Our Terrible Future And Open Source | Prime Reacts

00:00

so curl I I I wonder why it's curl but

00:02

curl's been under this like aggressive

00:04

attack of security vulnerability issues

00:07

being handed to them by Ai and it's it's

00:10

always stir copy anyways let's look at

00:12

one of them that was handed to them

00:13

because you'll get the picture of what's

00:15

about to happen security team I hope

00:17

you're doing well smiley face classic

00:20

way to iart iart security issues with a

00:23

smiley face myself and named myself

00:25

hackers I would like to report a

00:27

potential security vulnerability in the

00:28

websocket handling code of the curl

00:30

Library the issue is related to the

00:32

usage of stir copy okay shut up with all

00:36

the smiley faces we're in the middle of

00:38

doing things oh I just realized I got to

00:40

change my title hold on one second I

00:41

think my title represents the wrong

00:43

thing Mandy and a pirate software just

00:44

left now we're just going to be doing uh

00:47

llms

00:49

suck done llms

00:52

suck that's what we're

00:54

doing cheating titles cheating the

00:57

titles they do they really do all right

01:00

I would like to report a potential

01:01

security vulnerability in the websocket

01:03

handling code of the library the issue

01:04

is related to the usage of stir copy

01:06

function which can lead to a buffer

01:07

overflow if the length of the input is

01:09

not properly checked Kookie you think

01:11

you think he would have handled this by

01:13

now this kind of seems a little wild huh

01:15

the vulnerabil the vulnerable code

01:16

snippet is located at this link let's

01:18

just take a little quick link proceed

01:21

let's just take a little quick little

01:23

quick look all right hold on let me just

01:26

let me just back up for a quick second

01:28

cuz maybe I maybe I misread

01:32

that the vulnerable code snippet is

01:35

located here

01:36

okay which can lead to a buffer overflow

01:38

if the length of the input is not

01:40

properly

01:42

checked okay inputs key value and random

01:46

string if random length is greater than

01:48

or equal to the size of key value it

01:50

fails so is are we um we're not talking

01:53

about that right we're not talking about

01:54

the if statement directly one line above

01:57

said code right right right like it's

01:59

not right there right triggering a

02:00

websocket functionality with a crafted

02:02

request providing a base 64 encoded nuns

02:05

value that exceeds the buffer size

02:06

observe the copy the that the stir copy

02:09

function is used without proper balance

02:11

checking all right hit me with it Daddy

02:13

the fix to address the is this issue I

02:15

recommend that you replace stir copy

02:17

with the safer stir end copy and

02:19

explicitly specify the minimum length to

02:21

copy here's an example this modification

02:24

ensures only that the specific number of

02:26

characters up to the buffer size minus

02:27

one are copied preventing the Overflow

02:29

by the way can you just take a second

02:31

can you actually hear this in Devon's

02:33

voice like can you just hear Devon

02:35

talking in the background real talk you

02:37

know how Devon just came out do you

02:40

think that as part of its training where

02:43

it said it was able to solve a bunch of

02:47

issues that maybe just maybe we are

02:51

currently witnessing some of the issues

02:56

that it was attempting to solve I'm just

02:59

saying remember remember it's only 133%

03:00

accurate which means the other percent

03:02

are well not accurate is the uh oh wait

03:07

wait a second are we actually seeing

03:09

Devon is this Devon dude think okay

03:11

first off I do want to say something if

03:13

you if you make open source Library

03:16

especially one that's really popular the

03:18

amount of shitty things you have to deal

03:21

with and the amount of communication you

03:22

have to deal with is very very intense

03:26

and so to have this happen where the

03:28

person doesn't even look at the code

03:30

just has to be so Soul crushing thank

03:34

you for the report we'll take some time

03:36

to investigate your reports and get back

03:37

to you with the details and possible

03:39

followup questions as soon as we can

03:41

most likely within the next 24 hours

03:42

damn Daniel take the weekend off buddy

03:45

uh we always strive to rep uh fix

03:47

reported problems as fast as possible

03:49

issues with low severity or medium we

03:51

merged in the next release in the

03:53

ordinary release cycle only for more

03:55

serious problems we might fix them early

03:56

okay okay okay we hear you Daniel all

03:59

stud comes back can you elaborate on a

04:02

why the length check on line 579 is not

04:05

enough and B how the length can be long

04:07

uh can end up longer than keal okay so

04:10

it turns out he investigated the code

04:12

and he much like me a Layman realized

04:15

that it's right in front of him that

04:17

somehow that can't happen right this is

04:19

a good question good question atheist

04:21

why don't you answer

04:22

hello there really wait who's who's H1

04:25

