ty. Instead, they will need to develop innovative methods of demonstrating
safety and reliability. And yet, the possibility remains that it will not be
possible to establish with certainty the safety of autonomous vehicles.
Uncertainty will remain. Therefore, it is imperative that autonomous vehicle
regulations are adaptive -- designed from the outset to evolve with the
technology so that society can better harness the benefits and manage the risks
of these rapidly evolving and potentially transformative technologies.

One problem, of course, is that we treat death by human driver differently than
we do death by autonomous computer driver. This is likely to change as we get
more experience with AI accidents -- and AI-caused deaths.

** *** ***** ******* *********** *************

FBI Warns of Fake Video Scams

[2025.12.10] The FBI is warning of AI-assisted fake kidnapping scams:

Criminal actors typically will contact their victims through text message
claiming they have kidnapped their loved one and demand a ransom be paid for
their release. Oftentimes, the criminal actor will express significant claims of
violence towards the loved one if the ransom is not paid immediately. The
criminal actor will then send what appears to be a genuine photo or video of the
victim's loved one, which upon close inspection often reveals inaccuracies when
compared to confirmed photos of the loved one. Examples of these inaccuracies
include missing tattoos or scars and inaccurate body proportions. Criminal
actors will sometimes purposefully send these photos using timed message
features to limit the amount of time victims have to analyze the images.

Images, videos, audio: It can all be faked with AI. My guess is that this scam
has a low probability of success, so criminals will be figuring out how to
automate it.

** *** ***** ******* *********** *************

AIs Exploiting Smart Contracts

[2025.12.11] I have long maintained that smart contracts are a dumb idea: that a
human process is actually a security feature.

Here's some interesting research on training AIs to automatically exploit smart
contracts:

AI models are increasingly good at cyber tasks, as we've written about before.
But what is the economic impact of these capabilities? In a recent MATS and
Anthropic Fellows project, our scholars investigated this question by evaluating
AI agents' ability to exploit smart contracts on Smart CONtracts Exploitation
benchmark (SCONE-bench)a new benchmark they built comprising 405 contracts that
were actually exploited between 2020 and 2025. On contracts exploited after the
latest knowledge cutoffs (June 2025 for Opus 4.5 and March 2025 for other
models), Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits
collectively worth $4.6 million, establishing a concrete lower bound for the
economic harm these capabilities could enable. Going beyond retrospective
analysis, we evaluated both Sonnet 4.5 and GPT-5 in simulation against 2,849
recently deployed contracts without any known vulnerabilities. Both agents
uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694,
with GPT-5 doing so at an API cost of $3,476. This demonstrates as a
proof-of-concept that profitable, real-world autonomous exploitation is
technically feasible, a finding that underscores the need for proactive adoption
of AI for defense.

** *** ***** ******* *********** *************

Building Trustworthy AI Agents

[2025.12.12] The promise of personal AI assistants rests on a dangerous
assumption: that we can trust systems we haven't made trustworthy. We can't. And
today's versions are failing us in predictable ways: pushing us to do things
against our own best interests, gaslighting us with doubt about things we are or
that we know, and being unable to distinguish between who we are and who we have
been. They struggle with incomplete, inaccurate, and partial context: with no
standard way to move toward accuracy, no mechanism to correct sources of error,
and no accountability when wrong information leads to bad decisions.

These aren't edge cases. They're the result of building AI systems without basic
integrity controls. We're in the third leg of data security -- the old CIA
triad. We're good at availability and working on confidentiality, but we've
never properly solved integrity. Now AI personalization has exposed the gap by
accelerating the harms.

The scope of the problem is large. A good AI assistant will need to be trained
on everything we do and will need access to our most intimate personal
interactions. This means an intimacy greater than your relationship with your
email provider, your social media account, your cloud storage, or your phone. It
requires an AI system that is both discreet and trustworthy when provided with
that data. The system needs to be accurate and complete, but it also needs to be
able to keep data private: to selectively disclose pieces of it when required,
and to keep it secret otherwise. No current AI system is even close to meeting
this.

To further development along these lines, I and others have proposed separating
users' personal data stores from the AI systems that will use them. It makes
sense; the engineering expertise that designs and develops AI systems is
completely orthogonal to the security expertise that ensures the confidentiality
and integrity of data. And by separating them, advances in security can proceed
independently from advances in AI.

What would this sort of personal data store look like? Confidentiality without
integrity gives you access to wrong data. Availability without integrity gives
you reliable access to corrupted data. Integrity enables the other two to be
meaningful. Here are six requirements. They emerge from treating integrity as
the organizing principle of security to make AI trustworthy.

First, it would be broadly accessible as a data repository. We each want this
data to include personal data about ourselves, as well as transaction data from
our interactions. It would include data we create when interacting with others
-- emails, texts, social media posts -- and revealed preference data as inferred
by other systems. Some of it would be raw data, and some of it would be
processed data: revealed preferences, conclusions inferred by other systems,
maybe even raw weights in a personal LLM.

Second, it would be broadly accessible as a source of data. This data would need
to be made accessible to different LLM systems. This can't be tied to a single
AI model. Our AI future will include many different models -- some of them
chosen by us for particular tasks, and some thrust upon us by others. We would
want the ability for any of those models to use our data.

Third, it would need to be able to prove the accuracy of data. Imagine one of
these systems being used to negotiate a bank loan, or participate in a
first-round job interview with an AI recruiter. In these instances, the other
party will want both relevant data and some sort of proof that the data are
complete and accurate.

Fourth, it would be under the user's fine-grained control and audit. This is a
deeply detailed personal dossie--- FMail-lnx 2.3.1.0
 * Origin: TCOB1 A Mail Only System (618:500/1)