WEBVTT

00:00.000 --> 00:10.000
Hi, now I intend to start the time is up.

00:10.000 --> 00:15.000
I have a little talk to you.

00:15.000 --> 00:18.000
It's this and then we can go home.

00:18.000 --> 00:19.000
You look a little tired.

00:19.000 --> 00:22.000
It feels like I've talked to almost all of you already.

00:22.000 --> 00:23.000
It's for us, Dan.

00:23.000 --> 00:26.000
But if it's a repetition, I apologize.

00:26.000 --> 00:28.000
But this is me.

00:28.000 --> 00:30.000
I am Daniel.

00:30.000 --> 00:34.000
I am the president of the European Apostles Academy.

00:34.000 --> 00:37.000
I actually have a new medal in my bag.

00:37.000 --> 00:39.000
Yeah, so that must be my student.

00:39.000 --> 00:40.000
That's my size.

00:40.000 --> 00:42.000
So I work on a tool.

00:42.000 --> 00:43.000
Some of you have seen it.

00:43.000 --> 00:44.000
It's really the thing.

00:44.000 --> 00:46.000
It's rather new.

00:46.000 --> 00:49.000
Anyway, I'll get back to that later.

00:49.000 --> 00:51.000
But anyway, that's of course curl.

00:51.000 --> 00:54.000
And most of you know all of this already.

00:54.000 --> 00:56.000
I started this a long time ago.

00:56.000 --> 00:59.000
I've been working on it a lot.

00:59.000 --> 01:04.000
So it has taught me and most of you,

01:04.000 --> 01:07.000
I mean, many of you at least have followed my struggles with this.

01:07.000 --> 01:09.000
So AI nowadays has really,

01:09.000 --> 01:12.000
It's really a tool that augments us humans,

01:12.000 --> 01:14.000
right in many cases.

01:14.000 --> 01:17.000
And humans can go either way, right?

01:17.000 --> 01:20.000
You can go into the left or to the right up or down.

01:20.000 --> 01:23.000
And it certainly helps AI.

01:23.000 --> 01:26.000
It certainly helps us to go either way.

01:26.000 --> 01:28.000
The bad way or the good way.

01:28.000 --> 01:30.000
You decide which way, right?

01:30.000 --> 01:33.000
So yeah, that's the way it works.

01:33.000 --> 01:36.000
So we can seriously get a lot of AI.

01:36.000 --> 01:40.000
slop, because people don't even try to find out

01:40.000 --> 01:42.000
if it's true or not, you just pass it on.

01:42.000 --> 01:43.000
No brakes at all.

01:43.000 --> 01:46.000
Or you can use the AI to find some awesome tools.

01:46.000 --> 01:48.000
We never could find before.

01:48.000 --> 01:51.000
You can use bug reports

01:51.000 --> 01:54.000
generated with an AI tool to actually help projects.

01:54.000 --> 01:56.000
Because you can find things you never could before.

01:56.000 --> 02:01.000
Or you can use those tools to just overload a project.

02:01.000 --> 02:03.000
Because you can do that now.

02:03.000 --> 02:07.000
Even if they're legitimate, if you happen to be a really big tech company.

02:07.000 --> 02:09.000
And that's the little small open source project.

02:09.000 --> 02:11.000
Yeah, that's overloading.

02:11.000 --> 02:14.000
You know who I talk about.

02:14.000 --> 02:19.000
And of course, you can use all these new powerful tools.

02:19.000 --> 02:23.000
I mean, I don't mean I'll get back into some details.

02:23.000 --> 02:29.000
You can use all of these new tools to find fun flaws never found before.

02:29.000 --> 02:32.000
And you can use them in really malicious ways.

02:32.000 --> 02:34.000
And nefarious and attack.

02:34.000 --> 02:36.000
And find new flaws and be a bad person.

02:36.000 --> 02:39.000
Or you can use the AI tools to review your code.

02:39.000 --> 02:43.000
Make sure your code actually gets a lot better before you merge your PRs.

02:43.000 --> 02:47.000
There are a lot of ways to improve the world with AI.

02:47.000 --> 02:52.000
Or you can just overload every open source site in the world with your AI scraper bots.

02:52.000 --> 02:55.000
So we can suddenly get a lot of bad scrap.

02:55.000 --> 02:57.000
We can get good crap.

02:57.000 --> 02:59.000
But anyway.

02:59.000 --> 03:00.000
Yeah, all right.

03:00.000 --> 03:01.000
And then we have these skills.

03:01.000 --> 03:06.000
You can use AI in the analyzer and this means valid bug reports,

03:06.000 --> 03:09.000
which has also happened a few times already.

03:10.000 --> 03:12.000
So there's a lot of AI.

03:12.000 --> 03:13.000
A lot of bad AI.

03:13.000 --> 03:14.000
Some good AI.

03:14.000 --> 03:15.000
So yeah.

03:15.000 --> 03:17.000
But everything has AI.

03:28.000 --> 03:34.000
And you know, one advantage of doing a talk about AI is it's so much easier to pronounce than

03:34.000 --> 03:36.000
HTTP/3 in the talks.

03:37.000 --> 03:38.000
I've been here before.

03:38.000 --> 03:40.000
I've selected better words this time.

03:40.000 --> 03:43.000
So I'm going to say AI like a bazillion times this talk.

03:43.000 --> 03:46.000
So but I just wanted to sort.

03:46.000 --> 03:49.000
AI is a sensitive subject to many people.

03:49.000 --> 03:52.000
And AI is a questionable technology.

03:52.000 --> 03:57.000
And just by using the word AI, I know I upset sort of half the audience.

03:57.000 --> 03:59.000
But no, it's not AI every time.

03:59.000 --> 04:02.000
It's not an LLM and it could be machine learning.

04:02.000 --> 04:04.000
And in my talk, I don't care.

04:04.000 --> 04:07.000
I'm using sort of the marketing language.

04:07.000 --> 04:08.000
It's all AI.

04:08.000 --> 04:13.000
And usually when people say something at me, they say they use AI to do it.

04:13.000 --> 04:14.000
Or they didn't say AI.

04:14.000 --> 04:16.000
But I don't know which technology, right?

04:16.000 --> 04:19.000
I don't know if it was an LLM or machine learning.

04:19.000 --> 04:21.000
They say AI, I use the phrase AI.

04:21.000 --> 04:23.000
So they use a lot of energy.

04:23.000 --> 04:26.000
We have the license, the rate, right?