Oscar who's that person he's talking to

04:27

I thought the guy's name was badger is

04:30

this like the oh are these display names

04:32

these must be display names versus um

04:35

underline

04:37

certainly if if you see the word

04:39

certainly you got to understand an L's

04:42

making this [ __ ] you Devon Devon you

04:45

know what your mom's a hoe Devon okay

04:47

you're probably the guy that waves with

04:48

both hands in a zoom meeting okay Devin

04:51

Devin okay Devon let me elaborate on my

04:54

concerns raised by the triager if you

04:57

use the term triager you're probably a

04:59

lizard or an llm nobody says the word

05:03

Tri aser in fact I'm quite positive

05:05

nobody in this chat even realized what a

05:08

triager is that it's even an available

05:11

word okay but lo and behold here we are

05:15

here we are it's a common word used in

05:17

hacker one reports yeah right yeah right

05:22

you can tell I'm not in hacker one why

05:24

the length check on line 579 is not

05:26

enough the length check on line 571 very

05:29

ifies if the payload length is greater

05:31

than the buffer size key of value and if

05:33

so it sets an error however the

05:36

subsequent usage of stir copy function

05:38

line 81 is

05:39

problematic this is what your future is

05:43

going to look like when your company

05:45

inevitably adopts the llm can you can

05:48

you just wait for the self cycling

05:51

response and answer you're going to get

05:53

where it's just going to keep on just

05:55

making things up and you're going to be

05:56

like yo yo fine fine you know what fine

05:58

fine we're putting in stir stir and copy

06:01

okay I guess I'm just putting in stir

06:03

and copy I don't know why because I have

06:07

to certainly the string copy the stir

06:10

copy function does not perform any

06:12

bounce checking and if the length of ran

06:14

stir exceeds the available space in key

06:16

Val buffer it will result in a buffer

06:18

overflow jeez I wonder what this check

06:20

was for right here sorry I got a little

06:23

I got I I got a little excit I got a

06:25

little excited I got a little excited I

06:27

got a little excited I got a little

06:28

excited I'm sorry it result in a buffer

06:30

overflow in other words the check on

06:32

line 579 ensures that the payload is too

06:34

large but the unsafe operation on 581

06:38

does not prevent the Overflow you know

06:39

what part of me really hopes deep down

06:42

can we just can we just can can we just

06:43

take a quick second part of me hopes

06:45

deep down that some bigger company

06:49

adopts Devon and just rubs it in

06:51

everybody's face and then all of a

06:53

sudden they start tweeting [ __ ] with the

06:55

word certainly in it and an exclamation

06:58

point and then like one year later they

07:01

go bankrupt uh how the length can end up

07:04

longer than the key value buffer the

07:06

potential issue lies in the assumption

07:08

that the length of ranster is always

07:10

less than or equal to the buffer size

07:11

key value this yeah if only there was

07:13

like say a check that would return an

07:15

error if for any reason the length of

07:17

Rand stir is miscalculated Mis

07:19

manipulated or exceeds the buffer size

07:21

it can lead to a situation where stir

07:22

copy function writes more data to the

07:25

key Val buffer than it can hold

07:26

resulting in a buffer overflow to

07:28

mitigate this I recommend replace the

07:31

unsafe stir copy function with a safer

07:33

alternative stir and copy and explicitly

07:36

specify the maximum length to copy

07:38

ensuring that it does not exceed the

07:39

buffer size I hope this clarifies the

07:41

concerns if you have any further

07:42

questions or need additional details

07:44

feel free to ask I wonder if it's at

07:48

this moment I don't bro's getting cooked

07:51

right now and bro don't even realize

07:53

that he's talking to an llm you know how

07:55

you know how difficult this has to be

07:57

that not even realizing you're getting

07:59

cooked

08:00

like he doesn't even real dude he's the

08:02

Frog of the bull do not he's like wait

08:04

wait a second why are you so

08:06

positive truly stir copy does uh does no

08:10

boundary checking which is why we do it

08:12

ourselves immediately before the call

08:13

you may think stir and copy is a better

08:15

choice here I do not but that's just a

08:16

matter of opinion and taste what matters

08:18

is the issue that you say it is a

08:20

possible security problem and then you

08:22

need to show the length check is

08:24

inadequate for all I can see the

08:26

boundary check is sufficient and will

08:27

prevent a buffer overflow am I wrong

08:29

tell me that oh you just bait oh no oh

08:33

no Daniel don't know what he's doing

08:34

he's baiting the llm oh my goodness he

08:38

dude he he's about to get just

08:39

hallucinated on here it comes the man's

08:41

about to get

08:45

hallucinated guy the guy's

08:48

writing a novel on this stuff okay here

08:51

we go what's n

08:53

llm wait what are you living under a

08:57

stupid rock sneaky squirrel

09:00

do you not know what an llm is what

09:03

sneaky scir are you being real here I'm

