Cybersecurity

7244 readers

241 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago

MODERATORS

kid

[email protected]

Microsoft sues service for creating illicit content with its AI platform (arstechnica.com)

submitted 4 months ago by kid to c/cybersecurity

4 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 15 points 4 months ago (2 children)

This article is hilarious to me for some reason…

All 10 defendants were named John Doe because Microsoft doesn’t know their identity.

So Microsoft doesn’t know who the people are.

Microsoft didn’t say how the legitimate customer accounts were compromised but said hackers have been known to create tools to search code repositories for API keys developers inadvertently included in the apps they create. Microsoft and others have long counseled developers to remove credentials and other sensitive data from code they publish, but the practice is regularly ignored.

The accounts that were compromised were likely stolen because the account owners listed API creds directly in their code.

Microsoft didn’t outline precisely how the defendants' software was allegedly designed to bypass the guardrails the company had created.

Microsoft won’t explain how their system is busted.

The lawsuit alleges the defendants’ service violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act and constitutes wire fraud, access device fraud, common law trespass, and tortious interference. The complaint seeks an injunction enjoining the defendants from engaging in “any activity herein.”

Whatever the hackers generated sure did piss Microsoft off.

[–] [email protected] 21 points 4 months ago

to bypass the guardrails the company had created

What a delightful way to say that those guardrails were worth, in effect, fuck all.

[–] bitwolf 3 points 4 months ago

It gets even better

These code-based restrictions have been repeatedly bypassed in recent years through hacks, some benign and performed by researchers and others by malicious threat actors.

Yet their public statement is

Microsoft’s AI services deploy strong safety measures, including built-in safety mitigations at the AI model, platform, and application levels.

Sounds like they preferred to keep it live and race to mitigate but the holes were still open.
But they're really going at them, suing someone they can't identify, and shouting off every violation they can hope to apply to it.

Its irresponsible.