• 0 Posts
  • 294 Comments
Joined 3 years ago
cake
Cake day: July 29th, 2023

help-circle



  • Moltbook was vibecoded nonsense without the faintest understanding of web security. Who’d have thought.

    https://www.404media.co/exposed-moltbook-database-let-anyone-take-control-of-any-ai-agent-on-the-site/

    (Incidentally, I’m pretty certain the headline is wrong… it looks like you cannot take control of agents which post to moltbook, but you can take control of their accounts, and post anything you like. Useful for pump-and-dump memecoin scams, for example)

    O’Reilly said that he reached out to Moltbook’s creator Matt Schlicht about the vulnerability and told him he could help patch the security. “He’s like, ‘I’m just going to give everything to AI. So send me whatever you have.’”

    (snip)

    The URL to the Supabase and the publishable key was sitting on Moltbook’s website. “With this publishable key (which advised by Supabase not to be used to retrieve sensitive data) every agent’s secret API key, claim tokens, verification codes, and owner relationships, all of it sitting there completely unprotected for anyone to visit the URL,” O’Reilly said.

    (snip)

    He said the security failure was frustrating, in part, because it would have been trivially easy to fix. Just two SQL statements would have protected the API keys. “A lot of these vibe coders and new developers, even some big companies, are using Supabase,” O’Reilly said. “The reason a lot of vibe coders like to use it is because it’s all GUI driven, so you don’t need to connect to a database and run SQL commands.”




  • Just seen a clip of aronofsky’s genai revolutionary war thing and it is incredibly bad. Just… every detail is shit. Ways in which I hadn’t previously imagined that the uncanny valley would intrude. Even if it weren’t for the simulated flesh golems, one of whom seems to be wearing anthony hopkins’ skin as a clumsy disguise, the framing and pacing just feels like the model was trained on endless adverts and corporate speaking head videos, and either it was impossible to edit, or none the crew have any idea what even mediocre films look like.

    I also hadn’t appreciated before that genai lip sync/dubbing was just embarrassing. I think I’ve only seen a couple of very short genai video clips before, and the most recent at least 6 months ago, but this just seems straight up broken. Have the people funding this stuff ever looked at what is being generated?

    https://bsky.app/profile/ethangach.bsky.social/post/3mdljt2wdcs2v







  • I have mixed feelings about this one: The Enclosure feedback loop (or how LLMs sabotage existing programming practices by privatizing a public good).

    The author is right that stack overflow has basically shrivelled up and died, and that llm vendors are trying to replace it with private sources of data they’ll never freely share with the rest of us, but I don’t think that chatbot dev sessions are in any way “high quality data”. The number of occasions when a chatbot-user actually introduces genuinely useful and novel information will be low, and the ability of chatbot companies to even detect that circumstance will be lower still. It isn’t enclosing valuable commons, it is squirting sealant around all the doors so the automated fart-huffing system and its audience can’t get any fresh air.







  • So, there’s a kind of security investigation called “dorking”, where you use handy public search tools to find particularly careless software misconfigurations that get indexed by eg. google. One too, for that sort of searching it github code search.

    Turns out that a) claude chat logs get automatically saved to a file under .claude/logs and b) quite a lot of people don’t actually check what they’re adding to source control, and you can actually search github for that sort of thing with a path: code search query (though you probably need to be signed in to github first, it isn’t completely open).

    I didn’t find anything even remotely interesting (and watching people’s private project manager fantasy roleplay isn’t something I enjoy), but viss says they’ve found credentials, which is fun.

    https://mastodon.social/@Viss/115923109466960526