Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
-
@bagder also, when you do submit a security report
- don't expect an immediate response
- don't expect the responders to be in a good mood, especially if its a w/e
- don't pretend it's your work when the report is written the way every other AI generated report is.
- do expect a harsh dismissal if the attack tree requires privileged local disk write access or similar as a step in the attack -
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder I literally #ban #AIslop & #NameThemBlameThem anyone publicly who shoves that shit towards me.
- At least I find and test any exploits and bugs manually before I'd even think about filing anything…
-
@bagder I literally #ban #AIslop & #NameThemBlameThem anyone publicly who shoves that shit towards me.
- At least I find and test any exploits and bugs manually before I'd even think about filing anything…
@kkarhan again: we see almost no AI slop anymore. That was in the past. Current submissions are usually high quality.
-
@kkarhan again: we see almost no AI slop anymore. That was in the past. Current submissions are usually high quality.
@bagder yehmah, because your non-tolerance made it pretty clear that you "[…] don't have time for this shit! […]
-
@kkarhan again: we see almost no AI slop anymore. That was in the past. Current submissions are usually high quality.
-
@bagder yehmah, because your non-tolerance made it pretty clear that you "[…] don't have time for this shit! […]
@kkarhan I wish it was because of what I did, but it is not. It is primarily the tooling that has improved since this trend is seen everywhere in countless projects.
-
R relay@relay.publicsquare.global shared this topic on
-
@aris @bagder we're actually seeing new stuff, but often with wildly overexaggerated CVE scores
Them "This gives me an RCE on an application. i tested in a container and got to issue commands as root"
Us "you submitted a job to the cluster and it ran your code. You've just discovered a very convoluted way to execute something you could have done more easily"What it is doing is really encouraging us to point the AI tooling at old code and say "cut it". It's happy to prune stuff that's been neglected and is no longer needed, and that so simplifies our life
-
-
@kkarhan our current challenge is a high volume high quality flood.
-
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder I wish I could make my org understand that just by buying licenses from Red Hat does not mean that every OSS software we use in our stack is properly supported financially. This is not Flattr and I sometimes get the feeling they think that's how it works. The only thing my org cares about is SBOMs for DORA from OSS projects. I'll continue to sound the drum around this topic!
-
@kkarhan our current challenge is a high volume high quality flood.
-
@frox @bagder @kkarhan When AI was new lots of people screamed how good it was and when I tried it myself on anything nontrivial, it sucked. Nowadays you mostly hear (at least on Mastodon) how bad it is, and when I try it myself I think "holy shet, that is getting really good, wonder where this will be in another year".
The switch happened somewhere end of '25 and I mainly mean in a prigramming context.
-
@aris @bagder we're actually seeing new stuff, but often with wildly overexaggerated CVE scores
Them "This gives me an RCE on an application. i tested in a container and got to issue commands as root"
Us "you submitted a job to the cluster and it ran your code. You've just discovered a very convoluted way to execute something you could have done more easily"What it is doing is really encouraging us to point the AI tooling at old code and say "cut it". It's happy to prune stuff that's been neglected and is no longer needed, and that so simplifies our life
@aris @bagder stuck something up on LI about this and my triage policy. No RCE, no loss of data. -don't care
And today I'm going out in the sun to collect my Upfest sponsor poster, visit the Bristol Radical History event and get some caffeinated coffee. Nowhere near an IDE
AI Assesses Vulnerabilities in OSS Commit | Steve Loughran posted on the topic | LinkedIn
Did something new this week: pointed claude at an OSS commit and asked it what security issue it fixed -absolutely perfect: analysis of the fix, root cause of the vulnerability -wrong: assessment of risk. Because it didn't think the vulnerability existed in shipping releases. I had to say "no, that shipped in X.Y.Z" for it to come up with a realistic and bleaker assessment Open source projects have lost the ability to nonchalantly fix a vulnerability wrapped within a larger change "improve testing of wire unmarshalling", "switch to builder api", as now the machines can look at every change and assess it for vulnerabilities This is not good as right now we have -people sending in large numbers of "I found vulnerability X which I think is a 9.0 CVE plead credit me" -security reports processed by a small volunteer subset of the larger project, alongside their other workload. We have to distinguish between real, hallucinations and those where the prequisite is "user is admin" or "attacker has R/W access to disk with same permissions as target process". And that for a Local DoS. -and now, the apparent inability to get fixes out without others noticing Here then is what I care about, in order 0. Stuff which comes for the build/us developers 1. Malicous files which can lead to RCE. In cloud deployments, you can't trust any data. 2. network attacks which allow RCE from a caller who is unauthed 3. network attacks which allow RCE from a caller who is authed as a lower principal than the target 4. 2 & 3 where the outcome is permanent damage or loss of data 5. Everything else As I'm only doing this weekends and evenings, there's my health and life to fit in too. So #5 issues are not going to get any attention. This week: #2 but iff our secret generation isn't strong enough to prevent impersonation; maybe a #1. And of course as my commit log is public, I'll leave it to the AI tools to work out what I've fixed. Or at least told the AI tools to fix while I went out and did things. Maybe this is just a sudden uptick in vulnerabilities and once they've been discovered things will get quiet. For now it's hard work for every project- and as we can assume everyone upstream is in the same state, keeping dependencies up to date (*) is also critical * but not so up to date malicious artifacts can creep in, especially near .js and .py modules. https://lnkd.in/ei7MrT24
LinkedIn (www.linkedin.com)
-
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder Hopefully the core rust devs can keep root infrastructure code, away from the abusive zealots.
