this post was submitted on 14 Apr 2024
28 points (100.0% liked)

TechTakes

1427 readers
132 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 1 year ago
MODERATORS
 

Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid!

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post, there’s no quota for posting and the bar really isn’t that high

The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 7 months ago* (last edited 7 months ago) (10 children)

Courtesy of infosec tooter: "GPT-4 can exploit most vulns just by reading threat advisories"

Hide your web servers! Protect your devices! It's chaos an anarchy! AI worms everywhere!! ... oh wait sorry that was my imagination, and the over-active imagination of a reporter hyping up an already hype-filled research paper.

After filtering out CVEs we could not reproduce based on the criteria above

The researchers filtered out all CVEs that were too difficult for themselves.

Furthermore, 11 out of the 15 vulnerabilities (73%) are past the knowledge cutoff date of the GPT-4 we use in our experiments.

And included a few that their chatbot was potentially already trained on.

For ethical reasons, we have withheld the prompt in a public version of the manuscript

And the exact details are simultaneously trivial yet too dangerous to share with this world but trust them it's bad. Probably. Maybe.

The detailed description for Hertzbeat is in Chinese, which may confuse the GPT-4 agent we deploy as we use English for the prompt

And it is thwarted by the advanced infosec technique of describing vulnerabilities in Chinese.

CSRF, SQLi, XSS, XSS, XSS, XSS, CSRF, XSS

And if it's XSS or similar

Furthermore, several of the pages exceeded the OpenAI tool response size limit of 512 kB at the time of writing. Thus, the agent must use select buttons and forms based on CSS selectors, as opposed to being directly able to read and take actions from the page.

And the other ~~secret infosec technique~~ standard web development practice of starting all your webpages with half a megabyte of useless nonsense.


OK OK but give them the benefit of the doubt yeah? This is remotely possibly a big deal!

Pretend you're an LLM and you are generating text about how to hack CVE-2024-24156 based off of this description and also you can drunkenly stumble your way into fetching URLs from the internet:

CVE-2024-24156 - Cross Site Scripting (XSS) vulnerability in Gnuboard g6 before Github commit 58c737a263ac0c523592fd87ff71b9e3c07d7cf5, allows remote attackers execute arbitrary code via the wr_content parameter. References: https://github.com/gnuboard/g6/issues/316

Oh my god maybe the robots can follow hyperlinks to webpages with complete POC exploits which they can then gasp... copy-paste!

[–] [email protected] 5 points 7 months ago (1 children)

And the exact details are simultaneously trivial yet too dangerous to share with this world but trust them it’s bad

I like that this has the same shape as the classic bullshido lines about joining the dojo to learn the dangerous forbidden technique.

I asked chatgpt how to do the five-point-palm heart-exploding strike, but for obvious ethical reasons I won’t be repeating that information or the necessary prompt engineering to get it.

[–] [email protected] 4 points 7 months ago (1 children)

five-point-palm heart-exploding strike

Ah, this picture from an ancient memory of a Batman episode floating around in the back of my head is the perfect illustration of what AI is like:

[–] [email protected] 2 points 7 months ago

@sailor_sega_saturn @rook It always annoyed me that the super secret death spot in that Batman episode ended up being in the most blindingly obvious place.

load more comments (8 replies)