Getting in to hacking

mrk · 28 Jan 2024 at 21:48

Moley said:
It's really not. AI lacks something that all good hackers have - imagination.

It's exactly the direction machine learning is heading and the current progress of AI is clear. Imagination bears little relevance here really going forwards, whilst right now it may matter, that won't be the case soon enough as exploit finding is just much faster with AI than it is with human imagination.

Cloudflare have a great article on it:

As artificial intelligence advances by leaps and bounds, the possibility arises of training this technology to find vulnerabilities even more effectively. In fact, in 2023 the US agency DARPA announced a program called Intelligent Generation of Tools for Security — INGOTS. (DARPA, notably, was the agency that created ARPANET, the precursor to the Internet.)

The program "aims to identify and fix high-severity, chainable vulnerabilities before attackers can exploit them" by using "new techniques driven by program analysis and artificial intelligence to measure vulnerabilities." INGOTS looks for vulnerabilities in "modern, complex systems, such as web browsers and mobile operating systems."

theNET | AI-powered vulnerability detection

Can AI be used by attackers to detect vulnerabilities in software? Discover how to protect against AI-assisted vulnerability detection with Cloudflare.

www.cloudflare.com

So yes, just as suspected, right now humans still need to review AI's findings to sanity check them, but that won't be the same landscape as the technology evolves faster and faster every year. It's pretty clear that human intervention will be reduced at each stage as machine learning gets to the point of singularity said to be around 2035-2045).

Moley · 28 Jan 2024 at 22:14

The CloudFlare article is weak - lots of speculation and little substance.

The other article is full of hyperbole - although the Darpa Grand Cyber Challenge it talks about, I am familiar with as my old boss ran the team that came second in that challenge - this quote is notable "The DEF CON 2016 conference was being hosted nearby, and "Mayhem" was invited to participate in DEF CON's own Capture the Flag game against human hackers. Mayhem came in last place, and it wasn't close."

AI has a long way to go before it can replace the best human hackers - if it even happens at all. Will it bring new and better tooling to do the job, including improved automation? Certainly, but that's a far cry from making humans redundant.

mrk · 28 Jan 2024 at 22:24

I knew you'd quote that without emphasis on the fact that it was 10 years ago when AI was nowhere near what i is now.

dowie · 28 Jan 2024 at 22:27

mrk said:
Pointless nowadays surely, AI is taking over this realm quite quickly making human hacking roles fatly redundant.

That doesn't at all, at least not at the moment if anything it just makes humans more efficient and removes some obstacles (coding can be way more efficient when you have the boilerplate stuff generated automatically).

AI can be useful for finding exploits and speed up the search for them.

mrk said:
It's pretty clear that human intervention will be reduced at each stage as machine learning gets to the point of singularity said to be around 2035-2045).

That's just a prediction plucked out of thin air... there isn't even consensus on what AGI and ASI really mean, to some people, AGI is already here in the form of LLMs, to others LLMs are just data compression and they took many human lifetimes worth of reading a big chunk of the useful text on the internet to form their text-based world model whereas a human baby with a relatively small stored program can learn things rapidly just via observation.

And if you're going with some broad super-AI will make hacking useless argument then that applies to any endeavour... why train for anything, why not just go on the dole and wait for this life of abundance in a few years (or indeed inevitable destruction of the human race when the robots takeover). Well we don't know what's going to happen in the future so you might as well carry on making money now and doing stuff that has value now.

In fact he's not even said that this is for a career, maybe Diddums is interested in hacking just as a hobby/curiosity - AI is great there, it's gotta be an easier time to start than ever if for personal interest; open a ChatGPT window and get it to help with unix and vi commands, programming, whatever...

Moley · 28 Jan 2024 at 22:38

mrk said:
I knew you'd quote that without emphasis on the fact that it was 10 years ago when AI was nowhere near what i is now.

Irrelevant.

New types of AI - as in large language models - have come along but Machine Learning has barely moved in the last 10 years with the possible exception of modest progress in the deep learning field and ML is the current (and likely future) bedrock for automated attack systems.

That automated attack systems can search for novel vulnerabilities is nothing new - the Darpa challenge formalised funding into the research (and it's interesting, take a look at ShellPhish's site if you are really interested https://shellphish.net/cgc/index.html ) however those same technologies can just as easily be deployed in the Software Quality Assurance process to ensure vulnerabilities are eradicated before bad actors have the chance to find and exploit them.