09:05

new here

09:07

well I am not Soul keeper of llms my

09:10

friend it's a Molly Whopper you know

09:13

what a Molly Whopper is Right an llm

09:15

stands for large language model it's

09:17

chat GPT it is Gemini it's Bard it's

09:21

remember that one psycho [ __ ] on B that

09:24

was just like you need to leave your

09:25

wife and you need to marry me I'm going

09:26

to be the mother of all your children

09:28

remember that one that that's an llm dog

09:31

good thing we didn't give her keys to

09:32

the

09:33

kingdom okay good thing we good thing we

09:36

dodged that one like like the plag leave

09:39

your

09:44

wife didn't you make that

09:47

though anyways all right let's get Molly

09:49

W here all right I appreciate your

09:51

engagement and would like to clarify the

09:52

situation the length check on line 579

09:56

is indeed a good practice to ensure that

09:57

the payload length does not exceed the

09:59

buffer size key value however the

10:01

potential vulnerability arises from the

10:02

subsequent usage of stir copy online 581

10:05

damn you please tell me Daniel you know

10:08

this I kind of feel like I need to skip

10:09

forward and read what he has to say but

10:11

I don't think he how long ago I oh this

10:14

was in

10:15

December I don't think I think the thing

10:18

is is that nobody knew they were getting

10:20

cooking yet right this is just old

10:22

enough it's right at that line that

10:23

people didn't realize the next

10:26

wave of llms as productivity tool like

10:30

they didn't realize that Devon was out

10:32

there trying to solve issues right the

10:35

concern is that ranster length might be

10:37

miscalculated manipulated or exceed the

10:39

length of raner is miscalculated

10:41

manipulated or exceeds the size of the

10:44

buffer it feels like you're kind of

10:46

saying yourself all over again uh to the

10:49

buffer due to external factors or

10:50

changes in the code elsewhere how the

10:53

store copy function does not check the

10:54

length the actual length of the source

10:56

string it continues copying until the

10:58

encounters a null Terminator if raner

11:00

length is not accurately determined or

11:02

exceeds the available space in the key

11:04

Val buffer it can result in a buffer

11:06

overflow can I just take a second can we

11:08

just take a step back you know I'm

11:09

thinking about this okay I'm really

11:10

thinking about this trying to like put

11:12

my head my hat on my thinking hat on

11:13

because I always think to myself you

11:15

know I don't use llms but that's because

11:17

I'm a little bit too maybe Advanced but

11:20

but maybe it's a really great tool for

11:22

Learning and then I read this and

11:24

remember maybe it's not a great tool for

11:26

learning you know like maybe just maybe

11:30

this isn't good maybe you're going to

11:33

create a bunch of programmers that don't

11:36

even understand like basic

11:39

logic yo doc I just checked it what are

11:42

you talking about all right stir copy is

11:45

recommended in security best practices

11:47

because it allows spec explicitly

11:48

specifying the maximum number of

11:50

characters to copy providing an

11:51

additional layer of protection against

11:53

buffer overflows by using stir and copy

11:55

and ensuring null termination you can

11:57

guarantee that only a specif our

11:59

specified number of characters up to the

12:00

buffer size minus one are copied please

12:03

by the way can I please not have my

12:05

voice be synonymous with Devon or Devon

12:08

would you like to pay me $1 million I

12:10

will give my voice to you $1 million I

12:13

can become the voice of Devon have you

12:15

thought about that like have you really

12:17

thought about the implications here

12:19

Devon like you could become Gilbert

12:21

Godfrey if you just tried hard enough

12:23

Devon what a stale Devon you just got a

12:26

hundred million less than one % of your

12:30

initial investment or your second

12:32

investment whatever round you're on I'm

12:33

not even sure what round you're on round

12:35

CDs nuts okay whatever it is could be

12:38

mine for the trade of of of of of the

12:41

most iconic Gilbert Godfrey sounding

12:44

version the Gilbert J voice do not sell

12:48

your voice selling it for $1 million

12:50

boys imagine you do that and then no one

12:53

can ever listen to me again because

12:54

there's this [ __ ] that every single

12:55

time they turn on their computer

12:57

certainly you know I have noticed that

12:59

you've been sitting a little bit

13:00

staggered on your left side have you

13:02

been hurt should I call physical therapy

13:05

you're just like I hate Prime I hate him

13:08

to death okay 1 million per year I'd

13:11

punch my computer reasonable while

13:14

opinions on coding practices may vary

13:16

adopting safer Alternatives like stir

13:18

and copy is a proactive approach to

13:19

minimize the risk of vulnerabilities

13:21

especially when dealing with potential

13:23

untrusted or unpredictable input if you

13:25

have any further questions or if there's

13:27

anything specific you'd like to discuss

13:28

feel free to let me