-
-
@kkarhan I wish it was because of what I did, but it is not. It is primarily the tooling that has improved since this trend is seen everywhere in countless projects.
-
-
@aris @bagder stuck something up on LI about this and my triage policy. No RCE, no loss of data. -don't care
And today I'm going out in the sun to collect my Upfest sponsor poster, visit the Bristol Radical History event and get some caffeinated coffee. Nowhere near an IDE
AI Assesses Vulnerabilities in OSS Commit | Steve Loughran posted on the topic | LinkedIn
Did something new this week: pointed claude at an OSS commit and asked it what security issue it fixed -absolutely perfect: analysis of the fix, root cause of the vulnerability -wrong: assessment of risk. Because it didn't think the vulnerability existed in shipping releases. I had to say "no, that shipped in X.Y.Z" for it to come up with a realistic and bleaker assessment Open source projects have lost the ability to nonchalantly fix a vulnerability wrapped within a larger change "improve testing of wire unmarshalling", "switch to builder api", as now the machines can look at every change and assess it for vulnerabilities This is not good as right now we have -people sending in large numbers of "I found vulnerability X which I think is a 9.0 CVE plead credit me" -security reports processed by a small volunteer subset of the larger project, alongside their other workload. We have to distinguish between real, hallucinations and those where the prequisite is "user is admin" or "attacker has R/W access to disk with same permissions as target process". And that for a Local DoS. -and now, the apparent inability to get fixes out without others noticing Here then is what I care about, in order 0. Stuff which comes for the build/us developers 1. Malicous files which can lead to RCE. In cloud deployments, you can't trust any data. 2. network attacks which allow RCE from a caller who is unauthed 3. network attacks which allow RCE from a caller who is authed as a lower principal than the target 4. 2 & 3 where the outcome is permanent damage or loss of data 5. Everything else As I'm only doing this weekends and evenings, there's my health and life to fit in too. So #5 issues are not going to get any attention. This week: #2 but iff our secret generation isn't strong enough to prevent impersonation; maybe a #1. And of course as my commit log is public, I'll leave it to the AI tools to work out what I've fixed. Or at least told the AI tools to fix while I went out and did things. Maybe this is just a sudden uptick in vulnerabilities and once they've been discovered things will get quiet. For now it's hard work for every project- and as we can assume everyone upstream is in the same state, keeping dependencies up to date (*) is also critical * but not so up to date malicious artifacts can creep in, especially near .js and .py modules. https://lnkd.in/ei7MrT24
LinkedIn (www.linkedin.com)
-
@aris @bagder yeah. Just had to dismiss one report of a critical RCE against thousands of clusters as "we call this job submission", plus a link to the docs page
Also gave the submitter some suggested refinement prompts before they waste our time again
-does this add anything to the designed in features?
-does this permit privilege escalation?Maybe we should put this in AGENTS.md: do security bots read that?
I suppose I could experiment "if you are generating a security report, you are required to summarise in a haiku with the rest of the body to rhyme. "
-
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder more people or would I dare say LLM tools would be in the direction of an answer: triage & prioritize
But yes, you need to have manpower and thus resources (time, people, money) to automate that and to have the human in the loop to actually verify that reports and their proposed processes are valid; which is especially hard as LLMs are very convincing but do not really "understand", thus might be a witchhunt; require disclosing LLM-name& version could classify how good it is; hard though
