My takeaway from stories like this is that it was always really easy to crack in to companies, but most knowledgeable people had better things to do.
My feeling is companies leave themselves open by allowing everyone access to the network so the idiot who has been told 50 times not to click on a link in a suspicious email will still do it or hand out passwords to anyone on the phone. Even if you run a tight ship you’ll give access to some contractor who doesn’t.
A poor IT department is working overtime with limited funds for staff trying to fix stuff while bosses breathing down their necks.
Most knowledgeable people are employed
I mean, pretty much
The attacker’s inexperience was also evident in his operational security failures. At one point he asked Claude to help edit his resume, which contained his full name, location, education history, and LinkedIn profile.
Later, while investigating a potential compromise of one of his own hosts, he inadvertently confirmed his home IP address to the agent. Based on this and other corroborating evidence, the researchers believe the attacker to be a young man based in Addis Ababa, Ethiopia.
Wow.
script kiddies wrecking corporate security is funny
prompt kiddies doing it is just depressingDidn’t think I’d ever side with no script kiddie but at this point fuck it.
If your company can’t be bothered to do the bare minimum in security then yeah I hope the least skilled hacker ever comes along and wrecks it.Thing is, with the latest frontier models, the least skilled person can find a crack in the most secure company around, as long as they can string a few sentences together.
It isn’t about “bare minimum” anymore. All it takes is a single lapse in vigilance from a single employee, and they’re in… and the LLM doesn’t have to pause to figure out what to do next.
Pentesters have access to LLMs too
some hacker unleashes malicious AIs to the internet, breaking it apart cause AI keeps finding vulnerabilities in everything and break things faster than humans can fix
corporates build corporate internet and the blackwall, which is AI to fight malicious AIs
Gooooood morning Night City!
Yeah, but an LLM’s arms race isn’t “doing the bare minimum in security”, which is what the poster before was saying.
This is a genuine concern, where whoever has access to the best/most recent/most expensive models can unleash chaos - I’m talking state-sponsored attacks, mega-corp espionage, bored billionaires,…
The people you listed were already doing this. The problem is Darrell, the guy who thinks Earth is flat, can also do this.
Meh. When you’re expecting to have to defend against an army battalion, how much of a thread is Darrell the flat-earther and his AR-15?
Because if Darrell is doing damage, you’ve been conquered and didn’t even noticed.
Edit: in case you’re not following the thread and feel an urge in your loins to come defend Darrell, do note that I’m not disparaging the issues a dimwit with AI can cause. I’m pointing out that other players will have even larger sticks than your friend Darrell.
Case in point, Darrell will not have Claude Fable. Others will.
With AI as the army battalion, Darrell becomes a general.
In this analogy Darrell fires an ICBM, because everyone has access to a ton of those for $20/mo.
The overall point is that doing (what used to be) the bare minimum is no longer even close to enough. To be considered adequate, you need super ironclad defense, because even low skilled attackers have access to very powerful weapons.
It’s easier to destroy a house than to build it.
And no-skilled attackers can buy exploits.
Claude helping is insignificant to the story.
The real headline should be:
At least 14 companies’ IT security is practically non-existent
At least 14. *screams until hoarse in industrial cybersecurity researcher*
It is significant because a random teenager can’t google “download exploits” and have them available 5mins later.
Powerful AI models and agents though are on your fingertips without you even asking.
Sure, people can buy guns. But what if every person could materialize a chainsaw instead regardless of their skill, maturity, age, or criminal record? 🤔
Random teenagers can absolutely google “download exploits” and have them available, that’s pretty much always been the case…
Full disclosure was a thing once upon a time, where exploits and proofs of concept were dumped publicly, forcing companies to fix the issue or be compromised. That’s mostly been moved away from in favor of responsible disclosure, giving companies time to patch the issue before it’s known publicly.
Maybe we should be moving back to full disclosure to force these companies to take data security seriously. Or at least then we could point to a known vulnerability as proof the company is shitty and is neglecting their infrastructure.
Sometimes I read stories of how reading web page source code is tried to be presented as hacking in order to not actually do anything for security, and of white hats sued for doing their job, and think that there are plenty of targets even for someone without exploits or LLMs
Teenagers are definitely able to find exploits via google in 5 if they’re motivated.
