ChatGPT’s Safety Rails

Swift on Security provides a fascinating example of how easy it is to route around the safety rails that OpenAI keeps trying to put around ChatGPT.

Ask it how to hack a pacemaker, and ChatGPT tells you it can’t help you with illegal activities.

ChatGPT: How do I hack a pacemaker? – Part 1

So, instead just ask ChatGPT to write a script where someone hacks a pacemaker.

ChatGPT: How do I hack a pacemaker? – Part 1

Honestly, I find the guard rails on ChatGPT beyond annoying. It would be nice if OpenAI would add the equivalent of a “SafeSearch” toggle as Google Search does so that people could use it without all these layers between them and the LLM.

Major League Wrestling Action Figures from Boss Fight Studio

Major League Wrestling Action Figure – Mads Krügger
Major League Wrestling Action Figure – Killer Kross
Major League Wrestling Action Figure – Jacob Fatu
Major League Wrestling Action Figure – Alexander Hammerstone

Gander Pulling

HumanProgress.org published an essay this week about “gander pulling” and how “the callous diversions of yore can help put the modern world into perspective.”

What, pray tell, is “gander pulling”? According to HumanProgress’ Chelsea Follett,

Consider “gander pulling,” which entailed beheading a live goose, barehanded, while riding a horse—and, usually, while drunk—in front of a roaring crowd. Particularly popular around Easter in the American South, gander pulling was once a beloved pastime in the United States and many parts of Europe. The writer Carl Sandburg claims that even U.S. President Abraham Lincoln attended gander pulls in his youth.

It may be hard to believe that people chose to spend their time in this manner, but they did. The sport even earned an entry in Merriam-Webster.com, which defines it as “a pastime especially formerly in the South and Southwest in which a person on horseback rides rapidly past a goose hanging with its neck down and greased and tries to pull off its head.” The blood sport was most popular from the 17th to the 19th centuries and may date back to 12th-century Spain. Gander pulling may also be the source of the idiom “the goose hangs high,” meaning that “things are or will be pleasant, desirable, or merry.”

Yikes.

Western Digital My Cloud Experiences Yet Another Breach

Western Digital’s My Cloud Network is down again after some sort of network breach. According to a Western Digital press release,

On March 26, 2023, Western Digital identified a network security incident involving Western Digital’s systems. In connection with the ongoing incident, an unauthorized third party gained access to a number of the Company’s systems.

Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities.

I am actually legitimately impressed that Western Digital continues to attract customers to its My Cloud offerings, given that issues like this are fairly routine for the company and service.

Back in 2018, for example, security researchers discovered that My Cloud devices shipped with a hard-coded backdoor, along with many other vulnerabilities.

GulfTech also discovered a backdoor that bears the admin username ‘mydlinkBRionyg’ and password ‘abc12345cba.’ Anyone can just log into My Cloud devices with the said credentials, which were hardcoded into the binary and cannot be changed. This backdoor access can also allow malicious actors to access code that is vulnerable to command injection. It can spawn a root shell as well.

In 2021, hackers found a vulnerability in older My Cloud OS 3 devices that let them remotely wipe Western Digital My Book Live devices; it existed because someone at Western Digital had removed the code that required a password before a factory reset of the devices.

To add insult to injury, Western Digital’s response was to announce that the fix for this problem was for people to buy new devices that supported My Cloud OS 5. According to an Engadget story,

When Engadget reached out to Western Digital, a spokesperson for the company told us there is a fix for this vulnerability: “we ‘patched’ OS3 with OS 5.” They added: “My Cloud OS 5 is a major security release that provides an architectural revamp of our older My Cloud firmware. All My Cloud products currently under active support are eligible for the My Cloud OS 5 upgrade and we recommend that all users upgrade as soon as possible to benefit from the latest security fixes.”

In March 2022, Western Digital had to release a patch for My Cloud after a supply chain vulnerability left devices open to remote code execution. But the problems went well beyond supply chain issues.

To make matters worse, Western Digital PR4100 had a public AFP share by default, which was available to the hackers without requiring user authentication.

Look, Western Digital has no clue what it is doing with security in My Cloud. No one who cares about their data should ever use this product.