04:26.000 --> 04:30.000
They free load on a lot of open source.

04:30.000 --> 04:33.000
They spider the web to death, right?

04:33.000 --> 04:34.000
We are overloaded.

04:34.000 --> 04:35.000
I'll talk more about that.

04:35.000 --> 04:40.000
They take all the money right now because now no one can do anything that is not AI

04:40.000 --> 04:43.000
because no one will pay you anything at all.

04:43.000 --> 04:51.000
And you know, yes, try to buy your computer with memory now.

04:51.000 --> 04:57.000
And no one is paying anything for this, right?

04:57.000 --> 05:00.000
How is that possible?

05:00.000 --> 05:02.000
It's free forever.

05:03.000 --> 05:06.000
And again, AI is a vague term.

05:06.000 --> 05:07.000
Sure.

05:07.000 --> 05:09.000
There are a lot of different technologies underneath.

05:09.000 --> 05:11.000
But I'm going to talk about the term as AI.

05:11.000 --> 05:14.000
Anyway, because, yeah, that's me.

05:14.000 --> 05:15.000
Okay.

05:15.000 --> 05:20.000
And everyone who thinks this is a good technology will tell us all,

05:20.000 --> 05:21.000
sure it'll be better.

05:21.000 --> 05:23.000
And maybe it will, right?

05:23.000 --> 05:26.000
But yeah, I'm allowed to complain.

05:26.000 --> 05:29.000
And by the way, this is my talk number 16 at FOSDEM.

05:29.000 --> 05:30.000
Okay.

05:30.000 --> 05:33.000
So back to curl, I started it a long time ago.

05:33.000 --> 05:40.000
We're celebrating 30 years in November.

05:40.000 --> 05:46.000
Thank you.

05:46.000 --> 05:51.000
So yeah, that means we went from 100 lines to 180,000 lines.

05:51.000 --> 05:54.000
In just 30 years, imagine 160.

05:54.000 --> 05:56.000
And yeah, we're 1,400 authors.

05:56.000 --> 05:58.000
I work on this whole time.

05:58.000 --> 06:04.000
20, 25 authors per month, 3,500 people have a name in the THANKS file.

06:04.000 --> 06:08.000
Yeah, you know, an ordinary open source project.

06:08.000 --> 06:10.000
We run in a few things.

06:10.000 --> 06:12.000
I mean, this screen is really horrible.

06:12.000 --> 06:14.000
It doesn't show, but you get the point.

06:14.000 --> 06:15.000
Yes.

06:15.000 --> 06:19.000
We estimate somewhere around 20, 30 billion installations.

06:19.000 --> 06:22.000
But basically, everywhere, it makes, at least,

06:22.000 --> 06:27.000
sort of, in our project, we take security seriously, right?

06:27.000 --> 06:28.000
There.

06:28.000 --> 06:34.000
It could possibly have a bad impact if we have a terrible security thing somewhere.

06:34.000 --> 06:36.000
And at the same time, we have AI, right?

06:36.000 --> 06:42.000
So it's finally, we can make it come true.

06:42.000 --> 06:45.000
I want my favorite old quotes.

06:45.000 --> 06:49.000
Well, I don't know why.

06:49.000 --> 06:53.000
But people think about curl as something that is easy to do.

06:53.000 --> 06:57.000
So anyway, this is my hobby.

06:57.000 --> 07:07.000
And just going back, all of those products I showed.

07:07.000 --> 07:08.000
Curl runs in them.

07:08.000 --> 07:12.000
And I mean, curl is not unique in that everything runs on open source.

07:12.000 --> 07:14.000
So I think the entire world actually runs on open source.

07:14.000 --> 07:18.000
It has been mentioned many times at FOSDEM, and we all know that right now.

07:18.000 --> 07:21.000
So the world has turned into this.

07:21.000 --> 07:23.000
Everything runs something.

07:23.000 --> 07:25.000
Most of it is now open source.

07:25.000 --> 07:27.000
And you put something on top of it, which isn't.

07:27.000 --> 07:32.000
And I couldn't talk about this without XKCD.

07:32.000 --> 07:35.000
So yeah, this is just how the world works.

07:35.000 --> 07:42.000
And when everything runs your code, I'm sure that I'm sharing this with a lot of you.

07:42.000 --> 07:47.000
But when you have a lot of users, you're a little bit sensitive.

07:47.000 --> 07:49.000
That's a security problem.

07:49.000 --> 07:54.000
Someone tells that something really bad can happen if this condition is true.

07:54.000 --> 07:59.000
And so it tends to take the top priority, right?

07:59.000 --> 08:02.000
Security problems, number one.

08:02.000 --> 08:06.000
So at the same time, maintaining open source as we all know, right?

08:06.000 --> 08:12.000
It's where the average or the median number of maintainers in a regular open source project is one, right?

08:12.000 --> 08:15.000
We're all solo maintainers of at least one project.

08:15.000 --> 08:19.000
Probably seven or 13 in this crowd.

08:19.000 --> 08:21.000
Yes.

08:21.000 --> 08:24.000
Most of them, or many, are a spare time project.

08:24.000 --> 08:25.000
Hobby thing.

08:25.000 --> 08:29.000
We do it on the side, or partially paid or whatever.

08:29.000 --> 08:33.000
Underfunded is sort of the middle name of every open source project.

08:33.000 --> 08:35.000
We have a lot of outstanding tasks.

08:35.000 --> 08:38.000
Always, because what's not on the to-do list, right?

08:38.000 --> 08:41.000
Always a lot of things we should do if we have the time and inspiration.

08:41.000 --> 08:44.000
Or someone submits a PR or something.

08:45.000 --> 08:49.000
With a lot of us struggling with a burnout, what do we do with that constant to do list?

08:49.000 --> 08:53.000
Lots of things to do, people submit issues, whine, whatever.

08:53.000 --> 08:54.000
Yeah.

08:54.000 --> 08:56.000
There are normal open source projects.

08:56.000 --> 08:59.000
And then AI.

08:59.000 --> 09:00.000
Yeah.

09:00.000 --> 09:03.000
So AI can potentially don't help us.

09:03.000 --> 09:04.000
Yes.

09:04.000 --> 09:07.000
So we add AI to everything.

09:07.000 --> 09:08.000
Yes.

09:08.000 --> 09:10.000
Okay.

09:10.000 --> 09:15.000
It's super easy to ask your LLM to find a problem.