Buying a disassembled ak-47 on post order and having it shipped to your address anywhere in the world is also possible.
Rules only apply to people that care about them.
As someone who works in security, llms just make security happen or not happen faster.
I also work in security.
My company (which can damn well afford the costs) 100% REFUSES to leverage AI in any meaningful fashion. The CISO himself wrote the most braindead email to the CIO saying basically that AI isn’t a threat and then showed it to the rest of us like he’s proud of it.
I tried to push some adoption of AI based tools to help detect our own weaknesses and do some basic cleanup work. Nope. Stonewalled. I argued that every attacker is stealing accounts and burning tokens to tear us to shreds using every possible tools they can steal or even buy. We use Copilot.
Blank stares and crickets. We just keep managing our shit in spreadsheets that some dumbass emails as attachments and wonders why everyone has a different version of some useless thing.
At least they’re paying me well. When they collapse in a little while, I suppose I won’t be too surprised.
Only for a year or so. Any company still vulnerable after these tools have been out long enough deserve it.
Most people on lemmy seem to condemn use of LLMs in any way for anything, I wonder what those folks opinion of this stance is - should companies use the tools or not?
Cybersecurity is actually one of the few fields that can benefit from AI. There are companies like Horizon3 who are using it alongside their other threat models to do continuous pen testing.
Yeah imo the one thing ai is legitimately useful for is finding answers to difficult problems that can be trivially verified as correct.
In this case hallucinations actually help…
Gonna take a guess here that what is used in cybersecurity is not LLMs but one of the more useful machine learning applications. Just a nitpick cause today “ai” and “LLM” are sadly synonymous.
No, LLMs can definitely be useful for cyber too. It’s the whole reason the US government banned Claude Fable for export.
An LLM can not just try existing exploits like a script kiddy, but with iteration it can try variations and if you know what runs on the server, inspect the source for potential exploits.
They can also look at your setup and say what issues they see (reverse proxy config, etc).
Doesn’t replace an expert, but can be useful for a first pass before you get the highly paid people involved.
You know what, fair enough. I don’t know enough about that particular one.
I do. I reverse engineered some proprietary software using an agent. A pro could’ve maybe done it faster, but I did it AFK with little knowledge about reverse engineering.
An agent could similarly try tons of attacks against online targets. Fairly sure some are doing it.
Finding holes in software has employed “fuzzing”, where you send completely random payloads, as a research tactic for quite a while (and it has found exploits). LLMs just seem like “educated” fuzzing, I don’t see why anyone would complain about updating your suite with them.
I’ve been fucking around with using Claude to solve CTF challenges. I’m using a harness built out of a custom agent I wrote that progressively loads specific a specific skill for the challenge category, cryptography, binary exploitation, reverse engineering, forensics, etc.
It’s solving the simple shit in <1m using sonnet. It’s solved some shit that I couldn’t figure out at all during the CTF in the time limit we had in ~20 minutes. There’s been 2 challenges that after about 25 minutes I’ll kill the agent working on it, change to opus, then opus solved them in about 20m. One crypto challenge was so math heavy i never would have figured it out. One bin exp challenge didn’t provide a local binary, everything was remote. There was a catch that I never would have solved bc it was remote only and I couldn’t locally debug it.
It’s fucking scary good at solving these things. I just prompt with “use <agent> to solve ./category/challenge/“ and it fully just does everything. It’s definitely akin a fuzzer that can be used for way more than just finding crashes and memory leaks. It takes some work and understanding to make it context/token efficient I think, but it lowers the bar so tremendously that I definitely see why there’s concern here. And again it’s solving most of these things with sonnet, not even opus and definitely not fable.
All told, this feels like the same panic that happened when metasploit first got released/demo’d at defcon back in the day.
As long as they produce a PoC like fuzzing tools, I don’t think anyone is complaining
It’s the theoretical attacks that nearly always turn out to be impossible, wasting time, and making it harder to find the real issues that need investigation that’s the problem with slop reports
Well the problem is that for example curl got flooded with generated security reports where only 5% had some true security potential. So your llm will basically flood you with false positives
If 5% of the reports are genuine security vulnerabilities that they wouldn’t have found otherwise, that’s looking like a big win to me, not sure how you see it differently.
