So it was easier than I thought. Bot just scraped public page with hidden fields, not a secret page or to-be-published page from database.
"Mythos will end the world!!"
"How?"
"By finding a bunch of wide open security holes that have existed for years."
Oookay. Is this a Mythos problem? Or a lazy/greedy/uncaring people problem?
But scale and accessibility are absolutely a new class of problem.
In the 1960s you could pay thousands of people to watch hundreds of cameras and listen to hundreds of phone lines to monitor people, but the cost was so enormous that unless you were in East Germany or Moscow it wasn't a realistic threat model.
Now with computers we can cheaply have thousands of cameras with cheap storage that's retained forever and automatic image processing that means everyone is exposed to that kind of surveillance, which is a brand new problem.
I've often shared my prediction that future historians will study us all and that every living human will be the subject of someone's PhD thesis. I'm updating that prediction to be that those future someone's will be silicon based.
There's nothing government (corporate or political) has made "costly" or "dangerous" about not having them, society did that all by itself: people will actively pay more to have these things because they see the benefit more than the risk, video calls with friends and family, not a hacker being able to duplicate their keys from one photo.
There's 6 cameras on my desk right now, attached to internet-capable devices. Two phones, two laptops. I've got covers over all of them, which is easy, and sometimes mandatory e.g. when visiting the headquarters of certain big-tech firms.
I'd never buy a smart camera. Don't trust them not to spy on me. But I do have a Raspberry pi upstairs, with a NoIR camera module, and an AI-coded bit of webcam software. Might consider it for seeing what animal gets into the garden at night.
“6-12 mo to shaky profitability + ability to quickly iterate” is a business that has a good chance of surviving while “However long it takes to be fully secure” is a business that is not only rigid but needs massive up-front capital to get there and even then there’s no guarantee that the market fit is right
And after that is something we could call the “Pareto spiral”: if a company find market fit and builds an excellent product, competitors can survive at 80% of that quality. If the “100%” fails for any reason, the competitors become the new ceiling and now their competitors can survive at 80% of that (now 64%)
And only one round in, how secure could that 64% company be?
¿Porque no los dos?
All AI risk can be described with a narrative that ends in "some human were lazy and didn't care enough", it's just which humans and how much caring was enough.
Somehow in Google search one of the unguessable pages is indexed. We have used Claude and Gemini to assist with some design aspects.
I'm thinking some aggressive data ingestion/indexing is happening by all the bots in the quest for frontier models.
They call the signal „popularity“ and it is a successor of the Google Toolbar signal.
https://www.justice.gov/opa/pr/department-justice-wins-signi...
Why are you using weird quotes?
Edit: also private browsing isn’t exactly private when you’re logged in to the browser.
Especially if you have autocomplete-while-searching type of features on.
They control the entire browser surface, technically they can know everything, even TLS and E2E encrypted data, that they silently phone home…
If you think this is silly, consider that Microsoft Recall had been observing everything on people’s entire SCREENS and phoning home much of it. That is how a guy was caught recently: https://x.com/t3chfalcon/status/2074134314145489195
And it is actually much worse than even that:
https://community.qbix.com/t/increasing-state-of-surveillanc...
For some reason people are downvoting you, but yea, one day we'll likely see a lawsuit where they do exactly that.
And maybe have access to EVERY site actually, with “forgot password” type stuff in addition to providing oauth tokens…
https://arstechnica.com/information-technology/2023/05/micro...
Boy do I have news for you.
[1] https://developers.cloudflare.com/cache/advanced-configurati...
If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs. Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.
HSTS preload is not for speed. It's to protect against SSL stripping on first connection. Modern browsers already try port 443 first or in parallel with 80.
But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.
Google misusing chrome browser history as a hitlist for indexing sounds wild to me, so I tried to see if there's another way.
It also felt unlikely because there's multiple subdomains of mine that aren't indexed, and wildcards+no preload are the only precautions I've made myself for my private sites.
