:-D :-D :-D :-D :-D :-D :-D

that was quick! the CEO’s denial is very funny for a number of reasons, but the jig’s up — the supposed point of this device (the assistant) just straight up works on an Android phone, and their modifications to AOSP are almost certainly relatively trivial shit (permissions hole-punching for app interoperability… I can’t actually name a second thing they’d need).

but speaking of that denial:

We are aware there are some unofficial rabbit OS app/website emulators out there. We understand the passion that people have to get a taste of our AI and LAM instead of waiting for their r1 to arrive. That being said, to clear any misunderstanding and set the record straight, rabbit OS and LAM run on the cloud with very bespoke AOSP and lower level firmware modifications, therefore a local bootleg APK without the proper OS and Cloud endpoints won’t be able to access our service.

hoo boy, in detail:

• what unofficial emulator? this is the APK the device runs.
• what rabbit OS? the fucking thing runs an AOSP fork locally.
• it seems to access rabbit’s cloud endpoints just fine in the video. they even make an account with the device.
• is the response here really that it isn’t an Android phone cause all the functionality is in the cloud? cause that really doesn’t sound like something that needs bespoke hardware to me.

And from the “it’s the same grifters with a new focus” department, an update

The craziest part is that it works as well on a standard phone.

We didn’t bother testing out any other functionality, such as Spotify integration, Vision, etc., but we wouldn’t be surprised if some of them didn’t work.

I’m no Catholic but if I were I’d take offense at a site with the URL catholic.com.

Not if they first claim to be an antipope

Naw, they didn't do anything really awful like ordaining a woman.

--the regular suspects, probably

we also added in an grammar checker

parody?

I'd rather drop the religion from that list. Some religions propagate harmful ideas too and historically sided with fascists.

Passwords are in plain text. Payment information does not display credit card information. Payment information displays preferred payment method (e.g. PayPal, Credit Card, Debit Card) and currency used (e.g. CAD, USD).

People actually pay money for the fucking Post Millennial.

Wish VXUG would post on fedi, it’s one of the things I’m missing since I stopped using twitter :|

you can’t just hit me with fucking comedy gold with no warning like that (archive link cause losing this would be a tragedy)

So my natural thought process was, “If I’m using AI to write my anti-malware script, then why not the malware itself?”

Then as I started building my test VM, I realized I would need help with a general, not necessarily security-focused, script to help set up my testing environment. Why not have AI make me a third?

[…]

cpauto.py — the general IT automation script

First, I created a single junk file to actually encrypt. I originally made 10 files that I was manually copy pasting, and in the middle of that, I got the idea to start automating this.

this one just copies a file to another file, with an increasing numerical suffix on the filename. that’s an easily-googled oneliner in bash, but it took the article author multiple tries to fail to get Copilot to do it (they had to modify the best result it gave to make it work)

rudi_ransom.py (rudimentary ransomware)

I won’t lie. This was scary. I made this while I was making lunch.

this is just a script that iterates over all the files it can access, saves a version encrypted against a random (non-persisted, they couldn’t figure out how to save it) key with a .locked suffix, deletes the original, changes their screen locker message to a “ransom” notice, and presumably locks their screen. that’s 5 whole lines of bash! they won’t stop talking about how they made this incredibly terrifying thing during lunch, because humblebragging about stupid shit and AI fans go hand in hand.

rrw.py (rudimentary ransomware wrecker) This was honestly the hardest script to get working adequately, which compounds upon the scariness of this entire exercise. Again, while I opted for a behavior-based detection anti-ransomware script, I didn’t want it to be too granular so it could only detect the rudi_ransom.py script, but anything that exhibits similar behavior.

this is where it gets fucking hilarious. they use computer security buzzwords to describe such approaches as:

• trying and failing to kill all python3 processes (so much for a general approach)
• killing the process if its name contains the string “ransom”
• using inotify to watch the specific directory containing his test files for changes, and killing any process that modifies those files
• killing any process that opens more than 20 files (hahaha good fucking luck)
• killing any process that uses more than 5% CPU that’s running from their test directory

at one point they describe an error caused by the LLM making shit up as progress. after that, the LLM outputs a script that starts killing random system processes.

so, after 42 tries, did they get something that worked?

I was giving friends and colleagues play-by-plays as I was testing various iterations of the scripts while writing this blog, and the consensus opinion was that what I was able to accomplish with a whim was terrifying.

I’m not going to lie, I tend to agree. It’s scary that was I was able create the ransomware/data wiper script so quickly, but it took many hours, several days, 42 different versions, and even more minor edits to fail to stop said ransomware script from executing or kill it after it did. I’m glad the static analysis part worked, but that has a high probability of causing accidental deletions from false positives.

I just want to reiterate that I had my AI app generate my ransomware script while I was making lunch…

of course they fucking didn’t

How it started:

it has to be behavior-based detection. I didn’t want to build a script that was only useful to detect and mitigate the specific ransomware executable I created for this blog. Signature-based detection is only useful for a particular file. The second a single byte changes, the file will have a new hash.

(which is not exactly how AV signatures work but anyways...)

How it's going:

[...] scans any file in the /home director, for the strings "cryptography", "cryptodome", "ransom", "locked", "encrypt".

The article almost looks like satire.

If all script kiddies waste their time trying to use generative AI to produce barely functional malware, we might be marginally safer for a while ^^. Or maybe this is the beginning of an entirely new malware ecology, clueless development using LLMs falling prey to clueless malware using LLMs.

this is most certainly a clerical error

From the bot-runners website:

Catholic Answers works each day to ensure our content is faithful to the Magisterium. Our staff apologists have decades of practice in apologetics, and several hold advanced degrees in theology and philosophy. We maintain a broad list of associates (clergy and laymen) who are experts in the fields of liturgy, history, bioethics, theology, philosophy, canon law, and more.

"And we've decided to throw the hard work of these people under the bus in favor of an unfinished toy that ridicules our faith. A consultant named Damien Thorn made a compelling case!"

Linked in the article: the designer/programmer has now done the obligatory "Well I didn't think there was anything wrong with it" AI bot post mortem interview with a Catholic blog.

I like the beautiful tangents into linguistics and arguing about how many present tenses English has, and of the dubious merit of distinguishing definiteness in articles.

Trying to invoke LLMs as a tool to pierce these supposedly pointless elements of the English language, for the benefit of non-native (or maybe non-confident native) speakers.

Where really this is exactly the sort of mistakes that LLMs can bring, it’s not just choosing between a non-standard and a standard spelling of a word (like for basic autocorrect) it’s choosing between valid forms depending on context and Intent, which no machine can divine.

The "survey" purporting to show most EA's are "left-wing" was run and hosted by Astral Codex Ten???? Are you fucking kidding me?

This had me wondering, how common is the name Fuentes at all? Cause I keep having a small brainfart and thinking about Nick and I really hope that is a problem between my keyboard and chair and not intentional.

E: also EA/LW shooting the messenger, as is tradition.

@dgerard I saw the first post and did not realize one could actually buy this...

yeah, poast are nazis