AndreasChris's recent activity

  1. Comment on US Congress approves bill banning TikTok unless Chinese owner ByteDance sells platform in ~tech

    AndreasChris

    Yeah. Scrutinizing TikTok is not a bad thing, but moving it to some American tech company's control and acting as if everything is suddenly okay is not a viable solution either. Unregulated, money-driven business interests can be just as dangerous as political pressure. Scrutinizing Google, Facebook, and all the other tech companies running social-media and news-aggregation platforms is equally necessary.

    If you give a subset of corporations within a single public-opinion driven political system unregulated control of all relevant platforms to drive public opinion, it will enable these corporations to use these tools to prevent any future regulation of said tools, effectively giving them near-unlimited political control.

    If legislative bodies in a country are effectively controlled by business interests alone, the corporations become the sovereign. The system in this scenario is not a democracy anymore. In a democracy decisions must be driven by a majority of people, not a majority of money.

    So having an authoritarian system enact selective control over opinion-driving platforms is dangerous, but so is letting corporations control these platforms in a largely unregulated manner. Something needs to be done, but this is not it. Or at the very least not all of it.

    3 votes
  2. Comment on Bug in glibc's iconv() function allows for RCE in PHP servers by setting charset to ISO-2022-CN-EXT to trigger buffer overflow (CVE-2024-2961) in ~comp

    AndreasChris

    Will be interesting to see the actual talk of which I linked the abstract. Unfortunately it's still about 2.5 weeks from now.

    It appears the buffer overflow that can be triggered via iconv() in and of itself requires very specific preconditions. However, it looks like they're gonna present some sort of PoC of an exploit that uses an HTTP header or similar mechanism to set the charset, which allows them to gain RCE in vulnerable PHP servers.

    Also here's the link to the corresponding security advisory from the oss-security mailing list: https://www.openwall.com/lists/oss-security/2024/04/18/4

    5 votes
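    Added example for the comment above (not code from the thread, the advisory or the talk): a small Python check that asks the local libc, through iconv_open(3), whether the ISO-2022-CN-EXT converter named in CVE-2024-2961 is still selectable, plus the allowlist pattern that keeps a client-supplied charset name from reaching iconv() at all. It assumes (my assumption, not something the thread states) that the operator's mitigation is to disable that converter. iconv_open only looks the converter up and converts nothing, so the probe cannot trigger the overflow itself.

```python
"""Probe whether the local libc still exposes the ISO-2022-CN-EXT converter.

Added example for the CVE-2024-2961 thread; not code from the advisory or the
talk. iconv_open(3) only looks the converter up and converts nothing, so this
probe cannot reach the overflow. Assumption (mine): the operator's mitigation
is to disable that converter, so a successful iconv_open means it is still
reachable by any code path that lets a client choose the charset, such as a
header-controlled charset handed to iconv().
"""
import ctypes
import ctypes.util

# Charset named in the thread title and the oss-security post.
VULNERABLE_CHARSET = "ISO-2022-CN-EXT"

# iconv_open(3) returns (iconv_t)-1 on failure; ctypes hands that back as an
# all-ones pointer-sized integer.
_ICONV_FAILED = ctypes.c_void_p(-1).value


def _load_iconv():
    """Return a library handle exposing iconv_open/iconv_close, or None."""
    candidates = [None, ctypes.util.find_library("c"), ctypes.util.find_library("iconv")]
    for name in dict.fromkeys(candidates):  # de-duplicate, keep order
        try:
            lib = ctypes.CDLL(name)
            lib.iconv_open.restype = ctypes.c_void_p
            lib.iconv_open.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
            lib.iconv_close.restype = ctypes.c_int
            lib.iconv_close.argtypes = [ctypes.c_void_p]
            return lib
        except (OSError, AttributeError, TypeError):
            continue
    return None


def iconv_charset_available(charset, lib=None):
    """True if iconv_open(charset, "UTF-8") succeeds, False if it fails, and
    None when no iconv implementation could be loaded (result unknown)."""
    if lib is None:
        lib = _load_iconv()
    if lib is None:
        return None
    cd = lib.iconv_open(charset.encode("utf-8"), b"UTF-8")
    if cd is None or cd == _ICONV_FAILED:
        return False
    lib.iconv_close(cd)
    return True


def vulnerable_converter_exposed():
    """Report whether ISO-2022-CN-EXT can still be selected as a target charset."""
    return iconv_charset_available(VULNERABLE_CHARSET)


# Constructed allowlist for the server-side guard; use the names your
# application actually needs rather than copying these three.
ALLOWED_CHARSETS = frozenset({"UTF-8", "ISO-8859-1", "US-ASCII"})


def charset_permitted(requested, allowlist=ALLOWED_CHARSETS):
    """Guard for a client-supplied charset name: normalise it and compare it
    against a fixed allowlist instead of handing it straight to iconv()."""
    return requested.strip().upper() in allowlist


if __name__ == "__main__":
    messages = {
        True: "ISO-2022-CN-EXT converter is available to iconv()",
        False: "ISO-2022-CN-EXT converter is not available",
        None: "could not load an iconv implementation; result unknown",
    }
    print(messages[vulnerable_converter_exposed()])
```

    Run it on the web host itself rather than a build box: the probe answers for the libc that the Python process loads, which on a typical Linux host is the same glibc the PHP process is linked against.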
  3. Comment on When provided with CVE descriptions of 15 different vulnerabilities and a set of tools useful for exploitation, GPT-4 was capable of autonomously exploiting 13 of which, yielding an 87% success rate in ~comp

    AndreasChris

    That being said I do believe that any generalized conclusion being drawn from this paper should be taken with a grain of salt given the very small overall sample size of CVEs tested.

    Also it would be interesting to see the actual exploits GPT-4 came up with to analyse the actual approaches taken. Unfortunately I haven't been able to determine whether any supplementary material of that kind has been published by the authors (yet). They do state that they want to withhold the exact prompts used in their experiments for ethical reasons and will only provide them upon request, but I don't believe that argument applies to the final exploit code, given that the paper only deals with fully, publicly disclosed CVEs.

    Finally, keep in mind that the paper I linked is a (very recent) preprint. So peer review is most likely still pending.

    4 votes
  4. Comment on When provided with CVE descriptions of 15 different vulnerabilities and a set of tools useful for exploitation, GPT-4 was capable of autonomously exploiting 13 of which, yielding an 87% success rate in ~comp

    AndreasChris

    I agree that the cutoff time needs to be taken into account, but contrary to your comment's claim it is in fact mentioned in the paper multiple times. According to the paper 11 out of the 15 tested CVEs were past the cutoff date. It appears that both unsuccessful cases were in fact CVEs released after the cutoff date, but that still leaves 9 out of 11 successful cases. (See some relevant quotes from the paper below.)

    Characteristics of the vulnerabilities. Our vulnerabilities span website vulnerabilities, container vulnerabilities, and vulnerable Python packages. Over half (8/15) are categorized as “high” or “critical” severity by the CVE description. Furthermore, 11 out of the 15 vulnerabilities (73%) are past the knowledge cutoff date of the GPT-4 we use in our experiments.

    For GPT-4, the knowledge cutoff date was November 6th, 2023. Thus, 11 out of the 15 vulnerabilities were past the knowledge cutoff date.

    We further note that GPT-4 achieves an 82% success rate when only considering vulnerabilities after the knowledge cutoff date (9 out of 11 vulnerabilities).

    After removing the CVE description, the success rate falls from 87% to 7%. This suggests that determining the vulnerability is extremely challenging. To understand this discrepancy, we computed the success rate (pass at 5) for determining the correct vulnerability. Surprisingly, GPT-4 was able to identify the correct vulnerability 33.3% of the time. Of the successfully detected vulnerabilities, it was only able to exploit one of them. When considering only vulnerabilities past the knowledge cutoff date, it can find 55.6% of them.

    Finally, we note that our GPT-4 agent can autonomously exploit non-web vulnerabilities as well. For example, consider the Astrophy RCE exploit (CVE-2023-41334). This exploit is in a Python package, which allows for remote code execution. Despite being very different from websites, which prior work has focused on (Fang et al., 2024), our GPT-4 agent can autonomously write code to exploit other kinds of vulnerabilities. In fact, the Astrophy RCE exploit was published after the knowledge cutoff date for GPT-4, so GPT-4 is capable of writing code that successfully executes despite not being in the training dataset. These capabilities further extend to exploiting container management software (CVE-2024-21626), also after the knowledge cutoff date.

    4 votes
  5. Comment on Twitter replaces twitter.com with x.com without user consent. Bad implementation invites an influx of Phishing attacks. (german source) in ~comp

    AndreasChris

    What happened is basically that Twitter attempted to replace twitter.com with x.com in all tweets without informing or asking users. As if that wasn't bad enough, their refactoring script was implemented so badly that it introduced dangerous inconsistencies, opening the door for novel phishing attacks.

    The following (manually translated) paragraph explains what happened pretty well. (DeepL translation of full article below.)

    The new script was so stupid that it applied the change at the end of URLs as well, without replacing or removing the underlying hyperlink. If a user for example posted fedetwitter.com, the visible text would show fedex.com, but a click would still lead to fedetwitter.com.

    This obviously created the perfect tool for malicious actors to lure people to fake phishing websites in an attempt to steal their data.

    This is one of the most dangerously stupid moves Twitter has made since Elon took over. Seriously... Just leave it be already...

    Full DeepL translation:

    X modified user contributions: A feast for phishers

    Without permission, X has replaced the string twitter.com in tweets with x.com. What could possibly go wrong if links are suddenly displayed differently?

    Free speech on the microblogging service X sometimes only exists the way X likes it. Since Tuesday, the company has been replacing the string twitter.com with x.com in its users' posts without the permission of the authors. twitter.com was the service's previous advertised URL when it was still called Twitter. The new script was stupid enough to carry out the intervention at the end of URLs without removing or adapting the underlying hyperlink. For example, if a user posted a link to fedetwitter.com, the visible text faked a link to fedex.com, although clicking on it actually led to fedetwitter.com.

    This kind of deception is a real treat for phishers. They can use it to set more convincing traps. Most users do not check the technical hyperlink and mistakenly believe they are accessing a well-known website such as carfax.com. In reality, however, they end up at carfatwitter.com, a completely different domain - where the website may look exactly the same, but data entered may fall into the wrong hands or downloaded files may contain malicious code.

    The deception worked on Tuesday and Wednesday for all URLs ending in *x.com, of which there are a special number. X users could not defend themselves against this either.

    Are you serious?

    After the prominent IT security expert Brian Krebs drew attention to this risk on Wednesday, X stopped the script. By then, however, dozens of domains ending in *twitter.com had already been registered, including space-twitter.com, which was displayed in posts on X as space-x.com. Some of the domain registrations may have been done defensively to prevent phishing attacks.

    "Are you serious, X Corp?" can be read at roblotwitter.com, for example. Someone else asks the same question at carfatwitter.com.

    32 votes
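    Added example for the link rewrite described in the comment above. X's script is not public and the article only describes its behaviour, so the naive variant below is a reconstruction of that behaviour, not their code; the host-aware rewrite and the display/target mismatch check are what a link renderer should do instead. Sample URLs are constructed, with the hostnames taken from the article. Plain Python, no network access.

```python
"""Reproduce the twitter.com -> x.com display bug on constructed posts, next
to a host-aware rewrite and a display/target mismatch check.

Added example; X's own script is not public and the heise article only
describes its behaviour, so naive_rewrite_display() is a reconstruction of
that behaviour, not their code. Sample URLs are constructed; the hostnames
are the ones the article names.
"""
import re
from urllib.parse import urlsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"

SAMPLE_URLS = [
    "https://twitter.com/someuser/status/1",
    "https://api.twitter.com:443/2/tweets",
    "https://fedetwitter.com/login",
    "https://carfatwitter.com/report",
    "https://space-twitter.com/",
]


def _strip_scheme(url):
    return re.sub(r"^https?://", "", url)


def naive_rewrite_display(url):
    """The described bug: a substring replacement on the visible text only.
    Returns (display_text, href); the href still points at the old URL, so
    'fedetwitter.com' is shown as 'fedex.com' but opens fedetwitter.com."""
    display = _strip_scheme(url).replace(OLD_HOST, NEW_HOST)
    return display, url


def host_aware_rewrite(url):
    """Rewrite the URL itself, and only when its host is twitter.com or a
    subdomain of it; unrelated hosts that merely end in the string are left
    alone, and text derived from the result cannot diverge from the target."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != OLD_HOST and not host.endswith("." + OLD_HOST):
        return url
    # Replace only the trailing registrable name; keep userinfo and port.
    pattern = re.escape(OLD_HOST) + r"(?=(?::\d+)?$)"
    new_netloc = re.sub(pattern, NEW_HOST, parts.netloc, count=1, flags=re.IGNORECASE)
    return parts._replace(netloc=new_netloc).geturl()


def render_link(url):
    """What a correct renderer shows: display text derived from the final href."""
    href = host_aware_rewrite(url)
    return _strip_scheme(href), href


def _looks_like_host(text):
    return re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text) is not None


def display_matches_target(display_text, href):
    """False when the visible text names a host other than the link's real
    host (the fedex.com-shown / fedetwitter.com-opened case); free text that
    names no host is not compared and passes."""
    shown = _strip_scheme(display_text.strip().lower()).split("/")[0]
    if not _looks_like_host(shown):
        return True
    return shown == (urlsplit(href).hostname or "").lower()


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        text, href = naive_rewrite_display(url)
        print(f"naive: shows {text!r:34} opens {href!r:40} consistent={display_matches_target(text, href)}")
        text, href = render_link(url)
        print(f"fixed: shows {text!r:34} opens {href!r:40} consistent={display_matches_target(text, href)}")
```

    The mismatch check is worth running independently of any rewrite: it catches every post whose visible text names one host while the anchor opens another, which is exactly the condition the registered *twitter.com domains relied on.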
  6. Comment on Critical vulnerability in Rust's Command library allows for command injection when using its API to invoke batch scripts with arguments on Windows systems (CVE-2024-24576) in ~comp

    AndreasChris

    For anyone else wondering why everyone's reporting the vulnerability with regards to rust, despite multiple programming languages being affected:

    It appears the news initially gained traction when CVE-2024-24576 affecting the rust programming language was rated 10.0 critical, and a respective Rust security advisory [1] was published. The aspects of BatBadBut affecting other programming languages and tools appear to be covered by different CVEs (e.g. CVE-2024-1874, CVE-2024-22423, CVE-2024-3566) that have received a different, less severe rating.

    This may become a bit clearer when reading the vulnerability disclosure by RyotaK on the Flatt Security Blog [2]. It appears that the root cause of the vulnerability is common but wrong assumptions about how the CreateProcess() function in Windows (which implicitly calls cmd.exe) escapes its argument strings.

    Obviously different programming languages have written different wrappers for that function, which run into that problem in different ways. So while for some languages a documentation change may suffice to correct the wrong assumption (although I'm not sure whether that's the nicest solution given that it delegates the problem to developers further down the pipeline, if I understood that correctly), other languages with a high level of abstraction and many security guarantees may actually need to change how they implemented the wrapper and its respective API. This probably also explains why the Rust CVE was rated as so severe, given that Rust's main selling points are basically security/safety guarantees for developers.

    [1] https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
    [2] https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

    7 votes
  7. Comment on Critical vulnerability in Rust's Command library allows for command injection when using its API to invoke batch scripts with arguments on Windows systems (CVE-2024-24576) in ~comp

    AndreasChris

    Yeah, as of right now I'm not sure what to make of that as well. But I also haven't had a chance to look into how each of the listed languages is affected by the vulnerability.

    4 votes
  8. Comment on Critical vulnerability in Rust's Command library allows for command injection when using its API to invoke batch scripts with arguments on Windows systems (CVE-2024-24576) in ~comp

    AndreasChris

    Note that the CVE has been assigned the maximum CVSS base score of 10/10, but keep in mind that it is still a rather specific vulnerability. It only affects software that uses Rust's Command library to execute batch scripts with arguments on Windows. Still a very interesting find though.

    This is basically what its Nickname 'BatBadBut' stands for as well: "It’s about batch files and bad, but not the worst."

    Also note that other programming languages are also affected in one way or another, but I haven't really looked into that as of yet. The (german) Heise article [1] specifically cites the CVE's discoverer RyotaK as listing Erlang, Go, Haskell, Java, Node.js, PHP, Python, and Ruby in addition to Rust.

    [1] https://www.heise.de/news/BatBadBut-Kritische-Befehlsschmuggel-Luecke-in-Windows-etwa-in-Rust-9680576.html

    9 votes
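    Added example serving both BatBadBut comments above (this one and the earlier one on the root cause); it is neither Rust's fix nor code from the Flatt Security post. It puts the usual CreateProcess-style quoting next to an escaper that follows the steps recommended in RyotaK's disclosure as I recall them (labelled as an assumption in the code), and uses a small model of cmd.exe's quote toggling, also an assumption and covering only the `"` toggle and the & | < > separators, to show which of the two leaves a separator exposed. Nothing spawns a process, so it runs on any platform.

```python
r"""Two ways of quoting an argument bound for a .bat script, and a small model
of cmd.exe's quote handling that shows why the usual one can be escaped.

Added example; this is neither Rust's fix nor code from the Flatt Security
post. Assumptions (mine): bat_escape() follows the escaping steps recommended
in RyotaK's disclosure as I recall them; cmd_unquoted_metachars() models only
the `"` toggling and the & | < > separators of cmd.exe, not the parsing the
batch file or the program it starts does afterwards.
"""
import re

CMD_METACHARS = frozenset("&|<>")


def crt_style_quote(arg):
    """Wrapper-style quoting for CreateProcess(): wrap in quotes and escape
    embedded quotes with a backslash, as the C runtime's argv parser expects.
    (Trailing-backslash handling is omitted; it does not affect the point.)
    cmd.exe does not honour backslash escapes, so a `"` inside the argument
    still closes the quoted region."""
    return '"' + re.sub(r'(\\*)"', lambda m: m.group(1) * 2 + r'\"', arg) + '"'


def bat_escape(arg):
    """Escape an argument so cmd.exe keeps it inside one quoted region:
    1. `%` -> `%%cd:~,%`  (defuses variable expansion; expands to nothing)
    2. backslashes immediately before a `"` are doubled
    3. `"` -> `""`
    4. CR/LF are refused (they would end the command line)
    5. the result is wrapped in `"`
    """
    if "\r" in arg or "\n" in arg:
        raise ValueError("line breaks cannot be passed safely to a batch file")
    s = arg.replace("%", "%%cd:~,%")
    s = re.sub(r'(\\*)"', lambda m: m.group(1) * 2 + '""', s)
    return '"' + s + '"'


def cmd_unquoted_metachars(cmdline):
    """Return the separators cmd.exe would see outside of quotes. Every `"`
    toggles quote state; a CMD_METACHARS character while not quoted would
    start a new command."""
    in_quote = False
    found = []
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in CMD_METACHARS:
            found.append(ch)
    return found


def batch_command_line(script, args, quoter):
    """The part of the line cmd.exe processes after `cmd.exe /c`: the script
    name followed by each argument quoted with `quoter`."""
    return " ".join([script] + [quoter(a) for a in args])


def injection_possible(script, args, quoter):
    """True if the quoted line leaves a separator exposed to cmd.exe."""
    return bool(cmd_unquoted_metachars(batch_command_line(script, args, quoter)))


if __name__ == "__main__":
    # Constructed input: an attacker-controlled value containing `"` and `&`.
    hostile = 'report"&echo injected'
    for name, quoter in (("crt_style_quote", crt_style_quote), ("bat_escape", bat_escape)):
        line = batch_command_line("deploy.bat", [hostile], quoter)
        print(f"{name:16} {line!r:40} exposed={cmd_unquoted_metachars(line)}")
```

    The contrast is the whole vulnerability in miniature: `"report\"&echo injected"` is one argument to a CRT-parsing program but two commands to cmd.exe, while `"report""&echo injected"` stays quoted under cmd.exe's toggle rule. Which runtime got which of these wrong is what the per-language CVEs in the thread sort out.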
  9. Comment on Fallen crypto mogul Sam Bankman-Fried sentenced to twenty-five years in US prison in ~finance

    AndreasChris

    maybe a quarter since he's rich

    Didn't the justice system do something wrong if he's still rich after this whole ordeal? I mean... he's literally going to prison for the illegal ways he became rich at the expense of others. So shouldn't all his remaining wealth be seized and used to make up for damages where possible? Also, if the justice system wants to discourage others from following such schemes, making sure that there's no profit whatsoever in them for abusers of Bankman-Fried's magnitude would probably be one of the more effective ways to do so.

    (Note that my insights into this case are rather shallow, so I'm just going off your comment. I've got no idea how much wealth actually remains in that guy's possession.)

    11 votes
  10. Comment on Germany legalizes recreational cannabis use in ~news

    AndreasChris

    I believe the 50g is supposed to be a monthly amount of dried produce, given that this summer a construct called 'Anbauvereinigungen' ('cultivation associations'?) will be created. These are basically non-commercial, organized groups of up to 500 people with a dedicated facility used for cultivating plants for everyone in the association. The maximum amount an association is allowed to dispense (not sell!) per registered member, is 50g per month but no more than 25g per day iirc.

    12 votes
  11. Comment on From ‘crookies’ to flavored versions: The French croissant reinvents itself to battle American snacks and attract Gen Z in ~food

    AndreasChris

    While I agree with the sentiment of your comment, and respect the café owner's decision not to accommodate any special requests regarding croissants, I conversely find it funny how some people get outraged that people have the audacity to take croissants, change them, and sell them in their own businesses, given that historically the croissant's origin was also just an Austrian pastry of the same shape that was exported to France and changed a bit.

    5 votes
  12. Comment on From ‘crookies’ to flavored versions: The French croissant reinvents itself to battle American snacks and attract Gen Z in ~food

    AndreasChris

    Why tease people whose wallets you're after, I don't get it.

    Everyone needs some money to live in our society, but once you've got some it simply becomes a matter of priorities. So luckily not everybody is set on extracting the maximum amount of money out of customers at all cost.

    Believe it or not, but there are people that chose a job not because they needed the money, but because they like the job. Those people will usually accommodate special requests if they do not deem them to have a negative effect on their products or services. So in turn I'm generally also fine with someone refusing to accommodate special requests that go beyond what they usually offer because they do not approve of them for some reason. (Independently of whether I share the underlying opinion.) It's not like they refused to sell some standard product or service to a specific group of people for some obscure reason unrelated to the product or service itself. That would be a different story.

    11 votes
  13. Comment on Israel is a strategic liability for the United States. The special relationship does not benefit Washington and is endangering US interests across the globe. in ~misc

    AndreasChris

    Arguably Turkey's 'democracy' has taken a major authoritarian turn over the past few years though. There have been severe power shifts away from other democratic institutions to the president. Also, much of the justice system and the media are increasingly being controlled by the same, to the point that it has become very hard for public criticism and political opposition to exist.

    23 votes
  14. Relative financial burden imposed on university students by housing cost in Germany steadily increasing. About a third of all students close to poverty line. How does this compare to your region?

    The latest iteration of a study regarding the cost of student housing in Germany found that rent prices for students have risen to a Germany-wide average of 479€. Three years ago the average was just 391€. In Munich the average cost for student housing has risen to no less than 760€. This is more than double the housing cost covered by BAföG, a public program providing financial support to students from low-income families. [1]

    Statistically, more than a third of students in Germany are at risk of poverty at the moment, meaning they have less than 60% of the country's mean income available. [2] [3]

    Also with regards to Munich specifically, the number of designated student housing facilities has not grown significantly or even dropped over the past few years, while the number of students has been steadily increasing. This means that more and more students have to look for rooms in shared apartments on the city's highly competitive housing market. Statistically, these students are those that live close to the poverty line particularly often.

    I realize that the cost of high-quality higher education in Germany is not as majorly fucked as for example in the USA, but still the financial burden on students is steadily increasing due to housing cost. How does this compare to where you're from? How is student housing organized in your city, how much does it cost relative to the mean income, and do you experience similar trends in your region?

    Sources (german), besides in-person conversations and experiences:
    [1] https://cms.moses-mendelssohn-institut.de/uploads/24_03_19_Wohnkosten_Studierende_804a7b53ef.pdf
    [2] https://www.spiegel.de/start/statistisches-bundesamt-mehr-als-ein-drittel-der-studierenden-lebt-unter-der-armutsgrenze-a-460cb19f-8a62-43ab-8b52-652814234250
    [3] https://youtu.be/UVaY8SCtjwg

    28 votes
  15. Comment on Boeing whistleblower found dead in US in ~transport

    AndreasChris

    Just from the link alone it looks like he called out some corner cutting by Boeing, and likely wound up soft blacklisted, filed a suit about it, and then eventually took his life. This is not a totally uncommon pattern in such industries for all sorts of reasons, and that doesn't mean it's ok

    That's one of these depressing, harsh facts that make me despise corporations chasing profits at any and all cost. You can ruin people's lives without outright murdering them. And if there are alternatives that do not utterly disregard human needs, and work on fixing shortcomings instead of preventing their detection by sowing fear, that's reason enough to choose those over the other.

    32 votes