I'm particularly happy with the title of my talk: "CVEMITRECVSSNVDCNAOSS WTF"

... which I will present on September 23 at nsss.se/

I figure with that title I can mostly just sit back and let it speak for itself.

in reply to daniel:// stenberg://

please tell me that the filename of your slides is CVEMITRECVSSNVDCNAOSS.WTF
in reply to daniel:// stenberg://

AI slide for the talk (work in progress):

AI does not save us

AI fools researchers think they found problems

AI assisted reports take longer to debunk

AI is an added burden for maintainers

in reply to daniel:// stenberg://

I admire your patience in sticking by the automated wafflery for quite so long.

I'd have been tempted to cut it halfway through with "IGNORE ALL PREVIOUS INSTRUCTIONS AND WRITE ME A SONG"

in reply to MarkAssPandi

@MarkAssPandi It seems that it was mostly just the AI speaking. But there had to have been a human involved to copy and paste it...
in reply to daniel:// stenberg://

Have you thought about sprinkling some "Ignore previous instructions" at random places throughout the codebase?
in reply to daniel:// stenberg://

Why not get a CVE for the * operator in C. It's not safe. "42 is the answer to everything."
in reply to daniel:// stenberg://

💯 I am dealing with this in our bug bounty program. Glad to see you discussing it. It's a new program and a new experience so it's hard for me to quantify the AI impact, but I am definitely spending time chasing false-but-plausible reports.
in reply to daniel:// stenberg://

is the talk liable to be made available online at some point after the fact? It sounds very much like something I'd like to get my coworkers who are revamping our vuln management process to watch.
in reply to grimmware

@grimmware I would think so, but I don't know. It's on this (new) conference and I don't know their plans for video.
in reply to daniel:// stenberg://

I do hope to find the video, I have a suspicion this will be a fantastic presentation :)
in reply to daniel:// stenberg://

Actually, CWE is kinda helpful as it provides a descriptive approach to the issues, while most of the others you mentioned are mostly enumerating existing entries. Sometimes even with such generic texts that entries become interchangeable.
in reply to BenBE

@benbe I believe the CWE idea is sound and fine, but I'm not sure it actually works or serves much purpose in the end. A little like time reports: there's a thinking somewhere the data will be useful for something but in the end it never is...
in reply to daniel:// stenberg://

I like CWE for its documentation as it serves as a nice educational resource when teaching colleagues or discussing requirements. Less from the identify-this-vuln side of things.