09:15.000 --> 09:21.000
And I haven't tried this really myself, but I imagine that some projects are easier to find problems in the others.

09:21.000 --> 09:22.000
I mean, find problems.

09:22.000 --> 09:28.000
But possibly if the machines have trained a lot on your code, maybe they find more or less.

09:28.000 --> 09:29.000
I don't know.

09:29.000 --> 09:36.000
And there's really, and since we're not paying for this, there's really no cost to try this.

09:36.000 --> 09:37.000
And effortless.

09:37.000 --> 09:38.000
Just ask it.

09:38.000 --> 09:40.000
It answered something for you.

09:40.000 --> 09:42.000
Ask it to provide really long answer.

09:42.000 --> 09:43.000
And it'll do that.

09:43.000 --> 09:44.000
Make it.

09:44.000 --> 09:46.000
Ask it to make it sound really horrible.

09:46.000 --> 09:47.000
And it'll do that.

09:47.000 --> 09:50.000
And then you just send that report away.

09:50.000 --> 09:53.000
But you know, can it actually find problems?

09:53.000 --> 09:55.000
Who knows?

09:55.000 --> 10:04.000
In a lot of cases, it seems to be that this is a marketing machine that has really sold this myth to a large part of the world.

10:04.000 --> 10:06.000
And to a lot of engineers, right?

10:06.000 --> 10:12.000
It seems that a lot of people genuinely think that if you ask ChatGPT for a security problem, it will tell you one.

10:12.000 --> 10:14.000
And we better report it.

10:14.000 --> 10:22.000
So yeah, it worked like that before, in the old days, you know, someone actually invested a lot of time.

10:22.000 --> 10:23.000
Effort.

10:23.000 --> 10:27.000
It took hours to dig up some details about the security report.

10:27.000 --> 10:29.000
It was a built-in friction here.

10:29.000 --> 10:31.000
There was a brake.

10:31.000 --> 10:33.000
Someone had to do something a lot.

10:33.000 --> 10:34.000
It was a contract, right?

10:35.000 --> 10:36.000
You spend a lot of time.

10:36.000 --> 10:38.000
You report it.

10:38.000 --> 10:40.000
We spend time on assessing it in our end.

10:40.000 --> 10:43.000
But now there's no effort at all in doing this.

10:43.000 --> 10:46.000
The sort of the floodgates are open.

10:46.000 --> 10:48.000
Send it over.

10:48.000 --> 10:50.000
And of course, it doesn't work.

10:50.000 --> 10:56.000
And for some reason, we're more targeted by this development than a lot of others.

10:56.000 --> 11:01.000
But based on the fact that this is so easy to do.

11:01.000 --> 11:04.000
But anything in the world that is sort of.

11:04.000 --> 11:09.000
We have removed the part where there is sort of you have to invest some work to make it happen.

11:09.000 --> 11:13.000
Everything that is like this in the world is broken now when you can get to AI to do it.

11:13.000 --> 11:15.000
Even though they can't do it.

11:15.000 --> 11:19.000
But apparently people don't really check that.

11:19.000 --> 11:21.000
So how do you, how does this appear?

11:21.000 --> 11:24.000
People then constantly ask me, how do you know it's an AI?

11:24.000 --> 11:27.000
And yeah, how do you know it's an AI?

11:27.000 --> 11:40.000
Yeah, no human ever started like, "I apologize,

11:40.000 --> 11:43.000
but I found a problem."

11:43.000 --> 11:46.000
No way.

11:46.000 --> 11:48.000
I mean, we all know that.

11:48.000 --> 11:50.000
We've been working with open source for a long time.

11:50.000 --> 11:54.000
People tend to be a little bit more on the other side, right?

11:55.000 --> 11:59.000
They're upset, they're angry, how stupid can I be that I made this bug?

11:59.000 --> 12:03.000
Okay, yeah, they're all perfect English.

12:03.000 --> 12:08.000
And for sure, I mean, we're all, I'm not a native English speaker.

12:08.000 --> 12:12.000
I make lots of mistakes and sure I can use spelling checks and everything.

12:12.000 --> 12:15.000
But normal humans actually have quite a lot of errors.

12:15.000 --> 12:16.000
And I mean, that's what makes a human.

12:16.000 --> 12:17.000
That's fine.

12:17.000 --> 12:19.000
But the machines never do that.

12:19.000 --> 12:22.000
And I don't know why, but they like this mixed case.

12:22.000 --> 12:26.000
So that's the, you know, if this submission starts title,

12:26.000 --> 12:29.000
and then there's spelled out the bug all mixed case.

12:29.000 --> 12:31.000
You know, that's weird.

12:31.000 --> 12:34.000
That's not, that's not a human writing that.

12:34.000 --> 12:36.000
And of course, I mean, that's a constant thing.

12:36.000 --> 12:37.000
Em dashes, no.

12:37.000 --> 12:41.000
And when I say em dashes, there are three people in the audience

12:41.000 --> 12:44.000
who will tell me that they all use em dashes in their notebooks.

12:44.000 --> 12:48.000
But, you know, this combination here, it never were perfect is.

12:48.000 --> 12:51.000
And for some reason, I don't know, I don't, it's weird.

12:51.000 --> 12:55.000
But we're told that they're trained on a lot of source code right.

12:55.000 --> 13:00.000
But really, emojis in every source code example.

13:00.000 --> 13:03.000
I must be really old, I think so.

13:03.000 --> 13:05.000
I don't, I don't ever use that.

13:05.000 --> 13:08.000
But what's like to do that?

13:08.000 --> 13:10.000
And actually one of the problems.

13:10.000 --> 13:12.000
And I don't really know why.

13:12.000 --> 13:14.000
I'm, I guess they asked for this.

13:14.000 --> 13:18.000
But the reports tend to get really, really, really, really long.

13:19.000 --> 13:22.000
Which is maybe, I mean, back in the day,

13:22.000 --> 13:25.000
we try to get serious real bug reporters.

13:25.000 --> 13:27.000
Can you please tell me a little bit more, right?

13:27.000 --> 13:28.000
It doesn't work.

13:28.000 --> 13:30.000
No, but tell me more, right?

13:30.000 --> 13:32.000
Now, now, now we're in the other camp.

13:32.000 --> 13:35.000
Tell me less, sort of, please.

13:35.000 --> 13:40.000
So, one of the things I've started recently is like,

13:40.000 --> 13:42.000
there's a long report.

13:42.000 --> 13:44.000
I don't read it because it's too long.

