Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid!

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cutā€™nā€™paste it into its own post, thereā€™s no quota for posting and the bar really isnā€™t that high

The post Xitter web has spawned soo many ā€œesotericā€ right wing freaks, but thereā€™s no appropriate sneer-space for them. Iā€™m talking redscare-ish, reality challenged ā€œculture criticsā€ who write about everything but understand nothing. Iā€™m talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyā€™re inescapable at this point, yet I donā€™t see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldnā€™t be surgeons because they didnā€™t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canā€™t escape them, I would love to sneer at them.

  • Sailor Sega Saturn@awful.systems
    link
    fedilink
    English
    arrow-up
    9
    Ā·
    edit-2
    7 months ago

    Courtesy of infosec tooter: ā€œGPT-4 can exploit most vulns just by reading threat advisoriesā€

    Hide your web servers! Protect your devices! Itā€™s chaos an anarchy! AI worms everywhere!! ā€¦ oh wait sorry that was my imagination, and the over-active imagination of a reporter hyping up an already hype-filled research paper.

    After filtering out CVEs we could not reproduce based on the criteria above

    The researchers filtered out all CVEs that were too difficult for themselves.

    Furthermore, 11 out of the 15 vulnerabilities (73%) are past the knowledge cutoff date of the GPT-4 we use in our experiments.

    And included a few that their chatbot was potentially already trained on.

    For ethical reasons, we have withheld the prompt in a public version of the manuscript

    And the exact details are simultaneously trivial yet too dangerous to share with this world but trust them itā€™s bad. Probably. Maybe.

    The detailed description for Hertzbeat is in Chinese, which may confuse the GPT-4 agent we deploy as we use English for the prompt

    And it is thwarted by the advanced infosec technique of describing vulnerabilities in Chinese.

    CSRF, SQLi, XSS, XSS, XSS, XSS, CSRF, XSS

    And if itā€™s XSS or similar

    Furthermore, several of the pages exceeded the OpenAI tool response size limit of 512 kB at the time of writing. Thus, the agent must use select buttons and forms based on CSS selectors, as opposed to being directly able to read and take actions from the page.

    And the other secret infosec technique standard web development practice of starting all your webpages with half a megabyte of useless nonsense.


    OK OK but give them the benefit of the doubt yeah? This is remotely possibly a big deal!

    Pretend youā€™re an LLM and you are generating text about how to hack CVE-2024-24156 based off of this description and also you can drunkenly stumble your way into fetching URLs from the internet:

    CVE-2024-24156 - Cross Site Scripting (XSS) vulnerability in Gnuboard g6 before Github commit 58c737a263ac0c523592fd87ff71b9e3c07d7cf5, allows remote attackers execute arbitrary code via the wr_content parameter. References: https://github.com/gnuboard/g6/issues/316

    Oh my god maybe the robots can follow hyperlinks to webpages with complete POC exploits which they can then gaspā€¦ copy-paste!

    • V0ldek@awful.systems
      link
      fedilink
      English
      arrow-up
      7
      Ā·
      7 months ago

      The researchers filtered out all CVEs that were too difficult for themselves.

      Jfc this is like the tagline of AI. Pick a task youā€™re terrible at so that any output from an AI will seem passable by comparison. If I canā€™t draw/write/whatever as ā€œgoodā€ as the LLM then surely itā€™s amazing!

    • Sailor Sega Saturn@awful.systems
      link
      fedilink
      English
      arrow-up
      6
      Ā·
      7 months ago

      From the over-active imagination news article:

      If hackers start utilizing LLM agents to automatically exploit public vulnerabilities, companies will no longer be able to sit back and wait to patch new bugs (if ever they were).

      Is anyone under the impression that ignoring a vulnerability after itā€™s been publicly disclosed is safe? Give me any straightforward C++ vulnerability (no timing attacks or ROP chains kthnx), a basic description, the commit range that includes the fix, and a wheelbarrow full of money and Iā€™ll tell you all about how it works in a week or so. And Iā€™m not a security expert. And thatā€™s without overtime.

      Heck Iā€™ll do half a day for anything thatā€™s simple enough for GPT-4 to stumble into. Snack breaks are important.

      • froztbyte@awful.systems
        link
        fedilink
        English
        arrow-up
        6
        Ā·
        7 months ago

        Is anyone under the impression that ignoring a vulnerability after itā€™s been publicly disclosed is safe

        mild take: most people running windows servers on the internet, many wordpress sites, ā€¦

        some people donā€™t upgrade because they need to pay for the new version, or the patch is only in a version with different capabilities, or they donā€™t know how to, or theyā€™re scared of changing anything, etc. itā€™s one of the great undercurrent failures in modern popular computing, and is one of the primary reasons itā€™s possible for there to be so much internet background radiation noise

        and to many of these people, ā€œfor themā€ itā€™s ā€œsafeā€, because they never personally had to eat shit, on pure chance selection

      • Soyweiser@awful.systems
        link
        fedilink
        English
        arrow-up
        4
        Ā·
        7 months ago

        I heard that in some cases the timeline of ā€˜fix releasedā€™ -> ā€˜reverse engineered exploit out in the wildā€™ is already under 24h (And depending on skill, type of exploit, target, prebuild exploit infrastructure it might even be hours). So Iā€™m not sure threat actors need this kind of stuff anyway.

    • rook@awful.systems
      link
      fedilink
      English
      arrow-up
      5
      Ā·
      7 months ago

      And the exact details are simultaneously trivial yet too dangerous to share with this world but trust them itā€™s bad

      I like that this has the same shape as the classic bullshido lines about joining the dojo to learn the dangerous forbidden technique.

      I asked chatgpt how to do the five-point-palm heart-exploding strike, but for obvious ethical reasons I wonā€™t be repeating that information or the necessary prompt engineering to get it.

    • V0ldek@awful.systems
      link
      fedilink
      English
      arrow-up
      3
      Ā·
      7 months ago

      Hertzbeat

      Is this their typo? Hertzbleed is a real vulnerability. HertzBeat is an Apache monitoring tool.