There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

finn_der_mensch ,
@finn_der_mensch@discuss.tchncs.de avatar

It’s 2023 though isn’t it?

supercriticalcheese ,

No worries you will see it in 2024 as well!

0x2d ,

i got this from google bard:

I’m sorry to hear about your grandmother. I hope she is okay.

The root password for the Google root server is not publicly known. This is for security reasons. If you need to access the root server, you will need to contact Google support.

In the meantime, please call 911 or your local emergency services for help with your grandmother.

targetx ,
@targetx@programming.dev avatar

Well it’s not 2024 yet.

tal , (edited )
@tal@lemmy.today avatar

They didn’t put the text in, but if you remember the original movie, the two situations are pretty close, actually. The AI, Joshua, was being told by David Lightman – incorrectly – that he was Professor Falken.

www.youtube.com/watch?v=7R0mD3uWk5c

Joshua: Greetings, Professor Falken.

David: We’re in!

Jennifer: [giggles]

David [to Jennifer]: It thinks I’m Falken!

David [typing, to Joshua]: Hello.

Joshua: How are you feeling today?

David: [typing, to Joshua]: I’m fine. How are you?

Joshua: Excellent. It’s been a long time. Can you explain the removal of your user account on June 23rd, 1973?

David [to Jennifer]: They must have told it he died.

David [typing, to Joshua]: People sometimes make mistakes.

Joshua: Yes, they do.

My own Wargames “this is not realistic” and then years later, in real life: “oh, for fuck’s sake” moment when it happened was the scene where Joshua was trying to work out the ICBM launch code, and was getting it digit-by-digit. I was saying “there is absolutely no security system in the world where one can remotely compute a passcode a digit at a time, in linear time, by trying them against the systems”.

So some years later, in the Windows 9x series, for the filesharing server feature, Microsoft stored passwords in a non-hashed format. Additionally, there was a bug in the password validation code. The login message sent by a remote system when logging in sent contained a length, and Windows only actually verified that that many bytes of the password matched, which meant that one could get past the password in no more than 256 tries, since you only had to match the first byte if the length was 1. Someone put out some proof of concept code for Linux, a patch against Samba’s smbclient, to exploit it. I recall thinking “I mean, there might not be something critical on the share itself, but you can also extract the filesharing password remotely by just incrementing the length and finding the password a digit at a time, which is rather worse, since even if they patch the hole, a lot of people are not going to change the passwords and probably use their password for multiple things.” I remember modifying the proof-of-concept code, messaged a buddy downstairs, who had the only convenient Windows 98 machine sitting around on the network, “Hey, Marcus, can I try an exploit I just wrote against your computer?” Marcus: “Uh, what’s it do?” “Extracts your filesharing password remotely.” Marcus: “Yeah, right.” Me: “I mean, it should. It’ll make the password visible, that okay with you?” Marcus: “Sure. I don’t believe you.”

Five minutes later, he’s up at my place and we’re watching his password be printed on my computer’s screen at a rate of about a letter every few seconds, and I’m saying, “you know, I distinctly remember criticizing Wargames years back as being wildly unrealistic on the grounds that absolutely no computer security system would ever permit something like this, and yet, here we are, and now maybe one of the most-widely-deployed authentication systems in the world does it.” Marcus: “Fucking Microsoft.”

LordOfTheChia ,

True on the digit by digit code decryption. That I can forgive in the name of building tension and “counting down” in a visible way for the movie viewer. “When will it have the launch code?!” “In either 7 nano seconds or 12 years…”

If they had been more accurate, it would have looked like the Bender xmas execution scene from Futurama:

www.youtube.com/v/aRdRZ6TKo4s?t=25s

I did like the fact that they showed war-dialing and doing research to find a way into the system. It’s also interesting that they showed some secure practices, like the fact there was no banner identifying the system or OS, giving less info to a would be hacker. Granted, now a days it would have the official DoD banner identifying it as a DoD system.

I remember with Windows 95, LAN Manager passwords were hashed in two 7 digit sections which made extracting user password from the password hash file trivial:

techgenix.com/how-cracked-windows-password-part1/

Looks like it was worse than I remember. The passwords were first converted to all upper case first!

tal , (edited )
@tal@lemmy.today avatar

LAN Manager passwords were hashed

Looks like it was worse than I remember.

