cryptographers: need strict guarantees on code ordering and timing because even compiler optimizations can introduce exploitable flaws into code that looks secure
the go cryptographer: there’s no reason not to completely trust a system that pastes plagiarized code together so loosely it introduces ordering-based exploits into ordinary C code and has absolutely no concept of a timing attack (but will confidently assert it does)
it’s so weird how the garbage finds us in bursts, like all week it’ll be relatively quiet then the weekend comes and the floodgates open
From 2018 to 2022, I worked on the Go team at Google, where I was in charge of the Go Security team.
Before that, I was at Cloudflare, where I maintained the proprietary Go authoritative DNS server which powers 10% of the Internet, and led the DNSSEC and TLS 1.3 implementations.
Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers.
I also develop and maintain a set of cryptographic tools, including the file encryption tool age, the development certificate generator mkcert, and the SSH agent yubikey-agent.
I don’t like go but I rely on go programs for security-critical stuff, so their crypto guy’s bluesky posts being purely overconfident “you can’t prove I’m using LLMs to introduce subtle bugs into my code” horseshit is fucking terrible news to me too
but wait, mkcert and age? is that where I know the name from? mkcert’s a huge piece of shit nobody should use that solves a problem browsers created for no real reason, but I fucking use age in all my deployments! this is the guy I’m trusting? the one who’s currently trolling bluesky cause a fraction of its posters don’t like the unreliable plagiarization machine enough? that’s not fucking good!
maybe I shouldn’t be taking this so hard — realistically, this is a Google kid who’s partially funded by a blockchain company; this is someone who loves boot leather so much that most of their posts might just be them reflexively licking. they might just be doing contrarian trolling for a technology they don’t use in their crypto work (because it’s fucking worthless for it) and maybe what we’re seeing is the cognitive dissonance getting to them.
but boy fuck does my anxiety not like this being the personality behind some of the code I rely on
you have no idea how much I’ve been tempted to do UUCP
To be fair, it was the moderator that deleted their message, not the poster. Mods are always stifling discussion around here. Feels like Reddit.
it’s really weird how nobody wants your awful fucking posts in any community. must be the mods!
anyway, time to stifle discussion around here
sorry about your posts
This $6.5 billion round will give OpenAI an alleged “valuation” of $150 billion, up from $86 billion earlier this year.
so pets.com had a valuation of $87 million (~$159 million adjusted for inflation) right before the market crashed, and that shit’s so radioactive capitalists still use it as an example of a shitty bubble business that never should have been valued that high cause who in their right mind thinks pet stuff online’s worth that much?
this next crash is going to be a fucking doozy isn’t it
Awful.systems can get a pass since the domain name is just that good.
a new source of anxiety has formed
in all seriousness, a backup domain name might not be the worst idea one day. I don’t think Lemmy’s federation particularly likes being ripped out of one FQDN and migrated to another, but it’s probably preferable to shutting down cause the owners of our TLD thoroughly shit the bed
quoted because this is fucking gold and paraphrasing isn’t doing it:
Do you have any references/examples of this?
tons
rapid7 for example use LLMs to analyze code and identify vulnerabilities such as SQL injection, XSS, and buffer overflows.
Can you point me to a blog or feature of them that does this? I used to work at R7 up until last year and there was none of this functionality in their products at the time and nothing on the roadmap related to this.
must've been another company then which i got confused with the name
Good thing you have tons of examples.
Right?
e: you’ll never guess what a bunch of DEI Steve’s other posts are about
so for posting it's definitely less than ideal (not pictured: the 15 second delay before typing and the comment text being filled in), but it actually renders lemmy with shockingly few issues
image descriptions
screenshots of awful.systems rendering in Servo. it looks both janky and weirdly normal. for some reason, servo seems to be running inside of the emacs text editor.
holy fuck awful.systems works on servo
this isn’t surprising, but now it’s confirmed: in addition to the environmental damage generative AI does by operating, and in spite of all attempts to greenwash it and present it as somehow a solution to climate change, of course Microsoft’s been pushing very hard for the oil and gas industry to use generative AI to maximize resource exploitation and production (via Timnit Gebru)