Steve provides research, analysis, insight and commentary on topical issues and events.
He lives in New Zealand and has been working at FastTrack Software for 10 years as a cyber security analyst and technical writer.
How do we use ChatGPT?
ChatGPT is an artificial intelligence chatbot, created and developed by OpenAI, a research lab dedicated to artificial intelligence. The AI system is designed and trained to simulate conversational, human responses to prompts and questions.
After its launch in November 2022, ChatGPT quickly became a viral phenomenon, with people impressed by the way it models human responses, and the detailed, easy-to-understand answers it is capable of giving. Put simply, it behaves like a language machine, trained to mimic writing. When prompted, it uses its knowledge to generate a response similar to one a real person might give.
These types of responses are possible because ChatGPT is trained on a huge database of websites, books, articles and many other texts, which help it to understand the patterns of natural, more human-sounding language.
This blog explains how we use ChatGPT to provide an extra resource for administrators tasked with approving or denying privilege elevation requests.
The Admin By Request Use Case
Admin By Request (ABR) uses ChatGPT in one, very specific way: when a user requests privilege elevation via Run As Admin (i.e. to execute a single command or program), ABR provides a link in the request that enables administrators to get more information about the command or program.
This capability is available only to administrators tasked with approving or denying requests and it is available only from a Run As Admin request; it is not available from an Admin Session request.
For example, the user Win Standard in the following graphic has requested elevation via Run As Admin to install Webex from Cisco:
Before approving or denying, an administrator can click the AI Assistance button to find out more about the command or program concerned – in this case webex.exe.
The response from ChatGPT is reasonably detailed – continuing with the Webex example, clicking the AI Assistance button produces the following response in the portal:
Administrators can click Propose a different answer to get another response (this is ChatGPT’s “Regenerate” capability).
NOTE: The information included in a ChatGPT response will almost certainly change over time.
The next section address frequently asked questions about our use of ChatGPT.
Is it safe to use ChatGPT in the Admin By Request portal?
Yes, it is just as safe as making a Google search. Questions sent to ChatGPT are not used for answers.
How does ChatGPT get its data?
ChatGPT gets its data the same way Google does: web scraping. We do not provide a private data set to ChatGPT. You will see the same type of answer as you would get on OpenAI.
Does Admin By Request send data to ChatGPT?
No. ChatGPT gets its data from public web scraping. We send a question and get a reply back as you would get on OpenAI.
How specifically does Admin By Request use ChatGPT?
We use a paid service at OpenAI. If you use the AI Assistance link on the application Adobe Reader XI, essentially it would be the same as if you:
- Go to https://openai.com/chatgpt and login.
- Type in “Please provide in 300 words a description of the application Adobe Reader XI by vendor Adobe Inc.”
Can OpenAI “see” that it’s me pressing the AI button?
No. It’s a server-to-server call. OpenAI will always see only the same four (4) source IP addresses, which are ours.
Can I disable ChatGPT in the portal?
Yes, please contact your Account Executive.
More on OpenAI and ChatGPT
OpenAI is an AI research and deployment company. The company website states that its mission is:
“To ensure that artificial general intelligence benefits all of humanity.”
The company has a plan and a charter and appears to be making significant effort to build awareness of the safety and security of its products. OpenAI complies with GDPR and CCPA and its API has been evaluated by a third-party security auditor and is SOC 2 Type 2 compliant.
OpenAI’s work covers a wide range of fields, from natural language processing to robotics to computer vision. The company has developed a number of breakthrough technologies, including GPT-3 (a language model capable of generating human-like text), DALL-E (an AI system capable of creating original images from textual descriptions), and MuZero (an AI system capable of learning how to play complex games without any prior knowledge).
OpenAI Trust Portal (see trust.openai.com)
OpenAI provides a Trust Portal, where customers can sign in and download policy, security, risk profile and other documents related to its safety and compliance measures:
ChatGPT is based on GPT-3.5 and ChatGPT Plus is based on on GPT-4. The GPT series is OpenAI’s proprietary series of foundational GPT models, optimized for conversational applications using a combination of supervised and reinforcement learning techniques.
