I was thinking a bit about the bugs I found in the Piefed codebase yesterday. And these led to an emergency fix by the dev that’s now been implemented. https://codeberg.org/rimu/pyfedi/commit/093a466935849f27b3ecf2eab159129186320417
And the real takeaway for me here is that the whole dynamic of how we approach security has now changed in ways most people don’t appreciate.
It used to take a lot of effort to find exploits in software projects because you’d have to spend a long time to familiarize yourself with the codebase, then comb through the code looking for mistakes that could be exploited. And to even do that, you’d need a good understanding of the protocols and specifications used by the application.
You basically had to be a domain expert with a deep understanding of how the application works. A random person looking at the source code would have little chance of finding any non-trivial problems or figuring out how to actually exploit them.
And in that world, doing a private disclosure made a lot of sense because you did a lot of hard work to find it, and it wasn’t easy for somebody to replicate. This was valuable and dangerous knowledge that had to be communicated in a responsible fashion.
But now, anybody can throw an LLM at the code and it’ll sniff out vulnerabilities and even explain step by step how to exploit these security holes. So, the information itself isn’t really that valuable anymore. If I can throw an LLM at the code and find these problems in a few minutes, anybody else can do the same thing too.
I’m not a Python developer, I don’t have any deep knowledge of the Python stack used in Piefed, and on my own, I’d have zero chance of finding these exploits. But once the LLM identifies them, it’s very easy for me to verify that they are indeed real exploits, and to realize how they can be used maliciously.
The attacker doesn’t even need to have any deep knowledge of programming because the LLM can guide them through the exploit step by step.
Open source projects are particularly vulnerable here since anybody can just grab the source and throw an LLM at it to see if it can find exploits.
I’d argue that raising awareness that this is now the state of things is really important, and I would suggest that running an LLM against the code is minimal due diligence at this point.
Obviously, the LLM vulnerability check is not exhaustive, and if it doesn’t find anything that doesn’t mean there aren’t exploits in the code. But anything it does find should absolutely be checked by the developers.
People should be aware that we’re now living in the world where the bar for finding vulnerabilities is far lower than it used to be. And that means security must be taken far more seriously.
Brother, Rimu is an enemy of the fediverse. Why? Because he re-created reddit. He basically reinvented shadow banning, controls the narrative of his instance, actively keeps spreading misinformation about other instances and users, will actively suppress certain instances using his platform and lashes out against criticism like a petty tyrant.
I’m tired of this nonsense that “We’re all here to leave reddit!” Yes. We are here to leave reddit. So stop giving Spez 2.0 a pass.
Many people would say the same thing about the admins of various different Lemmy instances. In the end admins can do whatever they want on their own instance; that’s how the Fediverse works. What’s important is that they can only do these things on their own site. So if you don’t like it, just block and move on.
Worth pointing out here that this is the mentality of the oh-so authoritarian and scary communist devs of Lemmy, while the “anti-authoritarian” one is making sure to insert as much as possible of his personal bias hardcoded into the project and then lash out at random people for calling him out on it.
Sorry to continue the infighting a bit but the contradiction here is just glaring. I appreciate your stance and the Fediverse would never be what it is without people like you
Invalid comparison. Rimu is not a simple admin, he is a dev of the leading alternate competitor to Lemmy and is personally hardcoding his bias into the project itself.
You want to try that again but with a more accurate comparison?
Piefed is an open source project which is provided for free by volunteers. You don’t have any right to make demands of the developers. If you don’t like it, fork or ignore it.
Cool. I am not making demands of the developer. I’m just saying that his behavior is problematic as hell. Honestly, so is yours if you’re going to repeatedly dodge the point being made. Problematic behavior doesn’t get to be dismissed just because it’s open source. People are allowed to criticise something even if it is open source. That defense is worthless.
That’s just your opinion. You can criticise as much as you want, but Piefed is part of the Fediverse and neither of us can change that. I prefer to get along well rather than getting into pointless fights, but you do you.
And I wouldn’t have gotten into a pointless fight if Rimu didn’t randomly pick one by saying that simple criticism was “coordinated harassment”. But you do you. ¯\_(ツ)_/¯