ICMP packets with "LOVE" in ASCII.
TCP packets with different window sizes.
This strange traffic mimics legitimate data streams, and while it's not known if it's malicious, its true purpose remains a mystery.
quick recap
- arc boosts can contain arbitrary javascript
- arc boosts are stored in firestore
- the arc browser gets which boosts to use via the creatorID field
- we can arbitrarily change the creatorID field to any user id
thus, if we were to find a way to easily get someone else's user id, we would have a full attack chain
when someone refers you to arc, or you refer someone to arc, you automatically get their user id in the user_referrals table, which means you could just ask someone for their arc invite code and they'd likely give it
Context:
To understand what’s happening here you need to remember that it’s a category error to treat LLMs as thinking entities.
They are statistical models that work with numbers – tokens – that represent language and the relationships between the words. It’s statistics about language wrapped up in an anthropomorphic simulation.
Attack:
The token stream (Strategic Text Sequence) itself – the numbers not the words – is an attack surface.
Reality of the threat:
This is going to get automated, weaponised, and industrialised. Tech companies have placed chatbots at the centre of our information ecosystems and butchered their products to push them front and centre. The incentives for bad actors to try to game them are enormous and they are capable of making incredibly sophisticated tools for their purposes.
Since data leaks are not really avoidable, will these companies collect less data?
(via https://sebsauvage.net/links/?Qgk2LA)
Noticing that the .mobi TLD (a TLD that is a bad idea anyway, but that is another story) had changed its whois server from whois.dotmobiregistry.net to whois.nic.mobi, and that the domain name dotmobiregistry.net, not renewed, had expired and was therefore available, the researchers registered the name dotmobiregistry.net, set up a whois server (I remind you that the protocol is very simple and that any student can write a whois server in a quarter of an hour) and collected countless requests from whois clients that had not updated their database.
The researchers then analyzed these requests.
To avoid this flaw, and "if we want to do things properly, we should no longer use whois but its successor RDAP"
A detailed Ars Technica article is available at https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/
generates electromagnetic radiation from a device's RAM to send data from air-gapped computers.
The RAMBO attack achieves data transfer rates of up to 1,000 bits per second (bps), equating to 128 bytes per second, or 0.125 KB/s.
Transmissions are limited to a maximum range of 3 meters, with an error rate of 2-4%.
EICAR files in different file formats.
Copilot can be encouraged to launch HTTP requests on the server side, potentially enabling access to data from other companies.
A server-side request forgery (SSRF) bug in Microsoft's tool for creating custom AI chatbots potentially exposed info across multiple tenants within cloud environments.
Though the research proved inconclusive about the extent that the flaw could be exploited to gain access to sensitive cloud data
The official website can be found at https://www.cedarpolicy.com/en
Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.
It's called Mastodon Stampede: a link shared on one instance gets downloaded by all instances. For small hosts, the result is a DDoS.
2.9 billion people. The probability is high that we are affected.
Users of dating applications are at risk of being geolocated. This is all the more worrying because these applications are used by stalkers.
A great resource to get into them
Oops. The passwords of 15 million users are out in the wild.
Center for Internet Security Benchmarks
Forks are copies of the original repository. As such, leaked credentials remain in the forks.
A deleted repository still has the commit from the original repository, and that commit can still be accessed. Demo on YouTube
Example:
They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork
Also related to private repositories:
We demonstrate how organizations open-source new tools while maintaining private internal forks, and then show how someone could access commit data from the private internal version via the public one.
How to access the data? By direct access to the commit.
If you know the commit hash you can directly access data that is not intended for you.
AND
Commit hashes can be brute forced through GitHub’s UI, particularly because the git protocol permits the use of short SHA-1 values when referencing a commit.
There are 65,536 possible values at the minimum length, and 16,777,216 is a more realistic figure (6 characters per commit).
Also, "deleting a repository or fork does not mean your commit data is actually deleted."
The flaw also exists in other version control system products.