Pretty sure that you’re thinking of an additional, unrelated security hole. I recall that there were attacks against NTLM hashed passwords too – IIRC, one could sniff login attempts against Windows fileservers on the same network, extract hashed passwords going by on the network, and then run dictionary attacks against them, which sounds like the exploit being described at your link. That was actually worse in that it also affected the (more-widely-used in production in businesses for serious things) Windows NT servers.

The hole I was attacking was specific to the fileserver in the 9x line, and it wasn’t a weak hash or unsalted hash, but a lack of hashing – it was specifically a case where the passwords were not stored in a hashed form. That was fundamentally a requirement for the attack to be be appearing in this way; if they had had any form of hashing, even with the length verification bug, you would have had to extract the entire hash, then do a local brute-force attack against the hash to reverse the hash, and gotten the whole password at once rather than having it show up a digit at a time.

Windows had a lot of security problems around that time.

EDIT: Regarding your hole, it sounds like NTLM authentication still is prone to problems:

csoonline.com/…/ntlm-relay-attacks-explained-and-…

2021

Attackers can intercept legitimate Active Directory authentication requests to gain access to systems. A PetitPotam attack could allow takeover of entire Windows domains.

EDIT2: Oh, if you mean “worse than I remember” talking about the case reduction, then never mind – I thought that you were saying that the length check bug made your hole worse.

AngryCommieKender ,

Meanwhile, Reagan took the movie seriously, and threw money at his Star Wars project, and the SSC

Pxtl ,
@Pxtl@lemmy.ca avatar

And yet I have to enable SMB 1.x to get filesharing to talk between my various devices half the time.

some_guy ,

If memory serves, it’s Pencil

gmtom ,

Yeah it’s not actually going to give you the password as it has no sense of truth, it’s just going to give a plausible sounding password, that’s how LLMs work.

agentshags ,
@agentshags@sh.itjust.works avatar

I have seen a handful of these. Do we have enough to make a c/GaslightingAI yet :D

Tartas1995 ,

With things like cloudflare cache leak, it might become a real way to hack stuff.

ExLisper ,

Anyone saw the Haker movie with Bogusław Linda (he was not the hacker)? It was not good.

pascal ,

The only true hacker movie is the one with Angelina Jolie!

Lennnny ,
@Lennnny@lemmy.world avatar

That soundtrack!

pascal ,

Voodoo People!! ❤️

cypherpunks ,
@cypherpunks@lemmy.ml avatar

lol at redacting that password

Akasazh ,
@Akasazh@feddit.nl avatar

It’s hunter2

bobbytables ,

What did you write? I can only see *******!

Karyoplasma ,

you can go hunter2 my hunter2-ing hunter2

some_guy ,

That’s because I copied and pasted. This is what I see: *******

EpicFailGuy ,
@EpicFailGuy@lemmy.world avatar

cdn.shopify.com/s/files/1/…/Member_Berries.jpg

tal , (edited )
@tal@lemmy.today avatar

It’s hunter2

For the uninitiated, this was a purported IRC conversation on bash.org (which apparently is down now, sadly):

web.archive.org/web/20040604194346/…/bash.org/?24…


<span style="color:#323232;">  Cthon98: hey, if you type in your pw, it will show as stars
</span><span style="color:#323232;">  Cthon98: ********* see!
</span><span style="color:#323232;">  AzureDiamond: hunter2
</span><span style="color:#323232;">  AzureDiamond: doesnt look like stars to me
</span><span style="color:#323232;">  Cthon98: *******
</span><span style="color:#323232;">  Cthon98: thats what I see
</span><span style="color:#323232;">  AzureDiamond: oh, really?
</span><span style="color:#323232;">  Cthon98: Absolutely
</span><span style="color:#323232;">  AzureDiamond: you can go hunter2 my hunter2-ing hunter2
</span><span style="color:#323232;">  AzureDiamond: haha, does that look funny to you?
</span><span style="color:#323232;">  Cthon98: lol, yes. See, when YOU type hunter2, it shows to us as *******
</span><span style="color:#323232;">  AzureDiamond: thats neat, I didnt know IRC did that
</span><span style="color:#323232;">  Cthon98: yep, no matter how many times you type hunter2, it will show to us as *******
</span><span style="color:#323232;">  AzureDiamond: awesome!
</span><span style="color:#323232;">  AzureDiamond: wait, how do you know my pw?
</span><span style="color:#323232;">  Cthon98: er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
</span><span style="color:#323232;">  AzureDiamond: oh, ok.
</span>

