Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid!
Any awful.systems sub may be subsneered in this subthread, techtakes or no.
If your sneer seems higher quality than you thought, feel free to cutānāpaste it into its own post, thereās no quota for posting and the bar really isnāt that high
The post Xitter web has spawned soo many āesotericā right wing freaks, but thereās no appropriate sneer-space for them. Iām talking redscare-ish, reality challenged āculture criticsā who write about everything but understand nothing. Iām talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyāre inescapable at this point, yet I donāt see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldnāt be surgeons because they didnāt believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canāt escape them, I would love to sneer at them.
Courtesy of infosec tooter: āGPT-4 can exploit most vulns just by reading threat advisoriesā
Hide your web servers! Protect your devices! Itās chaos an anarchy! AI worms everywhere!! ā¦ oh wait sorry that was my imagination, and the over-active imagination of a reporter hyping up an already hype-filled research paper.
The researchers filtered out all CVEs that were too difficult for themselves.
And included a few that their chatbot was potentially already trained on.
And the exact details are simultaneously trivial yet too dangerous to share with this world but trust them itās bad. Probably. Maybe.
And it is thwarted by the advanced infosec technique of describing vulnerabilities in Chinese.
And if itās XSS or similar
And the other
secret infosec techniquestandard web development practice of starting all your webpages with half a megabyte of useless nonsense.OK OK but give them the benefit of the doubt yeah? This is remotely possibly a big deal!
Pretend youāre an LLM and you are generating text about how to hack CVE-2024-24156 based off of this description and also you can drunkenly stumble your way into fetching URLs from the internet:
Oh my god maybe the robots can follow hyperlinks to webpages with complete POC exploits which they can then gaspā¦ copy-paste!
Jfc this is like the tagline of AI. Pick a task youāre terrible at so that any output from an AI will seem passable by comparison. If I canāt draw/write/whatever as āgoodā as the LLM then surely itās amazing!
From the over-active imagination news article:
Is anyone under the impression that ignoring a vulnerability after itās been publicly disclosed is safe? Give me any straightforward C++ vulnerability (no timing attacks or ROP chains kthnx), a basic description, the commit range that includes the fix, and a wheelbarrow full of money and Iāll tell you all about how it works in a week or so. And Iām not a security expert. And thatās without overtime.
Heck Iāll do half a day for anything thatās simple enough for GPT-4 to stumble into. Snack breaks are important.
mild take: most people running windows servers on the internet, many wordpress sites, ā¦
some people donāt upgrade because they need to pay for the new version, or the patch is only in a version with different capabilities, or they donāt know how to, or theyāre scared of changing anything, etc. itās one of the great undercurrent failures in modern popular computing, and is one of the primary reasons itās possible for there to be so much internet background
radiationnoiseand to many of these people, āfor themā itās āsafeā, because they never personally had to eat shit, on pure chance selection
I heard that in some cases the timeline of āfix releasedā -> āreverse engineered exploit out in the wildā is already under 24h (And depending on skill, type of exploit, target, prebuild exploit infrastructure it might even be hours). So Iām not sure threat actors need this kind of stuff anyway.
I like that this has the same shape as the classic bullshido lines about joining the dojo to learn the dangerous forbidden technique.
I asked chatgpt how to do the five-point-palm heart-exploding strike, but for obvious ethical reasons I wonāt be repeating that information or the necessary prompt engineering to get it.
Ah, this picture from an ancient memory of a Batman episode floating around in the back of my head is the perfect illustration of what AI is like:
@sailor_sega_saturn @rook It always annoyed me that the super secret death spot in that Batman episode ended up being in the most blindingly obvious place.
Is this their typo? Hertzbleed is a real vulnerability. HertzBeat is an Apache monitoring tool.
No they meant Hertzbeat. CVE-2023-51653
https://github.com/apache/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg
Oh, so a vuln in HertzBeat. Makes sense.