
Is this related to CTMU or are you confusing Carnegie Mellon University with CTMU?


That I am, mea culpa.


It must mean that it is woven to every point and part of reality. Like time.


American Indian will probably share more with Asian than European or African ear wax.



Doesn't seem too far-fetched that at least 2 people in power in all of history came up with this question and experiment.


It actually does seem far-fetched. You know how famous quotes get assigned to various other people than those documented to have said them? Half of the claims that a given historical figure carried out this experiment are probably just misattributions of the Herodotus story.


Doesn't seem far-fetched to me, it's one of those obvious questions people frequently, spontaneously, ask themselves. Another is whether we both "see" the same colors associated with the names.

I'd be surprised if someone in our history didn't conduct this experiment. Ancient times had infanticide, slavery, and other terrible behaviors. This experiment is tame compared to many of those.


Exactly. One AI programmed with bad intentions will have bad intentions. One with good will do good as programmed. Which one outwits the other will simply result in a part of the code that has a programmed advantage over the other.


Everyone should use whatever GlassWire uses. Can't remember now what it was. The creator answered that question here on HN.


You verify it.


Maybe Shkreli when he comes back from jail.


Very vague post. Next time please write specific examples. Everyone should sanitize inputs.


> Everyone should sanitize inputs.

"Sanitize your inputs!" is the security equivalent of abstinence-only sex education. Yes, it technically will fix the problem if executed perfectly, but an endless history of failure should have convinced everyone by now that it is not the right solution for the real world. As other commenters have pointed out, shells were never designed with adversarial input in mind and so "sanitizing" them means hunting down an endless number of bugs and still not knowing if you've done it correctly.

The correct way is to design from the start so that user input cannot be executed. For SQL, everyone now knows that means parametrized statements; in this case, it means job queues and standalone processes with locked-down privileges.


Ehh... how many instances of unsanitized input leading to RCE were due to the subtleties of the interpreter, and how many are the result of people blithely passing user input into the interpreter, not using the sanitation functions available in most mainstream languages (in many cases, in the standard library)?

If getting people to do this is impossible, so is getting people to stop storing passwords in plaintext.


> If getting people to do this is impossible, so is getting people to stop storing passwords in plaintext.

This may very well be the case, though. You may get most people to know that storing passwords in plaintext is not a great idea (tm), but there will always be people ignoring that, be it due to downright ignorance or external factors.

I can envision some non-technical person in an organisation prescribing to IT that a new user password cannot look like one of the user's old passwords, where "look like" actually means something like an edit distance of <=2. Since the secure way of implementing this is looping over all possible passwords close to the one the user entered now, hashing them all and comparing them to a list of past hashes (which is quite resource-intensive, which costs money), I bet there will be people that will give in and just store the last few passwords in plaintext. Maybe they'll encrypt them, but they'll be there.
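The hash-only approach the comment describes, as an added example (not the commenter's code): old passwords survive only as salted hashes, and the new password is checked by enumerating its edit-distance-1 neighbours and hashing each. It assumes SHA-256 as a stand-in for a real slow password hash and printable ASCII as the alphabet; distance 2 is the same enumeration applied twice, which is where the cost explodes.

```python
"""Password-history check without storing old passwords (added example).
Old passwords exist only as (salt, hash) pairs; the new one is compared by
hashing every string within edit distance 1 of it. Assumptions: SHA-256
stands in for bcrypt/argon2, and the alphabet is printable ASCII."""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars

def hash_pw(password: str, salt: bytes) -> bytes:
    # Placeholder for a slow password hash; SHA-256 is used only for the demo.
    return hashlib.sha256(salt + password.encode()).digest()

def neighbours(pw: str):
    """Yield every string at Levenshtein distance <= 1 from pw (pw itself first)."""
    yield pw
    for i in range(len(pw)):
        yield pw[:i] + pw[i + 1:]                     # deletion
        for c in ALPHABET:
            if c != pw[i]:
                yield pw[:i] + c + pw[i + 1:]         # substitution
    for i in range(len(pw) + 1):
        for c in ALPHABET:
            yield pw[:i] + c + pw[i:]                 # insertion

def too_close_to_history(new_pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """history holds (salt, hash) pairs of previous passwords. True if the new
    password is within edit distance 1 of any of them."""
    for salt, old_hash in history:
        for cand in neighbours(new_pw):
            if hash_pw(cand, salt) == old_hash:
                return True
    return False

def candidate_count(pw: str) -> int:
    """Number of hashes one history entry costs: 1 + 94*(2n+1) for length n."""
    n = len(pw)
    return 1 + n + n * (len(ALPHABET) - 1) + (n + 1) * len(ALPHABET)
```

With a deliberately slow hash at around 100 ms per call, an 11-character password costs over 2,000 hashes per stored history entry, which is the expense the comment is pointing at.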


I can give you an example of something that is relatively common and "bad".

Imagine a website that will take a URL and extract the text from it - removing markup - or another service that will scan a URL for meta-tags, etc. All the kind of things that you can find easily.

Now imagine what happens if a user passes input such as "file:////etc/passwd". There are a whole bunch of services which will spit out the contents of the file, because they use some URL-fetching library and don't limit the protocols to http or https.

I wrote a blog-post about that, which was featured here a while back:

https://news.ycombinator.com/item?id=12478538
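A scheme allowlist for the kind of URL-fetching service described in the comment above, as an added example (not code from the comment or the linked post). It refuses anything but http/https, so "file:////etc/passwd" never reaches the fetch library, and it goes one step beyond the comment by also refusing literal loopback and private addresses; DNS-name resolution is out of scope.

```python
"""Validate user-supplied URLs before handing them to a fetch library
(added example). Only http(s) with a real host is fetchable; literal
loopback/private/link-local addresses are refused as well (an extension
beyond the comment's protocol-only point)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_fetchable_url(url: str) -> bool:
    """Return True only for URLs the service should be willing to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return False
    # Rejects file:, ftp:, gopher:, data:, javascript: and every other scheme.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "http:///etc/passwd" parses with an empty host; refuse it too.
    if not parts.hostname:
        return False
    # Literal IP addresses: refuse anything that is not a public unicast address.
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True             # a DNS name; resolving it is out of scope here
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_unspecified)
```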


Yes except now I have 40 microservices that I have to make sure all parse URL parameters properly instead of the one I used to have that would parse them and then put them where everyone else could find it.

Security in depth is hamstrung by an ever-increasing surface area.


I'd say that if your microservices aren't sharing that type of code, you've probably made a software design mistake. Perhaps beside the point, but that's a bit of a contrived example.

I mean, people doing things wrong isn't evidence that they cannot be done right... right?

