Contrary to what most movies show the majority of “hacking” and similar is mainly or even entirely social engineering, i.e. phishing, etc., it’s far easier to “break” a human than to break a database
6 Likes
As I said, renaming the funny.exe to funny.png wouldn’t corrupt it. The sus addon can just rename it again to funny.exe and run it.
I guess hacking a very specific person/company includes social engineering.
2 Likes
That is changing with all the agentic systems that people run on their systems. When a simple text file, like a SKILL, could be enough to hack the target, all the vibe coders.
The overwhelming majority of people aren’t running such though, and it is unlikely to ever be significant enough to be a primary vector, compared with getting pensioners to click random links or boomers to go to websites for free stuff, or anyone to click a random “your package needs your attention” email that looks really really like it’s from DHL, etc., etc.
2 Likes
Most of the time it does, for example finding the name of their pets or children (a painfully common password) or directly targeting them with various attacks, breaking encryption or logins by force is infeasible for the majority of cases, even with a high value target, much easier to do a man-in-the-middle attack or exploit cookies or any number of other techniques, all depending on exploiting human behaviors
The digital equivalent of looking for the key under the doormat instead of picking the lock
(You also have attacks like spoofing networks, which is more practical, but it also involves levels of social engineering, like going to the coffee shop near an office building where you’re running an attack to try to gain access to their devices etc.)
2 Likes
One of the reasons that I am on high alert with addons that look LLM-generated is they are more likely to be dangerous, if not malicious. The person who “made” them literally has literally no idea what code is in there or how it works.
On top of the fact that, while yes, this is a small audience, when you can have an LLM make malicious code for you, then it might be worth the time to prompt it to see if you can make some money off it - or even just to test it. Because it’s literally very low effort.
4 Likes
Exactly, and given the multiple cases of “agentive” LLMs just wiping all the data of their project that’s not a good start
3 Likes
What I had to learn after a couple of years in IT is that:
- People will click on links and give out their info far more frequently than you think
- Those same people will lie about it to avoid feeling ashamed afterwards.
The amount of times I was told “I just added this person to my friends list and I immediately got hacked”, then later on figured out that they: Added this person, said person said they are from X company doing Y, and “you need to click this link and log in here to confirm your identity” and they did… just… humans are flawed.
Your system is only as strong as it’s weakest link, and that’s usually humans.
8 Likes
This is partially because humans hate systems that would otherwise keep them safe, like multifactor authentication, or confirm dialogs, etc.
It’s also arguably partially due to the poor working environments of some places, where they expect you to use private devices for work, because that way they can also track you etc., meaning that there’s a greater vulnerability of users using their “work” devices in unsafe ways
Or that companies don’t understand IT and refuse to pay for important things because they don’t get them
5 Likes
I’ve been at a few companies where they sent out fake phishing attacks every few weeks, and if you clicked on a link you had to do the security training module all over again.
At one place, you had to not only not click the link, you had to right-click on the email and report it to IT as a phishing attempt. Failure to do so would also get you sent to training. That was a Biotech company. They were serious about security.
5 Likes
The primary vector for all malware, that could be correct. I thought more on topic for this thread, that a plugin or addon could easy contain prompt injections, espec. vibecoded ones. And vibe coder are less likely to check the code of an addon or plugin.
I think an indirect vector of infecting someone else’s plugin through hijacking their agent is unlikely
Gosh i missed a lot. Well. anyone mind my joining in?
2 Likes
We’re just yapping about hacking : )
2 Likes
Ahh, OK. thank you, Somehow I dont think “del tree” is a malware anymore, am I incorrect?
2 Likes
A growing problem is that people rely on LLMs to tell them how to do anything, instead of looking online at reputable places or ask questions in forums, “oh yes if the thing say it needs administrator privileges that’s fine, it just needs to be able to update your driver” or something random, it might not give that advice but it might
The internet has this beautiful (and horrible) self correcting mechanism relying on that people love correcting other people on the internet
2 Likes
So will new devs listen when SlopGPT tells them to delete system32?
Probably.
3 Likes
I like being corrected if it means gaining more wisdom 
nevertheless, yes there are many issues including as you mentioned, with the modern internet.
2 Likes
Lol, its more funny to tell them not to do it as experienced devs, by telling them to do it and right before they do explain why not to.
That has so much word sphagetti
1 Like
Well I have seen people try and use gpt to fix something and end up deleting important stuff.
Also seen vibe coders place semicolons in the middle of a line.
Vibe coders truly are a special breed.
4 Likes