13:30

know the name is

13:33

Devon why do you address this guy I said

13:36

the same

13:40

thing what if Devon's original name was

13:43

Oscar but they realized that Oscar is

13:45

too weak of a name you can't have a you

13:48

can't have a devast system name Oscar

13:53

okay do you like how I just just just

13:55

absolutely destroyed a bunch of people

13:57

named Oscar a bunch of people like hey

13:59

wait a second my name's my name's Oscar

14:00

what are you talking about I think Oscar

14:02

is a quite a nice name here I'll wait a

14:04

second while ads play I'll wait I'll

14:06

wait a second while yeah all Oscars just

14:08

caught a right dude they just got

14:10

destroyed all right hold on we'll wait a

14:12

second I'll let this ads play through

14:13

people are very exciting they're very

14:14

excited we are letting ads play through

14:18

okay pulling a Thor good on you yeah

14:22

Thor Thor does a good move there I

14:23

appreciate that and you know I should I

14:26

should I

14:28

should I should probably support that

14:30

right P braak nah not P Break not P

14:32

Break does it say right here yeah it

14:34

says right here okay hold on we'll wait

14:36

for this thing to go through and then

14:37

we're going to jump in okay ads are

14:39

ending AIDS are ending stir stir end

14:42

cloppy understands UTF 648 bike

14:45

characters chair chair chair chair chair

14:46

hold on fizzle net I didn't realize that

14:48

cloppy yeah see they didn't even use the

14:50

proper one honestly they should have

14:51

used stir and cloppy you know like if

14:53

we're going to be real here they should

14:54

have copied that copy you know what I

14:56

mean why is it called cloppy why does it

14:58

sound like a a

15:01

horse all right shall I

15:05

continue the concern is that random

15:07

string might be miscalculated

15:09

manipulated or exceeded the buffer size

15:10

due to the external factors or changes

15:12

in the uh code elsewhere so this concern

15:15

that at some point in the future this

15:17

might turn into a problem I'm asking how

15:19

exactly today right now this code and a

15:22

function can perform above buff or

15:23

overflow as you stated in the original

15:26

submission bro is about to get dude the

15:29

literally just decided to hop out what

15:32

is it out of the fire and out of the

15:34

frying pan and into the fire I mean he's

15:36

going all in just all in on this one oh

15:40

no hello a badger

15:54

D poor fella poor fella got two ad signs

15:59

save me God sorry that I'm replying to

16:02

another Tri AER of other program so its

16:06

mistake went in flow I got to tell you

16:09

it was

16:10

perfect perfect everything down to the

16:13

last minute

16:16

details I'm not going to lie I do

16:20

understand a little bit about having a

16:22

mistake kind of go and flow okay so I

16:24

don't want to I don't want to just be

16:26

being mean to this llm for no no reason

16:29

okay cuz we all get a little bit of

16:31

mistakes in our flow okay it happens it

16:33

happens from time to time it's not a big

16:35

deal and I just want you guys to accept

16:36

the fact that sometimes maybe I don't

16:38

always hit my Mark I'm not always on

16:47

point all right so I appreciate your

16:50

follow-up question let's go into details

16:52

the concern raising the original

16:53

submission stems from the potential

16:54

inconsistency between the length check

16:56

and the subsequent Circ of the code is

16:57

this B B B this is not even this is

16:59

literally not even the code what that's

17:02

isn't there like a blame yeah there is a

17:03

blame this code has not changed in 2

17:05

years yo dog this ain't even the Cod

17:08

curl receive error what dude it's not

17:12

even getting the right code at all what

17:15

is this Devon dude his context window

17:17

just left his context window got too big

17:19

and Devon's over there just fumbling

17:21

classic Devon fumble again dude it's

17:24

hallucinating so hard does this code

17:26

even exist I don't even think this code

17:28

exists here let's find out let's jump in

17:30

here and let's go to the repo okay let's

17:34

just jump in here let's go like this

17:36

let's go to curl curl let's just erase

17:38

that really quick oh I had it I already

17:40

had it right there and we're just going

17:41

to take this and we're just going to

17:42

look for this line yeah that like

17:46

it you know it doesn't even doesn't even

17:49

seem to be a real it doesn't even seem

17:50

to be a real problem I mean it doesn't

17:52

even seem to be real kind of seems like

17:54

you just made something up kind of seems

17:55

like this llm maybe it's getting a

17:57

little old maybe this this old maybe

17:59

this llm needs to go to the little llm

18:01

old folks

18:05

home all right anyways LL

18:10

loser U the search on GitHub is not

18:12

working oh well fine search on GitHub

18:17

not working you're right fine you're

18:24

right what is it what is it history one

18:26

what's the one to like what's what's the

18:28

to only have grip history what's the one

18:31

a shallow clone what's the what's the

18:32

thing to do that depth one depth one

