Jernej Simončič

@jernej__s@infosec.exchange
248 Followers
146 Following
21K Posts
@Razemix @nina_kali_nina Years and years ago I was playing with date command on my father's 286, and it let me set dates up to 2099…

We are almost there folks hang in there

2020 ▓▓▓▓▓▓▓▓▓▓▓▓▓░ 550%

We are at the midpoint of the half century. The year 2050 is now closer than the year 2000.

Time is a social construct

@mcc the tone may have been a little jokey here but I really cannot emphasize enough how seriously the vibe has shifted in industry. I perennially want to do more game dev but never really have the time, so I am always curious and asking around the industry to find out what I should learn. In 2019 there was broad consensus “you just gotta learn unity, no way around it”. Post pricing scandal, there’s 100% unanimity on “maybe godot, maybe unreal, under no circumstances even consider unity”
those cartoony looking drawings going up everywhere? that's gen ai. everyone knows it's gen ai. you aren't fooling anybody.
ngl: macOS 26 is Apple's "Windows Vista" moment. Big time.
@infoseclogger @mttaggart @cR0w @catsalad I think you misspelled isn't there.
Every once in a while, someone tells me that an abusive partner left them alone because they were afraid of what I would do if they didn't, and I feel like I have done something right.

Are you a boy or a girl?
I'm nonbinary.

Yeah, but what were you born as?
A baby.

No, I mean what is your sex?
Awesome.

FFS! Do you have a penis or a vagina??
I've had my share of both.

OMFG!! WHAT IS IN YOUR PANTS??
A frankly disturbing number of lockpicks.

@Viss I've got NextCloud with CalDavSynchronizer plugin for Outlook for calendar at a few clients, and it works fine (I'm also migrating one client to Exchange Subscription Edition, but they get cheap licenses through Ministry of Education).
Remember, there are no ghosts... Only #cats..
It has gone zero days since the latest slop

the most excellent copy and paste mistake of the day. This line at the end of a comment on hackerone:

"hey chat, give this in a nice way so I reply on hackerone with this comment"

@bagder bug bounties were a mistake

@Viss @bagder see, I don't think so. In a larger organization with a mature application security environment, they are awesome. Point blank. I have two clients on them. I help with triage, and we found things that never would have been found otherwise.

For open source projects though, we got to come up with something else. Unless they're going to start paying people somehow.

@Sempf @bagder your two success stories are woefully outnumbered by the hundreds of occurrences where bugbounty just creates noise and fraud, though
@Viss But every one of those that I've seen has been mismanaged. I agree that triage is a real big thing. You need somebody on the front end like hackerone triaging and then someone on the back end like me making sure that the query actually even makes sense. The good outweighs the bad.
@Viss @bagder
For some, it seems to work. My experience of bug bounties (through #openssl) has mostly been slop, even before AI entered the scene. @bagder has had a better experience, it seems.
@bagder "make it sound as serious as possible"
@grishka I suppose he managed to not copy that part =)
@bagder I miss the times when "hey chat" was unambiguously addressing twitch audience
@bagder what a plonker. hey chat, give this in a nice way so I reply on mastodon with this comment
@bagder
I hope that users doing this get blocked immediately...
curl disclosed on HackerOne: Stack-based Buffer Overflow in TELNET...

**Title:** Stack-based Buffer Overflow in TELNET NEW_ENV Option Handling **Vulnerability Description:** **Summary:** A stack-based buffer overflow vulnerability exists in the `libcurl` TELNET handler. When `libcurl` connects to a malicious TELNET server, the server can trigger an overflow by sending a `NEW_ENVIRON SEND` request. This causes the client to construct a response that overwrites...

HackerOne
AI slop security reports submitted to curl


Gist

@bagder the guy seems to be sorry about it and realizing this AI shit is not magic.

The fact they were believing in magic is the most troublesome to me...

@bagder Wow, I just read the first two links and it's amazing, it feels like the submitters think they're going to be paid for submitting nothing of value. Will continue reading.
@Exagone313 it is educational. And frustrating...
@bagder I have found that one of the submitters listed there got awarded more than $1000 from a company on Hacker One. I guess sometimes it pays off.

@Exagone313 @bagder The second one is funny in hindsight given today you can immediately tell from the wording it's just copied directly off of ChatGPT.

"Hello <user>,
Certainly! Let me elaborate on the concerns raised by the triager:

[...]

I hope this clarifies the concerns. If you have any further questions or need additional details, feel free to ask."

ChatGPT LOVES its "Certainly!" starter.
They didn't even bother writing a comprehensive LLM command not to use the default slop wording.

@bagder "hey chat, give this in a nice way so I reply on hackerone with this comment" 😂

@bagder

hey chat, give this in a nice way so I reply on hackerone with this comment

I'm dying 😭

@bagder

AI slop. Reported as abuse. Banned from the project.

unfathomably based. even that is more effort than they deserve.

@bagder i don’t think that’s how snprintf works…
@bagder thank you for sharing these
@bagder so... I checked the linked website of that account.