In my opinion, security is one of the most forgotten aspects of software engineering. It rarely gets focused on until it's too late. Even though at least one incident lands on HackerNews every week where some data gets leaked or someone gets hacked — people still think, "Nobody cares about my little startup." You might think you're too small to be noticed by the big, evil hackers. Wrong. Size doesn't matter. You're always a target; there's always data to leak and ways to exploit your business.
This is a great primer for the security-related items you need to consider when you're building software.
Some takeaways:
First, any human-built product is going to be insecure. Nothing is 100% secure, ever. The best you can do is make the bad guys earn it by making it difficult to break into.
Second, your biggest vulnerabilities are almost always human. You can build Fort Knox, but if I'm able to trick your guard into opening the door for me, then what's the point?
Third, I'm grateful for frameworks like Ruby on Rails which handle a good chunk of the author's "step 0" items out of the box. Picking the right tool (and keeping that tool sharpened) is the best first step.
Fourth, there's never a moment with software when you can dust your hands and say, "ope, we're done!"
Security is especially an area in which you can't sit still. If you build an app and let it sit for a decade without any updates, I can almost guarantee you that there'll be a vulnerability in one of your dependencies which I could exploit to take over your system.
Finally, if you reach a certain size of organization, you need someone thinking about this stuff full time and orchestrating all the pieces needed to keep a secure system.
Whenever I talk about a knowledge win via robots on the socials or with humans, someone snarks, "Well, how do you know it's true? How do you know the robot isn't hallucinating?" Before I explain my process, I want to point out that I don't believe humans are snarking because they want to know the actual answer; I think they are scared. They are worried about AI taking over the world or folks losing their job, and while these are valid worries, it's not the robot's responsibility to tell the truth; it's your job to understand what is and isn't true.
You're being changed by the things you see and read for your entire life, and hopefully, you've developed a filter through which this information passes. Sometimes, it passes through without incident, but other times, it's stopped, and you wonder, "Is this true?"
Knowing when to question truth is fundamental to being a human. Unfortunately, we've spent the last forty years building networks of information that have made it pretty easy to generate and broadcast lies at scale. When you combine the internet with the fact that many humans just want their hopes and fears amplified, you can understand why the real problem isn't robots doing it better; it's the humans getting worse.
I'm working on an extended side quest and in the past few hours of pairing with ChatGPT, I've found myself constantly second guessing a large portion of the decisions and code that the AI produced.
This article pairs well with this one I read today about a possible social exploit that relies on frequently hallucinated package names.
Simon Willison writes:
Bar Lanyado noticed that LLMs frequently hallucinate the names of packages that don't exist in their answers to coding questions, which can be exploited as a supply chain attack.
He gathered 2,500 questions across Python, Node.js, Go, .NET and Ruby and ran them through a number of different LLMs, taking notes of any hallucinated packages and if any of those hallucinations were repeated.
One repeat example was "pip install huggingface-cli" (the correct package is "huggingface[cli]"). Bar then published a harmless package under that name in January, and observed 30,000 downloads of that package in the three months that followed.
I'll be honest: during my side quest here, I've 100% blindly run npm install on packages without double checking official documentation.
These large language models truly are mirrors to our minds, showing all sides of our personalities from our most fit to our most lazy.
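As an added example (not from the linked articles or this post), here is a pre-install gate that checks requirement names against a team-reviewed allowlist and flags names that only resemble an approved one, the pattern the hallucinated "huggingface-cli" case follows. The allowlist, the sample requirements and the function names are constructed for illustration.

```python
import difflib
import re

# Constructed allowlist: names a human has reviewed against official docs.
APPROVED = {"huggingface-hub", "requests", "numpy"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def project_name(requirement):
    """Extract the project name from a requirement like 'pkg[extra]>=1.0'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    if not m:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    return normalize(m.group(1))

def vet(requirements, approved=APPROVED, cutoff=0.75):
    """Return (requirement, status, nearest_approved_name) for each entry."""
    approved_norm = sorted(normalize(a) for a in approved)
    findings = []
    for req in requirements:
        name = project_name(req)
        if name in approved_norm:
            findings.append((req, "approved", None))
            continue
        # A near miss on a reviewed name deserves more suspicion than a
        # plainly unfamiliar one: it is what a squatted name looks like.
        near = difflib.get_close_matches(name, approved_norm, n=1, cutoff=cutoff)
        if near:
            findings.append((req, "lookalike", near[0]))
        else:
            findings.append((req, "unreviewed", None))
    return findings

def blocked(findings):
    """Requirements that should not be installed without a human review."""
    return [req for req, status, _ in findings if status != "approved"]

if __name__ == "__main__":
    # Constructed input, e.g. names copied out of an assistant's answer.
    sample = ["huggingface-cli", "Requests>=2.31",
              "huggingface_hub[cli]", "example-unreviewed-pkg"]
    for req, status, near in vet(sample):
        print(f"{req:26} {status:10} {near or ''}")
```
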
In September last year, a breach at LastPass' parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, ignoring technical issues which have been publicized years ago and made the attackers' job much easier. The list goes on.
Now this has been almost a year ago. LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let's take a look at whether they managed to deliver.
TL;DR: They didn't. So far I failed to find evidence of any improvements whatsoever.
If you aren't using a password manager, the likelihood of every single one of your online accounts getting hacked is extremely high.
If you're using a bad password manager, I guess it's just as high? 😬
At around 7 am on a quiet Wednesday in August 2017, Marcus Hutchins walked out the front door of the Airbnb mansion in Las Vegas where he had been partying for the past week and a half. A gangly, 6'4", 23-year-old hacker with an explosion of blond-brown curls, Hutchins had emerged to retrieve his order of a Big Mac and fries from an Uber Eats deliveryman. But as he stood barefoot on the mansion's driveway wearing only a T-shirt and jeans, Hutchins noticed a black SUV parked on the street—one that looked very much like an FBI stakeout.
Journalism students should study this as a quintessential way to write a profile piece. I find computer security a fascinating topic, but it's hard to present it to non-nerds as a compelling story. Andy Greenberg did this story justice.
For those of you not following the story, some hackers have found code to this software on mobile devices (both the iPhone and Android) called Carrier IQ. It allegedly sends a ton of data back to the carriers, including logging keystrokes and recording data sent through Wi-fi, even if it's encrypted.
The important thing to take away, however, is that even though we all like to fight the "Apple vs. Android" battle, the real war is The People vs. the Carriers.