Re: Well...
"This is equivalent to saying "It doesn't matter that your password is long, I can just keep trying and trying until I find a pattern that fools you!"
Technically correct, but we all know why that won't actually work."
No we don't. Mainly because it absolutely does work. That's exactly what is meant when we say, for example, that MD5 is broken because of the possibility of collision attacks. It's literally the exact same thing - an attacker tries lots of different inputs until they find one that happens to give the desired output. The only real difference is that with cryptographic functions that's a big problem that we try to avoid, while with machine learning systems it's a design feature; the whole point of image recognition is to feed in lots of different pictures and get a limited set of outputs - dog, cat, car, etc. - so attacking it is just a matter of making small changes until the output switches from one to another.
Basically, both systems simply convert an input to an output. Cryptographic functions would ideally be one-to-one, but in practice are always many-to-one and therefore at least theoretically attackable; they simply rely on making such attacks unfeasible given the current level of technology. Machine learning systems are many-to-one by design, and are therefore inherently vulnerable.
Biting the hand that feeds IT
