Perplexity is now crying because their plagiarism machine cannot bypass Cloudflare's firewall. How about you start paying for stealing others' content to train your shity AI?
There is no Legitimate LLM or AI if takes all content without permission and these companies sell their services for money. It is stealing. Plain and simple.
Inclusive hiring isn’t just good practice - it’s essential.
Our latest blog post, written by Senior Project Manager Felicity Miners-Jones, shares practical steps for making recruitment truly accessible.
From clear job ads to barrier-free recruitment platforms, these steps help keep the process fair, expand your talent pool, and show a genuine commitment to inclusion: tetralogical.com/blog/2025/08/…
Accessible recruitment is more than a policy - it’s a way to ensure that every candidate can perform at their best, and each role is filled by the person most capable of doing it.
### Summary
A malicious WebSocket server can send a fragmented message (FIN=0) followed by a flood of continuation frames, causing the client (curl) to continuously allocate memory while waiting...
@bortzmeyer yes, but there are multiple signs of AI in there including the fact that the report is bogus, plus the detail that the person doesn't deny using AI and simply pretend I didn't ask...
Could have been an honest mistake, but don't you double or even triple check that the memory usage actually increases and additionally check which versions are affected?
I haven't seen an AI take a screenshot of their terminal yet. And Kali on WSL does seem like something an overambitious script kiddy would use. On the other hand, the user definetly types like an LLM, and not answering the direct question is hella suspicious 🤔
Maybe it's a kid who's just asking ChatGPT what to do and say?
does the form require the Mitigation Recommendations and Impact sections, and does itbsuggest 3 bullet points for each? If not, then definitely slop, whether human or AI.
Also, the mitigation recommendations seem very generic and don't demonstrate a beyond-surface-level understanding of the usecase.
like, why do websockets allow fragmentation? Possibly to allow processing messages of unbounded size in a streaming fashion, while allocating only enough memory to hold one fragment.
Which I'm guessing is what curl is already doing.
But the fix suggestions don't mention that possibility.
oh... does an implementation have to support all frame sizes? If so, then to not have a single-frame exhaustion vuln, you'd need to process parts of a single frame in a streaming fashion. It sounds quite difficult to have that work, and then somehow not be able to stream multiple frames in the same way...
@wolf480pl it's super annoying and libcurl's API for websockets thus has a way to pass on partial frames just so that it can do it streaming without using a lot of memory or do some kind of buffering etc. Fragments of frames that are part of messages...
Eh, I voted not slop purely because years ago I almost reported a memory leak against a project but it turned out that GDB was leaking. This *could* be an honest mistake. Basically, I want to believe.
I think I’d want to know how the false positive occurred. “Doesn’t occur on latest master” could imply that it did occur on some other recent version, which seems useful to know about. The only other obvious explanation of course is that it’s slop and they didn’t actually try running it themselves, which seems vastly more likely.
@benjamineskola well, I tried the same version he says he used and it did not reproduce for me on that version - since I also know the code I was actually questioning the report already from the beginning but was open for me missing some mistake of ours
I just can't fathom how you deal with all the slop. I've been following your ongoing battle for a while and, to be honest, I would have given up by now. Thanks for persevering.
I'm surprised they came back and recanted the report. seems really a daft thing to do to submit a serious bug like that without actually using thier own brains. why do they do it??
I voted “not slop” for the benefit of doubt. At least that report was reasonably concise.
Maybe you could require security issue reporters to provide a minimal Dockerfile demonstrating the issue and a screenshot of the output highlighting the failure? (and require output lines to be timestamped in that screenshot)
first thing which weirded me out - long and detailed, from the looks, text. But no mentions of the specific environment (including the version of curl) "used" to "reproduce". Which should be one of the most important details, I suppose.
the report mentioned the --include option but that was renamed (deprecated) in curl 8.10 according to the manual. Outdated information always screams LLM. That was very sus. I would assume someone would read the docs before writing such a report.
Pretty confident an LLM was at least used to create the text. However I think this is a rare case of the user actually bothering to trim the output down so it’s readable.
If the problem were real that would be it, but you mentioned even the version they cited in the comment doesn’t exhibit the problem. For that reason I have to lean toward slop.
