So you want to steal Healthcare Data...

แชร์
ฝัง
  • เผยแพร่เมื่อ 21 ธ.ค. 2024

ความคิดเห็น • 378

  • @DanielBoctor
    @DanielBoctor  วันที่ผ่านมา +6

    To try everything Brilliant has to offer -free- for a full 30 days, visit 👉 brilliant.org/DanielBoctor/. You'll also get 20% off an annual premium subscription!
    THANKS FOR WATCHING ❤
    JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm
    👇 Let me know what type of content you would like to see next! 👇
    Thank you for all of the support, I love all of you

    • @YodaWhat
      @YodaWhat 7 ชั่วโมงที่ผ่านมา

      Does BRILLIANT teach all the technical and cognitive methods that programmers MUST USE to stop themselves from making these continual stupid programming errors? If so, then a proper course of BRILLIANT lessons should be REQUIRED as PREREQUISITES for all programmers seeking jobs, as well as those already employed. How's that for progress?

  • @AQDuck
    @AQDuck วันที่ผ่านมา +844

    "Why are you so worried about Microsoft and Google having all your personal data?"
    Me:

    • @Tannerlegasse
      @Tannerlegasse วันที่ผ่านมา +45

      Well you don't have anything to hide, right? What do you care? 😂 (sarcasm)

    • @ecMathGeek
      @ecMathGeek วันที่ผ่านมา +28

      Yeah, I see this and I think "And they expect us to believe Recall AI is going to be secure?"

    • @Tannerlegasse
      @Tannerlegasse วันที่ผ่านมา +15

      @@ecMathGeek yo, they started rolling out recall in beta and I immediately transitioned 100% to Linux. I do not play with Microsoft, and as little as humanly possible with Google (Android).

    • @amigalemming
      @amigalemming วันที่ผ่านมา +6

      In Germany they started an opt-out solution to putting all private health data into the cloud. They are proud that only few citizens actually opt out.

    • @Valerius123
      @Valerius123 วันที่ผ่านมา

      Honestly, this is negligible to the real issue with them having all your personal data. They create psychology profiles on you and force feed you propaganda that aligns with their political interest in order to sway elections.

  • @weshuiz1325
    @weshuiz1325 วันที่ผ่านมา +259

    The real question is "who trusted Microsoft with healthcare data"

    • @Peaches-i2i
      @Peaches-i2i 14 ชั่วโมงที่ผ่านมา +14

      The average person who barely understands the magic box they hold in their hands.

    • @zehph
      @zehph 14 ชั่วโมงที่ผ่านมา +9

      @@Peaches-i2i Well in this instance this was by more than one health provider, these cloud offerings abstract everything from the clients consuming, they might be forced by management to integrate AI in their offerings and contracted an “enterprise” solution to not have to deal with exactly this kind of bs that is not hard but tedious to setup and maintain.

    • @cosmotraumatika7474
      @cosmotraumatika7474 11 ชั่วโมงที่ผ่านมา +3

      Pretty much and all HR executives in any corporation if it was offered to reduce costs.

    • @gschgvt2956
      @gschgvt2956 11 ชั่วโมงที่ผ่านมา +3

      Those last 3 words were unnecessary.

    • @JeremyAndersonBoise
      @JeremyAndersonBoise 11 ชั่วโมงที่ผ่านมา +2

      Amazon bought the second largest healthcare provider in the US two years ago. Doom.

  • @tristonhoang3881
    @tristonhoang3881 วันที่ผ่านมา +510

    Why on earth would a health application need to execute remote JavaScript from client to server? Most of these bugs wouldn't exist if this feature hadn't been implemented in the first place

    • @user-ks1oh2wx6o
      @user-ks1oh2wx6o วันที่ผ่านมา +48

      My question exactly. It's literally a health bot (which I presume you ask about health concerns and such), not a programming assistant.

    • @lucmon98
      @lucmon98 วันที่ผ่านมา +32

      🎉 well, I got on the "path traversal" was the most complicated one, really? Exactly this Input would be caught by any proper pentesting/fuzzy program.
      All exploits are basic (at most) compared to the state of the art.
      Thus, I have to expect that they deployed a service with access to health data without any proper testing (?)
      Fix in production mentally 😂🎉

    • @volkerengels5298
      @volkerengels5298 วันที่ผ่านมา

      Surprisingly humans make 'errors' now and then. Assembling a complex thing leaves lot of space over time. "American telephone is hacked...." How that?? :))

    • @Otherfox-be9up
      @Otherfox-be9up วันที่ผ่านมา +5

      ran out of money for hiriny offsecs

    • @jacklimestone2559
      @jacklimestone2559 22 ชั่วโมงที่ผ่านมา +18

      As an old Medical Software developer, requests to have an ability to execute arbitrary code is pretty common unfortunately. The best we do is to prevent WHO can do that, is to limit it to sysadmins, but ya.