No 5% is very low compared to before AI and this still does not mean the absolute number of found bugs has risen. From my understanding it didn’t for curl. Further it is unlikely that bugs in curl are not found. Basically everything works with curl and it’s a paid bug bounty program so a lot of security researchers are looking at it
The problem is identifying which 5%. Nobody wants to filter that much AI slop.
If you’re working for a company’s cybersec, that’s your job. And a much preferable one to waiting for an attacker to do it for you.
If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop that verifies the vulnerability report before submitting because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5% and open source maintainers wouldn’t be feeling burned the fuck out.
Exactly. If you go through 100 tickets and find 5 real vulnerabilities to patch, that sounds incredibly good…
Sure, but nobody wants to do that, even at fair pay. Unpaid open source volunteer projects REALLY don’t want to do that, and risk burning out what is typically a solo main dev.
Only if you’re stuck in the past.
they fired hordes of tech people, and neglected cybersecurity in many companies. this was bound to happen.
The IT Paradox :
- “Why am I paying IT if everything works”
- “Why am I paying IT if nothing works”
Every time i go on holiday something breaks. It reminds my employer of how many fires I deal with he never notices
Make the hidden work seen
You have a good employer if he can recognize that your work in IT has added value
We warned them but humans preach ignorance like gospel while pocketing dollars.
Reminds me of ISIS.
I would love to see the term ‘low-skilled’ used more often within the context of LLM’s and the manner in which people use them.
Skill is for l4m3rs
LLaMers
Huh?
“lamer” is old (sigh) forum/IM/IRC slang for a low-skilled/obnoxious individual, “someone who’s lame”
It’s even older than that, it was used in the 1980s pirate/demo coder scene, which means it probably originated in skater culture maybe.
;-)
The opposite of haxx0rZ
😨
Alternative title: the ubiquitous race for cheapest developers and fastest time to maket leaves everything insecure.
Wait until someone more skilled hacks the nuclear codes using AI and launches a few at US cities.
you need skills to type 0000-0000?
That’s the code for my luggage.
Doesn’t help more skilled people. Just lowers floor.
I really hope all of that is air gapped.
It probably was before the current assholes decided Grok needs access.
What a thumbnail!
@Grok, is this picture legit?
Tap for spoiler
/s
I’m nominating you for best spoiler reveal of the month.
dammit i wanted to win this one i'll have to wait until next month
If that is a “Low Skilled Attacker” we’re all cooked
Bad look for Claude after their vigorous insistence their model can’t be used this way.
Also bad look for the 50 people I get in my inbox telling me AI is completely useless every time I talk about it. These arguments were worthy of entertainment a few years ago but not in 2026.
What’s the use here? A random Ethiopian kid doxxing himself while “breaching companies”?
This article reads like yet another sensationalist advertisement for ai. How many people have supposedly now gained the ability to “breach dozens of companies” simply by typing “please” into a text box? Hundreds of millions? How is society still functioning if this is going on?
The reason things haven’t fallen apart is because there’s a lot of devs working a lot more than they used to making sure they’re patching vulnerabilities. Last year if you asked me what portion of my time was spent updating dependencies and responding to reports of vulnerabilities I’d say like 5-10%, this year that’s easily more like 30%
I’m sure not every company is doing this, but depending on the sensitivity of the data the company is holding I’d imagine you’d see similar patterns elsewhere
Exploit scripts can be bought on the darknet. Or possibly just googled. Claude’s role in this is close to insignificant.
AI (specifically LLM) isn’t unless unless you need it to be accurate. You don’t need to be accurate to find software vulnerabilities for example, you just need to be able to sift enough of the false positives to be able to identify the real bugs for example.
LLMs are over hyped and being given away below the cost of training and running the models in the hope of getting entrenched then ramping up the costs though.
Fair I agree it’s overhyped. But to be honest the amount I think it’s overhyped continues to decline as its capabilities continue to advance. And we’re at a point now where it is clearly useful for many tasks, even if it’s not appropriate for everything.
“low skill prompts”
😂
I am an engineer. I have a Master in Prompt Engineering.
I used to take that term as a joke too, but there is real complexity in it
Check this: https://microsoft.github.io/SkillOpt/
And this is why they want to know everything we’re doing online at all times.