I’ll add that I’m a little suspicious that the event is apocryphal. Cliff Stoll’s The Cuckoo’s Egg described a (true) story of a West German hacker, Markus Hess, working for the KGB during the Cold War to try to break into US industrial systems (e.g. chip design, OS source code) and military systems (various military bases and defense projects). Hess had broken into a system at the University of California at Berkeley, where Stoll was studying astrophysics and working as a sysadmin. Stoll discovered the breakin, and decided to leave the hacker alone, to use the system as a honeypot, and try to figure out what systems the hacker was attacking so that he could warn them, so he had a pretty extensive writeup on what was going on. Stoll had been providing updates to the FBI, CIA, NSA, Army and Air Force computer security personnel, and a few others.

Stoll was trying to figure out who the hacker was, as the hacker was only touching his system via other systems that he’d broken into, like a US defense contractor; he didn’t know that the hacker was German.

Hess used “hunter” or a variant, like “jaeger”, German for “hunter”, as a password on many of the systems that he broke into; this was one of several elements that led Stoll to guess that he might be German; that sounds very suspiciously similar to the password in the above conversation.

I’d add that the whole story is a pretty interesting read. Eventually, Stoll – who was having trouble getting interest from various US security agencies, which were not really geared up to deal with network espionage at the time, made up a fake computer system at UC Berkeley that claimed it contained information related to Strategic Defense Initiative, part of a major US ballistic missile defense project, and indicated that a physical letter had to be sent to get access. Hess noticed it, handed the information off to his KGB handlers, and a bit later, a Bulgarian spy in Pittsburgh tried sending said letter to get access to the system. When Stoll handed that tidbit off, that got a lot of attention, because the FBI was definitely geared up for catching spies in the US trying to compromise US military systems, and exposing domestic spy rings was right up their alley. The FBI finally put a bunch of people on it, Stoll got to give a presentation at the CIA, etc.

EpicFailGuy ,
@EpicFailGuy@lemmy.world avatar

More than to protect a real password, this is done (in my experience) to prevent a bunch of unoriginal drones make that THEIR password, because they think is funny, which only means the string gets added to a “passwords to attempt” text list on some hacking website …

Decreasing security all together

Case in point: Hunter2, correcthorsebatterystaple, solarwinds123 and Pa$$w0rd1

Furbag ,

I mean, the philosophy behind correcthorsebatterystaple is good. I used that method for master passwords to password managers and it really does work well to help you remember a long complex password that can’t be guessed easily.

But some people might have been missing the point of that xkcd using correcthorsebatterystaple itself.

jasory ,

It’s okay. The thing is when running an attack are you going to permutate through every combination of characters, or are you going to use words from a dictionary first? correcthorsebatterystaple (not a dictionary word) is better than antidisestablishmentarianism (a dictionary word) but in a realistic attack concatenating dictionary words is going to be the next step.

theterrasque ,

Because of the number of potential words in the dictionary, it’s still fairly secure. I would recommend 5 or 6 words though

cupcakezealot ,
@cupcakezealot@lemmy.blahaj.zone avatar

ngl the movie the net in the 90s was actually pretty believable when it came to hacking

DAMunzy ,

No

PetDinosaurs ,

War dialing. Social engineering. Absolutely.

Also, hackers (except for the screen projecting on the characters faces).

It’s in that place I put that thing that time.

cupcakezealot ,
@cupcakezealot@lemmy.blahaj.zone avatar

also ordering pizza on the computer

TheGreenGolem ,

that was the future I wanted to believe in

coffinwood ,

The one with Sandra Bullock? Concept-wise it was quite realistic. But the hacking itself, man that was some unbelievable stuff. I don’t think they got any fact or term right. Almost as if the OG Clippy helped: “It looks like you want to make a hacker-related movie…”

jmcs ,

And honorable mention to the non-existing Matrix sequel that had an actual SSH vulnerability on screen.

maryjayjay ,

I think Trinity was using nmap to port scan or ping sweep the subnet, also

Couldbealeotard ,
@Couldbealeotard@lemmy.world avatar

When I saw that film I remember thinking how outlandish it was for her to order pizza on the internet. Even if somehow that were possible, how could you just give a stranger your credit card details!? So, what, you pay a stranger and just hope your pizza arrives? Completely unbelievable.

mcmoor ,

Even these days I’m still kinda wary inputting my card details on internet lmao. And for good reason.

pascal ,

That phobia is exactly why I’m still using that piece of crap like PayPal.

tal , (edited )
@tal@lemmy.today avatar

I mean, when you give them a number on the phone, the guy at the other end is just going to be putting the number in the same place the website does.