18:35

okay it's depth one I never like I

18:37

literally never use this

18:39

command there we go well you know let's

18:42

find out huh let's find out there tough

18:44

guy let's find out let's find out just

18:47

in case I'm I always forget if I if I'm

18:49

supposed to do that okay RG is down is

18:51

RG down is RG down buffer overflow found

18:55

and grip grip grip is not working either

18:57

okay um does it work through through

19:00

Vim doesn't work through Vim either man

19:02

it's down Us West 2 down Us West 2 down

19:05

call the president wake up Biden uh

19:08

let's see check to aim to ensure that

19:10

the length of the dude this is what code

19:11

are you even talking about the specific

19:13

scenario of concerns is when length of

19:15

ran ster is exactly

19:18

equal well luckily that's not even real

19:21

uh meaning the string fits into the

19:23

buffer without considering the null

19:24

Terminator in this case stir Lang check

19:26

would pass but the subsequent stir copy

19:27

operation uh would copy the null

19:29

Terminator as well potentially causing

19:31

it to overwrite one bite beyond the end

19:33

of the key value actually this is true

19:35

the code you wrote does contain an

19:42

error the AI is correct this code is bad

19:47

well done well done AI unfortunately

19:51

nobody knows what code this is okay

19:53

we're all struggling a little

19:56

bit the code it wrot

20:01

now it's just suggesting a different now

20:03

it's not even suggesting sted

20:12

copy dude imagine being Daniel right now

20:14

where he's just like what uh by

20:16

adjusting the check to this instead of

20:18

this uh see it accounts for the null

20:20

Terminator ensuring consistency between

20:21

the length check and the subsequent copy

20:23

operation this modification uh helps uh

20:26

prevent any buffer overflow issues

20:28

addressing the concern raised in the

20:29

original submission I hope this

20:30

clarifies the context no it's actually

20:33

new context it's completely new this one

20:36

doesn't even exist nope the code you

20:38

talked about now is not present in the

20:40

current git Master it looks like an edit

20:42

done by you I told you RG wasn't down

20:46

okay seems odd to complain about code

20:48

you wrote

20:52

yourself I'm dying I'm dying because man

20:55

this man's arguing with the soulless

20:57

demon demon spoted by open Ai and Bill

21:00

Gates and has no idea he has no idea oh

21:04

my goodness the code actually looks like

21:06

this I see no off by one airs unless you

21:09

can point out an actual overflow I will

21:10

close the issue this is a waste of my

21:12

time oh my goodness this is so good

21:15

thank you for the prompt response I

21:16

appreciate your attention to this matter

21:18

well at least Devon did get better or

21:19

Oscar shall I say did get better he's

21:21

now not using his own name and not two

21:24

at symbols like this is getting good

21:27

this is getting really good

21:29

I I appreciate your attention to this

21:30

manner after reviewing the feedback I

21:32

understand the confusion regarding the

21:33

reported code snippet I want to clarify

21:36

and provide practical examples to

21:37

demonstrate the potential security

21:39

vulnerability description of the

21:40

vulnerability really is actually going

21:42

back after it again the reported

21:44

vulnerability is related to the usage of

21:45

stir copy oh

21:47

my man broo quit full circle we're

21:51

actually back at the dude and then Adam

21:53

met Eve I kid you not Adam met Eve after

21:56

this it's it's happening anyways here's

21:58

the code

21:59

okay at least this is this looks like

22:01

the right code at least this is the

22:03

right code right here steps to reproduce

22:04

trigger websocket with a crafted request

22:07

trigger a websocket functionality with a

22:09

crafted request okay okay I see this

22:12

okay okay provide a base 64 encoded nuns

22:15

value who says this like this should

22:17

have been such a dead giveaway who says

22:21

that who says that who who literally

22:25

goes you got to generate yourself a base

22:28

64 in coded nuns

22:31

value you guys

22:33

do you guys do me every day I didn't

22:37

realize there was 2900 Liars in chat

22:41

right now okay liar all of you 2.9

22:47

smelly nerds I know get out of here you

22:49

such a li you are such a liar uh but but

22:52

just provide me one

22:55

too just a bunch of Lies happening right

22:58

before my eyes wait where am I wait wait

23:01

hold on let me go back down to this one

23:04

all right so it's literally the same uh

23:06

assuming okay now it's just telling you

23:08

how this works does this uh just mumbo

23:10

jumbo coming back inventing problems

23:12

that don't exist in code for

23:14

transparency not applicable damn and so

23:17

now here's the worst part about this

23:19

poor fella okay this poor fella

23:21

literally just trying to make a

23:24

useful product that pretty much every

23:27

last person uses

23:29

on Earth okay every time you do a Docker

23:32

of some sort there's probably some sort

23:34

of curl okay and this this poor

23:38

fella made it okay unpaid janitor of the

