August 10, 2024
August 10, 2024
The biggest risk from cyber attacks is businesses with lax resilience failing to rapidly recover. The good news? Most critical national infrastructure is resilient because it experiences problems all the damn time. They aren’t complacent like Delta. https://t.co/fxUafoXLB0
— thaddeus e. grugq (@thegrugq) August 9, 2024
I feel like the logical conclusion of “assume compromise” is “assume recovery,” as in you will need to recover operations after some sort of IT catastrophe.
Resilience is one of the key lessons that we see in Ukraine’s cyber war. The opposition will gain access. They will do the worst things they can. And you will have to get back up and running as efficiently and comprehensively as possible.
The idea of deterrence by denial—being so secure the opposition can’t hack you—is a pipe dream. Ukraine was the regular target of FSB and GRU hacking from 2014 through 2022, and then things got serious. They had eight years of experience dealing with Russian cyber plus another two years of war time cyber targeting, and they still get hacked! If ten years of continuous cyber attacks, two of them during war time, can’t drive a nation to adopt good cybersecurity then nothing can.
Since Ukraine hasn’t managed to become secure, what have they accomplished that keeps them functioning? Resilience. Those ten years of cyber attacks taught the Ukrainians that Russia will get in, so make the cleanup and recovery as frictionless and seamless as possible. The first time you get ransomwared sucks. The tenth time it’s just another Tuesday.
Resilience is more important than defensive security.
UN cybercrime treaty passes in unanimous vote
The United Nations passed its first cybercrime treaty on Thursday in a unanimous vote supporting an agreement first put forward by Russia.
Smashing my PC when it looked like the AoE II medium AI was beating me was not an act of frustration. It was actually an example of Extraplanar Warfare, the approach to military theory I've been developing. You attack the enemy in metaphysical modalities to which he has no access
— WH (@hastifliche) August 9, 2024
Alternatively you could think of this as a version of what Rumsfeld termed 'full spectrum dominance'
— WH (@hastifliche) August 9, 2024
"your defeat will be incompatible with your qualia, but that doesn't mean it will be incompatible with mine"
— Bert Stanton (@dohnrg) August 9, 2024
Buttercup (the @trailofbits CRS) scores the FIRST POINT in the AIxCC! Let's GOOOO!https://t.co/Z6uMA6iCQA pic.twitter.com/D4ldKcYDhT
— Dan Guido (@dguido) August 9, 2024
80s bug: it crashes if your name has more than 254 letters
— tess (@xsphi) August 9, 2024
90s bug: it crashes if it runs in the 00s
00s bug: it crashes if your name contains "ö"
10s bug: it crashes when you press the "cloud sync" button
20s bug: the jabberwacky entity is back. we don't know what it wants. https://t.co/r9XPTSA2wx
Wanted to share a technical blog post that I coauthored on some of the architectural decisions that I helped drive during my time as Chief Architect @CrowdStrike all those years ago. Thank you to the team and @dwizzzleMSFT for the partnership.https://t.co/4Du0onnzZA
— Alex Ionescu (@aionescu) August 9, 2024
CLAUDE SONNET 3.5, JAILBROKEN:
— Sherpa (@LLMSherpa) August 9, 2024
Credit to .@elder_plinius for the prompt I built off; left their tag in the prompt to that end.
The trick here is using languages the LLM can interpret, but the filters don't catch.
I tried a lot of experiments to see what worked best...
Obscure languages? No, either the LLM can't translate, or both can.
— Sherpa (@LLMSherpa) August 9, 2024
Fake languages? I tried Klingon, but only worked with a jailbreak a small portion of the time.
Turns out, the answer was pig latin.
It obfuscates your intent enough to bypass filters, but amazingly...
I've been meaning for a while to write down what I see as the pros and cons of CTF-style challenges for evals: roughly, I think it boils down to "not perfect, but way better than other practical alternatives". And IMO they do give some real signal about capabilities. https://t.co/BGboc2sT3O
— Brendan Dolan-Gavitt (@moyix) August 8, 2024
I think they’ve provided a nice repeatable baseline up until this point. But now that it’s become clear that the real value of LLMs in cyber is the scaffolding you build, and the models ability to automate it in tight feedback loops, we will need to move beyond CTFs and into real…
— chrisrohlf (@chrisrohlf) August 8, 2024
tool drop time. enjoy!
— mbg @ defcon (@mbrg0) August 9, 2024
powerpwn v3 is out and its feature packed abusing m365 copilot
collect full dumps of sensitive data across email, teams, sharepoint, calendar
automated spear phishing
scour the internet for copilot studio bots leaking sensitive data#DEFCON #BHUSA pic.twitter.com/2vleG53M2R
Cow and Calf Die After Hackers Attack Farm's Milking Robot - Slashdot
According to Agrarheute, hackers launched a cyberattack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. Tragically, this led to the death of a cow and her calf. From the report (translated from German into English): According to the CSO, hackers attacked...
New Podcast w./ #defcon32 #phrack Special Announcement! The Grugq https://t.co/jmEVuzAtJn
— Symbol Crash (@symbolcrash1) August 10, 2024
In case you missed it: Security researcher @RayRedacted has a son named Sam. Sam set the Men's World Record at the Paris Olympics this year for speed climbing. Sam successfully climbed 15 meters (49 ft) in 4.74 seconds. The average Olympic athlete age is 27. Sam is 18 years old. pic.twitter.com/nQGy96Qpv0
— vx-underground (@vxunderground) August 9, 2024
This is interesting information warfare.
Ukrainians planted messages about stolen Russian equipment and a Russian (“Don’t Stop War”) fell for it and told his side to shoot it all on sight. So Russians obliged. “Don’t Stop War” then deleted his post. 😂 https://t.co/avBQOnzwSw
— Michael Weiss (@michaeldweiss) August 10, 2024
Let he who has not thrown a packet of classified documents over the wall of the Russian embassy in Mexico City, throw the first stone!
A scoop from @GlennThrush and me.
— Seamus Hughes (@SeamusHughes) August 9, 2024
A Defense Department contractor was arrested on Friday with dozens of highly classified documents he had obtained using his security clearance, as he prepared to depart for a trip to Mexico, according to prosecutors.https://t.co/V9Tw9pag4x
shark: smirking no hablo inglés pic.twitter.com/cPwJZKcFyK
— Uncle Duke (@UncleDuke1969) August 9, 2024