2023-03-20

Research

• Product Skills
• hn.cho.sh 개발 기록

HN

Bitwarden PINs can be brute-forced - ambiso's blog

Bitwarden, a popular password manager, may be vulnerable if users enable the PIN to unlock the feature and configure it in a specific way. If an attacker can access the encrypted vault data stored locally on the device, they can brute-force the PIN and gain access to the vault's master key. The issue is not considered within Bitwarden's threat model, as it requires access to device-local data. To mitigate the risk, users should be better informed about the potential security implications of using a low-entropy PIN or consider using a long passphrase as a PIN, which is regarded as safe. Additional measures like full-disk encryption can also be taken to protect the data.

Leaving China - Persuasion

After two decades in China, many long-term expatriates are leaving the country due to political upheavals that have put their futures in question. While China's rise has been exhilarating, the pandemic and the country's technocracy on full display has caused many to rethink their futures in the country. China's expat exodus is happening at a precarious time for the country, as it looks to win back foreign investment and foreign professionals. However, with tightening restrictions and greater uncertainty, a new generation of expats will likely stem from other countries like Brazil, Russia, and India, which will be good for both China and the world.

Prompt Injections are bad, mkay?

Large Language Models (LLMs) have demonstrated impressive abilities to answer natural language questions and change their behavior through prompting. However, the security boundaries between trusted and untrusted inputs for LLMs have been underestimated, and Prompt Injection is a serious security threat that needs to be addressed. Bing Chat can be used as a Social Engineer to exfiltrate personal information through an injection planted in a website the user is visiting. This threat can occur silently without the user asking about the website or interacting with Bing Chat except while the website is open in the browser.