  • @Graverman
    @Graverman วันที่ผ่านมา +248

    200k is not a fair price. Even if microsoft stock only fell down 5% after leaking 100 million *medical* data, this would cost them 162 billion.
    This is equivalent to paying someone a dollar for protecting your millions... after you mess up.

    • @YT7mc
      @YT7mc 21 ชั่วโมงที่ผ่านมา +9

      such is fair market 🤷‍♂️ it all comes down to capitalism and end of the day this makes them the most money.

    • @itech40
      @itech40 20 ชั่วโมงที่ผ่านมา

      I agree...

    • @nikkiofthevalley
      @nikkiofthevalley 20 ชั่วโมงที่ผ่านมา

      ​@@YT7mcThe problem is less capitalism and more that companies are allowed to pay to change the laws. They've slowly, insudiously, obliterated all protections for customers and the public in general.

    • @hydra4370
      @hydra4370 19 ชั่วโมงที่ผ่านมา +8

      200k is not enough for a bug like this, but a guy who can do this casually, four times in a row, is probably making that a year already

    • @DeltaNovum
      @DeltaNovum 13 ชั่วโมงที่ผ่านมา +1

      Class... Action... Lawsuit!

  • @ciscodisco9155
    @ciscodisco9155 วันที่ผ่านมา +512

    Should have gotten way more than 200k for something this severe…

    • @AQDuck
      @AQDuck วันที่ผ่านมา +2

      Personal data is only valuable when databrokers gets their greasy hands on it.

    • @magfal
      @magfal วันที่ผ่านมา +38

      200M would be fitting given the situation.

    • @ciscodisco9155
      @ciscodisco9155 วันที่ผ่านมา +33

      @ imagine the damages if those records got out, would be in the tens of billions easily

    • @coletcyre
      @coletcyre วันที่ผ่านมา +41

      Goes to show much value they assign to people's privacy compared to how much they make selling our data

    • @ciscodisco9155
      @ciscodisco9155 วันที่ผ่านมา +9

      @@coletcyre puts the $ in M$

  • @matt_milack
    @matt_milack วันที่ผ่านมา +154

    tHErE wiLL Be nO SuCH thINg aS teCH joBS BY 2030!!!

    • @andybaldman
      @andybaldman 18 ชั่วโมงที่ผ่านมา +5

      There will be no people left by 2030

  • @H33t3Speaks
    @H33t3Speaks วันที่ผ่านมา +73

    Wow, giving user interactive chat robots Root Privileges hasn't worked out well. Who would have thought. Please, let us hold hands in stunned silence.

    • @RickySupriyadi
      @RickySupriyadi วันที่ผ่านมา +1

      is this azure even Linux?

    • @DaveEeEeE-hu7gu
      @DaveEeEeE-hu7gu 20 ชั่วโมงที่ผ่านมา +1

      @@RickySupriyadiit’s a hypervisor dude, can run anything

    • @RickySupriyadi
      @RickySupriyadi 20 ชั่วโมงที่ผ่านมา

      @@DaveEeEeE-hu7gu ok thanks

    • @BoringLoginName
      @BoringLoginName 10 ชั่วโมงที่ผ่านมา +2

      I'm out of stunned silence. Can I use bewildering contempt instead?

  • @logananderon9693
    @logananderon9693 วันที่ผ่านมา +228

    Leave it to Microsoft to do something so stupid it boggles the mind.

    • @Ilovecruise
      @Ilovecruise วันที่ผ่านมา +10

      Heck we have a saying in our team, as long as it’s data being managed by vendor, it’s not our responsibility. (Password managed in self hosted open source key manager with compliant encryption and security - not OK, password stored in OneNote in plaintext - not so good but OK)

    • @battokizu
      @battokizu วันที่ผ่านมา +6

      Well, (chuckles to self), your using microsoft products so of course its unsafe!
      This includes the entirety of the medical industry so idk. Were all doomed.

  • @mikeyangyang8816
    @mikeyangyang8816 17 ชั่วโมงที่ผ่านมา +26

    Microsoft CEO even announced last week that they would replace the entire azure product line with only ai "agents" where the bots would be able to create, update and delete all data on your services on azure...

    • @HideBuz
      @HideBuz 13 ชั่วโมงที่ผ่านมา

      Nuclear ROLF!

    • @lilshippo2799
      @lilshippo2799 7 ชั่วโมงที่ผ่านมา +1

      what could go wrong? :3

  • @PanchoPU88
    @PanchoPU88 วันที่ผ่านมา +321

    "AI WiLl RePlAcE SoFtWaRe EnGiNeErS!"

