AIs have been finding bugs and vulnerabilities in #curl for some time.
-
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.
Was there something „heartbleed“ like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
-
R relay@relay.infosec.exchange shared this topicR relay@relay.publicsquare.global shared this topic
-
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.
Was there something „heartbleed“ like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
@icing @sovtechfund I’ve been in security almost 30 years and seen so many claims of “this will change the industry forever”. What’s remarkable to me is how constant it has been. We are still seeing basically the same issues as in 1999: bad passwords, missing updates, code injections, and, well, Microsoft. I may be getting blasé but I’m highly skeptical that this AI stuff is going to change anything fundamental about that. @bortzmeyer
-
System shared this topic
-
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.
Was there something „heartbleed“ like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
-
@icing @sovtechfund I’ve been in security almost 30 years and seen so many claims of “this will change the industry forever”. What’s remarkable to me is how constant it has been. We are still seeing basically the same issues as in 1999: bad passwords, missing updates, code injections, and, well, Microsoft. I may be getting blasé but I’m highly skeptical that this AI stuff is going to change anything fundamental about that. @bortzmeyer
@mkoek @icing @sovtechfund @bortzmeyer
Isn't the fundamental difference the speed of discovering new issues, mixing highlevel knowledge from various parts of the stack?
It's going to be a bit hairy for the next months/years while everybody cope on?
-
@mkoek @icing @sovtechfund @bortzmeyer
Isn't the fundamental difference the speed of discovering new issues, mixing highlevel knowledge from various parts of the stack?
It's going to be a bit hairy for the next months/years while everybody cope on?
@jfbucas @mkoek @sovtechfund @bortzmeyer
The speed is enabled by skewing the economics. People can search for bugs using billions of investment at little cost.
Open Source has increased load due to this, but is not at risk. We do not guarantee any fitness for purpose.
Businesses, especially the ones not *always* running the latest version of software, are more exposed.
But we do not see an uptake of investment into project security from the commercial side.
-
@connynasch @icing @sovtechfund
Update from daniel
https://mastodon.social/@bagder/116407367327224765 -
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.
Was there something „heartbleed“ like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
@icing @sovtechfund Call me overly skeptic, but remembering Builder.ai I would not be surprised if Anthropic has a bunch of engineers run Mythos on a few high-profile projects and filter out all the bad reports before they get actually posted to make their model look better than it is.
-
@icing @sovtechfund Call me overly skeptic, but remembering Builder.ai I would not be surprised if Anthropic has a bunch of engineers run Mythos on a few high-profile projects and filter out all the bad reports before they get actually posted to make their model look better than it is.
@tkissing @icing @sovtechfund Even better: #Anthropic’s own employees whipped up some pipeline to channel all the findings to Upwork and similar click-work platforms, which then makes underpaid laborers do the actual work.
-
@mkoek @icing @sovtechfund @bortzmeyer
Isn't the fundamental difference the speed of discovering new issues, mixing highlevel knowledge from various parts of the stack?
It's going to be a bit hairy for the next months/years while everybody cope on?
@jfbucas @icing @sovtechfund @bortzmeyer For a while, I guess. There is a limit we already seem to be seeing: the amount of bugs is large, but not infinite. Also: once we integrate a check using these LLM’s into our build chains, the amount of bugs discovered after release may actually go down, eventually.
-
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.
Was there something „heartbleed“ like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
@icing @sovtechfund the biggest problem I see is #AIslop flooding #BugTrackers and literally burning out #developers.
-
@jfbucas @mkoek @sovtechfund @bortzmeyer
The speed is enabled by skewing the economics. People can search for bugs using billions of investment at little cost.
Open Source has increased load due to this, but is not at risk. We do not guarantee any fitness for purpose.
Businesses, especially the ones not *always* running the latest version of software, are more exposed.
But we do not see an uptake of investment into project security from the commercial side.
That investment into security isn't guaranteed though. I did on one occasion hear somebody say they wouldn't hire more security people because they would rather invest more in AI.
