Slashdot Mirror
AI Can Scour Code To Find Accidentally Public Passwords (qz.com)
An anonymous reader shares a report: Researchers at software infrastructure firm Pivotal have taught AI to locate this accidentally public sensitive information in a surprising way: By looking at the code as if it were a picture. Since modern artificial intelligence is arguably better than humans at identifying minute differences in images, telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat. The best way to check whether private passwords or sensitive information has been left public today is to use hand-coded rules called "regular expressions." These rules tell a computer to find any string of characters that meets specific criteria, like length and included characters.
There's realtively few instances where mixed capitals, symbols and numbers are valid syntax. yes there are, but few. sounds like we just made it easy to spot thepassword.
Some drink at the fountain of knowledge. Others just gargle.
The best way to check whether private passwords or sensitive information has been left public today is to use hand-coded rules called "regular expressions." These rules tell a computer to find any string of characters that meets specific criteria, like length and included characters.
So now "m/frist psot/gi" counts as AI? How much more diluted can we make the term?
Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.
How many people here don't know what regex is? And how is regex considered AI now?
Slashdot is desperately trying to make AI posts right now it seems...
I do this from time to time myself. I just do the following: .bash_history and cause an issue there.
# grep -r Pa55W0rd $HOME
Note the space before the grep. That way it does not end up in
I have found some from time to time.
I am the only person on my PC, but security is a mentality.
Don't fight for your country, if your country does not fight for you.
I think what they are trying to say is this:
Researchers have a new way using AI.
In currently deployed, publicly available systems, the best way is regex. The new AI way may be better.
While regex is a reasonably good tool for the task, I don't know that it's the BEST way currently used. A small, simple routine built specifically for the task may be better because regex takes characters in order. It's difficult (and slow) to build a really good regex for this because you mostly don't care what order they are in. You care that you have groups of upper case, lower case, numbers, and certain punctuation. Regex is good for finding this OR that, but not so good at this AND that AND that, in any order.
Google Search. site:Domain and the word password.
You'd be dismayed at how stupid some people are. Or maybe just not surprised.
Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.
and if it becomes self-aware regex then they have three problems, two of which don't matter anymore
Some drink at the fountain of knowledge. Others just gargle.
Sounds like another "let's force everything into TensorFlow's image prediction system" thing.
...to find clickbait articles about AI?
Have we really reached the point on a 'News for Nerds' site where we need to explain the term 'regular expression'?
telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat.
Well, unless the code is PERL - then it looks like a password that has been spread over however many lines.
That is all.
That only works for hardcoded complex passwords, which I think most are not. Looking for password-like named variables and checking what they're set to would likely catch more. Or find the primary encryption/decryption function call and trace all calls to it. I read the short article. They created an numeric encoding of a string's metadata then they trained a NN on that data. That's all they did.
Both their NN and their regular expression approaches will miss entire classes of passwords. They will also miss all hard coded, generated passwords (ex: "admin".concat("123")). Number only passwords. Simple passwords. Passwords which look like variable names. Empty passwords. Normal text passwords. Etc... Seems like they wanted to toss machine learning at a problem rather than thinking about the most effective way to solve it.
Well, thinking about it for another minute. Tracing calls to specific functions is difficult to do on projects you haven't downloaded. Their system is for data mining all published code rather than checking specific projects.
best way to check whether private passwords or sensitive information
Easily defeated
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
> ...is to use hand-coded rules called "regular expressions."
You mean: ...is to use hand-coded rules called "^regular expressions\.$"
Good luck avoiding those "relatively few instances" in a Perl script.
I do not have a signature
every language is parsable. Parsing rule sets can be written out in YACC. the rules tend to be incredibly simple and simply use recursion for deep nested cases. As a result it's not a terribly hard task to decide if a small fragment could be expanded to legal code or if it's not legal code.
Perls use of sigils actually is actually there to improve both to simplify parsing as well as to make it human readable. Yeah yeah... human readable jokes about perl. Ha Ha. But really you can look at perl and tell what catergory a variable is from the sigils-- it's actually giving you information. And as result constrains the parse.
Some drink at the fountain of knowledge. Others just gargle.
If I were doing it I'd have the AI discriminate what regexes will extract passwords most efficiently.
Some drink at the fountain of knowledge. Others just gargle.
There's realtively few instances where mixed capitals, symbols and numbers are valid syntax. yes there are, but few. sounds like we just made it easy to spot thepassword.
When you're talking about b00B$ but don't want to hit on any keyword censors at work?
"That's the way to do it" - Punch
/sarcasm Ah, cool, another alternative to for:
I was about to forward this on to some of my team members that do a lot of code analysis and are always looking to ways to get better, but then the follow-up article happens to be about where to go and get high on 4/20, so nope.
Internet facing computers boot from cdrom and have no storage capability.
"accidentally public sensitive" Chris you Mongoloid.
SWOOOOOSH!
So can my notepad ++. And probably some grep afters linux is done molesting children.
No AI needed. Retards only believe this.
There you are shit posting with yet another fake account, you revenue stream hogging disgusting fat sexist tube of lard, Christopher Dale Reimer!
You can be sure I will be watching this fake account too. I know this is you because you told me you were working on your freepass 11 file server and you are so dumb that you can't even masquerade yourself properly.
Now, I told you I was out of meds last week and you didn't even care to contact me you lazy fucker.
How many times do I have to express the emergency of the situation??????
The python click script you wrote for my pheromone revenue stream web site suddenly stopped to work!!!!!!
You fucking incompetent python script writer!!!
When it works, I get 4000+ clicks a day on my pheromone revenue stream web site but only 5 or 6 without it!!!!
Now, it seems like you dont care and that you have abandoned me you heartless fucking pig!
Bonus:
Here is a story that creimer told me when convincing me what a hard life he had:
The tree was him and the tree knot was his butt hole!
So, his uncle packed his fat ass with lard and with his cock! Not that it makes much of a difference but anyway, there it is!
Signed:
Ethell, The girl that used to love you and now hates you, burn in hell where you belong you sexist pig!
Did I get it wrong. Did someone put AI and regular expressions in the same sentence ?
Is everything under the sun AI now ?
I like how someone comes up with a couple of algorithms that rely on each other to produce an accurate result and it suddenly is called "AI" and then they charge a couple million for their salary.