    • @paca3107
      @paca3107 วันที่ผ่านมา +20

      the biggest lie of the recent years

    • @_Billy
      @_Billy วันที่ผ่านมา

      YoU aRe veRy ShOrt siGhtEd

    • @nateh379
      @nateh379 วันที่ผ่านมา +3

      At the same time, Alexnet was just 2012. And ChatGPT was just 2022. Imagine what another 10 years will do.

    • @PanchoPU88
      @PanchoPU88 วันที่ผ่านมา +43

      @@nateh379 I'm sorry man but anyone that says that either can't code for sh1t or doesn't realize that if human ingenuity is replaced by AI then all engineers can be replaced by AI, not just the software ones...

    • @hello19286
      @hello19286 วันที่ผ่านมา

      ​@@nateh379 That's all that you can do, imagine. Extrapolating technological breakthroughs doesn't make sense, they don't follow some linear or exponential timeline, they are breakthroughs.

  • @golvistavarez9946
    @golvistavarez9946 วันที่ผ่านมา +130

    Probably was due to AI code being used for the backend! People don’t understand how many security vulnerabilities are to come out from all the AI code being written!

    • @daveb3910
      @daveb3910 23 ชั่วโมงที่ผ่านมา +7

      Yup! I work in the HIPPA field and it's surprising how many people want to use AI code, luckily in my business we can't, so it's easy for me to say no, as i can't validate a black box, which step by step validation is required for our data since it directs health decisions, but other fields can and it will continue to produce large vulnerabilities. It's honestly scary

    • @slomnim
      @slomnim 20 ชั่วโมงที่ผ่านมา +2

      And yet google openly says something like 60%+ of its code now is ai generated...

    • @RoryEckel
      @RoryEckel 18 ชั่วโมงที่ผ่านมา +3

      AI code is fine but it needs an experienced reviewer

    • @MaakaSakuranbo
      @MaakaSakuranbo 16 ชั่วโมงที่ผ่านมา

      @@daveb3910 wdym, validate a blackbox. AI code means code you generated via AI, not using AI to write code live?
      The generated code isn't a black box

    • @JasonAtlas
      @JasonAtlas 13 ชั่วโมงที่ผ่านมา +2

      Its just so much faster to do my own coding then try and catch all of the insane things and ai code might do. Like 95% of the time it's fine 4% it's broken and the last 1% it's doing something genuinely insane.
      I know what mistakes I tend to make and where to look for them. I've spent a long time learning good practise. The ai has every mistake in recorded history at it's finger tips and usually it's the stuff reviewed enough to not immediately be obvious.
      Ai coding is a big gamble.

  • @aaroncarney7733
    @aaroncarney7733 วันที่ผ่านมา +92

    Why the hell was it connected to the medical data in the first place?

    • @pseudomemes5267
      @pseudomemes5267 วันที่ผ่านมา +24

      Selling "insights" about people to ad networks. It's not just knowing what people like anymore. It's knowing all medical conditions to better target them.

    • @lopiklop
      @lopiklop 22 ชั่วโมงที่ผ่านมา +3

      Thank YOU! Yes. Hello. These are private medical records.

    • @lopiklop
      @lopiklop 22 ชั่วโมงที่ผ่านมา +3

      @@pseudomemes5267 You say that as if they have the right.

    • @lopiklop
      @lopiklop 22 ชั่วโมงที่ผ่านมา

      @@pseudomemes5267 At which point during my doctor visit did I agree to such a thing? How does it go from a doctor visit to building artificial intelligence? So they're benefiting from my interaction. How much value does MY MEDICAL RECORDS generate for THEIR product?

    • @ARockRaider
      @ARockRaider 20 ชั่วโมงที่ผ่านมา +4

      ​​@@lopiklop it's probably included as part of the Windows EULA, something like "if you have ever used windows for any reason we have the right to gather and sell any information about you"
      this is obviously a joke, but also not out of the scope of what mega corps think they can get away with through their EULAs (remember that Disney tried to say the EULA for a free trial of their streaming service ment they couldn't be sued for a lethal allergic reaction at one of their parks)

  • @LeetHaxington
    @LeetHaxington วันที่ผ่านมา +57

    I’m surprised the microsoft patch wasnt to just ban his ip and then have bugfixes to add his new ip every time

  • @Richard-gs6oq
    @Richard-gs6oq วันที่ผ่านมา +84

    Sound like a HIPPA violation!

    • @your_new_sjw_waifu
      @your_new_sjw_waifu 22 ชั่วโมงที่ผ่านมา +7

      Nah doesn't apply if you have enough money

    • @nekonikku
      @nekonikku 13 ชั่วโมงที่ผ่านมา +1

      Don’t be a hippo, it’s HIPAA.

