abacabadabacaba

joined 1 year ago
[–] abacabadabacaba@infosec.pub 4 points 3 hours ago (4 children)

Why do all of them fail this question?

[–] abacabadabacaba@infosec.pub 15 points 2 days ago

Plot twist: the author fixed it themselves to make it appear that someone would pay for it.

[–] abacabadabacaba@infosec.pub 25 points 2 days ago (1 children)

Someone definitely took this XKCD too literally.

[–] abacabadabacaba@infosec.pub 4 points 3 weeks ago (1 children)

https://infosec.exchange/@harrysintonen/114455549143577092

Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?

Because apparently it works: https://hackerone.com/evilginx/hacktivity?type=user

It seems that some projects pay bounties for such AI Slop reports.

This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:

  • It looks convincing at a glance, especially if you're not a subject matter expert.
  • It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
  • It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refers to some old or new versions of components, using non-existent commit hashes.
  • The report makes up some convincing functionality or names that are novel, but don't really exist.

An expert's look at the report shows a number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.

The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.

Why didn't it work against the curl project? The attacker miscalculated badly. The curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.

It's only going to get worse from here. This could easily kill the whole concept of #bugbounties. Why?

  • Genuine researchers quit in frustration as they don't get proper reward for their hard work, and see #aislop scoop the money.
  • Orgs/projects abandon bug bounty programs since they get mostly AI Slop reports.
  • Financial backing (as donations or investment) for bug bounty programs disappears as the money is paid to scammers.

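The two cheap tells the quoted post lists (functions that do not exist in the tree, commit hashes that do not exist in the repository) can be checked mechanically before a human spends time on a report. Below is an added example of such a pre-triage helper; it is not code from the post's author, from curl, or from HackerOne. The source tree, the set of known commit hashes, the report text and every function name in it are constructed for this example (in a real setup you would grep the actual checkout and verify hashes with `git cat-file -e`).

```python
import re
from typing import Dict, Iterable

# Constructed, hypothetical source tree standing in for a local checkout.
# File names and function names are invented for this example; they are
# not curl's real code.
SOURCE_TREE: Dict[str, str] = {
    "lib/mime.c": (
        "CURLcode Curl_mime_prepare_headers(struct curl_mimepart *part)\n"
        "{\n  return mime_size(part) ? CURLE_OK : CURLE_BAD_FUNCTION_ARGUMENT;\n}\n"
        "static size_t mime_size(struct curl_mimepart *part)\n"
        "{\n  return part->datasize;\n}\n"
    ),
    "lib/url.c": (
        "void Curl_freeset(struct Curl_easy *data)\n"
        "{\n  free(data->set.str);\n}\n"
    ),
}

# Constructed set of commit hashes the checkout actually contains.
# In practice this lookup is `git cat-file -e <hash>` against the repo.
KNOWN_COMMITS = {"deadbeef1234", "0badc0de9876"}

# Words that look like calls in C but are keywords, not functions.
C_KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof", "defined"}

IDENT_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
HEX_RE = re.compile(r"\b[0-9a-f]{7,40}\b")


def claimed_functions(report: str) -> set:
    """Identifiers the report uses in call position, minus C keywords."""
    return {n for n in IDENT_RE.findall(report) if n not in C_KEYWORDS}


def claimed_commits(report: str) -> set:
    """Hex runs that look like git hashes. Requiring at least one a-f letter
    drops report IDs and other decimal numbers; the rare all-digit short
    hash is missed by this heuristic, which is acceptable for pre-triage."""
    return {h for h in HEX_RE.findall(report) if any(c.isalpha() for c in h)}


def identifier_in_tree(name: str, tree: Dict[str, str]) -> bool:
    """True if `name(` appears anywhere in the tree (definition or call)."""
    pat = re.compile(r"\b" + re.escape(name) + r"\s*\(")
    return any(pat.search(src) for src in tree.values())


def triage(report: str, tree: Dict[str, str] = SOURCE_TREE,
           commits: Iterable[str] = KNOWN_COMMITS) -> dict:
    """Flag functions and commits the report names that the project lacks.
    A hit does not prove the report is fake; it routes it to a human
    with a concrete list of discrepancies to confirm first."""
    commits = set(commits)
    missing_funcs = sorted(n for n in claimed_functions(report)
                           if not identifier_in_tree(n, tree))
    # Accept abbreviated hashes as prefixes of full ones, as git does.
    unknown_commits = sorted(h for h in claimed_commits(report)
                             if not any(k.startswith(h) for k in commits))
    return {
        "missing_functions": missing_funcs,
        "unknown_commits": unknown_commits,
        "needs_expert_review": bool(missing_funcs or unknown_commits),
    }


# Constructed sample report in the style the post describes: one real
# function, one invented function, one unknown commit, one known commit.
REPORT = """
Title: Heap overflow in curl_mime_header_parse() when parsing folded headers

The bug was introduced in commit a1b2c3d4e and affects lib/mime.c.
Curl_mime_prepare_headers() calls curl_mime_header_parse() without
checking the length returned by mime_size(). Fixed upstream in deadbeef.
See HackerOne report 3125832.
"""

if __name__ == "__main__":
    print(triage(REPORT))
```

Run against the constructed report it reports `curl_mime_header_parse` as missing from the tree and `a1b2c3d4e` as an unknown commit, while the report number 3125832 is correctly not treated as a hash. The output is a list of discrepancies for a maintainer to confirm, not a verdict: a legitimate reporter can mistype a name or cite a commit from a fork, so the flag means "check these first", not "close".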
[–] abacabadabacaba@infosec.pub 2 points 1 month ago (1 children)

I just like what they post. If I find an interesting post (usually because someone I follow boosted it), I look at the author's other posts, and if I find them interesting, I follow them.

There is also a list of accounts with the most followers: https://fedidb.com/accounts.

[–] abacabadabacaba@infosec.pub 3 points 1 month ago (3 children)

@MissingThePt@mastodon.social

@i0null@infosec.exchange

@warandpeas@mastodon.social

@MicroSFF@mastodon.art

@404mediaco@mastodon.social

@Bellingcat@mstdn.social

[–] abacabadabacaba@infosec.pub 5 points 1 month ago (2 children)

I won't say that they really have separation of church and state until they remove mentions of god from their currency.

Also, the fact that this even became a state law just shows how backward their society is.

[–] abacabadabacaba@infosec.pub 30 points 1 month ago (4 children)

They would rather stop showing those extracts in Switzerland than pay the fee.

[–] abacabadabacaba@infosec.pub 14 points 1 month ago (2 children)

TIL that the country whose name literally means "southern" is a part of the Global North.

[–] abacabadabacaba@infosec.pub 22 points 1 month ago (8 children)

Banning abortions is also a religious absurdity, and a more dangerous one. After all, no one died from not having a dog.

[–] abacabadabacaba@infosec.pub 38 points 1 month ago (1 children)

For those interested, there is a list of lists of falsehoods.