13:44.000 --> 13:47.000
I sort of, this is probably, I ask a follow-up question.

13:47.000 --> 13:50.000
And then I ask sort of, okay, can you please explain this

13:50.000 --> 13:52.000
in 10 lines or less?

13:52.000 --> 13:55.000
Because if I don't, I will get another 200 lines

13:55.000 --> 13:56.000
in a follow-up report, right?

13:56.000 --> 13:58.000
You're absolutely right.

13:58.000 --> 13:59.000
blah blah blah.

14:04.000 --> 14:10.000
And yes, every paragraph needs three bullet points in the list.

14:10.000 --> 14:13.000
And of course, again, a human might do that,

14:13.000 --> 14:16.000
but not like 12 paragraphs with three bullet points.

14:16.000 --> 14:17.000
It's three bullet points in each.

14:17.000 --> 14:19.000
I mean, that's super crazy.

14:19.000 --> 14:23.000
And then, as I said, if, if you don't qualify in a thing,

14:23.000 --> 14:25.000
you get a long report and you ask a follow-up question,

14:25.000 --> 14:26.000
what happens?

14:26.000 --> 14:28.000
You're absolutely right.

14:28.000 --> 14:29.000
I'm sorry.

14:29.000 --> 14:31.000
I'm, my mistake.

14:31.000 --> 14:32.000
You've misunderstood.

14:32.000 --> 14:34.000
And blah blah blah blah blah.

14:34.000 --> 14:36.000
And that's how it works.

14:36.000 --> 14:39.000
And the funny thing is that it easily loses track

14:39.000 --> 14:42.000
and goes in some other direction than it started.

14:42.000 --> 14:45.000
I mean, humans also do that, but yeah.

14:46.000 --> 14:50.000
So we'll end up with a copy, or the proxy,

14:50.000 --> 14:55.000
me and the bot chatting, sort of downhill.

14:55.000 --> 14:58.000
Yeah, that never ends well.

14:58.000 --> 15:00.000
It's okay.

15:00.000 --> 15:03.000
Let me give you one of our favorite examples.

15:03.000 --> 15:06.000
It's from, oh, no, I think it's May 2025.

15:06.000 --> 15:10.000
So yeah, soon a little over a year ago.

15:10.000 --> 15:11.000
I mean, okay.

15:11.000 --> 15:15.000
So this, okay, curl is slightly technical project.

15:15.000 --> 15:18.000
You know, we speak internet things, internet things

15:18.000 --> 15:20.000
can be complicated.

15:20.000 --> 15:22.000
HTTP/3 is a complicated protocol.

15:22.000 --> 15:24.000
All of these complicated things.

15:24.000 --> 15:26.000
Okay.

15:26.000 --> 15:30.000
HTTP/3 stream dependency cycle exploit.

15:30.000 --> 15:33.000
And, you know, they're always critical.

15:33.000 --> 15:34.000
This critical.

15:34.000 --> 15:35.000
The world is burning.

15:35.000 --> 15:37.000
Everyone is going to die.

15:37.000 --> 15:40.000
So stream dependency cycle exploit.

15:40.000 --> 15:42.000
You know, no, the export blah, blah, blah.

15:42.000 --> 15:44.000
Some serious, right?

15:44.000 --> 15:46.000
0x00 Overview.

15:46.000 --> 15:47.000
I don't know what that is.

15:47.000 --> 15:48.000
Okay.

15:48.000 --> 15:50.000
Tested on version 8.13.

15:50.000 --> 15:52.000
I think that was the current one at the time.

15:52.000 --> 15:53.000
Maybe.

15:53.000 --> 15:54.000
Yeah.

15:54.000 --> 15:56.000
There's a proof of concept, required amount of environment setup,

15:56.000 --> 15:57.000
attack execution.

15:57.000 --> 15:59.000
Yeah, you just need to apply.

15:59.000 --> 16:02.000
I mean, you need to apply this little patch on your,

16:02.000 --> 16:08.000
this is an existing HTTP/3 server written in Python.

16:08.000 --> 16:09.000
This looks legitimate.

16:09.000 --> 16:12.000
You just need to apply this little patch to reproduce the bug.

16:12.000 --> 16:13.000
Perfect.

16:13.000 --> 16:14.000
Cool.

16:14.000 --> 16:15.000
This guy has done something.

16:15.000 --> 16:19.000
And then this, well, so yeah, this is then you need this exploit code

16:19.000 --> 16:21.000
to run proof of concept.

16:21.000 --> 16:22.000
Cool.

16:22.000 --> 16:23.000
Okay, reproducible.

16:23.000 --> 16:26.000
And when you do that, this is proof of what happens.

16:26.000 --> 16:28.000
You run curl with that command line.

16:28.000 --> 16:31.000
And you set a breakpoint on this function and you run.

16:31.000 --> 16:33.000
It's the exact segmentation fault.

16:33.000 --> 16:34.000
That's not good, right?

16:34.000 --> 16:35.000
SIGSEGV.

16:35.000 --> 16:36.000
Bad.

16:36.000 --> 16:37.000
Wait a minute.

16:37.000 --> 16:38.000
What is that?

16:38.000 --> 16:39.000
So it looks.

16:39.000 --> 16:42.000
I mean, from, it's like a TV show.

16:42.000 --> 16:45.000
Anyone who's actually never seen the code,

16:45.000 --> 16:48.000
it looks totally credible because anyone on the outside,

16:48.000 --> 16:50.000
I have no idea if this is real or not.

16:50.000 --> 16:53.000
And the person who did it certainly has no idea if this is real

16:53.000 --> 16:54.000
or not.

16:54.000 --> 16:57.000
But by the time, you know, this is down to 500 lines,

16:57.000 --> 16:58.000
down in the report.

16:58.000 --> 17:01.000
And, you know, wait a minute.

17:01.000 --> 17:03.000
That function actually is strong.

17:03.000 --> 17:04.000
Okay.

17:04.000 --> 17:05.000
Better read the rest.

17:05.000 --> 17:06.000
Okay.

17:06.000 --> 17:11.000
Here you can see he's using GDB, analyzing the crash.

17:11.000 --> 17:12.000
You know, this is your tear.

17:12.000 --> 17:13.000
So, okay.

17:13.000 --> 17:17.000
Look in the registers, the frame data, R15 shows.

17:17.000 --> 17:18.000
Yeah, 41, 41, 41, 41.

17:18.000 --> 17:19.000
You know, that's ASCII code.

