#data leaks

On paper, having a public facing, open source repository sounds great, and GitHub is one them. But it’s all too easy to abuse. The number of malware campaigns and vulnerabilities I have written about that have ties to GitHub is enough that my word processor can accurately autofill the name with predictive text. But what is it, precisely?

GitHub is a developer platform used to create, store, manage and share code (source: Wikipedia). As of June 2023, it is the largest host in the world for open source software development projects. Microsoft was a significant user of GitHub during the boom of software engineering in the 2010’s that has become part and parcel of Windows. Things like PowerShell, Visual Studio Code and Windows Terminal were all developed there. In 2018, Microsoft acquired GitHub and continues to operate it independently as a community and platform.

It hasn’t always been smooth sailing, though. The issue with open source software is that there are no limits, which is good for development, but not so good when it brushes against restrictions of one kind or another. Sanctions, accusations of censorship, unpopular contracts, these have all been issues GitHub has faced. And now AI has entered the chat, to coin a phrase. In an article released yesterday, Wiz reported that 65% of the leading AI companies had leaked verified secrets on GitHub. These leaks were often buried in a way that typical scanning through the archives wouldn’t necessarily find them, but if one knew what they were searching for, it was remarkably simple to come across sensitive data.

It would be easy to blame GitHub for this, but frankly, generative-AI is rife with security issues at its core. I’ve made the analogy of AI being a toddler doing surgery before, and I feel like this is another example of it.

Coding, at its foundation, is about setting parameters. If/then scenarios that inform a program of where its limits are. AI being an aggregation tool, those parameters do not always functionally limit its response. An argument can be made, for instance, that while the sky is blue, sometimes it’s orange. Dawn and dusk are variables in the otherwise ‘normal’ behavior of the sky. We can take note of those exceptions because we have a cognitive understanding that variables exist as specific instances, not absolutes. A machine, on the other hand, cannot make that distinction as easily. If the parameters set don’t filter out dawn and dusk, an AI would come to the conclusion that the sky is blue, yes, but it’s also orange. And the contradiction would not be apparent to the machine, because it’s not actually thinking, it’s just collecting information.

The same is true for sensitive data. An LLM cannot distinguish between what is okay to share and what isn’t, if it isn’t given absolute filters. And with the sheer amount of data available in the digital world, it’s impossible to actually, functionally set parameters to confine it. To an LLM, all data is merely data. The only way to prevent leaks via generative-AI is by not giving it any to begin with. And there’s no putting that genie back in the bottle.

Wiz’s report hypothesizes that any AI company with a big enough GitHub footprint has leaked secrets. Period. But is that because of GitHub’s open source platform or because AI’s don’t know how to keep their metaphorical mouths shut? I think it’s both. And I agree with Wiz; this is less a matter of doing business as it is a gap in security keeping up with evolution.

Only heard of this site a few days ago and only heard about this happening just last night, but if you signed up for this site, you're personal info (e-mail, phone, etc) is at risk.

I bring this up as I see all the user-unfriendly practices going on with Twitter (as an outside observer) and people looking for alternatives.

Cloudflare, a network meant to keep in memory a lot of passwords, usernames, and general security information, just revealed there’s been a huge leak in information that’s been bleeding out and being posted to public internet pages for months now.

Change your passwords! The list of affected sites is long and it’s still growing. If you have any sensitive information it’s highly recommended you use two-factor authentication and/or change your passwords to something more complex.

A snippet of affected sites are;

- discordapp .com - account.leagueoflegends .com - patreon .com - 4chan .com - uber .com - a couple bitcoin sites - okcupid .com - change .org - pastebin .com - a couple anime sites, like crunchyroll .com - a lot of hentai/porn sites (…a lot) - wattpad .com - some torrenting/game torrenting sites - mangafox .com - omegle .com - storeenvy .com - teespring .com - many more

The list is pretty long and it’s not even complete yet, these are just some of those that I thought stuck out more because my friends use them.

Pavel Durov Links 41 Crypto Kidnappings in France to Data Leaks

Telegram founder Pavel Durov links 41 crypto kidnappings in France to data leaks, warning rising risks from expanding data collection systems.