ChatGPT was initially released as a freely available research tool, but, due to its popularity, OpenAI now operates the service on a “freemium” model, allowing users on its free tier to access the GPT-3.5 based version, while the more advanced GPT-4 based version, as well as priority access to newer features, are provided to paid subscribers of the ChatGPT Plus application (ChatGPT Plus is a commercial name).
- Mimic human conversation
- Write and debug computer programs
- Compose music, and write lyrics, poetry, and stories
- Answer test questions
- Generate business ideas
- Translate and summarize text
Numerous other features have also been achieved, such as emulating a Linux system, simulating entire chat rooms, playing games like tic-tac-toe, and simulating an ATM.
- Uses the Internet as one of its main tools for deriving answers – the Internet is riddled with questionable material
- Can sometimes generate answers that sound plausible, but are incorrect or nonsensical
- Has limited knowledge of events that have occurred after September 2021
- Tends to generate longer answers, regardless of actual comprehension or factual content
Although ChatGPT is supposed to reject prompts that violate its content policy, some analysts have managed to trick it into providing “forbidden” responses. For example, shortly after its launch, ChatGPT was successfully tricked into justifying the 2022 Russian invasion of Ukraine.
Taking all of this into consideration, Admin By Request has decided that the benefits outweigh the risks and so we have included it as a feature that administrators can make use of if they choose to.
Using the Portal Auditlog
You can also access Admin By Request’s ChatGPT capability from the Auditlog. Simply expand the endpoint device for which Run As Admin has been requested and click Ask ChatGPT what this is under the Actions heading:
This works regardless of the state of the Run As Admin request. In the above example, the request is actually Finished, but it could also be in a Waiting state, indicating the user has not yet initiated execution.
Terms and Definitions
|A defined period of time during which a user’s privileges are elevated to administrator level. Any user given full session elevation gets full local admin rights on their system. Everything done during an admin session is audited. Also known as Session Elevation.
|Application Programming Interface A way for different systems to interact with each other, with or without human involvement. Admin By Request provides an API for requests, inventory, events, and PIN Code actions.
|California Consumer Privacy Act Legislation in the USA that provides protection for people from organizations that collect data. about customers and users. The bill is intended to enhance privacy rights and consumer protection for residents of the state of California, but it is increasingly used as a compliance benchmark in other states of America.
|A software application that aims to mimic human conversation through text or voice interactions, typically online.
|Chat Generative Pre-Trained Transformer An artificial intelligence chatbot, designed and trained to simulate conversational, human responses to prompts and questions. A web interface is freely available to the general public.
|A premium service subscription to ChatGPT, based on a more advanced language model (GPT-4) and offering third-party plugins.
|A deep learning model developed by OpenAI to generate digital images from natural language descriptions, called “prompts”.
|General Data Protection Regulation Compliance legislation in the EU that provides protection for people from organizations that collect data. about customers and users. Its primary aim is to enhance individuals’ control and rights over their personal data.
|Generative Pre-trained Transformer 3 A large language model that can be used to underpin applications like ChatGPT. In September 2020, Microsoft announced that it had “exclusively” licensed GPT-3, meaning only Microsoft has access to GPT-3’s underlying model (ChatGPT is based on GPT-3.5).
|Generative Pre-trained Transformer 4 A multimodal large language model released in March 2023 and made publicly available in ChatGPT Plus. Unlike previous versions of the GPT-n series, GPT-4 can take images as well as text for prompt input.
|A computer program developed by artificial intelligence research company DeepMind to master games without knowing their rules.
|An American artificial intelligence research laboratory comprising the non-profit OpenAI and its for-profit subsidiary corporation OpenAI Limited Partnership.
|Run As Admin
|The ability to run a single command or program with administrator privileges. When a user requests Run As Admin for a file, only that file receives elevated privileges – no other commands or programs are elevated. All activity pertaining to the elevated file is audited.
|System and Organization Controls 2 A compliance tool, SOC is defined by the American Institute of Certified Public Accountants (AICPA) as a suite of reports produced during an audit. SOC 2 is a data protection framework that applies to all technology service or SaaS companies that store customer data in the cloud. SOC 2 protections apply to those customers who have purchased cloud services.
|System and Organization Controls 3 Used by organizations that require SOC 2 compliance and wish to apply it to the general public and not just customers who have paid for cloud services.