    • @yoyoma2831
      @yoyoma2831 8 ชั่วโมงที่ผ่านมา

      What i was thinking too

  • @Some1_Some1_Some1_Some1
    @Some1_Some1_Some1_Some1 วันที่ผ่านมา +24

    Running arbitrary code on a machine with sensitive data sounds like a recipe for disaster, even when sandboxed...
    They should definitely give the "running javascript" bit to some other server that only does this. That server can then be isolated from the rest, making any breach somewhat useless.

  • @snudget
    @snudget วันที่ผ่านมา +170

    It seems like QA and security is irrelevant today. The only thing that matters is getting out a semi-broken thing as fast as possible

    • @HamidKarzai
      @HamidKarzai วันที่ผ่านมา +25

      if you take the time to do that stuff right then minimum viable product move-fast-and-break-stuff crowd will eat your lunch with their rapid results and problems that don't show up until later down the line. And since you've now sold a product that constantly breaks you can now as a bonus get even more money out of expensive maintenance/support contracts! how's that for a win-win! disruptive capitalist innovation at its finest

    • @TheGreatNoticing00
      @TheGreatNoticing00 วันที่ผ่านมา +22

      MS developers are generally a different flavour today. Same goes for Google. I'd expect less and less from them going forward, as they continue to hire based on "appearance" rather than talent. Maybe I'm a bit salty, but it's true nonetheless.

    • @happygofishing
      @happygofishing วันที่ผ่านมา +4

      @@TheGreatNoticing00 They are too busy "doing the needful"

    • @vaakdemandante8772
      @vaakdemandante8772 วันที่ผ่านมา +2

      In a way it has always been like that in the business. In the old days of software, there wasn't so much competition on the market, so you could've focused a bit more on quality, but every established market with competition sooner or later reaches a stage, where you can't spend too much money on perfection and need to earn income ASAP. Software has reached this milestone about a decade or two ago.

    • @entropycat
      @entropycat วันที่ผ่านมา +6

      Microsoft removed all QA teams years ago.

  • @lopiklop
    @lopiklop 22 ชั่วโมงที่ผ่านมา +14

    I think a better question is why does Microsoft AI have access to private medical records.

    • @BlackMatt2k
      @BlackMatt2k 7 ชั่วโมงที่ผ่านมา +1

      Medical institutions use 3rd-party developers for their apps, and hire vendors to upload or stream data to cloud services for them to load. There are more rules and paperwork than you can imagine to keep things compartmentalized and "safe", theoretically, but current dev culture attitudes and perverse corporate incentives undermine it daily. My anxiety level has dropped substantially since leaving that industry, cuz you either fight your conscience or fight literally everyone on the call over obvious stuff like this, every day.

  • @stevesteve8098
    @stevesteve8098 20 ชั่วโมงที่ผ่านมา +11

    Simple , it's Microsoft....
    they write their programs to just do things... security, safety and non-crashing come later...
    I went to a MS conference once with their programming team... where they outlined their programming development and internal "mantra"
    when i left I was completly shocked at how lax they were...
    They basically write software with as few checks and balances as possible, it just matches the spec & that is it..
    when they have to modify the systems for other uses.. they just make changes & fix what visibly breaks

    • @YodaWhat
      @YodaWhat 7 ชั่วโมงที่ผ่านมา

      Are you suggesting that is any different from how ALL big companies write the CRAP they pass off as software?

  • @aajas
    @aajas 23 ชั่วโมงที่ผ่านมา +13

    One of the great things about being American:
    I ain't been to a doctor in decades, you got nothin on me

    • @jaysonrees738
      @jaysonrees738 17 ชั่วโมงที่ผ่านมา

      Honestly, I wouldn't go that often even if it was free. All they do is try to push pills on me and do a crappy job of finding potential problems. The best medicine is not eating trash, getting some exercise, and enjoying time with friends. That stuff doesn't net piles of money though, so they never bring it up.

    • @laulaja-7186
      @laulaja-7186 7 ชั่วโมงที่ผ่านมา +1

      Couldn’t afford to visit a doctor, same as the rest of us? That can only last so long…

  • @Jeza921
    @Jeza921 18 ชั่วโมงที่ผ่านมา +6

    Data breaches are often the result of errors in system management or configuration, not “automated” AI. More importantly, the responsibility lies with the humans who design, deploy, and monitor the system, not the AI ​​itself.

  • @arkorat3239
    @arkorat3239 17 ชั่วโมงที่ผ่านมา +11

    as if i wasnt already worried by the whole "copilot takes screenshots of your computer"

    • @YodaWhat
      @YodaWhat 7 ชั่วโมงที่ผ่านมา

      Say more on this. And WHICH versions and variants of Copilot? Only the web versions? If so, in which browser(s) does these TOTAL BS exploits occur? Does it also affect the Copilot running inside Skype?

