Neal Walfield

@nwalfield
366 Followers
882 Following
1.5K Posts

I work on Sequoia, a project to improve the OpenPGP ecosystem.

Antifa. Pro democracy. Pro positive and negative liberty.

I had a weird hardware experience today. I built a new PC, but shuffled around RAM and NVMe drives, because prices. I put two NVMe drives into the new build: a Samsung SSD 980 Pro and a Kingston KC3000. They were already in PCIe adapters so I plugged them in. The Supermicro motherboard refused to POST and reset at initializing AHCI. Ok, pulled one drive, it booted. Put that back in and pulled the other, it booted. Eventually I tried moving the Samsung 980 to the on-board M.2 slot and it worked.

@fesshole That the numbers are both prime is a cool coincidence, but all numbers show up in irrational numbers like pi and e.

Edit: We don't know that all numbers show up in irrational numbers; it's just a conjecture. Thanks to those who replied for clarifying (and see below for more details).

@guenther It's not so easy. I don't want to use LLMs. And not all of the issues are actually found via LLMs, but nearly all of the reporters use LLMs to help them write the reports.

My theory is that most of them don't speak English very well. The people that I interact with are from countries like Algeria and the Philippines where English is not taught as well as it is in places like Europe. Bug bounty programs are attractive to them, because 500 Euro is a lot more than for someone in Europe.

@phryk I feel like I'm in a bind. I'm against LLMs and don't use them and don't want people who contribute to Sequoia to use them. That said, these hunters with their LLMs are finding issues (albeit most of them are inconsequential). Should I ignore their reports and then not fix the issues? What would you do in my situation?

Sequoia has a bug bounty program and nearly all hunters use LLMs. If we were to decide that we would prohibit LLM submissions, we may as well close down the program. When interacting with hunters, I'm experimenting with saying: "Please keep your response to less than 200 words. Do not change the topic. Only consider the reported issue." Initial results are positive. The responses are still from an LLM, but they are shorter and seem more on-topic.

@ffmancera Yes, this is a minor issue, which should be fixed, but the reporter spilled over 1200 words and suggested a CVSS score of 5.5. So, not such a nice report.

@ffmancera This project also considers some crashes as security vulnerabilities. In this case, it's about a one-shot CLI tool that fails to parse an argument.

New bug bounty report: if a user supplies a time very far in the future to sq --time, then sq doesn't elegantly reject it, but crashes due to an overflow. Yes, this is a minor issue, but where's the security vulnerability?

@phf If you're willing to change kernels, you could try running redox. They have a strict no LLM policy.

https://gitlab.redox-os.org/redox-os/redox/-/blob/master/CONTRIBUTING.md#ai-policy


TIL about bash's caller builtin, which makes it easy to get a backtrace in bash.

https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-caller

Bash Builtins (Bash Reference Manual)
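A backtrace helper built on the `caller` builtin, added here as an illustration and not taken from the post; `backtrace`, `die` and the nested `level1`/`level2`/`report` functions are assumed names.

```bash
#!/usr/bin/env bash
# Added example (not from the post): walk the call stack with `caller`
# to print a backtrace, and a `die` wrapper that prints it before exiting.

backtrace() {
    local frame=0 info line func file
    # `caller N` prints "LINE FUNCTION FILE" for stack frame N and returns
    # non-zero once N is past the top of the stack, which ends the loop.
    while info=$(caller "$frame"); do
        read -r line func file <<<"$info"
        printf '  #%d %s() called at %s:%s\n' "$frame" "$func" "$file" "$line"
        frame=$((frame + 1))
    done
}

# Print an error message and the backtrace to stderr, then exit non-zero.
die() {
    printf 'fatal: %s\n' "$*" >&2
    backtrace >&2
    exit 1
}

# Constructed call chain used to show which frames `backtrace` reports.
report() { backtrace; }
level2() { report; }
level1() { level2; }
```

Calling `level1` from a script's top level lists frames #0 (report), #1 (level2), #2 (level1) and #3 (main); `trap 'backtrace >&2' ERR` prints the same trace whenever a command fails under `set -e`.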