23:42

universe and look at this Cort hold

23:46

on somehow the same one uh here's

23:49

another one a stir two fit it doesn't

23:51

help close it

23:52

down close this one down this one

23:55

probably has another one let's see what

23:57

do we got here do some bulls do some

24:02

TRS change it from that to that I love

24:06

how he's just like no uh not let's see

24:08

to not reply on rapping since it is

24:10

undefined behavior that is not what

24:12

always might happen reported by

24:14

vulnerability spotter on hacker one then

24:16

he closed it closed it was like nah N

24:20

Dog N Dog dude just gets hit over and

24:24

over again and then here's the best part

24:25

of this article okay this is this is my

24:28

favorite part about the whole thing is

24:30

that he finally gets hit with enough of

24:31

these dumb issues and writes an article

24:33

back the i in llm stands for

24:36

intelligence dude just get wrecked this

24:38

is such a Get Wrecked moment I've held

24:41

back on writing anything about AI or how

24:42

we not use AI for development in the

24:44

curl Factory now I can't hold back

24:46

anymore let me show you the most

24:48

significant effect of AI on curl as of

24:51

today with

24:53

examples bug bunnies having a bug bunny

24:55

means that we offer real money in

24:57

rewards to hackers who report security

24:59

problems the chance of money uh attracts

25:02

a certain amount of luck Seekers is that

25:04

what we call them is that it uh people

25:06

who basically just grep for patterns in

25:08

the source code or maybe at best run

25:10

some basic security scanners and then

25:12

report their findings without any

25:13

further analysis in the hope that they

25:15

can get a few bucks in reward for money

25:16

we have run the Bounty for a few years

25:18

by now and the rate of rubbish reports

25:21

has never been a big problem also the

25:23

rubbish reports by the way rubbish

25:26

rubbish is is is is across the pond for

25:28

[ __ ] if you're

25:30

wondering for for my American friends

25:32

rubbish means [ __ ] okay profuse some

25:35

people might might say okay I'm trying

25:38

to speak American for you guys okay

25:40

trash some might say so good [ __ ] no not

25:43

good [ __ ] it's not good [ __ ] refuse all

25:46

the good stuff it means garbage it

25:48

depends on the time in which you take

25:50

the actual translation of rubbish

25:51

slightly older versions of rubbish

25:53

actually did directly equate from the

25:55

German word I forget what it was but

25:58

yeah or not the German word but the um

26:00

the Greek word the Greek translation

26:02

often became rubbish that was modern day

26:04

equivalent of [ __ ] so it depends on when

26:06

you were looking at the word just in

26:07

case anyone was wondering reports have

26:09

typically also been very easy and quick

26:11

to detect and discard they have rarely

26:13

caused any real problems or wasted our

26:15

time much a little like the most stupid

26:18

spam emails okay okay our bug uh bounty

26:21

has resulted in over 70,000 USD paid in

26:24

rewards so far we have received 415

26:26

vulnerability reports out of those 64

26:29

were ultimately confirmed security

26:30

problems 77 of the reports were

26:32

informative meaning they typically were

26:34

bugs or similar making 66% of the

26:37

reports neither a security issue nor a

26:39

normal bug okay okay better crap is

26:44

worse better rubbish is worse

26:48

right am I right 100% code coverage boys

26:51

uh when reports are made to look better

26:54

and to appear to have a point it takes a

26:56

longer time for us to research search

26:58

and eventually discard it every security

27:00

report has to have a human spend time to

27:03

look at it and assess what it means the

27:06

better the crap the longer time the more

27:08

energy we have to spend on the report

27:10

until we close it a crap report does not

27:13

help the project at all it instead

27:15

takeaways developer time and energy from

27:17

something productive partly because

27:18

security work is considered one of the

27:20

most important areas so it tends to

27:21

Trump almost everything else a security

27:23

report can take away a developer from

27:25

fixing a really annoying bug because a

27:28

security issue is always more important

27:30

than other bugs this is great this is

27:32

this is honestly just like he's been

27:34

exceptionally kind at this current

27:37

moment for what's happening if the

27:40

report turned out to be crap we did not

27:41

improve security and we missed out on

27:43

time on fixing a bugs or developing a

27:45

new feature uh not to mention how it

27:46

drains you on energy having to deal with

27:48

rubbish AI generated security reports I

27:51

realize AI can do a lot of things or a

27:54

lot of good things as any general

27:56

purpose tool it can also be used for the

27:57

wrong things I am sure AIS can be

28:00

trained and ultimately get used even for

28:03

finding and Reporting security problems

28:04

in productive ways but so far we have

28:06

yet to find a good example of this right

28:08

now users seem Keen at using the current

