Gregory's Server
|
"The issue was detected by our new AI-powered vulnerability scanner" ... AAAAAAA
Show previous comments
   @bagder LangcChain (framework to build complex llm pipelines) has chatgpt powered bot, which tries to help in open issues by generating walls of "helpful" text It's smart enough to even quote some related code from repository, but... ...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all are filled with walls of text. And knowing that, this text is very probably bullshit, my brain automatically infiltrates it :blobcatgooglyholdingitsheadinitshands: People have asked, and I aim to please. The collection of fun/weird/odd/threatening emails I received. Probably incomplete, but here it goes: https://github.com/bagder/emails Current count: 74
Show previous comments
@bagder  Please don't make this a new trend. π (issue closed by bot because the user filing the issue has not starred the repository...)
Show previous comments
  How the first gen ipod was reverse engineered to run #Rockbox: 1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer! 2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle. (continues...)
Show previous comments
@bagder this is really awesome. I had Rockbox on one of the later-gen iPods and used it as my daily driver for YEARS. On this day, 27 years ago, httpget 0.1 was released. The tool I found and started playing with and soon was maintainer of. It started something. In 1998 that tool was renamed to curl. https://curl.se/docs/history.html the OpenSSL API is the gift that just keeps on giving And its like one of those gifts you get from an older relative that you rather wished they'd keep to themselves... curl has used OpenSSL since it was born in 1999 - and to this very day, we apparently still can't figure out how to init and cleanup the library properly. It might be because we have only stupid people in the project. Or the explanation could be elsewhere. We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:
Show previous comments
@bagder I suspect the reporter's last comment in that thread was also written by an LLM  @bagder I could understand using some kind of AI to get something similar to a fuzzer but this is utterly ridiculousβ¦
How I made a heap overflow in #curl Let me talk CVE-2023-38545 a bit https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
Show previous comments
  "we are a monster-sized US tech firm with almost a trillion dollar market cap.We are a bureaucratic nightmare so please give us the info for free instead of us having to help your open source project financially and we can keep using it for free in all eternity. kthxbye"
Show previous comments
Today we got what must be the most alarming first line in a newly file sec issue to #curl: "To replicate the issue, I have searched in the Bard about this vulnerability" ... followed by a complete AI hallucination where Bard has dreamed up a new issue by combining snippets from several past flaws. Creative, but hardly productive. Closed as bogus.
Show previous comments
"CVE-2020-19909 is everything that is wrong with CVEs" A claimed "9.8 CRITICAL" flaw in #curl that does not exist. https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
Show previous comments
@bagder As a way of saying how old I am without saying how old I am. Mitre used to have a mechanism that potential issues were assigned a CAN-number. Then the elite would vote if it was indeed a vulnerability. If so, a CAN would become a CVE. Of course this soon became a mess as the CANs piled up and checking if a CAN ended up as CVE just for reference became a dreadful chore. I guess youβre on the accepted risk end of the choice made to end the CAN/CVE naming and stick with CVE. Today in 2000, 23 years ago, we introduced #libcurl into the world. #curl 7.1 was the first release featuring a separate library for Internet transfers, that curl was then made to use. PHP adopted it almost instantly to become their default built-in transfer engine, which greatly helped the library "take off". libcurl was not an instant success but has gradually grown more popular over time. Over 23 years. Today we estimate 20 BILLION installations worldwide.
Show previous comments
 @bagder Happy b'day! π The modern internet/devops would not be the same without your tools...  @bagder also #curl is way more versatile and useful than #wget and is available as a #standalone #binary: No need to fiddle with shit: #ItJustWorks! #curl no longer supports the NSS TLS library: https://github.com/curl/curl/pull/11459 @bagder@mastodon.social for the uninitiated, what is the NSS TLS library and why was it removed? Can you explain what this means to curl users? What is NSS?
The #Gemini protocol seen by this #HTTP client person https://daniel.haxx.se/blog/2023/05/28/the-gemini-protocol-seen-by-this-http-client-person/ - tldr: I think they have some improvements left to do. @bagder However your other points not related to the markup/visual style are perfectly accurate IMHO  Hi [name], I certainly am a lead developer of libcurl, but I have no contractual agreement with either XXXX or YYYY so I do not think I can be qualified as a provider or a vendor to you. In this context, I'm but an individual. We could arrange for a curl support contract to make me/us a provider.  @bagder What kind of requests do you get? I have a feeling a large number of them has to do with certifying various aspects of the security of the software? How about questions about whether your developers are trained? #trurl turns 6 days old and reaches 1500 GitHub stars: https://github.com/curl/trurl Twenty-five years of curl: https://daniel.haxx.se/blog/2023/03/20/twenty-five-years-of-curl/ - 3600 words on the biggest events in #curl history, year by year.
Show previous comments
Thank you for curl! It's served me quite well over the years, and also served as proof to my engineer colleagues that this Technical Project Manager is no slouch, technically. πΈ |
@bagder That screenshot is from a time when windows was actually a half-decent OS. Long gone.
@bagder
So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?
#RhetoricalQuestion
@bagder Hey Daniel! This reminds me of a photo I took in my car on Monday. (Pardon the dust.)