to annual product release cycles. So if they do announce anything big with generative AI, it won’t be until June at the Worldwide Developers Conference. Now Apple is the company that waits till the dust settles before they come in. But they seem to be well behind, particularly OpenAI, which is a totally separate company. And Microsoft has a big stake in OpenAI. Google’s been working on this for years; maybe Apple has been doing some of this. While a whole bunch of Apple people were working so hard on building the spaceship headquarters, maybe three people were working on AI. And while the people were working on the mythical Apple car, maybe there were two other people working on AI. Maybe we’ll find out in June at the Worldwide Developers Conference.

Josh Long 11:16
Speaking of which, Google actually just announced and started sending out emails to people who have Gmail accounts to invite them to sign up to try Bard, which is their new AI thing. So Google’s got their thing. Apple’s got to do something, right? I mean, we already have Siri; Siri’s just stagnated for a long time. And so if Apple doesn’t announce something at WWDC related to AI, or at the very least, like, significant improvements in Siri’s ability to help with some things that you can ask Bing, for example, you know, Apple is going to look like it’s really behind the curve at this point. Remember that ChatGPT really became available to the public in November. So by the time June rolls around, Apple has had many, many months to improve upon whatever technologies they might be working on behind the scenes.

Kirk McElhearn 12:09
Okay, we’re going to take a break. When we come back, we’re going to talk about passkeys, the new technology that could potentially replace passwords.

Voice Over 12:17
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego, world-class protection and utility software for Mac users, made by the Mac security experts.

What is a passkey and how does it replace passwords?

Kirk McElhearn 13:34
So we want to talk about passkeys. Passkeys are the latest attempt to make authentication more secure, less vulnerable to hackers and easier for users. Those are three laudable ideas, aren’t they?

Josh Long 13:49
Yeah, remember last week we talked about how easy it is to phish somebody even with two-factor authentication. If somebody is able to set up a man in the middle, and now there are technologies that will automate this for you, then they can get your second-factor code, whether it’s texted to you or whether you’re using a time-based one-time password. Any of those things can be intercepted by a website that is in between the actual website and you. As long as there’s some in-between point that’s, like, passing the codes that you’re giving it to the actual website, then two-factor authentication very often can be bypassed or worked around by phishing websites now. So this is something that we’ve needed better technology for for a while, and maybe passkeys are that technology.

Kirk McElhearn 14:39
So I want to discuss how passkeys work, but first I want to talk about passwordless logins, because this is something that a number of companies offer. Microsoft has a passwordless authentication system. To use it, you have to download the Microsoft Authenticator app on a smartphone. I downloaded this recently because I bought an Xbox in June. Anyway, I don’t know if I mentioned that on the podcast. And every time I want to go into my account settings or I want to buy something, I’ve got to type my password. And I have a pretty strong password for my Microsoft account. So using this system, when I go to log into the account, it displays a two-digit number on the screen of my television that the Xbox is connected to. I open up the Microsoft Authenticator app and I get a dialog, and you’ll see a screenshot in the article on the Intego Mac Security Blog, where it shows three two-digit numbers and I tap the correct one. The phone communicates with Microsoft’s server to authenticate me on the Xbox. Now, this isn’t a passkey. But you don’t need your password and username to log in. It’s kind of a shortcut, because the principle here is that you’ve authenticated on the phone and the phone is a trusted device, the same way we’ve talked about Apple’s chain of trust from one device to another. The phone is a trusted device, and you’re proving that you are who you are. And therefore that trust is being passed on to the other device.

Josh Long 16:04
Right. And so this gives you three options. As you mentioned, there are only two digits. So that seems like it might be insecure. But the whole idea is if you get one of these prompts and you’re not expecting to, then that may mean that somebody is trying to log in as you on some other device. And you do have another option, which of course is Deny. So you can shut that down if it seems like, you know, something fishy is going on here, somebody might be trying to access my account.

Kirk McElhearn 16:28
Yeah. So passkeys are the next step. Now in one article I was looking at, they showed a chart with a continuum from simple passwords, passwords with two-factor authentication, passkeys, and hardware security keys. And they put them at equal distances. But in the article, they said the one with the passkey should be right behind the security keys; it should be very far from two-factor authentication, for the reason you mentioned when we started talking about this, that there can be man-in-the-middle attacks. Google defines a passkey as a digital credential tied to a user account and a website or application. And what I find interesting is when you log into a site or a service with a passkey, you’re not entering a username and a passkey. All of that is combined in the passkey. It’s just one mush of… it’s a cryptographic key. We don’t know how long they are, it’s probably hundreds of bits long, hundreds of characters, and it contains everything a website needs to know for you to access your account. Apple says that rather than having a typable word or string, unique cryptographic key pairs are generated for every account. Now here we get into public key cryptography, which requires a master’s degree in computer science to understand. Can you very briefly explain how this works, public key and private key?

Josh Long 17:43
Okay, well, the basic idea behind this is that you have a key pair, and for the key that you’re using to encrypt something for somebody else that they can decrypt, you need their public key. A public key is something that can be shared with other people. And they use the public key to encrypt something to send it to you, and only you, with the private key, can decrypt that thing.