17:19.000 --> 17:20.000
AA, AA.

17:20.000 --> 17:21.000
It looks bad.

17:21.000 --> 17:24.000
Memory corruption evidence, blah, blah, blah, blah.

17:24.000 --> 17:27.000
And then the GDB command line again.

17:27.000 --> 17:28.000
Yep.

17:28.000 --> 17:30.000
And bullet points.

17:30.000 --> 17:34.000
Risk.

17:34.000 --> 17:35.020
Aye.

17:35.020 --> 17:36.020
Aye.

17:36.020 --> 17:37.000
Heap layout corruption.

17:37.000 --> 17:41.000
And, you know, everything in curl is written in C, right.

17:41.000 --> 17:43.000
Memory-unsafe language, also, so.

17:43.000 --> 17:46.000
Memory, memory safety is sort of a weak point.

17:46.000 --> 17:47.000
With C.

17:47.000 --> 17:50.000
So, potentially this could be really bad.

17:50.000 --> 17:53.000
But.

17:53.000 --> 17:57.000
So, this report came back in May and I think I was a little bit

17:57.000 --> 17:58.000
inexperienced back then.


17:59.320 --> 18:02.920
So I actually wasted far too much time

18:02.920 --> 18:05.360
before I actually started looking at the detail in this report.

18:05.360 --> 18:13.480
But basically, he set a breakpoint on the function

18:13.480 --> 18:16.440
and ran, but the function doesn't exist.

18:16.440 --> 18:17.040
Wait a minute.

18:17.040 --> 18:20.240
How did he set the break point?

18:20.240 --> 18:22.920
So the entire GDB session is made up.

18:22.920 --> 18:25.400
The contents of those registers, it actually

18:25.400 --> 18:27.800
can't be that way, because it has the wrong content.

18:27.800 --> 18:28.920
This never happened.

18:28.920 --> 18:33.400
It's just a generated fake GDB session.

18:33.400 --> 18:34.480
Yeah, they're all made up.

18:34.480 --> 18:37.800
None of this happened.

18:37.800 --> 18:39.520
Nothing was real, and the entire description

18:39.520 --> 18:41.920
is just totally made up.

18:41.920 --> 18:43.680
The bad TV show.

18:43.680 --> 18:45.920
So no.

18:45.920 --> 18:49.960
And I think back in the spring of last year,

18:49.960 --> 18:52.960
I still actually spend some time to try to figure that out.

18:52.960 --> 18:55.000
Before I learned this, that it should actually

18:55.000 --> 18:57.200
never spend the time, I should just ask the person

18:57.200 --> 18:59.080
in a lot of questions before I do that.

18:59.080 --> 19:02.480
So yeah, I tend to call this terror reporting now.

19:02.480 --> 19:04.120
So that's the feeling we're having the team.

19:07.760 --> 19:10.840
So yes, a total waste of time and energy

19:10.840 --> 19:14.640
in the curl project, we're seven persons in the curl

19:14.640 --> 19:16.800
security team, and we receive these.

19:16.800 --> 19:19.960
And over the years, every time we have received

19:19.960 --> 19:23.240
the security report, that's a bad feeling in your stomach.

19:23.240 --> 19:26.560
Wow, now it's something bad happened, potentially.

19:26.560 --> 19:30.240
We used to have one in six reports were genuine, one in six.

19:30.240 --> 19:31.200
Yeah, that's still pretty often.

19:31.200 --> 19:34.000
We got two, three per week, maybe.

19:34.000 --> 19:36.880
So when you wake up in the morning,

19:36.880 --> 19:40.440
and you see one of these, you have a incoming mail

19:40.440 --> 19:43.600
from the bug bounty with a report.

19:43.600 --> 19:45.160
It's felt a little bit bad.

19:45.160 --> 19:49.280
But over 2025, through the end, and into 2026,

19:49.280 --> 19:51.120
now the rate has gone.

19:51.120 --> 19:55.160
So now it's more like one in 20, or one in 30, that is accurate.

19:55.160 --> 19:58.960
Which means, you know, we spend a busload of time

19:58.960 --> 20:02.440
just to figure out that it's just not accurate in the end.

20:02.440 --> 20:03.720
So it doesn't really work.

20:03.720 --> 20:06.360
And we spend a lot of time on this.

20:06.360 --> 20:10.440
But what is interesting, and I actually

20:10.440 --> 20:13.240
have no good explanation for this other than I think

20:13.240 --> 20:16.120
that a lot of people have now also started to use the AI

20:16.120 --> 20:19.160
to get the report, but they don't write the report with the AI.

20:19.160 --> 20:23.400
Because the new generation of stupidity

20:23.400 --> 20:26.600
doesn't trigger all those warnings with AI.

20:26.600 --> 20:31.360
So we get a lot of just stupid things.

20:31.360 --> 20:33.840
I don't know how often we get someone telling me

20:33.840 --> 20:37.320
that the Git repository is, you can see it on the website.

20:40.680 --> 20:41.240
Thank you.

20:44.960 --> 20:47.440
Critical.

20:47.440 --> 20:51.600
And some other things, when you can then go into that Git repository

20:51.600 --> 20:53.640
and show me that you can actually see a source

20:53.640 --> 20:56.320
file from the Git repository on the website.

20:56.320 --> 20:58.840
Yes.

20:58.840 --> 21:08.960
Or why do they report this to me?

21:08.960 --> 21:12.400
I honestly think that this is something the AI has been

21:12.400 --> 21:14.600
trained on that is really bad, because you can access

21:14.600 --> 21:16.560
local files with file://.

21:16.560 --> 21:21.280
Yes, that's sort of what it means.

21:21.280 --> 21:24.400
But we get it over and over and over.

21:24.400 --> 21:27.520
And of course, this regular old thing we've always had.

21:27.520 --> 21:30.040
People want to tool something and they send it,

21:30.040 --> 21:33.800
but it's more good old stupidity.

21:33.800 --> 21:39.400
But anyway, of course, it leads to that I think,

21:39.400 --> 21:43.160
for some reason, in the beginning of January, 2026,

21:43.160 --> 21:44.040
something happened.

21:44.040 --> 21:46.360
I guess people had more time over the holidays or something,

21:46.360 --> 21:49.600
but I think I received seven security reports.

21:49.600 --> 21:51.560
First Monday, I've got to work.

21:51.560 --> 21:54.360
I spent the entire day reading and arguing

21:54.360 --> 21:56.080
with reporters about their stuff.