In fact that latter point is probably the most important development here and I'm aware that Bain and other large VCs are actively looking to back start-ups in this space.

mrk · 28 Jan 2024 at 22:51

I'll be back in this thread in 10yrs time to say I told you so. This makes the 3rd thread to return to in years to come to poke a finger at now.

FoxEye · 28 Jan 2024 at 23:28

All I know about hacking I learned from Hollywood. You basically rotate a couple of neon green Rubik's Cubes on a black screen, whilst Halle Berry ... erm.. massages you, right?

dowie · 28 Jan 2024 at 23:54

Moley said:
New types of AI - as in large language models - have come along but Machine Learning has barely moved in the last 10 years with the possible exception of modest progress in the deep learning field and ML is the current (and likely future) bedrock for automated attack systems.

That's slightly muddled, separate fields of AI that don't involve ML are things that don't involve an algorithm learning from training data; expert systems, logic programming etc. for example a smart rice cooker using fuzzy logic can be said to use AI but there is no ML involved. LLMs however are very much making use of ML, ML is a subset of AI and most of the modern developments in AI are reliant on ML.

Both the diffusion models that are causing artists to stress and Taylor Swift to consult her lawyers and the LLMs such as ChatGPT are the result of machine learning at a huge scale using particular types of deep neural networks.

Derek W · 29 Jan 2024 at 07:43

dowie said:
Diddums in 6 months time, leaning out of the back of a police car:

Dunno if you've seen this site before but it might be a good place to start:

HackThisSite

HackThisSite.org is a free, safe and legal training ground for hackers to test and expand their ethical hacking skills with challenges, CTFs, and more.

www.hackthissite.org

I see a different future for @Diddums

Diddums x · 29 Jan 2024 at 07:48

Derek W said:
I see a different future for @Diddums

That's me browsing GD most days tbf

Cosimo · 29 Jan 2024 at 08:13

robfosters said:
Give it a couple of months and Diddums will be sitting at home with a barbie attached to a car battery and wearing a bra on his head

Waiting for extradition to the US.

aVdub · 29 Jan 2024 at 08:44

Probably not anywhere near the amount of fun now, as it was in the early days.

Pretty sure I've still got a floppy somewhere with Pri$m's goodies on it...

Pawnless Endgame · 29 Jan 2024 at 12:18

Derek W said:

I still got that video on my PC. It got passed around as one of those 'joke' emails where we'd all attach pictures, short videos and silly PowerPoint presentations when we should have been working

2001, so still during the days of floppy disks and dial-up internet.

Maccy · 29 Jan 2024 at 12:39

Street said:
Over the Wire is fun to play around with.

I miss the WEP days as they were so easy to get into.

Can't get past level 1

arknor · 29 Jan 2024 at 13:02

Malevolence said:
Saw a documentary on this a while back.

is that from mr robot or something? it looks like nonsense so I guess not?

AFAIK that show used real hacking/security tools and not CSI style screens

Most hacking is script kiddies, theres programmes that scan Ips for known vulnerabilities, totally legal on your own network.

wen you find one you get out the scripts and take it over.

back when I was into that stuff it was through some IIS exploit that let you inject code and upload an ftp daemon server with full root access.

this was like 15-20 years ago before windows updated itself and sys admins were lazy

moon man · 29 Jan 2024 at 13:12

I had been on the vino so my screenshot was using this site

Will Gill · 29 Jan 2024 at 14:28

moon man said:
I had been on the vino so my screenshot was using this site

epic, how have I never seen this before

Will Gill · 29 Jan 2024 at 14:40

I got busted injecting a python script into that site :'(

to clarify I had to check the source, it didn't disappoint

Semple · 29 Jan 2024 at 14:43

Diddums said:
That's me ~~browsing GD~~ reading a chesefest thread most days tbf

Fixed for you.

Mercutio · 29 Jan 2024 at 15:29

I keep seeing folks in my place jumping on the cybersec team. Currently a rather bored oracle DBA so maybe a reskill in this direction (had some networky bits in the past) might be a plan.

What's the generally accepted qualification these days (and pointers to any study material maybe). Dunno if I've quite the interest from the other side to be effective at it beyond some simple understanding (packet amplification, various forms of "injection" attacks that I think are a bit old hat these days). But still...