Gerald Benischke @beny23@infosec.exchange (@giskard23)'s Twitter Profile
Gerald Benischke @beny23@infosec.exchange

@giskard23

Debugger, breaker and fixer of software.

ID:144468211

Link: https://beny23.github.io | Joined: 16-05-2010 11:20:59

1,9K Tweets

440 Followers

1,0K Following

Gerald Benischke (@giskard23):

The NIST record refers to a gist by LLM4IG - and associates buffer overflow with NullPointerException. Methinks, this is the work of GenAI. Great, another thing AI makes worse.

Gerald Benischke (@giskard23):

Excellent thread. I am shocked, shocked and… well not really: SAST tools can’t replace mark 1 eyeball in real world scenarios!

Bartek Nowotarski (@bartn_):

The case I've been working on in 2024.Q1: The CONTINUATION Flood is a class of vulnerabilities within numerous HTTP/2 protocol implementations. A single TCP connection can lead to server crash. Check the advisory at: nowotarski.info/http2-continua…

Gergely Orosz (@GergelyOrosz):

Two teams:

Team A: 'Architects' write the spec. 'Devs' implement it. On rollout, there are issues. Who is at fault? Finger pointing.

Team B: 'Architects' write the spec. 'Architects' also implement it. On rollout, there are issues. The team fixes these. No fingers to point.

Dan Lorenc (@lorenc_dan):

Almost all of the work here would qualify for funding under Google's patch rewards program and/or the OpenSSF's Alpha Omega program.

Get paid to help out open source projects and maintainers! These programs exist and are real and are funded by companies across the industry.

Gerald Benischke (@giskard23):

In the aftermath of the XZ Backdoor fiasco, there have been suggestions that open source is to blame. I couldn't disagree more. But there is an open source problem in the software industry. Some thoughts:

beny23.github.io/posts/xz_backd…

Gerald Benischke (@giskard23):

So by that reasoning, remote working is actually AI-coding, I think we've just solved the problem created by 'return-to-office' AND 'let's use AI' c-level requirements!

JFrog Security (@JFrogSecurity):

The recent XZ backdoor CVE-2024-3094 looks like a highly sophisticated attack with details constantly emerging from many different sources.
Our research team is currently analyzing, verifying and aggregating everything in a single place -
jfrog.com/blog/xz-backdo…

Gerald Benischke (@giskard23):

Really good take. Don’t blame the maintainer, this could have happened to anyone. Don’t blame open source, I’m betting there’s plenty of assets in corporations!

vx-underground (@vxunderground):

Microsoft engineer: 500ms lag in liblzma? Something's up.

Also Microsoft engineer: 45 minute lag in Microsoft Teams? Perfect.

Gerald Benischke (@giskard23):

McKinsey understand development practices? World’s greatest open source… it’s too much, I can’t finish typing the tweet because of laughter.

Andy Randall 🇺🇦 (@ahrkrak):

🤔 What’s the probability is the only package with a malicious maintainer?
What’s the probability there are other similar backdoors that just haven’t been spotted yet?
We know it’s significantly higher than zero. We are only just starting to realize the implications of that.

Gerald Benischke (@giskard23):

An apt name. An early Easter present for fear-mongering security sales departments who will be pushing this to sell SBOM solutions until their ass bleeds.
