Tech Freedom

Weekend Edition 47: AI Is Stupid & More

MS 365 Accounts Hacked… Again

Zoom: “Trust us, Bro.”

ChatGPT Sucks as a Knowledgebase

GPTBot to Scrape Your Website: Here’s How to Block It.

AI Steals Passwords? Knowledge Is Power

OSS Moq Temporarily Included Extra Tracking Tools in Its Codebase… Oops…

Hear About Trump’s Twitter Subpoena?

WE 1 – Massive Phishing Campaign Against C-Level Execs

Filed under the category of “Microsoft Sucks”: a bad actor has, again, been attempting to take control of the accounts of a plethora of C-level executives at various large companies. The campaign appears to have a Turkish origin and has used a known tool called EvilProxy to send about 120,000 emails to similar accounts over the last few months. EvilProxy costs about $400 per month, and it is being used to steal MFA codes, login credentials, and other things by sending targets through a labyrinthine series of redirects until they land on a very carefully crafted, specialized landing page for each targeted organization. How do they know that it is related to Turkey? If a targeted person uses a VPN with a Turkish endpoint, they don’t actually get phished.

OK, I guess this isn’t really MS’s issue, but I still want to take whatever chance I can to bash them. I’m not sure that they could legitimately make reasonable changes to make their platforms and services un-phishable. That kind of social engineering attack has been a “thing” since the early days of networking, back in the late 70s. It was how Kevin Mitnick gained access to that DEC server system in 1979, as well as the Pac Bell voicemail system in the early 90s. We do, however, need to raise awareness and observational skills for people in positions of power. If we effectively train people to only trust those sorts of emails from their own IT personnel, then I think we would make a big step toward defeating these kinds of attacks in the future. Unfortunately, this is likely a nearly insurmountable problem at this point. For those of you who work in corporate America, always check random emails asking for credentials with your IT department before you just blindly offer up your sign-in to some bad actor. Practice better digital hygiene. This will save everybody involved many unnecessary headaches.

https://www.techradar.com/pro/microsoft-365-users-targeted-by-major-phishing-campaign 

WE 2 – Zoom: Private, or a Giant AI Nightmare?

Recently, Zoom did a rewrite of their terms of service and privacy policies. By recently, I mean that they were rolled out in March 2023; the changes were only recently uncovered by a hawk-eyed researcher. There was a justifiable uproar about these changes across the interwebz. They appeared to give Zoom blanket permission to use every call and every chat to train AIs and associated algorithms. After the fracas, the Chief Product Officer issued a blog post as well as some quick edits to the documents in question. Sections 10.2 and 10.4 seem to give the platform carte blanche rights to grab any user interaction with the platform as a source of data for its AI models and algorithms. The company clarified their position with a rather tepid, “Trust us, bro. We would NEVER do that WITHOUT permission from our users. Your user data (voice, video, and chat inputs) is safe and private, unless you opt into this.” Right. I believe them. Thanks to Microsoft’s purchase of the lion’s share of OpenAI last year and forcing ChatGPT out before the fledgling chatbot was ready to fly, we have this wide-open, anything-goes situation around so-called AI. Truth is that there isn’t much that is intelligent about AI right now. It’s kind of like T9 predictive texting on steroids. Auto-correct run amok. We will talk about that in the next story, though.

https://www.pcmag.com/news/zoom-revises-terms-after-changes-spark-fears-of-ai-learning-from-video 

WE 3 – ChatGPT Sucks as a Knowledgebase

ChatGPT was recently set up with a series of 517 programming-related questions and limited to looking within StackOverflow for answers, and 52% of the time, it came up with the wrong answer. Yikes. Next week, we’ll talk more about this, once my co-host has a chance to get home and digest all that he learned at Black Hat this week. All I’m saying here is that we can’t trust these tools for anything mission-critical. Connor will weigh in more heavily on this issue next week. As I said above, think of these tools as glorified T9 texting. Remember that predictive texting algorithm from the time before touchscreens and full keyboards on phones? Remember how messed up some of those predictions were, especially when you first got a new phone, back in the day? That is ChatGPT, right now. Granted, the more input we give it, the better it will theoretically get, but is it worth being a guinea pig for Big Tech? Personally, I say, “No.” What about you? Is a little bit of convenience (which is not really convenient) worth giving up digital sovereignty and your own brain power? These tools are meant to eventually create a WALL-E situation in us, where we never really use the ol’ gray matter between our ears because, well, why should we, if we have all this info at our fingertips through AI tools? Aside from that, there are massive privacy and security issues, which are not going away anytime soon. Seems like a crapshoot, and I’m not a gambling man. No, thanks, I’ll pass.

https://www.techradar.com/pro/chatgpt-is-a-bad-knowledge-base-confirms-new-study 

WE 4 – Speaking of AI and Security…

We have a new hole to be concerned with. An infected smartphone could funnel the sounds of your keystrokes to an AI tool, which can interpret them and discern, within a keystroke, what your passwords are. Uhhh, yikes. One can also use Zoom to the same end, though it is less accurate than a separate, but nearby, device. The training involved was 25 keystrokes per key on a given keyboard, so on a 105-key keyboard, that is over 2,500 keystrokes. These capture methods were 95% and 93% accurate, respectively, which means that an average, strong password would have a single wrong or missing character. In the words of Nigel Ng’s character, Uncle Roger, “Haiyahhh!!”

This article provides a few mitigation steps: 1. Use a noise filter to filter out the sound of your keyboard, or 2. Vary your typing style to confuse the AI. These seem like stopgaps, not real solutions, to me. The noise filter is better than trying to remember to type like Fremen walking across the desert… with no rhythm. I don’t know, you guys. I am not into fearporn. However, I really don’t like AI as it is. That is where I am at with the whole thing. Next week, we’ll have more concrete reasons to distrust it, and perhaps stop using it if you can. Remember the Sarah Silverman lawsuit I mentioned in the last couple of weeks? We are going to talk about the ChatGPT web crawler bot and how to deny it access to your site and its content, next.

https://www.pcmag.com/news/ai-can-now-steal-your-passwords-by-listening-to-your-keystrokes 

WE 5 – Want to Deny ChatGPT Access to Your Website & Its Content?

Of course you do, if you value privacy and intellectual property. Here’s how you handle that: open up the cPanel for your website (or ask your hosting provider to do the following), go to the file manager, then edit the robots.txt file, which should be in your site’s root directory.

If doing this yourself, scroll to the file manager in cPanel, open it, then use the search function to find robots.txt.

Once you have found it, open it in the file editor and add the following to the end of the file, then save it:

    User-agent: GPTBot
    Disallow: /

However, if you want to limit, but not entirely deny its access, paste in the following, and adjust to reflect your desired level of permission for the bot:

    User-agent: GPTBot
    Allow: /directory-1/
    Disallow: /directory-2/
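
An offline check of the two GPTBot rule sets above, as an added example that is not from the original article: it runs them through Python’s standard-library urllib.robotparser and also shows that this particular parser drops a Disallow line separated from its User-agent line by a blank line. The example.com origin, the /wp-admin/ catch-all group and the Googlebot comparison agent are assumptions made for the illustration.

```python
from urllib.robotparser import RobotFileParser

SITE = "https://example.com"  # placeholder origin (assumption, not from the article)

# Constructed sample: an existing catch-all group with the article's
# full-block rule appended at the end of the file.
FULL_BLOCK = """\
User-agent: *
Disallow: /wp-admin/

User-agent: GPTBot
Disallow: /
"""

# The article's partial-access rule, directives kept together.
PARTIAL = """\
User-agent: GPTBot
Allow: /directory-1/
Disallow: /directory-2/
"""

# The full-block rule pasted with a blank line inside the group.
SPLIT_GROUP = """\
User-agent: GPTBot

Disallow: /
"""

def allowed(robots_txt: str, agent: str, path: str) -> bool:
    """Return True if `agent` may fetch `path` under the given robots.txt text."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, SITE + path)

def report(name: str, robots_txt: str, paths: list[str]) -> None:
    """Print an allow/BLOCK verdict for each agent and path."""
    for agent in ("GPTBot", "Googlebot"):
        for path in paths:
            verdict = "allow" if allowed(robots_txt, agent, path) else "BLOCK"
            print(f"{name:12} {agent:10} {path:16} {verdict}")

if __name__ == "__main__":
    report("full-block", FULL_BLOCK, ["/", "/blog/post"])
    report("partial", PARTIAL, ["/directory-1/a", "/directory-2/b"])
    # This parser ends a group at a blank line, so the Disallow is orphaned.
    report("split-group", SPLIT_GROUP, ["/"])
```

robots.txt is advisory, so these verdicts describe what a compliant crawler should do rather than an enforced access control.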

I’m all about providing solutions to problems posed by big tech, y’all. That is what my FYI (Free Your Internet) service is about, giving you solid options to help you get away from Google, MS, and Apple, in particular. You should check it out over at: https://techfreedom.pro/internet-freedom/ . You can also peruse the blogs on that page to check out some options for yourself before you bite the bullet. I want as many people and businesses to break free from the convenience-spying trap that is Big Tech, as possible. If you want to check out what I was referencing earlier, here are the articles I culled the info from:

https://www.pcmag.com/news/openais-gptbot-will-scrape-your-website-to-train-its-ai-unless-you-opt 

https://platform.openai.com/docs/gptbot 

WE 6 – Moq, the Popular FOSS .NET Mocking Library, Not-So-Private?

In one recent version, the lead developer, who also works on the proprietary software he incorporated into v 4.20.0, put SponsorLink into the codebase to collect hashes of user email addresses. This was uncovered by BleepingComputer earlier this month, and upon its discovery and publication, the offending code was removed (as of v 4.20.2). Lol, he started including extra, closed-source tracking DLLs in v 4.20, was he high? It was double-obfuscated, but come on, man. You don’t drop proprietary blobs into FOSS projects, particularly not when you don’t notify your users beforehand that you are doing it and why. What is a .NET mocking library? It allows you to more easily test .NET calls in your codebases and projects, rather than writing all of it out long-form. More or less, it helps developers save time in creating their programs and apps which use .NET objects (which are legion). Why is it a big deal that this FOSS project suddenly (until caught red-handed) started using a closed-source tracker in its codebase? Well, ideologically, FOSS/Libre and proprietary things are like oil and water. They don’t mix well. Functionally, you could do whatever you want; however, as I said above, if you do something like that, I strongly suggest that you inform your userbase of such changes and why you want to incorporate them before you include them, if you want to keep your users around in the future. That was a huge faux pas. Time will tell if the project starts to die from this, but it was a huge but avoidable misstep, if you ask me.

https://www.techradar.com/pro/top-open-source-project-moq-slammed-for-secretly-collecting-user-data 

WE 7 – Trump’s Twitter Account Subpoenaed…

Jack Smith, special prosecutor, went on a fresh round of fishing excursions with this subpoena. This is surprisingly old news, in that the events actually took place about 6 months ago now, but had been under a gag order from the court. Smith requested these “data and records” from Mr. Trump’s Twitter account in regard to both of his investigations, about the documents stored at Mar-A-Lago, and relative to January 6. Twitter complied, but 3 days late, so they were slapped with a $350,000 fine for contempt of court. Their team did not object to the request itself, but to the secrecy of it. They argued that they should be able to notify users when their accounts are subject to warrants (which seems to be in line with the constitution, as I understand it, so right on, there, Twitter/X). The court rejected their arguments and enforced the gag order. I don’t care that Trump is a former president, here; this judicial overreach must be remedied, and soon. I can’t wrap my head around the banana-republic-ness of this whole series of events. The fact that they can do this to someone as high-profile as Trump should make any sane person sick to their stomach.

What have they already done to “little” people, the John & Jane Q. Publics of Main St, USA? What will they push to do more of in the future, to keep us in line with their mind control efforts? (Remember, that is literally what govern-ment means, y’all, ment = mind, and to govern something is to control it)… Become un-governable. Reject their narratives, question everything, and encourage those around you to do the same. Choose to stop using tools which exist to spy on you: Twitter/X, Meta (and its products), Microsoft products, Apple products, Google products and services. Reject it all. Go Open Source. Become more privacy-aware. Not paranoid, mind you, but privacy-aware. Regain your digital sovereignty. Tech Freedom can help you do just that. Mark37 and Altha Tech can help you as well. There are alternatives; sure, they are less convenient, but you also aren’t volunteering your data (privacy) to mega-corporations who are bent on running the world.

https://www.bbc.com/news/world-us-canada-66365643 

https://techfreedom.pro

https://Mark37.com 

https://althatech.com