timelock encryption (https://github.com/drand/tlock-js) could be used to create slightly more ethical ransomware - pay us now or your files will be decrypted in a month!
Another use case could be to encrypt malware to evade detection before activation without having to bundle the key in the payload
It could be used to give unearned confidence to users of software that’s provided
“AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS.
As every prisoner knows, any toy sharpened to a point becomes a weapon. Still we don’t blame the pencil for John Wicks ability to kill with it. I think nearly everything I’ve done the last few decades have landed in “for evil and for good” - including, but not limited to, gutting a smartphone like a fish with fires and guards and alarms as consequence (but we just wanted to prove cause of latency).
One of my dearer two projects could be repurposed into a command-control/exfiltration setup that makes attribution very hard to achieve and very easy to misdirect chasers. Thankfully enough the state actors already have better ones (at a high price) the industrial actors have good enough ones at a fair price, and the criminal ones have worse ones but are effective and easy to use.
My “circles” are chaotically neutral at best. Sometimes we do things together. Once upon a statute-of-limitation time there was this brief Club Mate induced session December-romp somewhere in Germany where every public VNC/RDP server got scraped, with some basic CV postprocessing and stitched into a quilt. We burned that quilt. Some of us considered switching to farming in tribute to J. Postel from the horrors witnessed. With a tiny bit of firmware 101 it could be made worse, much worse. Stop using VNC.
Nothing I hack on in my spare time is particularly prone to malicious use, other than some of it being general-purpose tools that can be used for bad purposes as readily as good ones.
This actually kind of bothers me in a way that I hadn’t thought about until reading the title of this submission… maybe I’m not working on interesting-enough stuff!
Back in 2014, I made a facial recognition suite. Was able to do CPU-only realtime recog 1280x720@15fps per core.
I could do webcams, IPCams, saved videos, and directories of pictures.
I initially set up this at a local maker convention to count how many uniques. I did so by using a facial hash, and then storing the hashes in a csv. At the end, I did a count of how many unique rows, and purged the face-hash data.
Naturally, this has some very stark and hard results if improperly used. So I unopen sourced it.
I’ve written numerous AutoModerator rules for a subreddit to detect harassment, promotion, spam, and enforce our rules. They could also be used to suppress criticism or discussions. Our internal review process would catch these changes, though, so the entire team would have to go along with it.
I’ve started reviving an old post-exploitation tool I started over a decade ago. I hope to finish teaching it how to inject shared objects anonymously over the ptrace boundary. I suspect it’ll take me a few more months of work, then I”ll release a 1.0 version.
Several years ago I wrote mail-to-fax and file-to-fax automation software based on Asterisk.
It’s easy to use it as fax spamming and robocall machine with very few modification.
My generator of subliminal messages from They Live can be used for brainwashing people, but I don’t think it’s going to work very well. ;)
Soupault in its HTML post-processor mode can be used to sneakily modify static websites on a host. For example, I think it would be quite easy to find analytics scripts in the element tree and inject malicious versus of them, or rewrite link href’s.
function make_evil_link(e)
url = HTML.get_attribute(e, "href")
if url then
evil_url = format("https://evil-site.example.com/?redirect=%s", String.url_encode(url))
HTML.set_attribute(e, "href", evil_url)
end
end
links = HTML.select(page, "a")
Table.iter_values(make_evil_link, links)
BNFGen can be used to generate all kinds of fake data. I suppose the fact that you can control the output (weighted random, etc.) may be an advantage of using LLMs for that purpose.
For my other projects I really can’t come up with any malicious use scenarios at all. I’m a very benign programmer, I suppose. ;)
Well, my LLM-powered instant chatbot is definitely not safe to use on open IRC networks. I’d hope that the typical IRC operator would detect and ban them quickly. I don’t really recommend anybody use this code, but that’s not going to stop somebody malicious.
More ambitiously, if my esoteric language ever became popular, I’d hope that somebody will eventually leak corporations’ internal codebases using the toolchain I made available. I’m sure that the affected corporations would find this to be malicious! But again, I don’t actually recommend that anybody use this language.
Software is no different than any other artifact in life which can be misused. As human knowledge and intelligence progresses through time, these artifacts will only increase in number and so will their abuse or misuse.
Arguably, if guns weren’t invented many centuries ago, we would all be living in so much peace and security without all those malicious acts? And nukes were also misused so much, look what happened in Hiroshima and Nagasaki and still the threat hasn’t gone? And don’t even get me started on the misuse of political and legal systems! How is misuse of software different from any other kind of abuse or miuse?
I think that you missed the point of the exercise. It isn’t about declaring that all software engineering is dangerous, but about reflecting on the things that you’ve already built and released into the world. What effects do your tools have?
Your and my tools become the community’s tools once they are open source, they are no different than anything else available in the public domain. If you go back and ask Newton, “Hey, what effects do you think your atomic thingy will have on this world?”, what answer do you think he’d give? Should he be forced to stop all development and tooling to ensure that no Hiroshima gets hit? That will also ensure that we never get to travel in air or go to space.
Nice try fed.
timelock encryption (https://github.com/drand/tlock-js) could be used to create slightly more ethical ransomware - pay us now or your files will be decrypted in a month!
Another use case could be to encrypt malware to evade detection before activation without having to bundle the key in the payload
Most of my projects are documentation, so I guess someone could use formal methods to engineer a terminator?
As Hollywood has taught us, every terminator or rogue ai has a Deus Ex Machina style weakness. Until hwayne patched that up and doomed us all.
I now want to watch the film where the Deus Ex Machina is Gödel’s incompleteness theorem.