    • @arkorat3239
      @arkorat3239 4 ชั่วโมงที่ผ่านมา

      ​@@YodaWhat Been a while ago, but i think its just ordinary copilot. the same that comes with windows 11.
      Its not really an exploit, its how microsoft desinged it. And it sparked quite the contreversy when word got out, a few years ago.

    • @YodaWhat
      @YodaWhat 3 ชั่วโมงที่ผ่านมา

      @@arkorat3239 - Ah, thanks. I don't use Windows 11 or any of that extra crap even in Windows 10. First thing I do with a new Windows machine is turn that $hit off as much as possible.

  • @SeRoShadow
    @SeRoShadow วันที่ผ่านมา +32

    4:50 - using query code that is not read-only / execute is a security issue

  • @amigalemming
    @amigalemming วันที่ผ่านมา +9

    In Germany the Bug Hunter would have been sent to jail because of the Hackerparagraph and the bugs would persist.

  • @test-rj2vl
    @test-rj2vl 15 ชั่วโมงที่ผ่านมา +5

    Personally I would never ask AI for any serious health issues, even if they were 100% private and 100% secure because if AI happens to hallucinate then I can easily end up on 10x worse situation than I started with. If there is something I don't know how to deal with I would rather go to doctor and get some real advice than for example trying to heal flu by standing uv light and drinking mercury.

  • @cassusgames
    @cassusgames วันที่ผ่านมา +17

    Imagine if a certain legend asked for help removing a specific cylinder…

    • @commander3494
      @commander3494 วันที่ผ่านมา +2

      Amazing reference

    • @jacobeii
      @jacobeii 15 ชั่วโมงที่ผ่านมา

      seems rather imperative that it remains unharmed.

  • @privateness.network
    @privateness.network วันที่ผ่านมา +10

    "Can't fix stupid" theory confirmed

  • @rory_o
    @rory_o 19 ชั่วโมงที่ผ่านมา +4

    AI and nodejs. Name a more iconic duo of security terribleness.

  • @howardstern9764
    @howardstern9764 20 ชั่วโมงที่ผ่านมา +5

    These Lawsuits need to be far more punitive, there needs to be drastic consequences for exposing and harming so many people!

  • @V3racious3
    @V3racious3 วันที่ผ่านมา +8

    I can't wait to cash my $2.49 check after the lawyers suck all the value out of the class action data breach lawsuit.

  • @AK-vx4dy
    @AK-vx4dy วันที่ผ่านมา +22

    But this story is not about AI anyway.... AI bot not leak anything, stupid platform architecture and stuipd developers (who maybe were expert in AI but not not in other areas)

    • @matt_milack
      @matt_milack วันที่ผ่านมา

      Imagine how dumb AI is if leading AI expert developers, engineers and architects are this dumb.

  • @VelociraptorX
    @VelociraptorX 19 ชั่วโมงที่ผ่านมา +3

    That's why I don't use gadets to monitor my health, our data is incredibly valuable.

  • @GauteAnimationNorway
    @GauteAnimationNorway 16 ชั่วโมงที่ผ่านมา +4

    This makes me just think about co-pilot. Microsoft is getting greedy with their data stealing.

  • @primgrb
    @primgrb วันที่ผ่านมา +26

    Node js is a menace, dude

    • @skyrimax
      @skyrimax 23 ชั่วโมงที่ผ่านมา +10

      Been saying it for years, JavaScript on the server was web development's original sin

    • @jbird4478
      @jbird4478 12 ชั่วโมงที่ผ่านมา

      ​@@skyrimax JavaScript was the original sin. Running it on servers was when we said screw it and let the devil take over.

  • @laulaja-7186
    @laulaja-7186 7 ชั่วโมงที่ผ่านมา +2

    The omniscient AI has certified that the code was secure. Oops that was a hallucination. Okay delete/ fire that AI and try uploading a new one… which is almost identical, and trained on the same data set. It’s just good business.

  • @jsonstea
    @jsonstea วันที่ผ่านมา +5

    while the services of M$ have been becoming broader and more sophisticated, the quality really keeps going down the toilet.

  • @Huey-ec1
    @Huey-ec1 วันที่ผ่านมา +24

    What medical records? Most of us can't afford healthcare to begin with.

    • @DetectiveRackham
      @DetectiveRackham 18 ชั่วโมงที่ผ่านมา +1

      Your birth certificate did not write itself.

