Open market for ethical AI?

What mandatory reporting is in place? They should have been required to disclose to all the affected users and companies.

its not only AI companies. companies in general are often really bad at handling vulnerability reports. slow response times. bad triage and payouts etc. Microsoft are pretty notorious. payed a dude $300 for wormable 0 click teams rce via a csti -> WAF bypassed xss -> electron jailbreak. they only payed for the xss. because they "only accept rce reports in system applications" even tho teams has 300 million users. Its not just Microsoft I'm calling them out because thats particularly agregious but its actually the standard. not to mention practices like log patching (monitoring the logs to see what bug hunters are doing so you can patch it before the report and avoid paying them. I've had 2 companies do that to me. and a friend had Tesla do it to them. False duping is also a common tactic to avoid payouts. Its ridiculous by mistreating and overlooking security researchers they actively incentivize blackhat activity. Let me make something absolutely clear companies only really care about their users security to the extent that a large breach harms their reputation. If they think it will ONLY harm their users but they the company will be okay. chances are they give no fucks

Who should ​@@Kane0123

Are you referring to Hungary or another country? I know of people who abused this in Budapest (the guy who reported it was arrested). There was no server side validation at all if I remember correctly. You could just send the 0 amount in the POST request and it would blindly accept that.

@@TheOfficialT3Si yep.

That is messed up

I've heard of other stories where a student does the same and they end up arrested with criminal charges. Literally just telling them that if they're going to poke around, do it maliciously and not disclose any vulnerabilities they find.

Similar thing happened in the States, some MIT students hacked Boston city transit. I'm not sure if they reported it through proper channels, but their charges were dropped anyway. There's a Powerpoint presentation about it floating around somewhere online.

The issue is they didn't use rules to secure the app, Firebase API keys are safe to be public. The documentation even says so.

​@@juanmacias5922 How they are secure in public. Anyone can take your key and use it to show information on his website. For example when you have READ that get data for everybody like products on the website

​@@juanmacias5922 even the secrets?? Cuz I have seen so many repos with all the five keys left on github 💀 I was like, aren't they scared?

I had a guy push aws secrets

Will you do a AI dubbed reaction vídeo from this?

Then they also aren't qualified for handling private information like people's credit cards, addresses, etc. Who knows if this made it's way towards any medical application where this could trigger millions in E-HIPAA violations alone.

Yes, this part doesn't sit right with me. Implementing your own things to do with security generally is not a good idea. The problem is the intersection between "easy to use" and "possible to mis-configure". I think "easy to use" is only completely true if it is also "easy to correctly configure". The real answer is to teach people which tools are good and bad by this metric, and teach them how to tell.

@@RobFisherUK if you'd argue that someone making a fake donation tap-to-pay box isn't "easy to use" then I think this would be an arguement of semantics

yep

Doesn't need to. I just remember my first time having a similar feeling at a similar age and think "welcome to the club" instead of turning it into a dick measuring contest.

I guess I'm too old to feel offended by that 😅

Exactly, this is in the Firebase documentation.

What is a documentation? something you eat? :o

I used to work with Firebase a while ago so take this with a grain of salt. Yes, its okay to expose public config as long as you have setup the rules. Without the rules authorization doesn't exist, meaning any user can write to any other user. If you don't setup correct rules then Firebase will keep yelling at you with a red warning, but it is possible to ignore it and still proceed.

@@DiegoxKa apparently something no one reads. This is why the meme of "RTFM" has merit.

@@wlockuz4467 writing Firebase security rules would make you want to kill yourself. Tooling around it is just so sloppy. I once worked in a team who used Firebase where the security rules were basically treated like after-thoughts, at least as long as I was there. No wonder shit like this happened.

a 24 year old bug in the GNU C Library (tracked as CVE-2024-2961) that can allow a threat actor to get remote code execution on virtually any PHP application that is running on a system with GlibC (pretty much every Linux Operating system and by extension most websites on the internet) -> Mental Outlaw made a video about it (watch?v=u8jLUjpCWrs)

The reality of web development and actually caring about what you publish on a url does that to you.

Dealing with the same stuff at my job. Ship this PWA with hard coded MQTT username and password please. Okay can I at least configure the dynamic security plugin with proper roles so credentials can only do what their supposed to no there is no time ship it now it works.

​@@Iswimandrun One thing I learned the hard way was to never build a good proof-of-concept or demo and present it to non-technical higher ups, it will 100% get shipped because "it works".

@@wlockuz4467 It will work tell the credentials get exfiltrated out of WASM and used to do well anything the attackers want.

Well given we are now 4 months on from the hack them trying to got the companies to do something ... it this is the spur to kick them up the arse then all the better

That sounds interesting, is it a public repo?