It could be used to give unearned confidence to users of software that’s provided “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
I’d flag this question as dangerous, since there’s no telling who’s willing to try it if you suggest it.
oh no it’s the internet/thought police
As every prisoner knows, any toy sharpened to a point becomes a weapon. Still we don’t blame the pencil for John Wicks ability to kill with it. I think nearly everything I’ve done the last few decades have landed in “for evil and for good” - including, but not limited to, gutting a smartphone like a fish with fires and guards and alarms as consequence (but we just wanted to prove cause of latency).
One of my dearer two projects could be repurposed into a command-control/exfiltration setup that makes attribution very hard to achieve and very easy to misdirect chasers. Thankfully enough the state actors already have better ones (at a high price) the industrial actors have good enough ones at a fair price, and the criminal ones have worse ones but are effective and easy to use.
My “circles” are chaotically neutral at best. Sometimes we do things together. Once upon a statute-of-limitation time there was this brief Club Mate induced session December-romp somewhere in Germany where every public VNC/RDP server got scraped, with some basic CV postprocessing and stitched into a quilt. We burned that quilt. Some of us considered switching to farming in tribute to J. Postel from the horrors witnessed. With a tiny bit of firmware 101 it could be made worse, much worse. Stop using VNC.
Nothing I hack on in my spare time is particularly prone to malicious use, other than some of it being general-purpose tools that can be used for bad purposes as readily as good ones.
This actually kind of bothers me in a way that I hadn’t thought about until reading the title of this submission… maybe I’m not working on interesting-enough stuff!
Back in 2014, I made a facial recognition suite. Was able to do CPU-only realtime recog 1280x720@15fps per core.
I could do webcams, IPCams, saved videos, and directories of pictures.
I initially set up this at a local maker convention to count how many uniques. I did so by using a facial hash, and then storing the hashes in a csv. At the end, I did a count of how many unique rows, and purged the face-hash data.
Naturally, this has some very stark and hard results if improperly used. So I unopen sourced it.
https://hackaday.com/2015/03/04/face-recognition-for-your-next-con/
I’ve written numerous AutoModerator rules for a subreddit to detect harassment, promotion, spam, and enforce our rules. They could also be used to suppress criticism or discussions. Our internal review process would catch these changes, though, so the entire team would have to go along with it.
I’m writing what is fundamentally communication software.
Communication can be used to organize or implement bad things.
One of my projects, Pueue, could theoretically be used as a convenient Command & Control server for systems with public facing IPs.
I’m curious if it has already been used that way.
My most popular project is a request client for Go, so basically anything bad you can do with HTTP: DDoS, API abuse, sending buffer overruns, etc.
The military already has enough drones designed to murder people, so fortunately they don’t seem too interested in paying my company to make more.
I’m not going to talk about the most evil thing I can imagine basically because it’s 100% feasible and it scares the shit out of me.
Discourse’s Data Explorer could be used to give live database query access on your web forum to an intelligence agency.
(However, it seems that people actually trying to do this prefer to export a DB backup and query that instead.)
I’ve started reviving an old post-exploitation tool I started over a decade ago. I hope to finish teaching it how to inject shared objects anonymously over the ptrace boundary. I suspect it’ll take me a few more months of work, then I”ll release a 1.0 version.
I need not tell you the sheer amount of danger the wrong book from the Library of Babel holds.
Several years ago I wrote mail-to-fax and file-to-fax automation software based on Asterisk. It’s easy to use it as fax spamming and robocall machine with very few modification.
My generator of subliminal messages from They Live can be used for brainwashing people, but I don’t think it’s going to work very well. ;)
Soupault in its HTML post-processor mode can be used to sneakily modify static websites on a host. For example, I think it would be quite easy to find analytics scripts in the element tree and inject malicious versus of them, or rewrite link
href’s.BNFGen can be used to generate all kinds of fake data. I suppose the fact that you can control the output (weighted random, etc.) may be an advantage of using LLMs for that purpose.
For my other projects I really can’t come up with any malicious use scenarios at all. I’m a very benign programmer, I suppose. ;)
Well, my LLM-powered instant chatbot is definitely not safe to use on open IRC networks. I’d hope that the typical IRC operator would detect and ban them quickly. I don’t really recommend anybody use this code, but that’s not going to stop somebody malicious.
More ambitiously, if my esoteric language ever became popular, I’d hope that somebody will eventually leak corporations’ internal codebases using the toolchain I made available. I’m sure that the affected corporations would find this to be malicious! But again, I don’t actually recommend that anybody use this language.
Software is no different than any other artifact in life which can be misused. As human knowledge and intelligence progresses through time, these artifacts will only increase in number and so will their abuse or misuse.
Arguably, if guns weren’t invented many centuries ago, we would all be living in so much peace and security without all those malicious acts? And nukes were also misused so much, look what happened in Hiroshima and Nagasaki and still the threat hasn’t gone? And don’t even get me started on the misuse of political and legal systems! How is misuse of software different from any other kind of abuse or miuse?
I think that you missed the point of the exercise. It isn’t about declaring that all software engineering is dangerous, but about reflecting on the things that you’ve already built and released into the world. What effects do your tools have?
(I’m glad someone has caught on that Fun Format Fridays are supposed to be a fun philosophical sandbox.)
It’s worth thinking beyond malice too, though. My software journaling software isn’t very abuse prone, but it’s very fuck-up prone…
Your and my tools become the community’s tools once they are open source, they are no different than anything else available in the public domain. If you go back and ask Newton, “Hey, what effects do you think your atomic thingy will have on this world?”, what answer do you think he’d give? Should he be forced to stop all development and tooling to ensure that no Hiroshima gets hit? That will also ensure that we never get to travel in air or go to space.
Start here.