Today we celebrate the five year anniversary of #curl's bug-bounty. It has resulted in 69 reported vulnerabilities and almost 80,000 USD payouts. Out of a total of 439 submissions. 86 of them were considered "informative", which mostly means they were handled as normal bugs.
@bagder Despite working in IT and cybersecurity for nearly 40 years is there still hope left for me that my first thought was "That's an odd way to apply for a Masters in Fine Art" a couple milliseconds BEFORE I thought "Multifactor Authentication"?
I posted this image on LinkedIn as well, and the stats there tells me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft)
@bagder Thank you! I can't imagine how bad this must feel for Lasse Collin, especially after reading[1]. We're with him and all honest XZ contributors, and they're not to blame 🙂
1. curl is not made by me alone. I lead the project, we are over a *thousand* authors in total 2. I work full-time on providing curl support to paying customers. Some would call it a business. 3. Not "a" billion people. More like 6 billion or so; every human on the globe that is Internet-connected uses things that use curl - daily.
So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?
@bagder LangcChain (framework to build complex llm pipelines) has chatgpt powered bot, which tries to help in open issues by generating walls of "helpful" text
It's smart enough to even quote some related code from repository, but...
...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all are filled with walls of text. And knowing that, this text is very probably bullshit, my brain automatically infiltrates it :blobcatgooglyholdingitsheadinitshands:
How the first gen ipod was reverse engineered to run #Rockbox:
1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!
2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.
On this day, 27 years ago, httpget 0.1 was released. The tool I found and started playing with and soon was maintainer of. It started something. In 1998 that tool was renamed to curl. https://curl.se/docs/history.html
curl has used OpenSSL since it was born in 1999 - and to this very day, we apparently still can't figure out how to init and cleanup the library properly.
It might be because we have only stupid people in the project. Or the explanation could be elsewhere.
@bagder I wonder if the upcoming bounds checked c rfc features from Apple in clang would be helpful at the very least as a defensive measure. but they also seem to be moving fairly slowly :(
"we are a monster-sized US tech firm with almost a trillion dollar market cap.We are a bureaucratic nightmare so please give us the info for free instead of us having to help your open source project financially and we can keep using it for free in all eternity. kthxbye"
Gregory's Server
@bagder Is that design a Swedish folk motif?