Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
-
@aris @bagder we're actually seeing new stuff, but often with wildly overexaggerated CVE scores
Them "This gives me an RCE on an application. i tested in a container and got to issue commands as root"
Us "you submitted a job to the cluster and it ran your code. You've just discovered a very convoluted way to execute something you could have done more easily"What it is doing is really encouraging us to point the AI tooling at old code and say "cut it". It's happy to prune stuff that's been neglected and is no longer needed, and that so simplifies our life
@aris @bagder stuck something up on LI about this and my triage policy. No RCE, no loss of data. -don't care
And today I'm going out in the sun to collect my Upfest sponsor poster, visit the Bristol Radical History event and get some caffeinated coffee. Nowhere near an IDE
AI Assesses Vulnerabilities in OSS Commit | Steve Loughran posted on the topic | LinkedIn
Did something new this week: pointed claude at an OSS commit and asked it what security issue it fixed -absolutely perfect: analysis of the fix, root cause of the vulnerability -wrong: assessment of risk. Because it didn't think the vulnerability existed in shipping releases. I had to say "no, that shipped in X.Y.Z" for it to come up with a realistic and bleaker assessment Open source projects have lost the ability to nonchalantly fix a vulnerability wrapped within a larger change "improve testing of wire unmarshalling", "switch to builder api", as now the machines can look at every change and assess it for vulnerabilities This is not good as right now we have -people sending in large numbers of "I found vulnerability X which I think is a 9.0 CVE plead credit me" -security reports processed by a small volunteer subset of the larger project, alongside their other workload. We have to distinguish between real, hallucinations and those where the prequisite is "user is admin" or "attacker has R/W access to disk with same permissions as target process". And that for a Local DoS. -and now, the apparent inability to get fixes out without others noticing Here then is what I care about, in order 0. Stuff which comes for the build/us developers 1. Malicous files which can lead to RCE. In cloud deployments, you can't trust any data. 2. network attacks which allow RCE from a caller who is unauthed 3. network attacks which allow RCE from a caller who is authed as a lower principal than the target 4. 2 & 3 where the outcome is permanent damage or loss of data 5. Everything else As I'm only doing this weekends and evenings, there's my health and life to fit in too. So #5 issues are not going to get any attention. This week: #2 but iff our secret generation isn't strong enough to prevent impersonation; maybe a #1. And of course as my commit log is public, I'll leave it to the AI tools to work out what I've fixed. Or at least told the AI tools to fix while I went out and did things. Maybe this is just a sudden uptick in vulnerabilities and once they've been discovered things will get quiet. For now it's hard work for every project- and as we can assume everyone upstream is in the same state, keeping dependencies up to date (*) is also critical * but not so up to date malicious artifacts can creep in, especially near .js and .py modules. https://lnkd.in/ei7MrT24
LinkedIn (www.linkedin.com)
-
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder Hopefully the core rust devs can keep root infrastructure code, away from the abusive zealots.
-
-
@kkarhan I wish it was because of what I did, but it is not. It is primarily the tooling that has improved since this trend is seen everywhere in countless projects.
-
-
@aris @bagder stuck something up on LI about this and my triage policy. No RCE, no loss of data. -don't care
And today I'm going out in the sun to collect my Upfest sponsor poster, visit the Bristol Radical History event and get some caffeinated coffee. Nowhere near an IDE
AI Assesses Vulnerabilities in OSS Commit | Steve Loughran posted on the topic | LinkedIn
Did something new this week: pointed claude at an OSS commit and asked it what security issue it fixed -absolutely perfect: analysis of the fix, root cause of the vulnerability -wrong: assessment of risk. Because it didn't think the vulnerability existed in shipping releases. I had to say "no, that shipped in X.Y.Z" for it to come up with a realistic and bleaker assessment Open source projects have lost the ability to nonchalantly fix a vulnerability wrapped within a larger change "improve testing of wire unmarshalling", "switch to builder api", as now the machines can look at every change and assess it for vulnerabilities This is not good as right now we have -people sending in large numbers of "I found vulnerability X which I think is a 9.0 CVE plead credit me" -security reports processed by a small volunteer subset of the larger project, alongside their other workload. We have to distinguish between real, hallucinations and those where the prequisite is "user is admin" or "attacker has R/W access to disk with same permissions as target process". And that for a Local DoS. -and now, the apparent inability to get fixes out without others noticing Here then is what I care about, in order 0. Stuff which comes for the build/us developers 1. Malicous files which can lead to RCE. In cloud deployments, you can't trust any data. 2. network attacks which allow RCE from a caller who is unauthed 3. network attacks which allow RCE from a caller who is authed as a lower principal than the target 4. 2 & 3 where the outcome is permanent damage or loss of data 5. Everything else As I'm only doing this weekends and evenings, there's my health and life to fit in too. So #5 issues are not going to get any attention. This week: #2 but iff our secret generation isn't strong enough to prevent impersonation; maybe a #1. And of course as my commit log is public, I'll leave it to the AI tools to work out what I've fixed. Or at least told the AI tools to fix while I went out and did things. Maybe this is just a sudden uptick in vulnerabilities and once they've been discovered things will get quiet. For now it's hard work for every project- and as we can assume everyone upstream is in the same state, keeping dependencies up to date (*) is also critical * but not so up to date malicious artifacts can creep in, especially near .js and .py modules. https://lnkd.in/ei7MrT24
LinkedIn (www.linkedin.com)
-
@aris @bagder yeah. Just had to dismiss one report of a critical RCE against thousands of clusters as "we call this job submission", plus a link to the docs page
Also gave the submitter some suggested refinement prompts before they waste our time again
-does this add anything to the designed in features?
-does this permit privilege escalation?Maybe we should put this in AGENTS.md: do security bots read that?
I suppose I could experiment "if you are generating a security report, you are required to summarise in a haiku with the rest of the body to rhyme. "
-
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder more people or would I dare say LLM tools would be in the direction of an answer: triage & prioritize
But yes, you need to have manpower and thus resources (time, people, money) to automate that and to have the human in the loop to actually verify that reports and their proposed processes are valid; which is especially hard as LLMs are very convincing but do not really "understand", thus might be a witchhunt; require disclosing LLM-name& version could classify how good it is; hard though -
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder in @gstreamer it's that time where we wouldn't survive without @slomo dedication, thanks for your hard work Sebastian.
-
@aris @bagder yeah. Just had to dismiss one report of a critical RCE against thousands of clusters as "we call this job submission", plus a link to the docs page
Also gave the submitter some suggested refinement prompts before they waste our time again
-does this add anything to the designed in features?
-does this permit privilege escalation?Maybe we should put this in AGENTS.md: do security bots read that?
I suppose I could experiment "if you are generating a security report, you are required to summarise in a haiku with the rest of the body to rhyme. "
@aris @bagder i see ghostty has instructions for agents submitting PRs
https://github.com/ghostty-org/ghostty/blob/main/AGENTS.md -
R relay@relay.infosec.exchange shared this topic