21:56.080 --> 22:00.200
Obviously, when we get a lot of this stuff,

22:00.200 --> 22:01.480
we do little else.

22:01.480 --> 22:04.800
So of course, it starts out what else we can do in the project.

22:04.800 --> 22:07.900
And I can guarantee you, we have other things that we

22:07.900 --> 22:10.160
rather do.

22:10.160 --> 22:17.000
So of course, this overload of stupidity makes us do less of

22:17.000 --> 22:19.960
other things, and then risk that we just overlook something,

22:19.960 --> 22:24.400
or we just get so bored that we close them all and just go home.

22:24.400 --> 22:28.240
And it's certainly impact our mental health,

22:28.240 --> 22:37.840
or just will to live because it's such a stupidity.

22:37.840 --> 22:39.520
And of course, in the end, seriously,

22:39.520 --> 22:41.840
it could potentially impact the supply chain,

22:41.840 --> 22:45.120
because if we are used in all these places,

22:45.120 --> 22:50.840
and we are getting slow, just because we get bored and overloaded

22:50.840 --> 22:54.600
and tired because of all of this, it'll lead to something bad, right?

22:54.600 --> 22:55.280
Potentially.

22:59.480 --> 23:01.960
But why?

23:01.960 --> 23:07.200
So our theory, we hope that a lot of people are doing this

23:07.200 --> 23:07.880
for the money.

23:07.880 --> 23:09.560
We have a bug bounty.

23:09.560 --> 23:13.040
You could potentially, or rather, we say that if they actually

23:13.040 --> 23:18.400
get a critical report confirmed, we offer them $10,000.

23:18.400 --> 23:20.000
So that's the sort of the pipe dream.

23:20.000 --> 23:22.840
I guess that's why everything is critical.

23:22.840 --> 23:27.240
For the early low report, with severity low,

23:27.240 --> 23:28.760
we give them $500.

23:28.760 --> 23:35.040
So that's the price span, or the award span they're looking for.

23:35.040 --> 23:38.920
But really, a lot of them, when I ban them,

23:38.920 --> 23:40.120
because I do, right?

23:40.120 --> 23:50.360
When I, they get very upset, right?

23:50.360 --> 23:52.760
Because here I am reporting a bug.

23:52.760 --> 23:56.400
What will you do is banning me and sort of being rude to me

23:56.400 --> 23:58.640
when I try to help out in your project?

23:58.640 --> 24:01.200
So clearly, of course, they might be lying,

24:01.200 --> 24:04.440
but given the trend, I genuinely think that a lot of them,

24:04.440 --> 24:09.000
actually, did this with some amount of actually believing

24:09.000 --> 24:10.360
that they were helping out.

24:10.360 --> 24:13.960
And that makes me just sad, right?

24:13.960 --> 24:15.800
So yeah, I have a lot of discussions.

24:15.800 --> 24:19.080
And of course, I could just mention it.

24:19.080 --> 24:21.640
Of course, ridiculing people in the public.

24:21.640 --> 24:23.960
That's not recommended way to do it either,

24:23.960 --> 24:27.040
because, of course, in some cases, they actually

24:27.040 --> 24:29.400
were genuinely trying to help out.

24:29.400 --> 24:31.880
But what do we do?

24:31.880 --> 24:33.280
Yes.

24:33.280 --> 24:34.640
So how often doesn't happen?

24:34.640 --> 24:35.560
It's really hard.

24:35.560 --> 24:40.320
And back again, to talking about AI and saying, AI

24:40.320 --> 24:42.040
will the time, the AI is, of course, also

24:42.040 --> 24:44.040
change over time, right?

24:44.040 --> 24:46.040
As we know, a lot of things are happening with AI

24:46.040 --> 24:47.040
all the time.

24:47.040 --> 24:52.400
So the look of the AI generated stuff from a year ago

24:52.400 --> 24:53.080
has changed.

24:53.080 --> 24:57.600
So the AI generated reports don't look exactly the same anymore.

24:57.600 --> 24:59.640
That means also that it's harder sometimes

24:59.640 --> 25:02.200
to detect what is an AI output or not.

25:02.200 --> 25:03.880
I mentioned a lot of typical things,

25:03.880 --> 25:06.400
but people also tend to skew there, because they know

25:06.400 --> 25:10.000
that if they say, is AI, I will ban them and fill that them.

25:10.000 --> 25:11.960
So they, of course, they lie and say, do you

25:11.960 --> 25:14.120
say, I know, no, no, I apologize.

25:20.760 --> 25:21.720
You're absolutely right.

25:24.680 --> 25:26.680
But yeah, so that's also why I think some of them

25:26.680 --> 25:29.120
are just rewritten to not sound like AI.

25:29.120 --> 25:32.160
But there's somewhere around 30 to 70% of the submissions

25:32.160 --> 25:38.520
we got up to, at some point, late of 2025, early 2026.

25:38.520 --> 25:42.520
At least until I started saying that I would stop

25:42.520 --> 25:47.840
the bug bounty, just saying it, put a break on it.

25:47.840 --> 25:49.720
But again, exactly it is really hard,

25:49.720 --> 25:53.840
because it's not an exact science.

25:53.840 --> 25:57.400
And right, two years ago, nothing.

25:57.400 --> 25:59.200
So this is certainly a new trend.

25:59.200 --> 26:02.480
And this is not a new trend that is happening just to me

26:02.480 --> 26:03.200
or to us, right?

26:03.200 --> 26:05.840
We can see that in a lot, especially when I started talking more

26:05.840 --> 26:08.720
loudly about it, I've heard from a lot of projects

26:08.720 --> 26:12.440
having maybe not the same rates, and the exact rate,

26:12.440 --> 26:14.760
doesn't really matter, but the same problem,

26:14.760 --> 26:18.600
and the same problem in a little bit of different ways

26:18.600 --> 26:22.160
and looks, but certainly happens to a lot of us.

26:22.160 --> 26:24.400
So what do we do?

26:24.400 --> 26:25.280
We try this, right?

26:25.280 --> 26:27.120
But ban the reporter instantly.

26:27.120 --> 26:28.040
That's good.

26:28.040 --> 26:30.720
But if you use a platform when the user can instantly create

26:30.720 --> 26:34.720
a new account tomorrow, the banning is really, really

26:34.720 --> 26:36.120
useless.

26:36.120 --> 26:36.960
They don't really care.

