Comment by i_think_so
3 hours ago
I am imagining some poor sod working for NSA TAO trying to hack a bespoke web microservice stack. He spends dozens of hours slaving away at the keyboard, skipping sleep and eating terrible meals at his desk, desperate to get RCE as quickly as possible, because he needs to traverse all the way to the DB layer and exfil data or his boss will pass him over for his next promotion.
At day 9, right as he is getting ready to deploy his beautifully crafted shell code, the clock hits midnight UTC. The website shuts down for maintenance.
"This is it" he thinks. "As soon as the backups finish I'm getting in. No problem."
Minutes tick by. He gets up, stretches, sits back down, watches the clock impatiently. Then, as he prepares to start refreshing the site he recollects, "I'm glad I begged so hard to get authorization to use this PHP 0day."
His partially obscured terminal window has the script ready to launch, all arguments pre-populated, waiting for the link and session token to be pasted in and executed.
The site comes back up. But the url of his launch point returns 404. Undaunted, he returns to a previous url. It is also 404. He curses aloud. Beginning to perspire, he goes to the homepage and prepares to navigate back to the launch point.
The link isn't there. Well, it's there, but it has changed.
"What the....!" The link is no longer a PHP url. He mouses over other links. NO links say PHP anymore. Starting to panic, he clicks on links at random. Not a single one appears to be PHP.
The following morning he schedules an urgent meeting with his supervisor.
"How's that project coming along. Got anything yet?"
"No. I, uh...I'm going to need a bit more time."
"Oh?"
"Yeah. Uh. The site. It got..." He mutes his microphone and, for the 22nd time since midnight, he screams in frustration. Unmuting, he continues:
"It got rewritten. Completely. In Nim."
"What??"
"Yeah. It's some esoteric language that just got a new web framework. I guess somebody decided they wanted to mess around with it. So they vibe coded a complete translation. The whole front end is nimlang now. None of the PHP attacks are going to work on it."
His supervisor expresses his disgust and ends the call.
11 days later the process repeats itself, this time with Rust.
The TAO engineer submits an application to change jobs to the DoD's procurement division, then requests an appointment with a mental health counselor.
Moral of the story: A truly secure website would be a continuously morphing one where an LLM keeps rewriting and redeploying large parts of its code every minute, so that no attacker can keep up.