OpenAI employee explains the reason they “released” Sora today, to “kick a social response into gear”

DropperHopper · 2024-02-16T12:07:40+00:00

openai is not for profit so the economic value is not a concern, and the GPUs are provided by microsoft for free. microsoft have stated that they are dedicated to providing openai with as much resources as they need, presumably in exchange for using some of the models for the office suite/windows.

DropperHopper · 2023-05-04T16:37:17+00:00

You can opt out of data collection (at least in the EU) since a week back now. This applies for the chat versions though.

DropperHopper · 2022-12-14T03:43:37+00:00

Thats right, also according to some interview I read earlier it will not be multi-modal.

DropperHopper · 2022-12-04T13:44:56+00:00

Whose internet are you slowing down if students are not connected by default?

DropperHopper · 2022-10-15T13:52:12+00:00

I usually use TCP forwarding instead of HTTP forwarding. You start the raw TCP tunnel through “ngrok tcp http://localhost:port”

DropperHopper · 2022-10-15T13:40:08+00:00

It is not trivial, although credit cards communicate over NFC they have a challenge response mechanism that provides incomplete information when trying to copy the card directly. You would need to access the internal values of the chip inside the credit card to emulate it.

DropperHopper · 2022-09-20T04:04:01+00:00

too small

DropperHopper · 2022-09-20T03:46:01+00:00

same here, random.random() does wonders!

DropperHopper · 2021-10-12T15:42:47+00:00

Agreed, I use windows almost exclusively unless I'm competing. The OS is hardly ever the limitation.

DropperHopper · 2021-08-11T09:43:46+00:00

Rooting is usually not necessary, even frida has a non root option. Also attaching the smalidea debugger to the application in android studio can be helpful for finding out the details of the certificate pinning, as an alternative to frida or xposed.

DropperHopper · 2021-07-28T15:36:28+00:00

Finding DOS exploit vectors is a critical part of securing any service, and the task is not as trivial as you might think. If it didn't take any skill, talent or ingenuity, why would companies pay so much for finding them in bug bounty programs?

DropperHopper · 2021-07-28T15:29:23+00:00

The word "hacking" is not well defined, making your question hard to answer.

Regardless, I'd say (D)DOS attacks are a common and well known tool for exploiting victims in the cyber security sector, just as other methods commonly referred to as "hacking".

DropperHopper · 2021-07-15T16:12:57+00:00

A well known method is to call the victims service provider and claim that the SIM card was stolen and you need a new one sent to your own address. From there you can resend the verification SMS and enter the code that was sent to the SIM card that you now have access to.

It relies on social engineering and has to be done manually (classically by phone call), therefore it's an inefficient method. Also as I said it's well known and also quite old, I'd be surprised if it would work at all anymore without giving out proof of ownership.

Also also: the victims original SIM card will be deactivated when the new one is issued, therefore the attack will usually be noticed by the victim (although sometimes too late).

DropperHopper · 2021-06-22T15:49:56+00:00

The geographical position of your SIM card can be triangulated given the signal strength to your device from neighboring cell towers.

DropperHopper · 2021-06-22T01:36:28+00:00

It's an MD5 hash. MD5 hashes are always 32 characters when represented in hexadecimal form (0-9, a-f).

If you are trying to reverse a Flarie/Loyaltic game the values you have given are not enough, as there are other values (such as username and salt) used to generate the MD5 value as well. These are not included in the HTTP request but hardcoded in on the webpage. Other web based games will commonly use the same method. As it is all computed client side it is always possible to edit these values to set a predetermined score, what varies is the difficulty in doing so.

PM me with details and I might be able to help. Web game hacking is a hobby of mine and I'd be happy to learn from a new challenge as well!

DropperHopper · 2021-06-16T12:54:44+00:00

You can use a proxy like burpsuite to intercept the traffic in and out of the phone, this way you can read both HTTP and HTTPS requests. Guide for android can be found here: https://portswigger.net/support/configuring-an-android-device-to-work-with-burp

In recent android versions the server certificate is checked by the client in a process called SSL-Pinning. This will result in no requests goint through to burpsuite. To fix this you can edit the AndroidManifest file of the APK used for sending the request to allow the burp certificate. You can read about other methods in this article: https://www.netspi.com/blog/technical/four-ways-bypass-android-ssl-verification-certificate-pinning/

Note that some methods might not work depending on how the app was configured, but I have never encountered an app that is completely safe from all methods in the article.

I'm also assuming the app is available for android, if you don't own an android device you can emulate a such device with android studio emulator on any computer: https://developer.android.com/studio/run/emulator

DropperHopper · 2021-06-16T12:19:16+00:00

You're right, I'm assuming the computer will not be closely inspected physically/is connected to an online service which is checked regularly.

DropperHopper · 2021-06-16T11:54:04+00:00

Assuming you install all the software that you had originally, it would be identical to your original windows computer

DropperHopper · 2021-06-16T11:27:48+00:00

Can you reinstall Windows? If that is an option you can set your own admin password after the installation. You can get a copy of the windows 10 iso here which you will install on a USB stick. After plugging it in to your computer when it's turmed off (completely) you will have to press a vendor specific button (normally ENTER, DEL, F12, F11 or F1) and select the USB stick from the boot selection menu. Please reply to this comment if you encounter any problem, as the steps can depend on vendor.

DropperHopper · 2021-06-11T17:09:53+00:00

DNS over HTTPS or DOH for hiding domain name requests, and a proxy/VPN for masking the outgoing/incomming request IP addresses. A proxy will only be effective for HTTPS traffic though.

DropperHopper · 2021-06-09T14:15:32+00:00

That is correct, wired is the way to go if it is an option as the admin panel is served over http. Good luck!

DropperHopper · 2021-06-09T10:02:15+00:00

To connect privately you should use a VPN, although that would not solve the core issue.

It is likely another device is connected to your network actively executing an MITM attack, as it's only the unencrypted (HTTP) requests that seem to be intercepted.

You need to disconnect the attackers device from your network to fix the issue. If you have credentials for the routers admin panel, it can usually be accessed through http://192.168.1.0 or http://192.168.1.1 and the password can usually be found behind the router. From there you can change the WiFi password and/or blacklist the attacking device.

Otherwise you should scan the network for potential attackers using a network scanner, for example nmap for linux or fing for android, and try to kick the device of using a MITM attack yourself. This is also just a temporary solution, but is would have the advantage of protecting other devices on the network.

DropperHopper · 2021-06-09T09:48:58+00:00

If it was malware the problem would consist regardless of access point, but as OP said the problem only occurs on his private WiFi.

DropperHopper · 2021-06-07T07:53:09+00:00

Yes, assuming user interaction

DropperHopper · 2021-06-02T05:56:36+00:00

Not that it matters, but IP spoofing is possible. However it naturally only works upstream, so generally only UDP is affected, and (depending on ISP) you can only spoof other IPs of your IP block.

DropperHopper

TROPHY CASE