➡️ Jsem namočený v pár projektech a dva se sešly do rozhovoru s mojí maličkosti. O AI, jak jinak. Tak si to přečtěte ve V zrcadle AI: S Danielem Dočekalem o tom, že AI je jen jiný Google, který vypadá sofistikovaněji.
I really struggle with the way these videos are done, the speech patterns feel really odd. is there a name for that? They sort of ... play in the next segment almost before the previous one has finished? Am I making any sort of sense?
@cachondo I call it the old school Andrew Huang effect. He doesn't do it nearly as much these days, but for me, he was the one that did it the most back in the day and I utterly loathe it.
@cachondo I know some youngsters have short attention spans, but that's no excuse: I don't think I'll ever get used to little bits of speech being edited together like that;
@frog67 @cachondo Some podcast apps have features to remove silence between sentences automatically. We probably should start advocating for something opposite, insert natural pauses between sentences.
@Scott @jakobrosin @frog67 @cachondo @BorrisInABox Just wanted to join in and tell you all how I hate such videos! Just can't stand them. It's not ASMR of course (which is absolute nightmare for me), but quite close.
@menelion @Scott @jakobrosin @frog67 @cachondo @BorrisInABox I get it. I definitely get it. That's why my silly demo was tongue-in-cheek and pointless. It's actually physically uncomfortable for me to listen to that kind of thing for too long. Makes me feel like I can't breathe. It's weird.
@Scott @jakobrosin @frog67 @cachondo @BorrisInABox That was much too nice. You did not bombard us with enough words per second! And you call yourself a Youtuber? Ugh.
No, you only let sharp cuts happen when you're about to go into a stupid joke that has been rehashed 1,246,744 times on your channel, and everyone is expected to know what it is. Either that, or just pause for 10 seconds and play the sound of a cricket.
@cachondo Yeah it just sounds like bad editing but it's done deliberate. I really wonder why. Does the waveform look prettier on the timeline for some reason?
As the leading provider of accessibility training, Digital Access Training is proud to offer on-demand courses that make it easy for you to learn at your own time and convenience.
Trochu mi tu překážel kousek boku a byl akorát čas ho zpracovat. V jádru má krásných 92 stupňů a pod sebou dubový hobliny... To tooterý prostě nemůže dopadnout špatně! 🤤 A vy se taky neodbývejte, bando. #dobrouchut !
i have seen a few people arguing for xslt recently; weird proposition! - libs have a cost (browser download size, update work, integration, security risk) - xslt 1.0 is not good. okmij.org/ftp/papers/SXSLT-tal… - nobody uses it. (or rather, 0.001% of page-loads use it.) - regardless of your pov on xml, xml web documents are entirely a lost cause; the web is html, and html is not xml. - there are so many better alternatives! even a simple page with a script tag can do a better job!
The specific use case I've seen people arguing for is using XSLT to transform an RSS or Atom feed into HTML. For that, a page with a script isn't an option. And the argument seems to be framed as Google not caring about a thing that's important to some in the indie web community, namely RSS. It doesn't help that Google killed off Reader.
This PR adds Encrypted Client Hello (ECH) functionality to apache2, when using OpenSSL for TLS.
Notes:
ECH is not yet part of an OpenSSL release. We'd hope ECH will be part of OpenSSL 4.0 in A...
To je ještě dobrý. Jednu za mnou došli borci, kteří nám zdili plot: "pane, malá vám kreslí kamenem po autě." A taky že jo, dvouletá dcera si řekla, že by autíčku slušely obrázky. 🙈
Úplně stejný zážitek, dorostenec zdobil kapotu kolečky 🙈 Na druhou stranu, je to vidět, jen když se auto umeje, takže mi to v následujících letech ušetřilo nějakou práci 😂
It's still in early version I think, so doubtless it will improve. I'm very impressed at the speed with which you can just flick through a book's chapters, though.
I'm sure an MRU is on the agenda. I'd quite like it to keep your documents open when I come back to it, given it's already got support for multiple tabs.
also it needs to know if it's already open, at the moment you can open multiple copies of the app, where I guess you want a second click from explorer to add the tab of the file to your current session, maybe.