26:40.040 --> 26:43.880
And we try this, pretty early on in 2025,

26:43.880 --> 26:47.840
I added a little section in the submission form that you should

26:47.840 --> 26:51.320
tell us upfront if you use an AI to do this.

26:51.320 --> 26:53.680
Which worked, I think, for three, four reports.

26:53.680 --> 26:55.680
But then since then, no one has used AI.

26:55.680 --> 26:56.520
Hi.

26:59.880 --> 27:00.880
Yeah.

27:00.880 --> 27:03.360
Then they worked at all.

27:03.360 --> 27:06.200
But back again to us being an open source.

27:06.200 --> 27:07.360
Of course, we want to be open source.

27:07.360 --> 27:10.680
We want to be available accessible and transparent,

27:10.680 --> 27:13.080
like everyone else who's doing open source.

27:13.080 --> 27:17.200
We don't want to raise the bars and add walls

27:17.200 --> 27:18.960
and everything to make it really complicated.

27:18.960 --> 27:20.520
Also, we want to make sure that currently

27:20.520 --> 27:21.680
security is safe and everything.

27:21.680 --> 27:24.720
So we want genuine, really reports submitted.

27:24.720 --> 27:29.720
So we can fix it for everyone and make everything better.

27:29.720 --> 27:34.280
But that's a tricky combination and challenge.

27:34.280 --> 27:37.280
So I started it partly because some of them

27:37.280 --> 27:43.400
were so stupid, so it becomes pure humor sometimes.

27:43.400 --> 27:47.520
After they settled down and take the breath

27:47.520 --> 27:49.840
and sort of take a good night's sleep and come back.

27:49.840 --> 27:52.920
And then you'd realize that sometimes just pure humor,

27:52.920 --> 27:55.880
so I had to share quite a lot of them online.

27:55.880 --> 27:58.080
And then I started making a list with all of them

27:58.080 --> 28:00.280
that I could easily detect.

28:00.280 --> 28:03.200
And I think public shaming worked to some degree,

28:03.200 --> 28:05.920
because I talked to some of the genuine security reporters

28:05.920 --> 28:09.960
that they actually reconsidered and double checked before they

28:09.960 --> 28:10.680
reported.

28:10.680 --> 28:13.160
But unfortunately, that only puts a little break

28:13.160 --> 28:15.680
to the real sensible, wise people.

28:15.680 --> 28:18.280
And they were already good ones, right?

28:18.280 --> 28:20.920
So this doesn't really help either.

28:20.920 --> 28:25.240
So back to doing good or bad with AI.

28:25.240 --> 28:27.000
This is a really about AI.

28:27.000 --> 28:29.240
Everyone, then when I say something about this,

28:29.240 --> 28:31.480
half of everyone I talked to, they say,

28:31.480 --> 28:34.040
you should use AI to combat AI.

28:34.040 --> 28:37.080
But that's not the problem.

28:37.080 --> 28:38.680
The problem is not the AI here.

28:38.680 --> 28:40.600
The problem is the human in between,

28:40.600 --> 28:43.240
because it's the human that submitted to this to us.

28:43.240 --> 28:46.960
So it doesn't really matter AI or not.

28:46.960 --> 28:47.920
It's the human here.

28:47.920 --> 28:53.200
And humans, no, I can't fix the humans, not even with AI.

28:53.200 --> 28:55.240
The AI makes this really easy.

28:55.240 --> 28:56.680
Marketing says this works.

28:56.680 --> 28:58.240
They're going to continue to do this.

28:58.240 --> 29:02.240
As long as it's very easy, low effort passes it on.

29:02.240 --> 29:03.680
It's a human-created thing.

29:03.680 --> 29:05.680
And as long as the humans can do this easily,

29:05.680 --> 29:06.720
they will continue to do that.

29:06.720 --> 29:07.760
AI or not.

29:07.760 --> 29:12.280
So we close the down, starting actually officially today.

29:12.680 --> 29:20.920
APPLAUSE

29:20.920 --> 29:25.320
I mean, we hope we wish we think that this will put an end

29:25.320 --> 29:27.720
to sort of, at least, they can't go for the money,

29:27.720 --> 29:29.960
because now there's no money.

29:29.960 --> 29:33.320
But we'll see if that actually turns out to be true.

29:33.320 --> 29:35.560
I will come back with that.

29:35.560 --> 29:37.240
But at the same time, I want to emphasize,

29:37.240 --> 29:41.640
because I show you, and I'll give you,

29:41.640 --> 29:44.920
given URL, later, that you can use to exercise yourself

29:44.920 --> 29:46.200
in these superitatives.

29:46.200 --> 29:50.040
But at the same time, this is a tool.

29:50.040 --> 29:51.080
AI is a tool.

29:51.080 --> 29:53.920
If you want to do that, and ask it to find a security problem

29:53.920 --> 29:57.080
with a tool, and you never verify you get really stupid things.

29:57.080 --> 30:00.520
But if you use it for, I mean, if you're a clever person,

30:00.520 --> 30:04.120
and you use a good tool, you can do really good stuff.

30:04.120 --> 30:08.760
So we work with several AI powered analyzing tools now.

30:08.760 --> 30:11.440
Even though AI can be used to do really bad stuff,

30:11.440 --> 30:14.880
that you can use it to do really good stuff.

30:14.880 --> 30:18.400
And it's actually so.

30:18.400 --> 30:21.040
I mean, if you're doing writing in kind of code,

30:21.040 --> 30:25.280
like me, I'm old, I'm working with C, old stuff,

30:25.280 --> 30:27.240
we throw everything at the code, right?

30:27.240 --> 30:29.360
We have the most picky compiler options enabled.

30:29.360 --> 30:31.120
We run code analyzers.

30:31.120 --> 30:32.120
A lot of them.

30:32.120 --> 30:33.000
We do fuzzing.

30:33.000 --> 30:35.840
We do have security audits multiple times.

30:35.840 --> 30:37.120
We fix everything.

30:37.120 --> 30:41.400
Every picky morning, we have a few users who report bugs.

30:41.400 --> 30:43.200
When they find bugs, you would imagine

30:43.200 --> 30:45.800
that we would have a pretty good state.

30:45.800 --> 30:46.960
You know, fix most bugs.

30:46.960 --> 30:48.800
It shouldn't be terrible.

30:48.800 --> 30:51.880
Running one of these more powerful tools,

30:51.880 --> 30:54.000
I have fixed more than 100 bugs

30:54.000 --> 30:56.960
found by these tools, so I started to use them.

