AI Can Scour Code To Find Accidentally Public Passwords

An anonymous reader shares a report: Researchers at software infrastructure firm Pivotal have taught AI to locate this accidentally public sensitive information in a surprising way: By looking at the code as if it were a picture. Since modern artificial intelligence is arguably better than humans at identifying minute differences in images, telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat. The best way to check whether private passwords or sensitive information has been left public today is to use hand-coded rules called "regular expressions." These rules tell a computer to find any string of characters that meets specific criteria, like length and included characters.

Just Look for Camel case plus numbers and symbols

[goombah99]

There's realtively few instances where mixed capitals, symbols and numbers are valid syntax. yes there are, but few. sounds like we just made it easy to spot thepassword.

Re:

[ichimunki]

Good luck avoiding those "relatively few instances" in a Perl script.

You just made my point I think

[goombah99]

every language is parsable. Parsing rule sets can be written out in YACC. the rules tend to be incredibly simple and simply use recursion for deep nested cases. As a result it's not a terribly hard task to decide if a small fragment could be expanded to legal code or if it's not legal code.

Perls use of sigils actually is actually there to improve both to simplify parsing as well as to make it human readable. Yeah yeah... human readable jokes about perl. Ha Ha. But really you can look at perl and tell

Re:

[angel'o'sphere]

But really you can look at perl and tell what catergory a variable is from the sigils--
Actually you cant. For obscure reasons the sigils sometimes change when accessing arrays or hashes.

Re:

[Oswald McWeany]

There's realtively few instances where mixed capitals, symbols and numbers are valid syntax. yes there are, but few. sounds like we just made it easy to spot thepassword.

When you're talking about b00B$ but don't want to hit on any keyword censors at work?

Re:

[UnknownSoldier]

/sarcasm Ah, cool, another alternative to for:

// HACK, co-worker was a

// B(.)(.)B

I think they are saying AI is better than regex

[raymorris]

I think what they are trying to say is this:

Researchers have a new way using AI.
In currently deployed, publicly available systems, the best way is regex. The new AI way may be better.

While regex is a reasonably good tool for the task, I don't know that it's the BEST way currently used. A small, simple routine built specifically for the task may be better because regex takes characters in order. It's difficult (and slow) to build a really good regex for this because you mostly don't care what order they are

No the AI is probably writing the regexs

[goombah99]

If I were doing it I'd have the AI discriminate what regexes will extract passwords most efficiently.

Third problem

[goombah99]

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

and if it becomes self-aware regex then they have three problems, two of which don't matter anymore

Re:

[Zontar The Mindless]

Regexes are not self-aware.

XSLT is self-aware.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: I do this sometimes

[nghate]

This wouldnâ(TM)t scale very well if you started using unique passwords per site as you should....

Re:

[Guybrush_T]

A funny answer to a troll. Love it.

Re:

[Junta]

Actually, not all bash setups are configured to ignore things that start with spaces.

$ echo $HISTCONTROL
ignoredups

ignorespaces has confused so many people that I think a lot of distributions have stopped putting that in HISTCONTROL.

Re:

[Junta]

Another option is to use the read command to store it in an environment variable, never having it on the CLI in the first place. This lets history still show you everything you did, but without the password and such in it.

You know where they should be looking?

[bobstreo]

Google Search. site:Domain and the word password.

You'd be dismayed at how stupid some people are. Or maybe just not surprised.

When all you've got is a hammer..

[mccalli]

Sounds like another "let's force everything into TensorFlow's image prediction system" thing.

Re:

[aleksander suur]

Well sorta, but in their defense AI type systems seem to be very versatile as far as hammers go and we certainly haven't found every application they can do. Chucking AI at any random problem might not get you the best of all possible solutions, but in many cases it can give you a solution nobody has tried before, well worth the experiment.

Can it scour the front page of Slashdot...

[Anonymous Coward]

...to find clickbait articles about AI?

Regular Expressions

[jbwiebe]

Have we really reached the point on a 'News for Nerds' site where we need to explain the term 'regular expression'?

Re:

[religionofpeas]

Yeah, it's not even a special expression, just plain old regular.

Re:

[mrwireless]

And even on Slashdot algorithms are "AI" now..

Easy?

[frank_adrian314159]

telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat.

Well, unless the code is PERL - then it looks like a password that has been spread over however many lines.

rot13

[petes_PoV]

best way to check whether private passwords or sensitive information

Easily defeated

FTFY

[3vi1]

> ...is to use hand-coded rules called "regular expressions."

You mean: ...is to use hand-coded rules called "^regular expressions\.$"