this post was submitted on 20 Oct 2023
1513 points (98.9% liked)

Programmer Humor

32361 readers
264 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] Poggervania@kbin.social 353 points 1 year ago (2 children)

There’s some sort of cosmic irony that some hacking could legitimately just become social engineering AI chatbots to give you the password

[–] residentmarchant@lemmy.world 226 points 1 year ago (4 children)

There's no way the model has access to that information, though.

Google's important product must have proper scoped secret management, not just environment variables or similar.

[–] nomecks@lemmy.world 111 points 1 year ago (3 children)

There's no root login. It's all containers.

[–] SpaceNoodle@lemmy.world 52 points 1 year ago (1 children)

It's containers all the way down!

[–] RealFknNito@lemmy.world 32 points 1 year ago (1 children)
[–] magic_lobster_party@kbin.social 14 points 1 year ago (1 children)

I deploy my docker containers in .mkv files.

[–] residentmarchant@lemmy.world 12 points 1 year ago (2 children)

The containers still run an OS, have proprietary application code on them, and have memory that probably contains other user's data in it. Not saying it's likely, but containers don't really fix much in the way of gaining privileged access to steal information.

[–] towerful@programming.dev 19 points 1 year ago (2 children)

That's why it's containers... in containers

It's like wearing 2 helmets. If 1 helmet is good, imagine the protection of 2 helmets!

[–] PochoHipster@lemmy.ml 9 points 1 year ago (1 children)

So is running it on actual hardware basically rawdoggin?

[–] lemann@lemmy.one 6 points 1 year ago

Wow what an analogy lol

[–] bobs_monkey@lemm.ee 6 points 1 year ago (1 children)

What if those helmets are watermelon helmets

[–] Dyskolos@lemmy.zip 2 points 1 year ago

Then two would still be better than one 😉

[–] dan@upvote.au 5 points 1 year ago

The OS in a container is usually pretty barebones though. Great containers usually use distroless base images. https://github.com/GoogleContainerTools/distroless

[–] Venat0r@lemmy.world 9 points 1 year ago (2 children)

The containers will have a root login, but the ssh port won't be open.

I doubt they even have a root user. Just whatever system packagea are required baked into the image

[–] FrederikNJS@lemm.ee 3 points 1 year ago

Containers can be entirely without anything. Some containers only contain the binary that gets executed. But many containers do contain pretty much a full distribution, but I have yet to see a container with a password hash in its /etc/shadow file...

So while the container has a root account, it doesn't have any login at all, no password, no ssh key, nothing.

[–] SpaceNoodle@lemmy.world 7 points 1 year ago (1 children)

It does if they uploaded it to github

[–] residentmarchant@lemmy.world 6 points 1 year ago

In that case, it'll steal someone else's secrets!

[–] nothacking@discuss.tchncs.de 4 points 1 year ago

Still, things like content moderation and data analysis, this could totally be a problem.

[–] Ziglin@lemmy.world 1 points 1 year ago

But you could get it to convince the admin to give you the password, without you having to do anything yourself.

[–] jubilationtcornpone@sh.itjust.works 27 points 1 year ago (1 children)

It will not surprise me at all if this becomes a thing. Advanced social engineering relies on extracting little bits of information at a time in order to form a complete picture while not arousing suspicion. This is how really bad cases of identity theft work as well. The identity thief gets one piece of info and leverages that to get another and another and before you know it they're at the DMV convincing someone to give them a drivers license with your name and their picture on it.

They train AI models to screen for some types of fraud but at some point it seems like it could become an endless game of whack-a-mole.

[–] flashgnash@lemm.ee 6 points 1 year ago

While you can get information out of them pretty sure what that person meant was sensitive information would not have been included in the training data or prompt in the first place if anyone developing it had a functioning brain cell or two

It doesn't know the sensitive data to give away, though it can just make it up