Kirk McElhearn 18:08
So passkeys are really interesting in that we’re used to passwords and usernames, and we’re used to the fact that we can use the same password on multiple websites, which is a bad thing to do. We’re used to the fact that we use our passwords on all our devices. Passkeys are really useful because they’re not limited to a single device; they can be backed up, synced, transferred to new devices, and they’re end-to-end encrypted. When you set up a passkey on an Apple device, it goes into your iCloud Keychain. I want to discuss this later when I talk about setting up a passkey on eBay, because it didn’t always work correctly. Theoretically, you should be able to sync to all your devices. And as soon as you go to sign into a site or service with another device, it should work automatically. We have some problems with implementation of passkeys. Before the show, we were talking about chickens and eggs. And we’ve got the chicken, which is the passkey technology. But we don’t have the eggs, a lot of websites that are using passkeys. What really makes this interesting, though, is that Apple, Google and Microsoft have all signed up to the FIDO Alliance. This is a group that set the standards for hardware security keys that we’ve talked about in the past. If you sign into a website on your iPhone, you can then go to a Windows computer using a web browser and sign into the same website using the passkey stored on your iPhone. You’ll get a QR code that your phone scans, and it then uses a protocol called Client to Authenticator Protocol to communicate with the other device and transfer the authentication from your phone to the device you’re logging into. This is really good because, let’s say you use Macs and Android phones, you would have the problem of no iCloud Keychain being available on Android. But here this solves the problem, in that you can go from device to device and platform to platform.
I didn’t look into whether Linux supports this, but I would be surprised if it didn’t, because various forms of Unix are definitely going to have to support this.

Josh Long 20:01
This might sound a bit complicated. But I think once you’ve gone through this process once or twice, you’ll see how relatively easy it is, given that it’s easy to sign into a site using passkey technology. Now, like you said, we’re just waiting for the egg, right? We’re waiting for all these other websites to start supporting it. There are a handful of sites, and it’s a pretty small list at this point. You mentioned in your article that eBay is one of those sites. PayPal is another one of these sites, but only in the US, right. And that’s another thing, too. And there’s a handful of other sites; there’s not very many at this point. And that’s one thing that I think people might find a bit frustrating is, well, this sounds great, I want to adopt passkeys, but the website that you’re trying to authenticate to has to actually adopt passkeys technology and allow you to use that to sign into their site.

Kirk McElhearn 20:54
So in this article, I walked through setting up a passkey on eBay, because it’s important to see how this works on a Mac. And it’s the same on the iPhone and the iPad. When you go to eBay, you see a dialog: “Tired of passwords? Depending on your device, you can sign in with your fingerprint, face or PIN.” There is nothing that talks about passkeys there. So if you don’t know what’s going to happen, you might be a little unsure of it. Now, if you click Turn On, Safari displays a dialog and it says, do you want to save a passkey for your name; passkeys are saved in your iCloud Keychain and are available for signing in on all your devices. And from this point on, it’s the same process as when you’re using the iCloud Keychain with a saved password, or when using a password manager. It’s an autofill. When you go back to eBay afterwards, you see a sign-in dialog and you click it, and then Safari says, do you want to sign into eBay with your saved passkey. So the actual user experience is very similar to the current autofill password with a password manager or iCloud Keychain. And this is something I think will not hinder adoption; if anything, it’ll make people confident. It’s something they’re familiar with; they don’t have to jump through hoops.

Josh Long 22:03
Right. And the specific way that you authenticate then, at that point, once this passkey is saved in your iCloud account, is that on your Mac, you would use Touch ID if you’ve got Touch ID built into your Mac, or you would use Face ID or Touch ID, depending on which you have on your particular model of iPhone, to log into that site.

Kirk McElhearn 22:21
So I’ve included a screenshot of the Passwords tab of Safari settings to show you what a passkey looks like. Now, when you look at passwords in the password settings, you’ll be able to actually view a password, right? You can see the little bullets and then you can right-click, reveal. Here you don’t see anything; you just see the username, the website and the date it was created. So, created today. If you click on the Edit button, you still can’t see the passkey, because you wouldn’t understand it; it’s this long alphanumeric string of characters that makes no sense. Now, one problem I had with eBay is when I signed in on one device, and I went to sign in on another device, it didn’t offer to let me sign in with the passkey. And I think this is an early adoption thing, that any site that allows you to sign in with a passkey today is still going to keep your username and password as an alternate sign-in method. So as long as they’re not considering that your account can only sign in with a passkey, you may not see this. Now you can create another passkey on another device; it doesn’t matter, because it’s still doing that from your account. So in some ways, you can have six different passkeys on six different devices, but they still go to your account. And that’s interesting, because we’re used to thinking of passwords and username pairs as unique. Whereas here they can be different.

Josh Long 23:37
The idea behind this, I guess, is that if you are logging in from multiple devices, it makes it easier. Now that other device, if that’s a trusted device, you can have a passkey associated with that particular device. That way, you don’t have to pull out your iPhone, for example, every single time you want to log into a particular site with a passkey.