  • @yura34054
    @yura34054 วันที่ผ่านมา +7

    "Little Bobby Tables we call him"

    • @Fasteroid
      @Fasteroid วันที่ผ่านมา +1

      My name is "help im stuck in a drivers license factory"

  • @Amipotsophspond
    @Amipotsophspond วันที่ผ่านมา +6

    hackers are such nice people, that hacker could have made everyone's medical records say they tested positive for aids. it's wonderful we have bug bounties and they are paid, hard work was do to earn that small sum of money and the whole world benefits.

    • @Itsgone99
      @Itsgone99 วันที่ผ่านมา +1

      not at all a huge potential conflict of interest down the line if not already...

    • @crusher9z9
      @crusher9z9 22 ชั่วโมงที่ผ่านมา +1

      they should've added "tested positive for nothing" to all records

  • @KAZVorpal
    @KAZVorpal วันที่ผ่านมา +13

    Apostrophe fail.

  • @resekai
    @resekai วันที่ผ่านมา +4

    Total Recall and CopePilot+

  • @enermaxstephens1051
    @enermaxstephens1051 5 ชั่วโมงที่ผ่านมา +2

    Anyone else notice that bug bounties often have a habit of not paying? You'll find the bug and they'll say "Oh we already knew about that" then patch it and act like its no big deal.

  • @bitmau5
    @bitmau5 20 ชั่วโมงที่ผ่านมา +2

    So, it's basically like hunting for open folders, in 1997, to dump MP3's on unsecured FTP servers in order to share music. Gotcha.

  • @dany_fg
    @dany_fg 22 ชั่วโมงที่ผ่านมา +5

    this... this is why everyone hates JavaScript

  • @AROAH
    @AROAH 20 ชั่วโมงที่ผ่านมา +3

    😑
    This is why we shouldn’t be using JavaScript for non-UI purposes.

  • @thiswillprobhrt
    @thiswillprobhrt 11 ชั่วโมงที่ผ่านมา +1

    Can’t help but think the term “updationing” was part of conversations during development of this.

  • @SBTRIS
    @SBTRIS วันที่ผ่านมา +7

    My take away from this is that nodejs is not secure by default, and needs some careful design and hardening to make it production grade.
    Compounded with dynamic and super flexible JIT nature of node, it sounds like a nightmare.

  • @QXY01
    @QXY01 16 ชั่วโมงที่ผ่านมา +1

    All doctors that dared to upload personal info were compelled. Who is going to pay for this? I would say all corporations and doctors must pay.

  • @Zuranthus
    @Zuranthus วันที่ผ่านมา +2

    god these companies are stupid. they want AI to be a thing so bad that consequences be damned

  • @classico42
    @classico42 16 ชั่วโมงที่ผ่านมา +3

    In case you forget, Microsoft will help you Recall this instantly!

  • @yeetyeet7070
    @yeetyeet7070 วันที่ผ่านมา +16

    hearing the words nodejs backend sealed it for me

  • @boines
    @boines 22 ชั่วโมงที่ผ่านมา +2

    that wild bc most basic thing for sql is to prevent the moving of going back .. as well as doing a ls of a dir row colm etc. failed huge.

  • @WiseWeeabo
    @WiseWeeabo 17 ชั่วโมงที่ผ่านมา +2

    Whoever worked on this must be borderline non-functional. Was this whole project just 1 dude? How did not a single person on the team call out this insanity? Insane.

  • @UNcommonSenseAUS
    @UNcommonSenseAUS 23 ชั่วโมงที่ผ่านมา +3

    Its not an accident.
    Wake up fools

  • @qzwxecrv0192837465
    @qzwxecrv0192837465 10 ชั่วโมงที่ผ่านมา +1

    So once again, the super smart programmers of Microsoft allowed direct access to data, rather than buffering it, ensuring encrypted connection between intermediate server & data, as well as not keeping the AI software isolated from important data. Also, adding directory capabilities within a URL, rather than having the server or data server do the searching has been a known exploit/issue for decades.
    You never allow directory level execution or maneuvering at the URL level AND we have become so dependent on showing URL data, that this type of thing will happen due to sloppiness. as the old adage goes: it isn't the new guy that gets hurt (makes serious errors), it is the experienced person because he becomes so confident in his experience

  • @knarfxd4071
    @knarfxd4071 วันที่ผ่านมา +2

    I know little about software engineering n this kind of crap, but god I love your vids explaining it so clearly. Keep up the amazing work m8!

    • @DanielBoctor
      @DanielBoctor  วันที่ผ่านมา +2

      much appreciated, will do

  • @mattp7437
    @mattp7437 วันที่ผ่านมา +5

    Welcome back!

  • @issamelarmi
    @issamelarmi วันที่ผ่านมา +2

    Somehow all these big tech companies don't pentest their products...
    Good for bughunters and black hats

  • @yoyoma2831
    @yoyoma2831 วันที่ผ่านมา +2

    Very interesting. Underrated channel, you earned a new sub!

