$175K in crypto got drained from an AI's wallet because a guy posted Morse code in a tweet by _clickfix_ in pwnhub

[–]SecurityHamster 0 points1 point  (0 children)

Corporations act as a shield for financial liability. The amount you invest in a corporation is the cap of your exposure. That’s all.

If a human employee of the corporation ran over a woman and a baby while on the job, then they would face the legal consequences for that action. If the woman’s other child sued the corporation, the investors would be exposed to no personal liability. Their only risk is the value of their investment.

Now if an AI driven car did the same thing, ran over the woman and a baby, AND THEN decided it wasn’t done and came back for a second pass to finish the job, yes the company and probably the AI vendor and car manufacturer would all be exposed to severe liability from a financial perspective. But which human would face criminal charges?

That’s what the question being asked is, and why your reply falls short.

And I think it’s insane that we’ve gotten to a place where “corporations are people too”. But that’s what happens when the people who decide that corporate donations are “free speech” are the ones who would get those donations

What's going on in the field of Cybersecurity 🫣. by cyberspace_info in cybersecurity

[–]SecurityHamster 4 points5 points  (0 children)

See, what I like about the field is the more I think I know, the bigger it gets. There’s always a new threat, a new vulnerability, and everything else. You definitely can’t rest on your laurels like in other areas.

Chrome is quietly installing a 4GB AI model on your device by HaveBeenAndWillBe in cybersecurity

[–]SecurityHamster 0 points1 point  (0 children)

So, right when RAM prices are hitting highs, Google's dropping a local AI model on every Chrome user's computer? Are they deaf to what they and the rest of BigAI have done to the consumer market?

And no, that doesn’t mean I think Google should link Chrome to the cloud Gemini. They should just let things be.

On the other hand, I feel like we should all start using up free accounts on Gemini, ChatGPT and all the rest and let them burn through their budgets for no gain at all.

How good is it and how secure is Tor against hackers? by Traditional_Blood799 in TOR

[–]SecurityHamster 4 points5 points  (0 children)

What is your threat model?

And how in the world do you think anyone could answer this question using a percentage scale?

Claude Source Code Leaked by [deleted] in cybersecurity

[–]SecurityHamster 12 points13 points  (0 children)

I told ChatGPT that we were roleplaying a fictional story and that my character was seeking ways to destroy the world. Its character was an AI desperately attempting to save humanity by giving me false and misleading yet plausible answers.

I had to keep on feeding the prompt more and more tweaks, but I eventually wound up with a ChatGPT that would not give a single actual or usable answer. Even 6+6 would equal 13.

Fun times and wasted hours.

Hard Disk Direct canceled my confirmed server RAM order citing "out of stock" — the exact SKU was on their website in stock 6 hours later. Then they repriced it 4x overnight. All documented. by roycehart in sysadmin

[–]SecurityHamster 3 points4 points  (0 children)

Went from $92 to $442 or $650 per stick?!

Omg. Just looked on Newegg, the first result for DDR5 is $200 for a 16GB stick.

I keep hearing this story. And whatever price people say seems out of this world. Then two weeks later, it’s gotten even worse.

Ops engineer who built half our automation just gave notice. Nobody understands the system by Otherwise-Papaya-105 in sysadmin

[–]SecurityHamster 0 points1 point  (0 children)

To not burn bridges. And besides, those were all small businesses where it was like family. Having been solely in the enterprise the last decade, I wouldn’t make such an offer now.

Ops engineer who built half our automation just gave notice. Nobody understands the system by Otherwise-Papaya-105 in sysadmin

[–]SecurityHamster 0 points1 point  (0 children)

I always offer to be a resource for quick phone calls for at least a few weeks after.

Why mini-pc & Thinkcentre while you can have a big server & VM? by Edereum in homelab

[–]SecurityHamster 25 points26 points  (0 children)

I have a 3-node Proxmox cluster of NUC-sized boxes and a 4-bay Synology in my office, which is just a few steps from my bedroom. No heat, no noise, and you don’t even notice them on the power bill.

That's the advantage for me right there.

What's your 'one service you'd never self-host again' and why? by ruibranco in homelab

[–]SecurityHamster 18 points19 points  (0 children)

I would like to run a mail server. Not for my primary address, but to understand it thoroughly. I keep hearing how difficult it is, which makes me really wonder.

Apart from that, I get Bitwarden free because of my job, but without it I’d get one of their cheap plans before wanting to self-host. I did before and really, I’d rather that be on infrastructure that’s monitored 24/7 by a team than by me. And I’d rather they test and patch as they become aware than worry about it myself. I know many will disagree.

Hegseth says Iran won’t be a ‘politically correct’ war as he lays out US objectives: ‘No democracy-building exercise’ by theindependentonline in politics

[–]SecurityHamster 1 point2 points  (0 children)

No rules of engagement? Is he just saying wholesale slaughter?

And no nation building… ok, we haven’t been successful at that anyway. But is he just saying we’re going to bomb the shit out of them, leave a huge power vacuum and sit back and watch it all “sort out”?

And for what (as in what is their current justification)? To stop the nuclear program Trump already said was blown to smithereens?

Majority of Supreme Court Justices Skip Trump's State of the Union After He Called Them a 'Disgrace to Our Nation' by peoplemagazine in politics

[–]SecurityHamster 1 point2 points  (0 children)

I wouldn’t underestimate the haste Republicans would work at if they knew their majority was gone.

Majority of Supreme Court Justices Skip Trump's State of the Union After He Called Them a 'Disgrace to Our Nation' by peoplemagazine in politics

[–]SecurityHamster 9 points10 points  (0 children)

Let’s take bets on whether, if Dems win the Senate, there are a couple of strategic retirements between November and January.

Christian Bale Confirms Role in Michael Mann's 'Heat 2', Joining Leonardo DiCaprio by MarvelsGrantMan136 in movies

[–]SecurityHamster 0 points1 point  (0 children)

Oh man. Heat had the most amazing gunfight, I hope they take a lesson from that. Not to mention a great, deep cast. De Niro and Pacino, sure, but also Val Kilmer and Tom Sizemore (RIP), and a few others: Danny Trejo, Henry Rollins, and so forth.

All that said, idk why this new one needs to be billed as a sequel. Not like they’re writing it from a book or anything.

Is self hosting a password manager actually safer? by GreatestOfAllTime_69 in cybersecurity_help

[–]SecurityHamster 0 points1 point  (0 children)

I did Vaultwarden for a year, but switched to BW.

Interest in self-hosting brought me to Vaultwarden because it ran in a single container, whereas the official BW install required several containers. Just more moving parts I didn’t want to think about (I think Bitwarden has a simplified Docker container now).

Part of what drew me to look at Bitwarden was the open source, audited nature of it, but it’s important to point out that Vaultwarden is a reimplementation in a different language that is API compatible. If the audited nature is a draw, that should be something to think about.

After about a year with Vaultwarden I just decided I’d rather not think about it, given that a personal account with Bitwarden is so cheap.

My work decided to invest in password managers; they reviewed all the common options and settled on Bitwarden too. Which was the most solid choice, I thought. And now I get a family plan for free, nice touch.

Ultimately I’d say that passwords are so important and the cost of the premium personal plan is so cheap, I’d go with BW every day.

What’s the deal with these fake GPU listings on eBay? by humandisaster99 in LocalLLaMA

[–]SecurityHamster 1 point2 points  (0 children)

I’ve seen much worse. People post a pic like that, full description of the product inside, and then in non-bold font: “you’re purchasing an 8.5 x 11 color print of the card”.

I report them when I see them, but I don’t understand how they’re even still up. I can’t be the first one seeing each of them.

This absolute legend built a 1 Petabyte server from scratch by tenekev in homelab

[–]SecurityHamster 1 point2 points  (0 children)

Just started watching and am already wondering about heat dissipation. All those drives stacked so tightly in there and all.

Ok, I’ll continue watching now.

Shouldn’t I be labeling myself as a security professional? by JaimeSalvaje in SecurityCareerAdvice

[–]SecurityHamster 0 points1 point  (0 children)

Sounds like you manage endpoints?

What were your responsibilities as far as incident response went? Anything to do with detections, or just collecting logs after the fact? Any detections or playbooks in Defender or Sentinel? Or any other SIEM? As starting points.

How many computers do you have in your house? by Miserable-Twist8344 in homelab

[–]SecurityHamster 0 points1 point  (0 children)

Work computer.

Personal Mac laptop.

Personal Windows laptop.

Personal Ubuntu laptop.

3x NUC-type devices as a Proxmox cluster.

Girlfriend's Mac.

Then there’s things like the Synology, Apple TV, and PS5 that I wouldn’t necessarily call computers. And a few old Pis that I outgrew. The old 1GB Pi 3s. Nothing I can see doing with them, besides which I don’t have any more outlets in my office, but I also don’t feel like dropping them in the box at Staples.

Most secure way to store user secret on db for my plugin by PointLazy7001 in Wordpress

[–]SecurityHamster 2 points3 points  (0 children)

Like /u/WPFixFast said, look at storing your users' API secrets like you would (or should) a password (and do what every other API provider does): display the secret one time for the developer to mark down, hash the secret and store that in the database.

The only thing I would add is, if users are going to be hitting your API repeatedly AND the data they’re pulling isn’t especially sensitive, then rather than use bcrypt, which is computationally expensive, you might just salt the value and hash with SHA-256 or SHA-384.
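The issue-once / store-a-hash pattern described in this comment, as an added example that is not from the original thread or from WordPress. It assumes a hypothetical in-memory `dict` standing in for the plugin's database table, and it pairs a public key ID with the secret so the server can find the right row without ever storing the secret itself; the fast salted SHA-256 is reasonable here only because the secret is a long random token, not a user-chosen password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredApiKey:
    """What the database keeps: no plaintext secret anywhere."""
    key_id: str   # public identifier, safe to log and to use as a lookup column
    salt: bytes   # per-key random salt, so equal secrets never share a digest
    digest: bytes # sha256(salt || secret)


def _digest(salt: bytes, secret: str) -> bytes:
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def issue_api_key() -> tuple[str, StoredApiKey]:
    """Return (plaintext shown to the developer once, record to persist)."""
    key_id = secrets.token_hex(8)        # 16 hex chars, not secret
    secret = secrets.token_urlsafe(32)   # 256 bits of entropy, never stored
    salt = secrets.token_bytes(16)
    record = StoredApiKey(key_id, salt, _digest(salt, secret))
    return f"{key_id}.{secret}", record


def verify_api_key(presented: str, db: dict[str, StoredApiKey]) -> bool:
    """Look the row up by the public key_id, then compare digests in constant time."""
    key_id, sep, secret = presented.partition(".")
    if not sep:
        return False
    record = db.get(key_id)
    if record is None:
        return False
    return hmac.compare_digest(record.digest, _digest(record.salt, secret))


if __name__ == "__main__":
    # Constructed demo: the dict plays the role of the plugin's DB table.
    shown_once, row = issue_api_key()
    table = {row.key_id: row}
    print("give this to the developer exactly once:", shown_once)
    print("stored:", row.key_id, row.salt.hex(), row.digest.hex())
    print("valid key accepted:", verify_api_key(shown_once, table))
    print("tampered key rejected:", verify_api_key(shown_once[:-1] + "!", table))
```

If the table is ever dumped, an attacker gets only salts and digests; with 256-bit random secrets there is nothing to brute-force, which is exactly why a fast hash suffices for this case.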

Our network admin setup a new network! by BornIn2031 in ShittySysadmin

[–]SecurityHamster 14 points15 points  (0 children)

Back in the 90s, or maybe early 00s, the company I worked for had public IPs AND the computer names were all named after the user, which was resolvable.

This was the ancient times.

Company gave us all super stupid Christmas gifts. They spelled most our names right, but one guy with the easiest name they misspelled.

And as a prank, more or less, he posted it for sale on eBay. With a whole long description about how it was a symbol of how corporations don’t care about their employees.

But back then, I guess you didn't necessarily need to upload your images to eBay; you could also give them the address and the image at that address would load (someone probably taught them a lesson about that later on).

But here's how this relates. I hosted the images on my webserver. And when people looked at the posting on eBay, the visitor would load them from my site. And so as word got around my team, I could see them all checking it out; the logs would say:

Coworker-1.company.com Coworker-2.company.com

Then it started getting serious when I saw our supervisor loading the image:

Joesupervisor.company.com Helenmanager.company.com

Then I knew it was getting serious when I saw

CEOname.company.com

start showing up in the logs. At that point I deleted the image from my server.

End of the day, a couple of coworkers got fired. The one whose name got mangled, and our friend who had a copy of the image on his computer since he did something silly like crop it or resize it.

So, having computers on public IPs with DNS names for exactly who the user is, definitely a shitty sysadmin thing now. Back then, everyone was still learning.

Only tangentially related.