[tompccs]

I said this over a year ago elsewhere:

Electronic engineers spent decades overcoming thermal noise floors so that humans could communicate over vast distances with small amounts of energy.

AI researchers, in a few short years, undid all that by making computer-generated chatter and images indistinguishable from messages sent by humans.

Until such a time as we live in a Bladerunner-like world of Replicants, being in-person will be the only reliable way to convey a message from human to human.

I'm long on travel and in-person meetings, short on VR and telecoms.

[masto]

When I'm on a company video call, the people I'm meeting with are logged into their company accounts, through the fancy company authentication system. Large warnings are displayed if there are any external participants, and I wouldn't be surprised if it's possible to disable the ability to even have guests. Third-party video conference software is banned and blocked from installation on work computers.

I am not in the finance department, but in software engineering and operations, two-party controls are everywhere. I can't check in code without reviews. I can't access production systems or make changes without approval from another team member. I would think that similar processes could be put into place for transferring tens of millions of dollars.

In other words, there are ways to deal with this that don't come down to "mistrust all technology and revert to face-to-face meetings and handing cash to each other".

[michaelt]

If I was the attacker, I'd use credential-stuffing or something to get access to some random employee's account. Doesn't have to be anyone important.

Then I'd set up a short-notice multi-way meeting between the target, the CEO and the hacked account. The deepfake 'CEO' then turns up with no alarms raised, except one wrong name - easily dismissed as a glitch, or an assistant having booked the meeting.

[echoangle]

So your method assumes you can easily take over an employee account? Isn't that the hard part?

[macintux]

Employees are typically the weak point in corporate security.

[david_allison]

$10k/week in crypto lets you easily 'hack' a random corporate account

[r00fus]

But that CEO account would be marked as (guest/unverified) in Teams or Zoom.

[bongodongobob]

Almost everywhere I've worked disallows external participants on Teams by default. We add exceptions when needed. I don't know if this is standard, but has been at the larger companies I've worked at.

[onion2k]

I imagine the people at Arup who fell for the scam were confident in their systems protecting them too.

[changoplatanero]

Isn't it also possible to scam people in in person meetings by pretending to be someone you aren't? The new thing with deepfakes is that you can pretend to be someone that the victim knows.

[tompccs]

Yes but the cost is much higher as is the risk of being caught and arrested.

[another-dave]

When you say in-person in that sense, do you mean video call rather than DM?

I took the GP comment to mean truly in-person, like face-to-face across a table

[tgv]

Yes, you can also bludgeon someone to death with a rock, but that doesn't mean it's a good idea for everyone to have nukes.

[cageface]

Scaling up in-person fraud is also much, much harder.

[dmos62]

What you said only applies to communication that requires authenticating a party. Most cases that doesn't matter. Voice or video communication used to be inherently unfakeable, now that it is fakeable, we'll just treat it like text comms, relying on secure channels, signing etc.

[spacebanana7]

Human written text has been indistinguishable from machine written text for a very long time. We've still managed to maintain chains of trust to discern legitimate messages with decent success rates.

[mulmen]

Or we’re really bad at detecting fraud.

[persnickety]

> making computer-generated chatter and images indistinguishable from messages sent by humans.

That's a false dichotomy. "computer-generated chatter and images" ARE messages sent by humans. There are no cases of computers having agency known to me yet. The root of the problem is humans who lie and mislead. Now they merely have more avenues to do so. In the same vein, you could blame the electronic engineers for allowing people to lie quickly and over vast distances.

[jessetemp]

Not that it changes your point much, but AI research also took decades. It’s just that the last few years are when all these milestones were achieved

[mrkramer]

Guess what? Cryptography exists.

[noAnswer]

Cryptographically sign all the things!!!!! A L L T H E T H I N G S !!!!

[blitzo]

We need new ident protocol just for AI. I think that's part of Altman doing that orb thingy with iris scanner. It's creepy though and I'll never touch that things.

[malermeister]

What's wrong with good ol' private keys?

[Muromec]

Same as with public transport. You can’t have because it’s haram for some political position

[pjc50]

Nobody is anti-public-key crypto per se any more, the US government export control war ended long ago. It's just too much of a hassle to do the key management.

[pjc50]

PKI is a pretty old idea. People were trying to deploy it in the 90s. It turns out that managing the issuing and authentication of keys, as well as keeping them secure and if necessary revoking them, is such a huge headache that few organizations have managed to do it properly. It might be possible to do better now with TPMs in laptops and phones; essentially this is why Apple Pay is now slightly more trusted than plastic cards.

[ben_w]

The ability to make an infinite number of them.

And that most people have no idea how to verify any ID, so they need a system that turns any given form of ID into a nice and simple "yes" or "no".

I'm not at all clear what kind of ID is going to be genuinely useful for video calls, given we should only be trusting existing contacts anyway? But those things are why "private key" isn't sufficient in isolation.

[malermeister]

What's wrong with making an infinite number? You just need to check it against one public key.

[ben_w]

https://en.wikipedia.org/wiki/Sybil_attack

[mewpmewp2]

Why couldn't a mobile app that everyone uses work for this. The person who wants to verify who they are uses the app, does digital signing and the other person gets notificatiom and the certification.

[ben_w]

Sure, but that's basically the exact same value-add of Worldcoin, along with a bajillion other similar apps.

[sgt101]

Just use a trusted channel?

I mean - we have authentication for bank accounts, why wouldn't that be demanded for transactions like this? Without proper authentication of the authorities there's no way that a transaction like this should be put through.

[ta93754829]

we're probably ~10 years away from replicants. in 20years there's going to be millions of tesla humanoid robots all over the place

[thedrbrian]

We’ve had millions of robotaxis since 2017

[sambazi]

do you have actual numbers? thought it was a couple thousand

[tsimionescu]

The whole point of Replicants is that they look exactly like humans in person. Even if we assume AI and robotics advance 100 times or more in the next 10 years to allow the technical part of this, we are not even close to any makeup and prosthetics tech that could make a robot even slightly resemble a human in-person.

And I have to mention, Tesla robots are way behind the competition, it's not even clear if their robot does anything really on its own, given how much they fake their videos of it with "creative" editing.

[csomar]

If only, you know, had a simple and efficient way to authenticate messages and emails...

[pjc50]

The tech has existed for decades but is clearly not simple.

[imgabe]

I know it's a meme and all, but doesn't blockchain solve this? Ok, Mr. Guy who looks like my boss on Video Call, I can send those funds, just sign the transaction with your private key and it'll all be done.

[mewpmewp2]

Why do you need blockchain for signing with private key.

[pjc50]

Blockchain does not authenticate the receiver, so there are all sorts of attacks involving substituting the payment address, from dumb (stickers over QR codes) to sophisticated.

[imgabe]

That’s a completely different thing though. The problem here is deepfakes where someone pretending to have the authority to send money tells you to send money.

[hacker_88]

That's just regular Crypto stuff not Cryptocurrency