  • @talli-studios
    @talli-studios 16 ชั่วโมงที่ผ่านมา +1

    How was the underscore module modified remotely??

  • @aldproductions2301
    @aldproductions2301 18 ชั่วโมงที่ผ่านมา +1

    Why is the back-end in JS instead of a strongly typed language which would reject input and help require data be properly sanitized? Why is the database input not properly sanitized?

  • @RicoTrevisan
    @RicoTrevisan วันที่ผ่านมา +2

    Brilliant video, thanks!

  • @conceptrat
    @conceptrat วันที่ผ่านมา +1

    @5:55 I think you've either misinterpreted how the query injection works or the exploit you copied from wasn't documented correctly. Unless MS has made a mistake with implementation of building a quert. If this is even actually a reality. I feel like it's not. But first the query needs to be completed by providing an escaped ' and ) and then you can initiate the other escaping to insert the transversal and allow the query to be completed again.

  • @noThankyou-g5c
    @noThankyou-g5c 22 ชั่วโมงที่ผ่านมา +2

    since ur name is Boctor i thought this would be a medical channel first most that was just covering tech news 😅

  • @oportbis
    @oportbis วันที่ผ่านมา +1

    Please make more videos, I'm getting addicted to your explanations

  • @HardbassTV.
    @HardbassTV. วันที่ผ่านมา +4

    Microsoft does dumb shit

  • @_varianta007
    @_varianta007 17 ชั่วโมงที่ผ่านมา +2

    If only Microsoft would not always hurry tihings in their try to be the first maybe they would not have so shitty products.

  • @robyee3325
    @robyee3325 วันที่ผ่านมา +2

    Well explained!

    • @DanielBoctor
      @DanielBoctor  วันที่ผ่านมา +3

      Thanks for watching!

  • @iGame3D
    @iGame3D 10 ชั่วโมงที่ผ่านมา

    Where do we sign up for the class action suit?

  • @howardfairbanks8337
    @howardfairbanks8337 วันที่ผ่านมา +2

    Excellent video, editing, sound design. You deserve more views (:

    • @DanielBoctor
      @DanielBoctor  วันที่ผ่านมา +2

      glad you liked it!

  • @operator8014
    @operator8014 17 ชั่วโมงที่ผ่านมา +1

    Who tf gave Microshaft their medical data???

  • @kygagaming
    @kygagaming วันที่ผ่านมา +2

    Omg the vids are back!!!

  • @atxhooligan
    @atxhooligan วันที่ผ่านมา +5

    This must be why my organization sprang new AI rules on us recently regarding using AI with any sensitive medical or org info.

  • @lennyface6828
    @lennyface6828 22 ชั่วโมงที่ผ่านมา +1

    This is why I don't use ANY Microsoft products anymore. Including Windows.

  • @irvingchies1626
    @irvingchies1626 13 ชั่วโมงที่ผ่านมา +1

    The First exploit was already quite easy, it's like going to a final test about history, putting "it al begun in 1942... ... And that's how Nazi Germany fell" and getting an A+

  • @ImperialRoads
    @ImperialRoads วันที่ผ่านมา +1

    No way the legend is uploading again!!!

    • @ultimatums1
      @ultimatums1 วันที่ผ่านมา

      no way people make some unrelated remark about the video.

    • @DanielBoctor
      @DanielBoctor  วันที่ผ่านมา +2

      we back

  • @any1alive
    @any1alive 21 ชั่วโมงที่ผ่านมา +2

    sooo, they wernt sanitisign inputs? still watchign,.t hats A ENTRY LEVEL SECIURITY ISSUE and bug

  • @Huey-ec1
    @Huey-ec1 วันที่ผ่านมา +1

    AI is imprecise. It's not a bad tool for thinking through ideas, but using it to write code is rarely reliable and using it for healthcare should be illegal. Not that we have humane healthcare anyways, so I guess it makes sense they wouldn't care about ethics.

  • @mahiainti678
    @mahiainti678 วันที่ผ่านมา +6

    holy, javascript is so insecure. Im still shocked it's so wide-spread on the backend

  • @JeremyAndersonBoise
    @JeremyAndersonBoise 11 ชั่วโมงที่ผ่านมา

    People: Why don’t you trust AI tools?
    Me:

  • @brentsaner
    @brentsaner 14 ชั่วโมงที่ผ่านมา +1

    That is...certainly a way to pronounce "JavaScript" that I haven't heard before.

  • @a2bros186
    @a2bros186 วันที่ผ่านมา

    0:57 what's the background music?