Kirk McElhearn 23:57
Right. So there are both advantages and disadvantages of passkeys. As I said earlier, the process is similar to what we’re doing with password managers, so there’s no hurdle there. You don’t have any more password requirements: minimum of eight characters, maximum of 14, using one capital letter, one digit and one special character. I don’t know how many times I’ve had 1Password-generated passwords that just weren’t accepted by websites. It’s too long, you don’t have a special character, you don’t have a digit, and all that. So this is good. You don’t have any kind of requirement. You don’t have to remember any passwords. Now, we’ll never be totally password-free unless they come up with really, really good biometrics. You still need to know the one for your Apple ID, your iCloud account; you’re still going to need to remember your Google and Microsoft passwords, the password you log into your computer with, your smartphone’s passcode. But you won’t need to know any other passwords. In fact, they just won’t exist, and that’s the conceptual thing that’s hard to understand. There is no more passcode; there are just these public keys and private keys that kind of work the same way, but don’t.

Josh Long 25:02
And they all work behind the scenes so that you don’t have to know about public and private keys, like you don’t have to have the knowledge in your head about how all that kind of stuff works. It just works. That’s the idea. And so we’re getting closer to that point, we’re not quite there yet. But some of the technology is in place that we can move in this direction. And now it’s just a matter of waiting for more websites to adopt this technology.

Kirk McElhearn 25:29
One of the best things about passkeys is that they will eliminate phishing. And there’s a very simple reason. When you go to a website, it’s going to say, login, right? You click a button. And if that website hasn’t identified itself with the certificate of that website, your passkey is going to say, I don’t know, this isn’t my website. So even if the website looks like Apple, or Microsoft, or Google or whatever, you simply cannot enter the data. You can’t go searching in your passwords and copy a passkey to enter in a website; there has to be this recognition via a certificate before that data can be sent.

Josh Long 26:05
Right. So that’s really the main advantage of this. As we mentioned, this is better than any existing two-factor authentication, because theoretically, at least, we don’t know of any way as of this point in time where somebody could circumvent this technology and trick you into logging into a phishing site, where you’re actually required to use passkeys. Now, again, like Kirk said, a lot of websites right now are still only giving passkeys as an option, because it’s a new technology. And they want to make sure that you don’t ever permanently get locked out of your account, so they are still giving you the backup way of using your username and password. And so as long as that still exists, I guess there is still the possibility of getting phished. But if we get to the point where everybody’s using passkeys across the board, and it’s just a standard that everybody has adopted, then we could actually get to the point where they disable username and password logins. Now passkeys are everywhere, and that significantly reduces the ability for a website to phish you.

Kirk McElhearn 27:10
Now, one of the problems: if you lose access to your passkeys, websites using passkeys don’t have a link, “I forgot my password,” because there’s no password anymore. So if you’ve lost access to, let’s say, you get locked out of your iCloud account or your Google or Windows account, and you don’t have them. And this is a real issue. Some password managers, like 1Password and Dashlane, have announced they’re going to support passkeys. I didn’t really see what Dashlane is doing. But 1Password has a video on their website where they’re saying, we really want to support this, this shouldn’t be in a silo, a platform silo, which is what it is. I would be more comfortable if I can have my passkeys in another app that doesn’t depend on a company that could lock me out of the account. And sometimes you can get locked out of your iCloud account because someone’s tried to get in, right? After three attempts, they might lock the account. And then you have no more access to any of your accounts because, well, there’s no “I forgot my password” link. The final thing that’s going to slow down the adoption of passkeys is that this poses a problem for businesses; we need to manage access for sites and services for employees. So when you’re an IT administrator in a company, you issue usernames and passwords to your employees, and you manage them, and you maybe change them regularly, and you verify the security. Well, since the passkeys are based on individuals’ devices, you have no control over them. Even if you’re controlling iPhones with an MDM app, you don’t control the passkeys. And it’s a lot more difficult to give specific rights to users and to revoke passkeys when you need to. I’ve read that a number of companies are trying to find solutions to this. I’m sure they’ll figure it out. I think we’re a few years away, but I think we’re going to start seeing more websites offering passkeys. If you want to try it out, most everyone probably has an eBay account.
You could sign up with that. If you’re in the US, try PayPal. Otherwise, you know, pay attention when you see a website that offers a passkey. Maybe you’ll try it out when you go to log in to certain websites in Safari; you may see a dialog from Safari that this website offers passkeys, do you want to try it out?

Josh Long 29:12
I think it’s definitely worth trying. It’s good to get started using this technology, because it’s very likely that more websites are going to start adopting this very soon, especially considering that all the major operating systems are now supporting passkeys. So give it a try and see if you like it, and if you don’t, well, get used to it, because it’s probably going to be the standard going forward.

Kirk McElhearn 29:32
Okay, that’s enough for this week. Until next week, Josh, stay secure.

Josh Long 29:35
All right, stay secure.

Voice Over 29:39
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.


If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.


Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.