BeyondMachines Jun 16
#VibeCoding your MFA
Show threadNico Erfurth
@beyondmachines1 I fear it's real, isn't it?
Jun 16 at 2:05pmWeb
×
BeyondMachines Jun 16
#VibeCoding your MFA
Show threadJohndgeek 🌎Jun 16
@beyondmachines1 Talk about vibe coding the pipeline. 
Show threadSteffen VoßJun 16
@beyondmachines1 
Show threadAlerta! Alerta!Jun 16
@beyondmachines1 🤣
Show threadSherlock SchafJun 16
@beyondmachines1 🤪
Show threadTrunkless Legs Of StoneJun 16
@beyondmachines1 all I see is hunter2
Show threadkaeJun 16
@beyondmachines1 chat is this real?
Show threadBeyondMachines Jun 16
@kae_bytheocean no clue. But I'm thinking Debug = True
Show threadMartin SchröderJun 17
@beyondmachines1
Even then: When would the frontend ever get the code?
@kae_bytheocean
Show threadBeyondMachines Jun 17
@oneiros @kae_bytheocean seemed like a great idea at development debug time 🤷
Show threadVincent SparksJun 22

@beyondmachines1

Where did you get this image from, if you didn't take the screenshot yourself?

Also, why did you assume it was vibe coding?

Show threadBeyondMachines Jun 22
@AVincentInSpace I didn't. It was shared with me.
And I'm truly hoping that it's vibe coding, the alternative is scarier.
Show threadVincent SparksJun 22
@beyondmachines1
The alternative is that it's a joke. Quit catastrophizing.
Show threadBeyondMachines Jun 22
@AVincentInSpace Sure, let's go with that.
Show threadVincent SparksJun 22

@beyondmachines1

I'm not going to accept that this is a public facing page without proof, and neither should you. In its current form, it is nothing more than ragebait. That you're spreading.

Show threadBeyondMachines Jun 22
@AVincentInSpace whatever helps you sleep better. 🫡
Show threaddzamieJun 16
"x0cx0x" sure is an interesting way to censor the first six digits of a phone number
Show threadEmber Jun 17
@dzamie not ai generated, just typical OCR errors (probably the OCR software included in mastodon)
Show threaddzamieJun 17
I suppose "ai" is just a synonym for "general-purpose LLM" these days, yeah
Show threadvita is something :3Jun 16
@beyondmachines1 i took like a whole minute to understand this T~T
Show threadNico ErfurthJun 16
@beyondmachines1 I fear it's real, isn't it?
Show threadKit 🏳️‍🌈🏳️‍⚧️🇺🇦Jun 16
@beyondmachines1 What application is that, smh? I'm not sure the people know the purpose of sending a code to your phone XD
Show threadsullybikerJun 16
@beyondmachines1 Oh dear god
Show threadOzzelotJun 16
@beyondmachines1
Perhaps it is the number of an entirely different code. 
Show threadBeyondMachines Jun 16
@ozzelot That is so evil
Show threadOzzelotJun 16
@beyondmachines1 The correct code has arrived at the phone and this is for internal use by people who have access to the DB and have no intention to bother with phones, I assume
Show threadBeyondMachines Jun 16
@ozzelot that's what we call a back door. And having a back door is always a bad idea.
Show threadOzzelotJun 16
@beyondmachines1
Well, if it weren't for little old security through obscurity, it would be a front door!
Show threadlunchyJun 16
@beyondmachines1 is this real?
Show threadBeyondMachines Jun 16
@lunch I'm putting my money on Debug = True
Show threadJPeckJun 16
@beyondmachines1 really streamlines the authentication process
Show threadBeyondMachines Jun 16
@boscoandpeck we need HX, Hacker eXperience
Show threadJPeckJun 16
@beyondmachines1 😂 I can see the job listing now for a full stack hx developer
Show threadStanley Nerdlinger IIJun 16
@beyondmachines1
Wait. Let me get my phone.
Show threadJustin DerrickJun 16
@beyondmachines1 Your alt-text needs a little tweak, the 'xxx-xxx' looks a little messed up.
Show threadChief Master Sergeant Walter HJun 16
@beyondmachines1 Better UX, that.
Show threadBeyondMachines Jun 16
@chief everyone is happy. Customers, hackers, everyone!
Show threadAndy FletcherJun 16

@beyondmachines1 About 15 years ago I had a bank account in Qatar. They had SMS authentication for transfers.