And it will encourage more people to seek out alternatives, including #AutonomiDweb
This can't be censored and is end to end encrypted so you don't need a VPN.
Using dweb you can publish websites to Autonomi and view them in a standard browser. This includes dynamic apps storing and fetching data directly on Autonomi.
This will give vulnerable people, including children access to vital information and safe spaces.
flohmarkt.adminforge.de/~fExpl… Vielleicht möchte ja jemand ein wenig basteln. Bestimmt sind sie auch für andere Dinge verwendbar. Funktionieren noch tadellos.
sftp_download_stat, sftp_upload_init, sftp_quote_stat, sftp_readdir will translate LIBSSH2_ERROR_EAGAIN to CURLE_OK and set *block to TRUE, but outer loop do not check *block, result in busy loop
@stepan Co si budeme... otevírá to celou Pandořinu skříňku věcí, které by najednou nebyly legální. Ale technicky nezdatní legislativci nebo soudci dokážou napáchat hodně škody.
Otázka je, zda jde víc o technologii nebo o společenskou dohodu, která vychází z toho, že tohle vždycky šlo. Je možné, že je to spíš to druhé a že tahle věc, kterou jiná média nebo způsoby nakupování apod. nenabízejí, padne, protože překáží těm, kdo dnes mají nebo chtějí peníze. Stejně jako nemůžeš měnit a ovlivnit to, co ti zobrazuje appka Rohlíku v mobilu, nebudeš to moci ovlivnit ani na webu. Jedno je jisté - kdyby někdo vymyslel web včera, tak to rozhodně nejde.
”Apresentei minha esposa ao AntennaPod para podcasts, como um passo para nos afastar do Spotify, e sua confusão inicial era que ela não precisava fazer login em nada para usá-lo, apenas funciona e ela pode encontrar os podcasts nos quais está interessada! 😊
Introduced my wife to AntennaPod for podcasts, as a step to wean us off Spotify, and her initial confusion was that she didn't have to log in to anything to use it, it just works, and she can find the podcasts she is interested in! 😊
AntennaPod is a podcast player that is completely open. The app is open-source and you can subscribe to any RSS feed. AntennaPod is built by volunteers without commercial intere...
Have you completed the 2025 NVDA Satisfaction Survey? It's a short 3 question survey, but it's a great chance to have your say on the most popular free screen reader for Windows! What are we doing well? What can we improve? Please let us know: nvaccess.org/survey
At NV Access we are always interested in understanding the satisfaction of our NVDA users. Plus, we like to understand clearly what is important to you and also identify what we can do more effectively.
@RealGene Good point - we don't in our bio just because there's limited room. I did just go & check the web site as well. While we don't have a big "What does NVDA stand for?" bullet point - I just searched for "NVDA" and the first mention of it on the home page is "We have spent over 15 years developing the global solution: a free, high quality screen reader, accessible to all! NVDA: Non-Visual Desktop Access. " (you'd evidently already found that, but you're right, it's not always obvious)
so with this logic its also illegal to enlarge font for accessibility? Or darkening web that does not have dark color scheme? Or to letting password manager automatically fill credentials? Any DOM manipulation? 🤦
Check out an Applevis forum post and an associated podcast that I put together about a cool guitar gadget called Tonewood Amp. If you are an acoustic guitar player,, you may really love it! :)
@mmu_man Those armored fiber cables are really heavy and easily mistaken for copper I guess ... I know a guy with a spool that big that was mistakenly delivered and he can't get rid of it, just lives in his garage lol
Set up an appointment with a new pain therapist. At the end of our intake call, I asked, "Hey, just to be clear, there's no binding arbitration waiver in your paperwork, right?"
That was 3 days ago. I was just getting ready to drive over and he texted me this, then called me and told me he wouldn't treat me because being asked about his paperwork "made him uncomfortable."
I guess from now on I just go to the first appointment, read the paperwork and if it's objectionable, cancel and walk out?
What a strange cowardly cop-out. Guy is clearly over his head and doesn't understand what binding arbitration even is, then claims you're making threats of legal action? What???