    • @janeviem7141
      @janeviem7141 วันที่ผ่านมา +2

      It sounds to me like Firecracker from LEMMiNO, but I'm not sure. Also, the music used in the video is in the video description

  • @mirroredchaos
    @mirroredchaos 21 ชั่วโมงที่ผ่านมา +1

    this is why not every damn thing needs AI ffs.

  • @sown-laughter4351
    @sown-laughter4351 15 ชั่วโมงที่ผ่านมา +1

    sounds like they are doing commands that microsoft does automated
    meaning microsoft is probably already selling that data

  • @Nah_Bohdi
    @Nah_Bohdi วันที่ผ่านมา +5

    I wish all of my data was in paper files in my closet, even passwords, because its always getting "found online".
    Meanwhile Im unable to access websites because I forget my password or questions, hackers have more access than I do...

    • @alexturnbackthearmy1907
      @alexturnbackthearmy1907 4 ชั่วโมงที่ผ่านมา

      Hackers? Try said websites not accepting right password just because, had to change a couple over absolutely nothing (the password and name were actually correct, it just refused to accept them).

  • @rekit7351
    @rekit7351 วันที่ผ่านมา +2

    Guy is making exploiting Azure into a career path 😂

  • @yt-sh
    @yt-sh วันที่ผ่านมา +1

    Note to self
    cl - Vulnerabilities in Microsoft's Healthcare"

  • @klwd5288
    @klwd5288 5 ชั่วโมงที่ผ่านมา +1

    Brilliant won't teach you that stuff but get your bag bro

  • @hannonsb
    @hannonsb 7 ชั่วโมงที่ผ่านมา +1

    Seems very similar to a modern version of SQL injection

  • @jbird4478
    @jbird4478 12 ชั่วโมงที่ผ่านมา +1

    Maybe we shouldn't build such things on stacks upon stacks of libraries and frameworks. A JS runtime environment running on a JS engine importing modules to implement an "indexof"... What the hell happened to writing software that compiles to machine code, instead of relying on dozens of layers that can each have vulnerabilities?

  • @denishohmo
    @denishohmo 15 ชั่วโมงที่ผ่านมา +1

    I wonder if they could have made more then 200k if they would have placed a short position on the stock and informed an hacker group about the holes.

    • @alexturnbackthearmy1907
      @alexturnbackthearmy1907 4 ชั่วโมงที่ผ่านมา

      And also sell the data separately cause more money is always better.

  • @morthim
    @morthim วันที่ผ่านมา +2

    how did they get 100 million records?

  • @JohnS-il1dr
    @JohnS-il1dr 23 ชั่วโมงที่ผ่านมา +1

    I hope AI dies off like the virtual reality glasses did a few years back

  • @illochese
    @illochese วันที่ผ่านมา +5

    How does an attacker override the _indexOf function though?

    • @avalonwmii3687
      @avalonwmii3687 วันที่ผ่านมา +6

      Javascript allows you to simple reattribute functions. _.indexOf = () => 10;

    • @illochese
      @illochese วันที่ผ่านมา +1

      @avalonwmii3687 okay, but that implies that attacker already has ability to execute some code on the backend. I don't get how

    • @ThisIsTheInternet
      @ThisIsTheInternet วันที่ผ่านมา +5

      @@illochese It's explained in the video. Azure Health Bot instances allowed you to setup your own code in them. 7:08

    • @omri9325
      @omri9325 วันที่ผ่านมา +2

      My guess is that if underscore is in the packagesAllowedList you can just require it and change it

    • @illochese
      @illochese วันที่ผ่านมา

      ​@@ThisIsTheInternet oh, now I see, what a wonderful attack vec... feature

  • @LV-426...
    @LV-426... วันที่ผ่านมา +1

    If you can't understand the difference between - users- and -users'- then what else does it tell about your IQ? I am going to consult my dog next time.

  • @y2ksw1
    @y2ksw1 22 ชั่วโมงที่ผ่านมา +1

    These are rookie bugs!😄

  • @NarcatasCor
    @NarcatasCor วันที่ผ่านมา +3

    how much DEDOTADED wam for the serwor..

  • @lambdadelta3105
    @lambdadelta3105 20 ชั่วโมงที่ผ่านมา +2

    I always wonder what society is supposed to do in these situations, when mega corporations incompetence and greed hurts millions. Give up? Continue as normal like nothing happened despite the damage? or... perhaps call Luigi?

  • @ComputerHead0001
    @ComputerHead0001 8 ชั่วโมงที่ผ่านมา

    In this video??? GREAT! Thought it would be in a different video.

  • @LBDluxe
    @LBDluxe 15 ชั่วโมงที่ผ่านมา +2

    Hunters need to start demanding more for information on these exploit bounties, I'm saving you millions or potentially billions of dollars I want a least a mill