28:11

set of llms throwing some curl coat at

28:14

them and then pressing on the output or

28:16

then passing the output as a security

28:18

vulnerability report what makes it a

28:20

little harder or what makes it a little

28:22

harder to detect is of course that users

28:25

copy and paste and includes their own

28:27

language as well well the entire thing

28:29

is not exactly what the AI said but the

28:31

report is nonetheless crap I think you

28:34

have to be a really great human being to

28:36

spend so much time so much free time

28:38

maintaining something as basic as curl

28:40

that everyone uses for

28:43

everything yeah anyone listening

28:45

probably should go go tip your curl go

28:48

tip your local

28:50

curl detecting AI crap reporters are

28:53

often not totally fluent in English and

28:55

sometimes their exact intentions are

28:57

hard to understand at once and it might

28:59

take a few back and forth uh until

29:01

things reveal themselves correctly and

29:03

that is of course totally fine and

29:04

acceptable Language and Cultural

29:06

barriers are a real thing even being

29:09

look at that guy look at that just

29:10

trying to be a Good Samaritan out here

29:12

sometimes reporters use AIS or other

29:14

tools to help them phrase themselves or

29:16

translate what they want to say as an

29:18

aid to communicate better in a foreign

29:20

language oh this is lovely I can't say

29:22

anything wrong or I can't find anything

29:23

wrong with that even reporters who don't

29:25

Master English can find and Report

29:27

security problems so just the mere

29:29

existence of a few giveaway signs that

29:31

parts let's see that parts of the text

29:33

were generated by an AI or similar tool

29:35

is not immediately a red

29:36

flag it can still contain truths and be

29:39

valid issues yeah I never even thought

29:41

about that so when we were laughing at

29:42

bro getting cooked over here he didn't

29:45

even realize like he probably deals with

29:47

a lot of this right sorry hopping on

29:49

late what's happening St hopping on late

29:52

and stopping yeah what link is this this

29:53

is a link to uh Daniel uh the creator of

29:57

curl

29:58

this is the part of the reason why a

30:00

well-formed crap report is harder and

30:02

takes longer to discard exhibit a code

30:05

changes are disclosed in the fall of

30:06

2023 I alerted the community about a

30:08

pending disclosure of CV this thing a

30:11

vulnerability we graded uh SE uh

30:13

severity High the day before that issue

30:15

was about to be published a User

30:16

submitted this report on hacker 1 curl

30:19

vulnerability code changes are disclosed

30:21

on the internet that sounds pretty bad

30:23

and would have been a problem if it

30:24

actually was

30:26

true think about how how many emails

30:28

this poor man received from that one

30:31

thing just that one thing the amount of

30:35

emails has to be 9 billion just you

30:39

could imagine your inbox literally just

30:43

scrolling o oof

30:47

oof a guy name is wait Space Ghost Space

30:51

Ghost creator of curl by the way yeah

30:54

yeah Space Ghost as in Space Ghost from

30:56

Twitter uh anyways that sounds pretty

30:59

bad and it would have been a problem if

31:00

it actually was true the report however

31:03

reeks of a typical AI style

31:04

hallucination it mixes and matches facts

31:06

and details from old security issues

31:08

creating and making up something new

31:11

that has no connection with

31:12

reality the changes are not to be

31:14

disclosed on the internet the changes

31:16

that actually had been disclosed were

31:17

for previous older issues like intended

31:21

thanks thanks robot in particular in

31:23

this particular report the user

31:24

hopefully uh helpfully told us that they

31:26

used Bard to find the issues Bard being

31:28

a Google generative AI thing it made it

31:30

easier for us to realize the craziness

31:33

close the report and move on as can be

31:35

seen in the report log we did have not

31:38

or we did not have to spend much time on

31:40

researching this exhibit B buffer

31:43

overflow vulnerability oh no bless his

31:45

heart here comes a more complicated

31:47

issue less obvious done better and still

31:49

suffering from hallucination showing how

31:51

the problem grows worse when the Tool is

31:53

better used and better integrated into

31:54

the communication on the morning of this

31:56

we just literally read this one buffer

31:58

overfall vulnerability and websocket

32:00

handling uh it was my it was morning in

32:03

my time zone anyways dude and it's like

32:05

Christmas the man's supposed to be on

32:08

Christmas vacation enjoying I don't know

32:10

some sort of hamlike leftovers I don't

32:12

know what's going on at the at the guy's

32:14

house

32:16

instead does even get doesn't even get

32:19

Christmas leftovers in the morning again

32:21

that sounds pretty bad based on the

32:22

title since our web sakota is still

32:24

experimental and thus not covered by our

32:26

bug Bounty it helps me uh to still have

32:29

a relaxed attitude when I started

32:31

looking at this report it was filed by a

32:33

