Slashdot Mirror

← Back to Stories (view on slashdot.org)

AI Can Scour Code To Find Accidentally Public Passwords (qz.com)

Posted by msmash on from the interesting-usecase dept.

An anonymous reader shares a report: Researchers at software infrastructure firm Pivotal have taught AI to locate this accidentally public sensitive information in a surprising way: By looking at the code as if it were a picture. Since modern artificial intelligence is arguably better than humans at identifying minute differences in images, telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat. The best way to check whether private passwords or sensitive information has been left public today is to use hand-coded rules called "regular expressions." These rules tell a computer to find any string of characters that meets specific criteria, like length and included characters.

25 of 47 comments (clear)

  1. Just Look for Camel case plus numbers and symbols by goombah99 · · Score: 2

    There's realtively few instances where mixed capitals, symbols and numbers are valid syntax. yes there are, but few. sounds like we just made it easy to spot thepassword.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  2. I do this sometimes by houghi · · Score: 2

    I do this from time to time myself. I just do the following:
    # grep -r Pa55W0rd $HOME
    Note the space before the grep. That way it does not end up in .bash_history and cause an issue there.
    I have found some from time to time.

    I am the only person on my PC, but security is a mentality.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re: I do this sometimes by nghate · · Score: 1

      This wouldnâ(TM)t scale very well if you started using unique passwords per site as you should....

    2. Re:I do this sometimes by Junta · · Score: 1

      Actually, not all bash setups are configured to ignore things that start with spaces.

      $ echo $HISTCONTROL
      ignoredups

      ignorespaces has confused so many people that I think a lot of distributions have stopped putting that in HISTCONTROL.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re: I do this sometimes by Guybrush_T · · Score: 1

      A funny answer to a troll. Love it.

    4. Re:I do this sometimes by Junta · · Score: 2

      Another option is to use the read command to store it in an environment variable, never having it on the CLI in the first place. This lets history still show you everything you did, but without the password and such in it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  3. I think they are saying AI is better than regex by raymorris · · Score: 1

    I think what they are trying to say is this:

    Researchers have a new way using AI.
    In currently deployed, publicly available systems, the best way is regex. The new AI way may be better.

    While regex is a reasonably good tool for the task, I don't know that it's the BEST way currently used. A small, simple routine built specifically for the task may be better because regex takes characters in order. It's difficult (and slow) to build a really good regex for this because you mostly don't care what order they are in. You care that you have groups of upper case, lower case, numbers, and certain punctuation. Regex is good for finding this OR that, but not so good at this AND that AND that, in any order.

  4. You know where they should be looking? by bobstreo · · Score: 2

    Google Search. site:Domain and the word password.

    You'd be dismayed at how stupid some people are. Or maybe just not surprised.

  5. Third problem by goombah99 · · Score: 2

    Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

    and if it becomes self-aware regex then they have three problems, two of which don't matter anymore

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Third problem by Zontar+The+Mindless · · Score: 1

      Regexes are not self-aware.

      XSLT is self-aware.

      --
      Il n'y a pas de Planet B.
  6. When all you've got is a hammer.. by mccalli · · Score: 1

    Sounds like another "let's force everything into TensorFlow's image prediction system" thing.

    1. Re:When all you've got is a hammer.. by rkordmaa · · Score: 1

      Well sorta, but in their defense AI type systems seem to be very versatile as far as hammers go and we certainly haven't found every application they can do. Chucking AI at any random problem might not get you the best of all possible solutions, but in many cases it can give you a solution nobody has tried before, well worth the experiment.

  7. Can it scour the front page of Slashdot... by Anonymous Coward · · Score: 1

    ...to find clickbait articles about AI?

  8. Regular Expressions by jbwiebe · · Score: 3, Insightful

    Have we really reached the point on a 'News for Nerds' site where we need to explain the term 'regular expression'?

    1. Re:Regular Expressions by religionofpeas · · Score: 1

      Yeah, it's not even a special expression, just plain old regular.

    2. Re:Regular Expressions by mrwireless · · Score: 1

      And even on Slashdot algorithms are "AI" now..

  9. Easy? by frank_adrian314159 · · Score: 2

    telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat.

    Well, unless the code is PERL - then it looks like a password that has been spread over however many lines.

    --
    That is all.
  10. rot13 by petes_PoV · · Score: 1

    best way to check whether private passwords or sensitive information

    Easily defeated

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  11. FTFY by 3vi1 · · Score: 1

    > ...is to use hand-coded rules called "regular expressions."

    You mean: ...is to use hand-coded rules called "^regular expressions\.$"

  12. Re:Just Look for Camel case plus numbers and symbo by ichimunki · · Score: 2

    Good luck avoiding those "relatively few instances" in a Perl script.

    --
    I do not have a signature
  13. You just made my point I think by goombah99 · · Score: 1

    every language is parsable. Parsing rule sets can be written out in YACC. the rules tend to be incredibly simple and simply use recursion for deep nested cases. As a result it's not a terribly hard task to decide if a small fragment could be expanded to legal code or if it's not legal code.

    Perls use of sigils actually is actually there to improve both to simplify parsing as well as to make it human readable. Yeah yeah... human readable jokes about perl. Ha Ha. But really you can look at perl and tell what catergory a variable is from the sigils-- it's actually giving you information. And as result constrains the parse.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:You just made my point I think by angel'o'sphere · · Score: 1

      But really you can look at perl and tell what catergory a variable is from the sigils--
      Actually you cant. For obscure reasons the sigils sometimes change when accessing arrays or hashes.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  14. No the AI is probably writing the regexs by goombah99 · · Score: 1

    If I were doing it I'd have the AI discriminate what regexes will extract passwords most efficiently.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  15. Re:Just Look for Camel case plus numbers and symbo by Oswald+McWeany · · Score: 1

    There's realtively few instances where mixed capitals, symbols and numbers are valid syntax. yes there are, but few. sounds like we just made it easy to spot thepassword.

    When you're talking about b00B$ but don't want to hit on any keyword censors at work?

    --
    "That's the way to do it" - Punch
  16. Re:Just Look for Camel case plus numbers and symbo by UnknownSoldier · · Score: 1

    /sarcasm Ah, cool, another alternative to for:

    // HACK, co-worker was a

    // B(.)(.)B