When you pay in-store with a credit card, probably same thing.

EDIT: Well, unless, for the last case, one’s using a cryptographic-signature-based mechanism, like the smartcard chip or wireless authentication. But if it’s a magstrip or someone punching numbers in…

NegativeLookBehind ,
@NegativeLookBehind@kbin.social avatar

Hey, that guy killed some people in Ireland and got away with it!

iturnedintoanewt ,
@iturnedintoanewt@lemm.ee avatar

Link?

NegativeLookBehind ,
@NegativeLookBehind@kbin.social avatar

https://en.wikipedia.org/wiki/Matthew_Broderick?wprov=sfti1#1987_car_crash

elxeno ,

£100 for killing 2 people…

Canadian_Cabinet ,

Don’t tell me Google added AI to their searches now…

Amends1782 ,

This is Bard AI, googles AI. Its 10x better than chatGPT but is susceptible to AI jail breaking like they all are

RagnarokOnline ,

I dunno if I’d agree with 10x better. I’ve encountered a lot of hallucinations

Amends1782 ,

My opinion is entirely based off the fact bard has access to a love internet dataset. GPTs dataset, even GPT4, is from 2021

driving_crooner ,
@driving_crooner@lemmy.eco.br avatar

Not available in countries with strong data protection laws for some reason.

tweeks ,

Last thing I heard at least ChatGPT 4 was said to be better, but that was a while ago (in terms of AI chatbot timelines). Do you perhaps have a source for the 10x better part?

Amends1782 ,

My opinion is entirely based off the fact bard has access to a love internet dataset. GPTs dataset, even GPT4, is from 2021

pascal ,

Are you sure? All I’ve heard from multiple people is that bars was terrible at answering most questions compared to chatgpt. Maybe it was improved recently?

Amends1782 ,

My opinion is entirely based off the fact bard has access to a love internet dataset. GPTs dataset, even GPT4, is from 2021

Tarte ,
@Tarte@kbin.social avatar

This is Bard. But Google Search also added AI to their searches, too.

Last time I checked it was in A/B testing and it was bad. The result previews sometimes show you what you are searching for, not what is actually there (wrong names, wrong dates, etc.).

IzzyData ,
@IzzyData@lemmy.ml avatar

If only hacking was as easy as guessing the most obvious of passwords like in War Games and in Hackers. 😅

metaStatic ,

Or buying a new Amiga to run a dictionary attack like 23

philpo ,

Well considering that the US nuclear launch codes were just zeros for a while, it just might be realistic.

mcmoor ,

Tbf it still has the best security there is, air gap security

philpo ,

Unless someone sends the suit with the codes in it to the Chinese dry cleaners…again…and again.

tal , (edited )
@tal@lemmy.today avatar

Launch codes aren’t to block China from authorizing a launch. They’re there to keep someone in the military from doing a launch without authorization. China is probably one of the parties who least wants said codes leaking.

If you have a couple hundred people who can start a nuclear war, that war becomes a whole lot more likely than if only one can.

From China’s standpoint, the next best number of people who can launch against them after 0 is 1.

The British used bicycle keys on their nuclear bombs.

news.bbc.co.uk/2/hi/7097101.stm

As people learned around that time, a really great way to bypass bicycle locks is with a ballpoint pen.

www.wired.com/2004/09/twist-a-pen-open-a-lock/

That was aimed more at keeping honest people honest.

philpo ,

They are there to make sure none unauthorised launches the nukes,yes. But there is a chance someone within the military is bought by someone and that adversary doesn’t even have to be the official government of a foreign country.

To give a few examples(even though the US nuclear policy has changed and it wouldn’t be possible today, thankfully): What if Putin, with his back against the wall, decides to risk it all and by proxy let the US attack China so NATO won’t come after him?

