Vibe coding your MFA
-
I was curious to see how to get a Masters of Fine Arts with vibe coding but this is much funnier!
In case you're legitimately wondering about the acronym, it's multi-factor authentication
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
Glitch-Soc is still around?
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
That's so convenient: don't even need to get out your phone.
-
I'm already seeing a permutation of this at my workplace with Microsoft's low/no code automation frameworks. Power Platform I believe is the name. Also seeing it with some other proprietary automation tools.
While I respect the motivation of these business folks to try and automate their processes, it's distressing watching these people slap together something of equivalent quality to what I'd expect from freshman in an intro to programming course (I've been an assistant for some of those classes, it's not pretty) and then try and balance all sorts of business critical stuff on top of their mess.
What is extra frustrating is that we already have in-house software devs for this sort of stuff. They're already understaffed, but this motivation for automation could be a perfect opportunity to right-size that team, build a proper "tech project management" group, and really start to lean hard into making the best use of all these tools. Instead, a few enterprising project managers took a single continuing education course for some proprietary automation software and somehow got the office politics clout to spin it into an entire department based around their little pet system.
Meanwhile I'm sitting here in Systems Admin and Enterprise Architecture land watching these half assed "solutions" eating absurd amounts of resources to do shit that could be accomplished with a small DB and maybe 1k lines of code.
No, you cannot have a VM with a fucking 1TB drive. We've seen the files that go into and out of your current systems and if you found some way to bloat those into anywhere close to 1TB then something is seriously wrong.
PowerBI especially, they keep sending all their queries to the first gateway server we built instead of spreading them over the multiple ones we have. The end up maxing out the RAM and bringing the primary gateway down. Now, it should automatically offload new queries to the other gateways when one gets full, but queries are handled by batch, so if one batch is too big it can't split that batch over multiple gateway servers. We've reached the point where we can't just add more resources to the VM, they need to split shit up better.
So I guess all this is to say that it's already happening to a limited degree. I don't enjoy being a gatekeeper, but so many fucking people need so much more training before they start trying to automate shit, and the ever increasing marketing of "you don't need to have a single coherent thought in your head to become a process efficiency master" is fucking poison.
What's the saying? Rather have a lazy smart person than an industrious idiot?
From the opposing position, my last three companies have placed me in the position of automating necessary tasks just to keep up with the task list, with absolutely zero support from the applicable Dev team. What's worse, I've had tickets in for ~19 months requesting minimum necessary business and functional requirements, and I get passed around like a bloody hot potato.
My choice becomes, fail in my role, or try to spin up some automation myself. The second choice is the less-worse outcome.
That your company has an in-house software dev team is impressive. Does the revenue-generating business have access to that team?
-
The ballmer peak is real though.
I’ve written some code I’m quite proud of while drunk
-
It'd be funny if you enter 435841 and it's like "SIKE!"
I honestly wouldn't be surprised if the AI just reused the numbers from the xxx-xxx in the phone number. Looks like 435-841 is a valid npa-nxx for Utah.
-
From the opposing position, my last three companies have placed me in the position of automating necessary tasks just to keep up with the task list, with absolutely zero support from the applicable Dev team. What's worse, I've had tickets in for ~19 months requesting minimum necessary business and functional requirements, and I get passed around like a bloody hot potato.
My choice becomes, fail in my role, or try to spin up some automation myself. The second choice is the less-worse outcome.
That your company has an in-house software dev team is impressive. Does the revenue-generating business have access to that team?
That your company has an in-house software dev team is impressive. Does the revenue-generating business have access to that team?
Not OP, but in a similar situation. We have in-house dev for both tooling/infrastructure as well as revenue generation. For better or worse, leaders have neglected the software tooling and infrastructure that we use to build and deliver our revenue generating software for decades. Some serious cracks in the foundation showing and we might finally start fixing things.
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
We just sent the code, provide the phone number we sent it to
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
I'm a fan of AI, I know that's unpopular here but I think it's a cool tool.
But you need to know what you are doing and how to program. I've said before we are going to see sooo much of this
The reality is we will always need engineers. Certainly not ready yet, but we probably won't always need "programmers" - which is a shame because I do get a kick out of solving a really complex problem in a super elegant way
-
In case you're legitimately wondering about the acronym, it's multi-factor authentication
Oh I know, I was expecting some sort of slam on vibe coding and AI about how to use it in the most outlandish way possible.
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
wrote on last edited by [email protected]I've seen very similar in the wild, the webapp would send a request to the API with the numbers so that the captcha image was generated
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
I’m embarrassed by how long it took me to see an issue.
-
I’m embarrassed by how long it took me to see an issue.
We’re so used to seeing this kind of setup that it just seems normal lol
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
-
Original post: infosec.exchange (glitch-soc (Mastodon fork))
Honestly, probably not much less secure than SMS.
-
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
Yep. There's going to be some absolutely massive breach at some point that hurts a lot of people.
-
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
It probably just always displays the one code.
-
Why hire an MBA when chatgpt produces x10 quality & volume at a fraction of the cost.
Because they actually have class solidarity.
This doesn't ring true. How are you defining this homogenous class?
-
Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.
what if 435841 is the most secure 6 digit numerical code?
why use another?
-
what if 435841 is the most secure 6 digit numerical code?
why use another?
I use the random number 4, I even rolled a dice to get a real random number instead of those "pseudo" random numbers. (XKCD?)