The HR tech giant said it had no indication of any unauthorized access to customer systems, but has not ruled out a breach affecting customers' personal information.
Over the past week I've been working on Playmaker.Audio: > A modern, end-to-end 3d game audio engine on top of OpenAL Soft. This project aims to give .NET / C# games a developer-first audio layer that feels closer to high-level middleware while staying completely open, hackable, and dependency-light. If you're interested, take a look! github.com/the-byte-bender/Pla…
In a significant development for AT&T customers, millions affected by two major data breaches in 2024 may be eligible to file claims for cash payments totaling up to $7,500 as part of a $177 million class-action settlement.
CAMROSE, AB - In yet another shocking electoral upset, Conservative leader and former Member of Parliament Pierre Poilievre has somehow been defeated once again in today's by-election by Liberal MP Bruce Fanjoy,
Stéphane Bortzmeyer
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to Stéphane Bortzmeyer • • •Eicar Arlettaz
in reply to daniel:// stenberg:// • • •Sensitive content
Mx. Moriarty 🏳️⚧️
in reply to daniel:// stenberg:// • • •Techassi
in reply to daniel:// stenberg:// • • •Philip Johansson 🏴☠️💜
in reply to daniel:// stenberg:// • • •I haven't seen an AI take a screenshot of their terminal yet. And Kali on WSL does seem like something an overambitious script kiddy would use. On the other hand, the user definetly types like an LLM, and not answering the direct question is hella suspicious 🤔
Maybe it's a kid who's just asking ChatGPT what to do and say?
Conny Duck
in reply to daniel:// stenberg:// • • •Wolf480pl
in reply to daniel:// stenberg:// • • •does the form require the Mitigation Recommendations and Impact sections, and does itbsuggest 3 bullet points for each? If not, then definitely slop, whether human or AI.
Also, the mitigation recommendations seem very generic and don't demonstrate a beyond-surface-level understanding of the usecase.
Wolf480pl
in reply to Wolf480pl • • •like, why do websockets allow fragmentation? Possibly to allow processing messages of unbounded size in a streaming fashion, while allocating only enough memory to hold one fragment.
Which I'm guessing is what curl is already doing.
But the fix suggestions don't mention that possibility.
daniel:// stenberg://
in reply to Wolf480pl • • •Wolf480pl
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to Wolf480pl • • •o_andras
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to o_andras • • •Jeff Clough
in reply to daniel:// stenberg:// • • •ben
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to ben • • •daniel:// stenberg://
in reply to daniel:// stenberg:// • • •Jeff Clough
in reply to daniel:// stenberg:// • • •Bredroll
in reply to daniel:// stenberg:// • • •F4GRX Sébastien
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to F4GRX Sébastien • • •F4GRX Sébastien
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to F4GRX Sébastien • • •F4GRX Sébastien
in reply to daniel:// stenberg:// • • •Apollo
in reply to daniel:// stenberg:// • • •John Deters
in reply to daniel:// stenberg:// • • •sre4ever
in reply to daniel:// stenberg:// • • •I voted “not slop” for the benefit of doubt. At least that report was reasonably concise.
Maybe you could require security issue reporters to provide a minimal Dockerfile demonstrating the issue and a screenshot of the output highlighting the failure? (and require output lines to be timestamped in that screenshot)
KasTas
in reply to daniel:// stenberg:// • • •first thing which weirded me out - long and detailed, from the looks, text. But no mentions of the specific environment (including the version of curl) "used" to "reproduce". Which should be one of the most important details, I suppose.
But yeah. Tricky as heck.
Brett Nash
in reply to daniel:// stenberg:// • • •doragasu
in reply to daniel:// stenberg:// • • •Kaito
in reply to daniel:// stenberg:// • • •hisold
in reply to daniel:// stenberg:// • • •I would assume someone would read the docs before writing such a report.
aspragg
in reply to daniel:// stenberg:// • • •Lando
in reply to daniel:// stenberg:// • • •Pretty confident an LLM was at least used to create the text. However I think this is a rare case of the user actually bothering to trim the output down so it’s readable.
If the problem were real that would be it, but you mentioned even the version they cited in the comment doesn’t exhibit the problem. For that reason I have to lean toward slop.