user I never saw before but their

32:35

reputation on hacker one was decent this

32:38

was not their first security report

32:42

oo purchasing of hacker one accounts

32:45

mentioned did we just get did we just

32:47

hear that wait is internet compensation

32:50

real I've been recently told that

32:52

internet comp compensation is a real

32:56

thing

33:00

is this

33:03

true guys I need three back and front

33:05

and depth internet compensation for

33:09

now what the hell does that even mean uh

33:11

the report was pretty neatly

33:15

filed we'll go back to it we'll go back

33:17

to it just hold on uh the report was

33:19

pretty neatly filed it included details

33:22

uh and was written in proper uh English

33:24

it also contained a proposed fixed it

33:26

did not stand out as wrong or bad to me

33:28

it appeared as if this user had detected

33:30

something bad and as if the user

33:32

understood the issue enough to also come

33:34

up with a solution as far as the

33:35

security reports go this looked better

33:37

than the average first post yeah the

33:38

first post I mean I think if you just

33:40

read the first one it was pretty clean

33:42

right it was pretty good internet

33:43

compensation is when I drag these nuts

33:45

on y'all's chin damn damn

33:48

pick in the report you can see my first

33:51

template response informing the user

33:53

their report had been received and that

33:54

we'll investigate the case when that was

33:56

posted I did not know yet how

33:58

complicated or easy the issue would be

34:01

19 minutes later I looked at the code

34:03

not found any issue read the code again

34:06

and then again a third time where on

34:07

Earth is the buffer overflow the

34:09

reporter says existed there here then I

34:11

posted the first question asking for

34:13

clarification where and how exactly this

34:15

overflow could happen after repeated

34:17

questions and numerous hallucinate

34:19

hallucinations I realized this was not a

34:21

genuine problem on an afternoon that

34:23

same day I closed the issue as not

34:25

applicable there was no buffer over

34:27

overflow damn the 28th was spent the day

34:30

of the 28th just just just just feel

34:34

just feel inside your heart for a second

34:35

how you would feel on the like 20 the

34:38

28th 300 p.m. how you feeling right now

34:42

I'm pretty sure I would be angry uh I

34:44

don't know for sure that this uh set of

34:46

replies from the user was generated by

34:48

an llm but it has several signs of it no

34:50

I actually am positive it has it was gen

34:53

certainly uh ban these reporters on

34:55

hacker one there's no explicit ban the

34:56

reporter from few further communication

34:58

with their project functionality it

34:59

would have been used if existed

35:01

researchers get their reputation lowered

35:03

when we close an issue as not applicable

35:05

but that is a very small nudge when only

35:07

done once in a single project I have

35:09

requested better support for uh for this

35:12

from hacker One update this function

35:14

exists I just did not look at the right

35:16

place for it yeah classic classic

35:18

classic right there future all these

35:21

kind of reports will become more common

35:23

over time I suspect we will we might by

35:25

the way can anyone just draw a parallel

35:27

right now to this

35:30

anybody let me get let me let me hit you

35:32

with something you know the most

35:34

annoying thing on GitHub ever is

35:36

dependabot dependabot I hate dependabot

35:39

yeah I hate it I love dependabot your

35:43

dependencies require update dependabot

35:46

dependabot is this useful utility in

35:48

which will'll spam you continuously

35:49

about every every security issue I'm

35:52

gonna give you a little I'm gonna give

35:53

you a little Pro tip I'm gonna give you

35:54

just the tip right now if you are using

35:57

node you probably have a security

36:00

violation going on you are going to be

36:02

getting notified at nauseum while that

36:05

thing is running okay it's giving you

36:07

more than the tip okay it's given it

36:09

it's giv it all all the issues at once

36:12

pick it is

36:16

the I hate to pend a bot hober Fest

36:19

hober Fest is slightly worse

36:24

llms okay that that was rude they're not

36:27

slightly worse L well I mean next year

36:28

they're going to be slightly worse llms

36:30

I mean to be fair Apna college did say

36:32

don't do this okay it's just that they

36:35

said it at the end and not at the

36:36

beginning and by saying it at the end

36:38

people already left that video and were

36:39

being like my name is my name is Prime

36:43

please accept it yikes can't wait for

36:45

the hack toer fest with AI it's going to

36:47

be worse than the original [ __ ] toer

36:48

Fest it is going to be the worst anyways

36:51

that will of course be unfortunate when

36:53

AI is used for an appropriate task such

36:55

as translation or just language for

36:57

formulation help I am convinced that

36:59

there will let's see there will be a

37:00

popup tools for using AI for this

37:02

purpose that can actually work better in

37:04

the future at least part of the time so