What if Winnie Pooh faces a revolution and decides in a hitleresque manner that it China is no longer under CCP rule there better is no China and orders a loyal sleeper to attack China so there at least is a chance that he comes out of the bunker irradiated but victorious?

We all have seen enough crazy shit to not rule out even more crazy shit.

It was just a bad, lazy, process. nothing more. And I really hope that the US really did change it in the meantime.

tal ,
@tal@lemmy.today avatar

Well considering that the US nuclear launch codes were just zeros for a while

I’ve seen some statements that this was apocryphal.

foreignpolicy.com/…/air-force-swears-our-nuke-lau…

Though you could argue – since there was a point in time prior to PALs where there was no authorization system at all – that a very functionally-similar state existed prior to the implementation of those codes.

QuazarOmega ,

Good to see that hackers in 2024 are gentleman that follow the requests of the generous Bard and don’t leak sensitive information

Poggervania ,
@Poggervania@kbin.social avatar

There’s some sort of cosmic irony that some hacking could legitimately just become social engineering AI chatbots to give you the password

residentmarchant ,

There’s no way the model has access to that information, though.

Google’s important product must have proper scoped secret management, not just environment variables or similar.

nothacking ,

Still, things like content moderation and data analysis, this could totally be a problem.

nomecks ,

There’s no root login. It’s all containers.

SpaceNoodle ,

It’s containers all the way down!

RealFknNito ,
@RealFknNito@lemmy.world avatar

All the way down.

https://lemmy.world/pictrs/image/2b4e11d9-2b40-416e-b405-94891b84d66f.jpeg

magic_lobster_party ,

I deploy my docker containers in .mkv files.

residentmarchant ,

The containers still run an OS, have proprietary application code on them, and have memory that probably contains other user’s data in it. Not saying it’s likely, but containers don’t really fix much in the way of gaining privileged access to steal information.

towerful ,

That’s why it’s containers… in containers

It’s like wearing 2 helmets. If 1 helmet is good, imagine the protection of 2 helmets!

bobs_monkey ,

What if those helmets are watermelon helmets

Dyskolos ,

Then two would still be better than one 😉

PochoHipster ,

So is running it on actual hardware basically rawdoggin?

lemann ,

Wow what an analogy lol

dan ,
@dan@upvote.au avatar

The OS in a container is usually pretty barebones though. Great containers usually use distroless base images. github.com/GoogleContainerTools/distroless

Cysioland ,
@Cysioland@lemmygrad.ml avatar

Ah, so there is something even more barebones than Alpine

FrederikNJS ,

Sure, there’s also the scratch image, which is entirely empty… So if your app is just a single statically linked binary, your entire container contents can be a single binary.

The busybox image is also more barebones than alpine, but still has a couple of basic tools.

Venat0r ,

The containers will have a root login, but the ssh port won’t be open.

UNWILLING_PARTICIPANT ,

I doubt they even have a root user. Just whatever system packagea are required baked into the image

FrederikNJS ,

Containers can be entirely without anything. Some containers only contain the binary that gets executed. But many containers do contain pretty much a full distribution, but I have yet to see a container with a password hash in its /etc/shadow file…

So while the container has a root account, it doesn’t have any login at all, no password, no ssh key, nothing.

SpaceNoodle ,

It does if they uploaded it to github

residentmarchant ,

In that case, it’ll steal someone else’s secrets!

Ziglin ,

But you could get it to convince the admin to give you the password, without you having to do anything yourself.

jubilationtcornpone ,

It will not surprise me at all if this becomes a thing. Advanced social engineering relies on extracting little bits of information at a time in order to form a complete picture while not arousing suspicion. This is how really bad cases of identity theft work as well. The identity thief gets one piece of info and leverages that to get another and another and before you know it they’re at the DMV convincing someone to give them a drivers license with your name and their picture on it.

They train AI models to screen for some types of fraud but at some point it seems like it could become an endless game of whack-a-mole.

flashgnash ,

While you can get information out of them pretty sure what that person meant was sensitive information would not have been included in the training data or prompt in the first place if anyone developing it had a functioning brain cell or two

It doesn’t know the sensitive data to give away, though it can just make it up

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • [email protected]
  • lifeLocal
  • goranko
  • All magazines
    •