This might also be an EU vs rest of World thing, or my stuff isn't interesting enough to index(in retrospect the most likely reason I suppose)
Creating Sitemaps, sharing it somewere public, putting the url in some 3th party service, server logs, some indirect path in javascript.
But if you never mention that url, it will not be found if not leaked by your server.
That sounds like a claim that security through obscurity is infallible, which is dubious. Don't get me wrong, it can be a reasonable part of defense-in-depth strategy, but like, brute force attacks are kinda a well known thing, especially if your URLs aren't truly random...
Do you use a CMS or other tools that auto generate sitemap.xml? Perhaps you unknowingly told Google about those sub-pages.
Finding domains is easy, everybody uses CTL to find them.
It’s a different story if it’s a subdomain though, OP wasn’t clear.
I have visited that page from a signed-in Chrome profile.
The information you mentioned is relevant. Unfortunately, it could be either Google/Chrome, or the LLM service you're using for development is misusing your data.
Might have been an evil chrome extension, but ever since Google went IOK2BE ("It's OK to be Evil"), maybe it's just Chrome itself.
Also that browser setting to check urls are safe sends them out “sometimes“.
This is on the devs and feels like a very basic leak which could have exploited in the non LLM world as well.
Imagine a private individual just scraped the website (or simply clicked 'view source') for no reason in particular and then told people about it... They'd be labeled an uber-haxxor, face a civil lawsuit asking for ridiculous damages while being threatened with a prison sentence over CFAA violations. Hell, that might even drive some people to suicide.
Sucks it happened. But we all know that is not the typical scenario.
Back in the day, you could read a stories on Slashdot practically every other week that usually went something like this: Company/institution does something stupid, somebody finds out, tries to be a good citizen and tells them. The organization then throws a tamper tantrum in the media, fires the legal department on all cylinders, screaming "hacker!" and throwing the book at them. The most egregious cases usually happened in the US, the CFAA happens to be a particularly strong book to throw.
People eventually got the hint and either talked to the press instead, or organizations like the CCC (at least in this part of the world) and let them deal with the organization and not talk to them directly.
At least in my perception/memory, it started improving over the 2010s, but stories like this are now starting to pop up again in recent years. I guess we have a new crop of computer enthusiasts who need to learn the same lessons again.
Of the top of my head, the CTF group in Malta comes to mind who gave a talk at (last years?) CCCongress. A badly worded E-mail asking about a bug bounty resulted in several arrests, house searches and ultimately a presidential pardon (https://timesofmalta.com/article/pardon-issued-students-lect...).
Eh, it's typical enough that most cyber security researchers are cautious. The laws around 'hacking' can be rather stupidly written while judges and juries aren't the smartest bunch.
"In early October, Renaud discovered that Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department..."
"Yet despite the fact that officials within the Missouri Department of Elementary and Secondary Education initially wanted to thank Renaud for uncovering the flaw... [Governer] Parson labeled the reporter a hacker and called for criminal prosecution."
https://missouriindependent.com/2022/02/11/prosecutor-isnt-p...
In the early days one of the high profile soaps in the UK published their "catch up" summaries for the week ahead which you could get just by editing the date in the URL. But back then not so many people were looking, so they were doing it for months...
https://news.ycombinator.com/item?id=48902814
See also
Zhihu (Chinese Reddit): https://www.zhihu.com/question/2060133066643879544/answer/20...
Reddit: https://www.reddit.com/r/math/comments/1urv4id/comment/oxak6...
google translate link:
https://mp-weixin-qq-com.translate.goog/s/DPsMKToa_sbi_Nx3X1...
Second, fitting that codex enters the picture.
The last time the fields medals were announced llms were still very nascent :)
And I am convinced this is the last time pure human fields medalists will be announced.
The next batch’s winners are all going to have llms as coauthors.
Interestingly, if true, it will also be the first time an MIT PhD graduate has won the Fields Medal.
Some Indian restaurants near me sell Aloo Saag, others sell Alu Sag.
Esp. in this case with Wang having a special meaning in China.
Amusing to see someone complaining about not using their definition of "proper language" when they themselves are not using proper language.