The form asked you for your Qatar Id - easy as it was displayed at the top of the webpage then invited you to put in a phone number for the SMS authentication message to be sent to. You could use any phone number - your own, the wife or even a co-worker. I tried!

Show threadBeyondMachines Jun 16
@X31Andy I bet there are such implementations even now
Show threadDD ʕ´•ᴥ•`ʔσ🌱Jun 16
@beyondmachines1 LMAO 🤣
Show threadjbzJun 16
@beyondmachines1 accessibility feature here I come
Show threadOpenComputeDesignJun 16
@beyondmachines1 Please don't ask me how long I had to stare at this before I realized what was wrong 🤦
Show threadBeyondMachines Jun 16
@OpenComputeDesign like looking for my glasses while i'm wearing them 🤷‍♂️
Show threadimpossibleibex 🇺🇦Jun 16
@beyondmachines1 did you vibe code the alt text too?
Show threadBeyondMachines Jun 16
@impossibleibex Obviously, one has to be consistent
Show threadAvuton OlrichJun 16
@beyondmachines1 One step better, but still a hellscape, is when they're all individually typed, impossible to paste to, boxes.
Show threadMasonJun 16
@beyondmachines1 I don't get this please help 😭
Show threadDosFoxJun 16

@mason @beyondmachines1
It took me a minute - the code that is being sent as an SMS...

...is already displayed on the screen.

Show threadÖlbaumJun 16
@mason Apparently instead of just telling you it sent a code to your phone for verification, it also tells you the code, which defeats the purpose.
Show threadSpeed demon 🇪🇺 🇳🇴🇺🇦🇵🇸Jun 16
@oscherler They kept the phone-number hidden thogh, so it's not all bad. :-D @mason
Show threadMasonJun 16
@oscherler Oh now I just noticed haha
Show threadPaul CantrellJun 16

@beyondmachines1

This is a joke, right? It’s fake? It HAS to be fake.

@adamshostack

Show threadrk: it’s hyphen-minus actuallyJun 16

@inthehands @beyondmachines1 @adamshostack

There was a Lobste.rs thread a while back that linked to a vibe coded MFA thing where the MFA just…didn’t work. Basically it would bypass the actual auth checks in some common situation, and even had test cases generated that confirmed this to be the case.

I’ll see if I can find it.

Show threadAdam Shostack  Jun 16
@rk @inthehands @beyondmachines1 In the sense of LLMs being good at generating clocks at 10:10, it would not surprise me to discover that LLMs have preferences for certain MFA values that were used in a google blog post.
Show threadPaul CantrellJun 16

@adamshostack

Tangent off that: there’s a really crucial distinction frequently glossed over between (1) using an LLM to generate code which then executes normally, and (2) inserting an LLM into the runtime process. Both have enormous pitfalls, but they’re very different pitfalls: LLM-generated code is a review nightmare; LLM runtime behavior is a nondeterminism nightmare.

@rk @beyondmachines1

Show threadAdam Shostack  Jun 16
@inthehands @rk @beyondmachines1 💯 % agree. I've tried to show this visually in https://shostack.org/blog/strategy-for-threat-modeling-ai/ would appreciate your feedback.
Shostack + Friends Blog > Strategy for threat modeling AI

Clarifying how to threat model AI

Show threadPaul CantrellJun 16
@adamshostack
Oo! Bookmarked for when I have more than 3 min!
Show threadBeyondMachines Jun 17
@inthehands @adamshostack @rk Damn, this is so scary. And I need to think about it