Sounds interesting, working with firebase rules can be a pain

Coincidentally right after Schwab said so…

Why people store plaintext passwords? Ignorance, incompetence, laziness or a combination of the three.

damn even building your own password stuff from scratch is not excuse for plaintext pws.... its so damn simple, to at least hash and salt stuff. I really don't get it...

Companies hiring the cheapest js dev they can find to "ship shit fast"

@@MrLordLowbob even just hashing it would be enough and that would take what, one func call on client and one call on server just before you save it? it's insane

we didnt have youtube, but we still had forums and communities for these kind of stuff. Making a name for yourself was actually far easier cause the niche groups were smaller

@@darylphuah what niche groups? lol. I didn't know a single person who was interested in this stuff. And when I told the school district that I was able to access student records, they banned me from using technology in the school district for 2 years.

Firebase API keys are meant to be public. You're just not meant to give them so many permissions off rip (referred to as "proper security rules" by the blog post).

@@KebabTM What a bullshit excuse, why do people keep saying that like parrots, what the f.... That goes against every principle of security, like not exposing sensitive data and having multiple layers of security. That would be akin to, your file system should have proper access rules, now let everyone enter in your SSH server with anon access, right ? Firebase users are another thing... they're not professionals, sorry. A professional company wouldn't just put the database publicly on the internet. Please hire a backend developer.

@@monad_tcp Read the docs LMAO. It's a public API and it has a public key just like Google maps.

"having multiple layers of security" yet it was completely ignrored by the dev team when they were setting up firebase service. If they didn't care for access rules, they wouldn't for the entire backend system (at least the auth part).

@@svishQ because there are no layers, and no developers, there's only frontend and visual design, and plugged APIs that are made by others, and a bit of glue code. they don't care about anything, they're just rebranding an API others made and putting a visual panel on top of it. is that what we call "software development" now ? just user interface, no logic, and databases publicly open to the internet, they outsourced all the development and didn't even bother to properly configure the software they're using as "users". As others said a lot of times, it is a skill issue. But not a Firebase skill issue. No, Its a software development skill issue. If you just use others software and correctly configure it, I would still call you developer. But if you refuse to even configure it properly on top of outsourcing everything, and just plopping some visual templates and using others APIs, I find it hard to call those developers. What is exactly what they are developing ? the scam ? sure its not software with that low level of skill. I know wordpress resellers that do a better development job that those people using firebase.

You're right but I think what Theo is saying is that the design decision to make it this way is a bad design decision because in practice you get things like this happen. You could counter that by saying these people who don't bother to read the docs will not make more secure things using other tech but a counter to that is that some other options make it harder to make insecure things

And upload it

Firebase API keys are supposed to be used in public (in private wouldn't even make sense) with properly configured security rules, have you ever use Firebase?

@@simp- THATS WRONG no API key is EVER supposed to be used in public, the only thing that should be public is the token nonce used by the web server to manage the session, all API keys and data about the application go there. every single web server has sessions for this purpose. Firebase is just wrong, and dangerous, don't use it. Having the database exposed on the internet is NUTS. No one exposes a Postgree or SQLServer port on the internet and just says "the permissions should be enough", some might do but it would be a HUGE red flag.

No, to firebase works it needs to “expose” the api keys, to make firebase secure you need to configure the security rules of the application on the firebase console something that the devs in the video didn’t

If you intend to keep sensitive information in there then first learn how to protect it. Theo and many of the comments make it sound like you can't build something secure with it but that is not true it's just that you need to take the time to learn how to do it right. The problem with firebase is that it very easily lets you make your database unsafe so it's on you to make sure you're covered. My suggestion to you is try to play with it a little and try to understand how it works, then try to play with a different thing and see how they compare.

firebase auth and firebase cloud storage goes hand in hand. there is nothing to be afraid of if you authorize users with firebase auth and provide access to data through storage rules, leveraging firebase auth. just don't forget to set storage rules when you deploy.

Classic base64 encryption. I‘ve been told the same thing about gzip

So Android, ios and other types of developers shall learn JS? I agree that firebase rules are not good. But js doesn't seem to be an ideal solution for everyone using firebase. Instead, I think it would BE BETTER TO have certain presets which you can choose so you don't have to deal with the rules.

YES

I never understood firebase rules

The entire thing is stupid, who thought exposing a database to the internet would be a good idea ? No one exposes a Postgree or SQLServer port on the internet and with an anonymous login account, and just says "the permissions should be enough", some might do but it would be a HUGE red flag.

You are assuming most devs actually read docs lmao

Its impossible to not read docs , for making a video theo don't need to read docs but theo should've​@@superjke718

@@superjke718 then I go back to assume that a dev that doesn't read docs, will not be able to create a secure backend.

You're assuming that js devs are knowledgeable enough to even understand an inch of security.

@@rnts08 This