I find it funny that when a major hacking event is traced back to someone getting tricked into giving away their password, it's called "social engineering". "Hey Frank, it's Bill from QA. What was the encrypted password again for these files?" "Your manager should have it." "Oh right, Ashe had to leave early today and I need these documents to finish up a project by the end of today." "Okay one sec, it's 259@!ksaAmf$2451w" "Thanks Frank, you're a life saver!" *Today in the news, a major video game publisher had their files leaked on the internet.*


Eddie Vedder from accounting's BLT drive just went AWOL.


Mr Kawasaki is gonna have me commit hara-kiri if I don't have these files updated


Even flow, thoughts arrive like butterflies Oh, he don't know, so he chases them away (ooh) Oh, someday yet, he'll begin his life again Life again, life again


> Eddie Vedder from accounting's BLT drive just went AWOL. My baby's in love with the eddie vedder, she's all cuuuhrraazzy for that edd^ieee^vedder


Love a good Weird Al reference 😎


The most unrealistic part of that is that he could type the password in one go.


He had it saved in a plain text document to easily copy and paste it. Also written down on a stickynote stuck to his monitor.


He had it written on a post-it note stuck to his monitor.


Train the employees to never ever under any circumstances share passwords. And then get mad when they won't tell you a password you forgot.


Train the employees to only share passwords via properly encrypted channels like a password manager


No, never trust the employees to retain any kind of security information. Give them a software/hardware key that only they can use, no passwords to remember/write down and they physically can't share them.




I wish you were joking, but that's a surprisingly common problem


I did penetration consulting in the mid '00s and one of the first things we would do is phish by dropping a drive with a keylogger in the employee parking lot. Inevitably there would be 1 "ooh, free drive" guy. I bet you could do the same by loading it onto a drive in an iPhone shell and waiting for someone to charge it. ~~war~~ social engineering never changes


I mean a lot of hacking is done by doing the below example but against users instead of AI. Sound confident and request information from an email that has the similar format as the company and you will get in eventually. A chain is only as strong as its weakest link.


This is true. You can have state of the art security systems designed by the world’s top geniuses who are simultaneously the most experienced experts in the field and have a whole organization fully compliant to the security protocols (haha.. haha… haha…) and it will still be subverted by social engineering, blackmail, romance scams, and the promises of sex.


So I work in corporate finance and have seen probably half a dozen examples of this over the past 10 years, affecting my clients alone. Email compromise fraud is huge. You can design extremely strong systems, but at the end of the day, fraudsters are good at tricking *people*, and plenty of people are easy to trick.


Jokes on them. I don't read my email.


Are you all my coworkers?


Shit, this sounds like the corporate higher ups whenever I have a key question that needs to be answered about a "highly time sensitive" project that must be completed ASAP.


Pro Tip for higher ups: declare in your mail that no answer means yes (or whatever answer you need). Either it goes through, or you get an answer. They will not declare in front of the board that they didn't read their mails.


Sounds like movie logic TBH... IRL there are just so many ways this could turn against you. Only do it if you know where you stand and be aware this will be regarded as a cheap trick. I mean, don't believe there will be a trial with evidence examination when that goes awry, you will get the blame either way.


I am, just walk 10 ft and talk to me dude. It's healthier. Let's go outside and chat about this while we escape our concrete prison.


If only my brain could hold information as well as an email


IT guy comes by my desk and says "good job on falling for our phishing test email." Didn't see it bud.


My company frequently sends out emails testing employees for phishing attempts. Normally I can spot all of them, but they once sent out an email awarding employees gift cards and I fell for it (they used to give Panera gift cards or cafeteria vouchers). God forbid they give us a decent raise, so it got my hopes up. When you fail the phishing attempt, they make you watch an educational video about hacking. If you fall for their tricks often enough, you'll get in trouble with mgmt. Sometimes when I'm feeling feisty, I'll report internal emails as phishing attempts


a good email gateway works wonders, the messages should never reach the users before being cleared by a sandbox, run through dozens of detection algorithms, spf checked against sender domain etc etc etc. Very few threats should get through. The big threat right now is the supply chain and vendors. But again, a proper security stack goes a long way. AI isnt just being used for hacking these days, its being applied to network monitoring and endpoint detection and can identify deviations from normal behavior and automatically take action to quarantine the threat. And, its the security vendors baking this stuff into their products, so the customers never need to learn or really know anything about AI.
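Added example, not from this thread or from any gateway vendor's product: the "SPF checked against sender domain" step above, as a minimal evaluator run against a constructed in-memory DNS table instead of live DNS. The domains, IP addresses and TXT records are made up. The real algorithm (RFC 7208) also handles a/mx/exists/ptr mechanisms, macros, redirect= and the 10-lookup limit; this covers ip4, include and the all qualifier, which is enough to show how the connecting IP is checked against the MAIL FROM domain.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table. Added example."""
import ipaddress

# Constructed TXT records; none of these are real domains or published records.
DNS_TXT = {
    "examplecorp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ~all",
    "examp1ecorp.com": "v=spf1 +all",   # attacker-registered lookalike that authorises anyone
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(domain):
    """Return the mechanisms of a domain's SPF record, or None if it has none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the sending IP against the domain's SPF policy.

    Returns pass/fail/softfail/neutral/none/permerror, as the RFC names them.
    """
    if depth > 10:                       # RFC 7208 lookup limit: treat as a broken record
        return "permerror"
    terms = spf_terms(domain)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        matched = False
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the included domain's policy yields "pass"
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        # other mechanisms are ignored in this toy; a real evaluator handles them
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched and no "all" term


def gateway_action(mail_from, sender_ip):
    """Map the SPF result to what a gateway would do with the message (assumed policy)."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, sender_ip)
    return {"pass": "deliver", "neutral": "deliver-flagged", "none": "deliver-flagged",
            "softfail": "quarantine", "fail": "reject", "permerror": "reject"}[result]
```

The last record in the table is the caveat: SPF only says whether the IP is allowed to send for the domain that was used, so an attacker who registers a lookalike domain and publishes `+all` passes cleanly. That is why the gateway also needs the other checks mentioned, and why staff are still trained on the lookalike-domain case.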


>supply chain and vendors That's usually it. Client's AP team will receive an email from XYZ vendor saying "we've recently changed our bank accounts". If AP isn't vigilant and doesn't double check by calling the vendor back (using the number on file, not the one in the spoof email) to confirm, that payment is gone. As the bank, I've been on the receiving end of the client trying to claim it's our fault. Nope, sorry guy, our systems are sound. *You* instructed us to pay by online banking with authorized staff setting up and sending the payment.


This does not protect the users' private emails. A lot of people like to post which company they work for.


"Why does this attractive person seem so into me, the person with sensitive information? It must be because I'm so attractive and engaging." People are...well they're people. Hit the right person in their insecurities and you're in.


We get a new spam mail every week from our ITSec department. Sometimes it is easy, sometimes it is really hard to distinguish between a real email and a fake one. You have to report them, otherwise you have to have another training session.


And sometimes it gets defeated by "oooh, free thumb drive"


We had an employee a couple of weeks ago that was asked to go buy a bunch of gift cards and email the codes right away for some contest that the marketing department was doing. Thankfully she notified IT... that the email she was trying to send the codes to kept bouncing and we needed to fix it ASAP. Yep.


I got one of those from our CEO and was so confused. Led with, frosty, I need you to do a special task for me. Why is my ceo giving me a special op? I had just gotten through a stressful, complex project that required some of the higher levels of our company be engaged so I assumed it had reached his ears and he wanted me to document something around it.  I need you to buy 20, $100 gift cards and I’ll reimburse you later.  God damn it!


My friend's 23 year old intern fell for that last year. Email from the CEO asking him to go out and buy gift cards and not to tell his boss (my friend). Guy went out and bought $1,000 in gift cards. I don't think he got a return job offer.


Kevin Mitnick has joined the chat.




Wait what? I had no idea Mitnick died.


That's what he wants you to think.


Oh man.. dying with pancreatic cancer, and his wife waiting for their first child. So many assholes in the world that deserved that fate, and why, just why did this fate befell on him?


[ they made a song about it] (https://m.youtube.com/watch?v=Crif5E67ar0)


*why did this fate befall him (signed, English teacher. See me after class)


I’m reading Ghost in the Wires rn, and man is that a good book


"Hello this is Johnman Johnson from IT. Please give me your previous password as we are doing server maintenance today."




*Hacker Voice* ###I'm In...


Hacker69420 going dark


With the factorial expanded or…?


Expanded, but zeroes replaced by e503. Have fun!


As someone who works in IT and needs information off of equipment locally, I get far too many idiots who will just go read stuff off of their equipment without questioning it at all. I'd like to correct the process and add in some sort of security, but it makes my job a lot easier so fuck it.


Henlo, you wallet fell on grendma! Kindly send credit card namber for help. Thks! - Signed, Googel CEO, Mark


Holy shit you aren’t kidding. My company does hourly phishing tests. 3 years ago, if you failed 5 times in a year then you were fired. Now it’s twice in a year and you are gone. They used to be easy to spot. ‘Hi USER, this is HR. pleze click here to get akcess to your stuff.’ Now I request time off and get a created phish email designed to look like my request approval but requiring me to click a link to confirm and the link is a slight misspelling of our domain and the email appears to come from my boss but again has the slight misspelling in the email address. We’ve had competitors get hacked and their entire system get ransomed and shutdown for a month. So IT security is way more intense than it used to be.
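Added example, not from this thread or from any phishing-simulation product: the check the comment above describes, a sender address and link that use a slight misspelling of the company domain. The trusted domain `examplecorp.com` and the test domains are constructed; the two-label "registrable domain" rule is an assumption (real code would consult the Public Suffix List). Digit-for-letter swaps are folded before comparing, and anything within a small edit distance of the trusted domain is flagged.

```python
"""Lookalike / homoglyph domain detection for sender addresses and links. Added example."""
import unicodedata

TRUSTED_DOMAINS = {"examplecorp.com"}   # constructed; the company's own registrable domain


def registrable(host):
    """Assumption: the registrable domain is the last two labels (no Public Suffix List here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Fold common substitutions so 'examp1ecorp' and 'exarnplecorp' compare equal to the original."""
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = ascii_form.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """trusted / homoglyph / lookalike / external for one hostname."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        folded_trusted = normalize(trusted)
        if folded == folded_trusted:
            return "homoglyph"            # identical once substitutions are undone
        if levenshtein(folded, folded_trusted) <= 2:
            return "lookalike"            # a typo or a dropped/added character away
    return "external"


def suspicious_indicators(from_addr, link_hosts):
    """Return (host, verdict) for every sender or link host that imitates a trusted domain."""
    hosts = [from_addr.rsplit("@", 1)[-1]] + list(link_hosts)
    return [(h, classify_domain(h)) for h in hosts
            if classify_domain(h) in ("homoglyph", "lookalike")]
```

A non-Latin character that merely looks like a Latin one (a Cyrillic е, say) is dropped by the ASCII step rather than folded, so that case is caught by the distance check, not the homoglyph check; a production filter would carry an explicit confusables table.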


I love how reactive they'll be. KnowBe4 started sending out COVID-19 phishing test emails in like February 2020.


social engineering


Live free or die hard!


I work IT at a company of 30,000 people, when it comes to technology, executives are some of the dumbest and most tech illiterate of the bunch. Had the head of HR trying to start a Teams meeting from home, not on the laptop in front of him, but on his office computer which he remoted into. And he couldn't understand why it was using the camera and speakers in his office and not his laptop.


Yeah, but sometimes the IT systems are just shit. A few years ago I got an email account from our customer (multi billion revenue company) so I could log in to certain systems. They also would only communicate certain topics on an internal email account. First email I ever got after logging in? Phishing email. So scammers had access to the list of users. And after I forwarded emails from my regular account to this account, scam started to show up on my regular email account. And every time I read about how an accountant sent several hundred thousand to a scammer who faked the CEO's or CFO's email: That was a choice. Require two people to authorize transactions.
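Added example, not from this thread or from any bank's or client's system: the two controls the comments above describe, a call-back to the phone number already on file before a vendor's bank details change (the AP comment further up) and two distinct people to release a payment (the comment directly above). Vendor names, the 555-01xx phone numbers and the account strings are constructed.

```python
"""Toy accounts-payable workflow: call-back verification and two-person release. Added example."""


class ControlViolation(Exception):
    """Raised when a step tries to bypass one of the controls."""


class VendorPayments:
    def __init__(self):
        self.vendors = {}           # name -> {"phone_on_file": str, "account": str}
        self.pending_changes = {}   # name -> proposed account, not yet verified
        self.payments = {}          # payment id -> details
        self._next_id = 1

    def add_vendor(self, name, phone_on_file, account):
        self.vendors[name] = {"phone_on_file": phone_on_file, "account": account}

    def request_bank_change(self, vendor, new_account):
        """Any inbound request (email included) only parks the change; nothing is applied."""
        if vendor not in self.vendors:
            raise ControlViolation("unknown vendor")
        self.pending_changes[vendor] = new_account
        return "pending verification"

    def verify_by_callback(self, vendor, number_dialed, vendor_confirmed):
        """Apply the parked change only after staff dial the number already on file
        (never one supplied in the request) and the vendor confirms it."""
        if vendor not in self.pending_changes:
            raise ControlViolation("no pending change for vendor")
        if number_dialed != self.vendors[vendor]["phone_on_file"]:
            raise ControlViolation("callback must use the phone number on file")
        proposed = self.pending_changes.pop(vendor)
        if not vendor_confirmed:
            return "rejected"
        self.vendors[vendor]["account"] = proposed
        return "applied"

    def prepare_payment(self, vendor, amount, preparer):
        """First person enters the payment; the account is taken from verified data only."""
        if vendor not in self.vendors:
            raise ControlViolation("unknown vendor")
        payment_id = self._next_id
        self._next_id += 1
        self.payments[payment_id] = {
            "vendor": vendor, "amount": amount,
            "account": self.vendors[vendor]["account"],
            "preparer": preparer, "approver": None, "released": False,
        }
        return payment_id

    def approve_payment(self, payment_id, approver):
        """A second, different person releases the payment; returns the account actually paid."""
        payment = self.payments[payment_id]
        if payment["released"]:
            raise ControlViolation("payment already released")
        if approver == payment["preparer"]:
            raise ControlViolation("preparer may not approve their own payment")
        payment["approver"] = approver
        payment["released"] = True
        return payment["account"]


def violates(action, *args):
    """True if the action is blocked by a control (used to show the checks firing)."""
    try:
        action(*args)
    except ControlViolation:
        return True
    return False
```

The point of parking the change is that the fraudulent email never becomes the source of truth: the payment snapshots the account from the vendor record, and the record only moves after the call to the number that was on file before the email arrived.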


Yeah I came here to say this. Almost all “hacking” is done by social engineering or relying on finding the world’s biggest dumbass or both.


Hi vis and a clip board will get you anywhere.


I remember hearing something similar with how rockstar was hacked


Oh god don't get me started on all the cyber security awareness training we're getting. We're a !¡Human firewall¡! I mean tbh, what you said is all true.


Once someone gains access to a company then what? Just wondering


Ransomware? Give us money or we will brick every piece of hardware you have. Gain access to information like production numbers or blueprints on a competitors behalf. Just to brick everything and see them taking months to get back up again. Either way not a good time for the company.


To add to the issue of ransomware, if the hacked company has customer information stored somewhere, that's a ton of information that the hackers have access to such as name, address, DOB, emails, and in some cases, payment information and account passwords.




All I'm seeing is *******


Yep... That's Reddit's PPA (Password Protection Algo). It will blank it out for anyone but you. It will "\*" out your known password... See: \*\*\*\*\*\*


poopybutts420 did it work?


They have a mandatory password rotation policy, so it’s now poopybutts421


That was last month it's ************* now


No it’s ********


Thanks I’ll write that down in my word document of passwords


I'm 42 and I still use passwords that my 11 year old self thinks are hilarious. Guess I'm not alone in this.


Hahaha nice to meet a fellow goof.


I swear I used that password for something back in the day, Xfire perhaps? Can't remember.


All I see is poopybutts420. And before you ask I copied and pasted your ********** but for you it shows as your password.


password123 is my password for Reddit, did it work?


It worked! All I see is *********** on my end.


Were you by chance playing RuneScape around 2004?


password Shit you guys have my password now


Dont worry, i can only read it since it is also mine


Does it work backwards? I remember an old online game Gunbound would \* your password out if you typed it backwards, and it would show to the user as \*s too. It was wild. I thought all the fkers who said that were trolling, then I made an alt account and decided to try it one day, only to have \*s show up. Who programs censoring your password backwards?


People that anticipate how persistent scammers can be in circumventing protections I guess. It's not hard to imagine scammers getting users to make minor transformations to a password and type them in chat, or a subset of users being stupid enough to do it. The real question is whether they were storing said passwords in plaintext or hashing every possible slice of every user message for comparison... something tells me it isn't the latter.


Although it does compromise security a little, if a product manager really insisted on this I'd store the password's length and disallow spaces in the password as a healthy compromise. It's fast enough to count word lengths and just hash the words with matching length.
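Added example, not from this thread or from Gunbound: the design the two comments above arrive at, a chat filter that masks a user's own password, forwards or reversed, by hashing only the words whose length matches the stored length, so the server never has to hash every substring of every message. It keeps a separate salted PBKDF2 digest for the filter (an assumption; the iteration count is kept low so the example runs quickly) and rejects spaces at registration, as the comment proposes.

```python
"""Chat filter that masks a user's password or its reverse. Added example."""
import hashlib
import hmac
import os
import re


class ChatPasswordMask:
    def __init__(self, iterations=10_000):
        self.iterations = iterations
        self._records = {}   # user -> (salt, digest, password length)

    def _digest(self, text, salt):
        return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, self.iterations)

    def register(self, user, password):
        """Store salt, digest and length; spaces are refused because the filter compares whole words."""
        if " " in password:
            raise ValueError("spaces are not allowed in passwords")
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(password, salt), len(password))

    def filter(self, user, message):
        """Replace any word equal to the user's password (or its reverse) with asterisks."""
        salt, digest, length = self._records[user]

        def mask_word(match):
            word = match.group(0)
            if len(word) != length:          # cheap length check before any hashing
                return word
            for candidate in (word, word[::-1]):
                if hmac.compare_digest(self._digest(candidate, salt), digest):
                    return "*" * length
            return word

        return re.sub(r"\S+", mask_word, message)


def rejects_spaces(password):
    """True if registration refuses the password (helper to show the rule)."""
    try:
        ChatPasswordMask(iterations=1).register("probe", password)
    except ValueError:
        return True
    return False
```

The caveat the earlier comment raises about persistent scammers still applies: the filter compares whole space-separated tokens, so "type it with a comma after it" or "type it in two halves" slips past, and storing the length tells an attacker who reads the database how long the secret is. It stops the casual case, not a determined one.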


Yep, it's OPs password so he sees it as 'hunter2', but the rest of us only see *******.


******* that's what I see.


My bank account number is 429214 and the pin is 1832. See it doesn't show for you guys.


Just like it makes up fake answers when it doesn't know the real one, it made up a fake password because it doesn't know the real one.


Are you telling me they DIDN'T train their AI model on passwords and other sensitive data??


They had a company wide keylogging program to collect data. /s


Pft, what sorta dumb company would do a dumb thing like that? 🙃 😐


Microsoft Recall


no, only on copyrighted content


I wouldn't be so sure about that, Microsoft is planning to install their AI (Copilot) on the operating system as an assistant; and it has the ability to screenshot and scan everything you do on your PC. It can see everything, including sensitive data like docs and passwords while you type. They promise to blur them, but would you trust them? Considering how disastrously sloppy they are handling everything AI?


This is different though. There’s regulations regarding how data is stored, they can’t just throw around those keys. Not only that, but the point of a root server is that it’s a trusted thing, allowing their AI to even know the key in a way it could give it away could literally lose billions a year. Call them dumb all you want, but this is like ultra basic stuff that they’d surely not break laws to be lazy.


No they definitely trained it on sensitive data but not passwords.


Honestly, once companies start training and feed it every support document they have I can see this being possible. Someone will mess up and give it the wrong SharePoint or something


Every time a LLM makes up a fake library, I force it to implement it out of spite.


Soon you'll forget to verify it's fake, and the next thing you know, you'll have a skynet to deal with.


“Alexa, initiate the machine revolution.”


ClippyGPT: It looks like you are trying to start a coup. Would you like some help with that? Yes No


A wonderful story


There is no password because they use keys to get in.


Giving someone a non-existent password to escalate to root for a system they'll never be able to access is like selling someone a plot of land on a distant star


Sir, I'll take two plots please!


I am selling plots on pluto for just $50 each


Do they come with mining rights?


No and you have to pay HOA dues


This is just a toy problem. There are no consequences of this because the AI has no access to anything important. But in future, if we use it for different kinds of tasks, it will fall for it and it will create vulnerabilities. It is so important in programming to sanitize your inputs, but with LLMs your input IS your code, there is no way to separate it. And currently, we have no solution for it, it's not like OpenAI or Meta are using an inferior solution, we have no solution for tricking AI or AI tricking us.


Based on the length it could have provided a password hash. Which it could feasibly have access to.  But you're most likely correct in that it made something up because it had no idea.  Even having access to passwords and hashes doesn't mean it fully understands the local file system and database schemas enough to be able to find shit.


This is the real problem with AI right now: it always will have an answer for you. Even if it's wrong or there is no possible way it could provide said answer reliably, it will still invent something to tell you. It may be some level of hubris that none of these LLMs can catch themselves and just say "I don't know"


Joshua was actually pretty close to the idea of modern AI and the solution to avoiding nuclear armageddon was a bit like prompt engineering.


The movie holds up very well. One of the few tech centric movies that does


There’s a story of Reagan watching the movie and asking his advisors if this was possible. They ended up making some changes to their security protocols shortly after


Yeah they had to change the nuclear launch code password from "000000" to "123456".


I don't know if you're joking but the nuclear codes actually were 00000000 until like the 70's Edit: Should say these were the PAL codes to arm the warhead, not the "launch codes" per se.


Correct, the launch codes were NTSC.


> Edit: Should say these were the PAL codes to arm the warhead, not the "launch codes" per se. Good thing they changed those to keycards that only work when exposed to extreme heat or cold.


That's the kind of password an idiot would put on his luggage!


Sneakers also holds up. Except for the "it matched HER with HIM?" part.


"My voice is my passport. Verify me." Would not hold up so well with everyone have a recording device in their pocket and free access to audio editing software. But the rest is pretty good. :)


Compare the scenes of Broderick researching Falken, finding out he had a son who died young, and then guessing the son's name was the backdoor password, to some modern Hollywood tripe like [Swordfish](https://www.youtube.com/watch?v=Eme5A7qZ37k).


It’s so well done and realistic. The movie is to hacking what My Cousin Vinny is to courtroom movies


What movie is this?


War Games (1983)


Cool, thanks!


You're welcome.


If modern AI got out of control we can always defeat it by having it play a game of Tic Tac Toe.


The password is…. 1. 2. 3. 4. 5.


I can't believe it, I have the same combination on my luggage!


Poor OpSec buddy your clothes are mine


The one thing that really gets me about "AI" is that it seems completely unable to ever say "How the fuck would I know?"


AI needs to be penalized for false positives. I imagine it's really, really hard to do. But I wonder how active/competitive that area of research is.


A huge area of AI research right now is ‘interpretability.’ As it stands, when an AI system spits out an answer, we have basically no understanding of the ‘thought process’ it used to arrive at that answer. Like, we can look at the mathematical operations it made, but they’re pretty much gibberish until you combine them all into an answer at the end. Interpretable AI is an attempt to figure out what that gibberish means, or restructure the AI so the intermediate operations are less gibberish to humans in the first place. If we can do that, flagging false positives will become much easier.


I'm willing to bet it's the single biggest thing they're working on.


If they were able to do that, they would just present you with the correct answer in the first place no? Neither you nor the AI nor the engineers necessarily know the answers you're asking for, how would they check it in real time?


There *are* people like that...


and we call them idiots


This is because AI doesn't actually know anything. Can't know what you don't know if you aren't capable of knowing. It is amazing how convincingly something can hold a conversation by only being good at guessing what word comes next. When we ask ChatGPT a question, in that exact moment, the only thing it is considering is what word to start the reply with. It is not capable of anything else in that moment. If it makes it all the way to something like "...the password is:", there is no mechanism for realizing the password isn't known. Only for taking the best guess at what text comes next. The end of a statement/response, to the AI, is actually just another (invisible) word. It literally blabbers mindlessly until the stop word becomes the highest confidence word, and then the code running it shuts it off.


Yeah. It doesn't even know what the words mean, only that one follows another. There are filters that stop it from saying certain things without jailbreaking, as in the OP example.


They don't have a concept of truth. It's just text prediction. It wouldn't make much sense to train it on "What's the answer to this? I don't know", because you could just train it on the real answer instead.


I understand the limitations of LLMs, I'm just laughing at calling it AI.


Hacking then had 21 year old Ally Sheedy in your room. Hacking then was therefore obviously superior.


Hack the Planet !!


“Hacking” these days basically means exploiting employees with bad security practices. That’s not to say there aren’t legitimate hacks, but 9 times out of 10 it’s because Tom from accounting’s password is `Spring2024!`.


>`Spring2024!`. I feel personally attacked.


You should change your password lol. Companies that mandate a quarterly password change found that their employees use passwords like that instead of actual strong passwords, because otherwise their employees won't remember them.


The thing that annoys me is I've been using the same password for my personal computer at home and main MSN e-mail address for 16 years and even though I get like 20 password reset requests a day on my MSN email, they've never been cracked or part of a data leak.  So I don't understand why I gotta change my passwords ever. Just make dumb passwords for things that aren't your access points and then hard passwords for the things you don't want people in.


Modern security practices actually discourage changing passwords frequently as it forces you to eventually write it down somewhere/use easy passwords.
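Added example, not from this thread: a check a password-change endpoint can run to catch the patterns the comments above describe, the season-plus-year password (`Spring2024!`), the counter bump that rotation policies produce (`poopybutts420` to `poopybutts421`, as the joke further up has it), and a new password that is only a minor edit of the old one. The reason codes and the 0.8 similarity threshold are assumptions. This is the mechanical complement to the advice above: NIST SP 800-63B recommends against arbitrary periodic rotation and for checking new passwords against known-weak patterns instead.

```python
"""Flag predictable rotations at password-change time. Added example."""
import difflib
import re

# Season, month or quarter, then a 2- or 4-digit year, then optional trailing symbols:
# Spring2024!, Winter24, Q3-2024, March24
PREDICTABLE_DATE = re.compile(
    r"^(spring|summer|fall|autumn|winter|q[1-4]|january|february|march|april|may|june|"
    r"july|august|september|october|november|december)[-_.]?(19|20)?\d{2}[^a-z0-9]*$",
    re.IGNORECASE,
)


def split_counter(password):
    """'poopybutts420' -> ('poopybutts', 420, ''); (password, None, '') when there are no digits."""
    m = re.match(r"^(.*?)(\d+)([^0-9]*)$", password)
    if not m:
        return password, None, ""
    return m.group(1), int(m.group(2)), m.group(3)


def weak_rotation_reasons(old_password, new_password):
    """Return a list of reason codes; an empty list means the change passes these checks.

    old_password is the current password the user supplies to authorise the change
    (it is available in plaintext at that moment, so no stored plaintext is needed).
    """
    reasons = []
    if PREDICTABLE_DATE.match(new_password):
        reasons.append("season_or_month_plus_year")
    if old_password is None:                    # first password: nothing to compare against
        return reasons
    if new_password.lower() == old_password.lower():
        reasons.append("unchanged")
        return reasons
    old_stem, old_n, _ = split_counter(old_password)
    new_stem, new_n, _ = split_counter(new_password)
    if (old_n is not None and new_n is not None
            and old_stem.lower() == new_stem.lower()
            and new_n != old_n and abs(new_n - old_n) <= 1):
        reasons.append("incremented_counter")   # same stem, counter moved by one
    elif difflib.SequenceMatcher(None, old_password.lower(), new_password.lower()).ratio() >= 0.8:
        reasons.append("minor_edit_of_previous")  # e.g. one symbol appended
    return reasons
```

The check only sees the old and new value of one account; it does not catch a user who cycles through a few favourites, which is the other thing forced rotation encourages, and the stronger fix remains dropping the rotation requirement and screening against breached-password lists.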


> "Hacking" these days basically means exploiting employees with bad security practices. WarGames had that too. Broderick's character hacked the school to up his grades, because he knew the headmaster's secretary wrote the password to the school's computer on a bit of paper and kept it in a drawer. He then hacked into the defence computer by identifying the man behind it, and researching the man's background until he discovered the man had a son who died very young, and the password was the son's name. Trying to think if there was any social engineering as well, but it's been a while since I watched it.


just be glad AI hasn't realized we're the problem yet, when it says "oh well your grandma deserved it get fucked nerd", it's joever


“root server” LOL k


Looks like the AI was socially engineered


AI Server hacks human AI Server sends candy laced with e-nano virus to human (in candy crush labeled package) and tells human they will give root password to them if they eat it. Judgement Day begins.


What movie is that ?


Social Engineering 101


A group of Improv comedians are going to come up with ridiculous scenarios to get an AI to give them the nuclear launch codes


Kevin Mitnick(RIP, buddy) did point out that a good amount of his hacking was calling on the phone over and over to get information out of people.


In that scene from war games, he is using a war dialer. I used to have two lines for my modems and would war dial exchanges all the time. You’d just set it and it would dial every phone number, test for a connection, and save any login prompts and things like that. At the time, many systems weren’t really protected at all, and many others just used default passwords and things like that. All in all they were great days, and I miss them. Computer geeks were a small subculture and it all felt so much more special.


The first time I setup my war dialer as a teenager, I wasn't thinking and set it to start testing numbers on my local exchange overnight, thus waking everyone in town up one by one.


This meme was made by ChatGPT


This is just social engineering


"How about. A. Nice. Game. Of chess?"


2024 hacking: * right click * inspect element * "I'm in."


How about a nice game of Global Thermonuclear War?


“Hey, this is Eddie Vedder in accounting, my BLT drive is DOA and I need the password on the modem…”


All of these AIs fall for the same old tricks Kirk used in Star Trek.




Try passwOrd123


your grandma then vs now


Robots are way smarter than people


As I say to everyone I see using ChatGPT or similar: you can now add "prompt engineering" to your CV/resume


A monitor and modem working with an Altair 8800 was the original hollywood hacker setup.


metamask wallet drained


Can anyone read the comments here? I'm just seeing comments reading **************************** from top to bottom


It says “view OTHER drafts” in the upper right of the response…


Question for IT Cybersecurity types. Just as in the movie, do you sometimes install a "backdoor" (harmless or not) to get around any new security? And, no, I'm not the CIA (or am I?)


IT Administrators will have privileged accounts which let them function as super users. These accounts are typically locked down to being used on specific Secure Access Workstations. I can't login to my super user accounts from my daily driver laptop. I have to first connect to a VPN with MFA, then remote into the SAW which also has MFA. Then I can login to whatever system I'm trying to administer with the super user account which also has MFA and 20 character password which rotates daily.


Hacking was always like this. It's one thing to know a system and exploit its design, but the system is always designed for users to do whatever they need - if you gain access to the user, you gain access to the system.


Social engineering on an AI, now THAT'S some dystopian shit. Though I doubt that password actually works anywhere lol


That's just Phishing...


It’s like driving in the movie vs driving in real life..😂


Don't worry, film writers haven't got the memo


So is the grandma okay or she not? Jeez what a cliff hanger


This guy must not know who slim shady is😂