30:56.960 --> 30:59.400
And I mean, back again, yeah, that's AI.

30:59.400 --> 31:01.800
That was so bad on the in one way.

31:01.800 --> 31:04.640
Still is bad in one way, or some in the other way.

31:07.680 --> 31:10.000
So yeah, there's certainly a lot of things.

31:10.000 --> 31:11.640
No other tools previously found.

31:11.640 --> 31:16.200
And in ways, no other tools previously could find.

31:16.200 --> 31:20.160
And yes, that means that if you want to find something

31:20.160 --> 31:23.320
to exploit in something somewhere, the bad guy

31:23.320 --> 31:26.200
is, of course, also run these tools and find things

31:26.200 --> 31:29.680
and bugs to exploit security problems in existing tools.

31:29.680 --> 31:34.560
So it certainly up the games here quite significantly,

31:34.560 --> 31:38.160
because these tools find things in what sometimes

31:38.160 --> 31:41.840
feels like magic of ways.

31:41.840 --> 31:45.240
Yeah, but again, you need a clever human involved here.

31:45.240 --> 31:47.880
You need probably somewhat experienced

31:47.880 --> 31:50.920
engineer to actually figure out, even though you

31:50.920 --> 31:53.200
have a capable tool that finds a lot of things,

31:53.200 --> 31:56.720
or the things real, or the important, or the valid,

31:56.720 --> 32:02.400
part of the fed, sort of attack surface or not.

32:02.400 --> 32:05.080
Yeah, so we have fixed a lot of things.

32:05.080 --> 32:10.520
For example, one of our bigger fancy things with these tools

32:10.520 --> 32:12.600
is that no other code analyzer can do.

32:12.600 --> 32:14.720
They're really human-like behavior.

32:14.720 --> 32:18.440
When the AI is back again, you know that curl talks a lot

32:18.440 --> 32:23.200
of networks, like 29 or so, and the underlying protocols.

32:23.200 --> 32:24.120
A lot of stuff, right?

32:24.120 --> 32:26.840
So when you look at a code and the code does something,

32:26.840 --> 32:28.080
is it right or wrong?

32:28.080 --> 32:29.800
It's really hard, and you have to know a lot

32:29.800 --> 32:33.240
about internals and curl protocols networking, blah, blah.

32:33.240 --> 32:35.360
It's hard to review that as a human.

32:35.360 --> 32:38.120
And then when you have a tool that can say,

32:38.120 --> 32:42.600
hey, this code uses octet 252 here, but the telnet

32:42.600 --> 32:45.360
spec says that is invalid.

32:45.360 --> 32:47.560
Wait a minute, that's almost magic.

32:47.560 --> 32:49.440
How does it know what the telnet spec says?

32:49.440 --> 32:52.080
No one has read that since 2012.

32:54.080 --> 32:56.560
And it's a fascinating helper, right?

32:56.560 --> 32:59.480
And I mean, telnet spec might be a niche thing,

32:59.480 --> 33:02.040
but it can also sort of relate to other things.

33:02.040 --> 33:08.400
Or one of my favorite things is when I update a code,

33:08.400 --> 33:11.400
or I have code and the comment above the code,

33:11.400 --> 33:14.720
they disagree, which is right.

33:14.720 --> 33:16.720
That might sound like a subtle thing,

33:16.720 --> 33:19.920
but it's an awesome thing because the rest of my code, right?

33:19.920 --> 33:23.360
The rest of when you make a function, even if it's internal,

33:23.360 --> 33:27.240
you have if you're having things in the best possible way.

33:27.240 --> 33:29.680
You have this heavily little documentation for your function

33:29.680 --> 33:33.360
that may be above, and if that's the documentation is wrong,

33:33.360 --> 33:38.040
the users of that function in your code is possible wrong.

33:38.040 --> 33:41.240
And it's perfect for finding, for getting an edge case,

33:41.240 --> 33:44.880
or for getting you used to use this in 28 other places

33:44.880 --> 33:47.440
in your code, but you don't do it here, why?

33:47.440 --> 33:51.640
Like, yeah, a human can find that and find the humans do.

33:51.640 --> 33:54.800
But it's boring, and people are really bad at code review.

33:54.800 --> 33:55.720
We all know that, right?

33:55.720 --> 33:57.320
But the machines, they don't go tired.

33:57.320 --> 33:58.680
And my favorite thing is, what do you do?

33:58.680 --> 34:03.080
That's two in the morning, the bots are there.

34:05.280 --> 34:07.600
Yeah, one of my favorite thing is when it tells me,

34:07.600 --> 34:11.000
when I forgot to do test case for my new code.

34:11.000 --> 34:16.120
And also, it's really good, for example, analyzing other libraries.

34:16.120 --> 34:18.400
So you do do function calls from your code

34:18.400 --> 34:20.960
into third-party library, and it can tell me

34:20.960 --> 34:23.320
about assumptions I do on the data it returns,

34:23.320 --> 34:26.600
which also is nothing a normal code analyzer can do,

34:26.600 --> 34:29.520
because a normal code analyzer only analyzes your code,

34:29.520 --> 34:32.720
not the other code, or the interaction between them.

34:32.720 --> 34:35.160
So really fascinating tools.

34:35.160 --> 34:37.920
So it really opens up a new way to improve code

34:37.920 --> 34:39.600
and make things stable and better.

34:39.600 --> 34:42.560
So you can really do a lot of good things.

34:42.560 --> 34:43.760
Yeah.

34:43.760 --> 34:48.600
And nowadays, I'm talking a lot with a code review.

34:48.600 --> 34:50.920
And AI for code review is really good, too,

34:50.920 --> 34:54.960
because all of these, especially back, I should also

34:54.960 --> 34:58.560
practice with, I mean, we're not paying the cost still.

34:58.560 --> 35:01.600
So we're getting a lot of good stuff here without paying for it.

35:01.600 --> 35:02.800
And that's good.

35:02.800 --> 35:06.440
I mean, at some point, we're going to have to start to pay for it.

35:06.440 --> 35:08.880
And then it's going to be a different tune.

35:08.880 --> 35:14.200
But anyway, right, when I do my PR at two in the morning,

35:14.200 --> 35:16.280
usually my other colleagues are not around,

35:16.280 --> 35:18.800
but my review bot is.

35:18.800 --> 35:20.520
And they find things really fast,

35:20.520 --> 35:24.760
and they find things humans tend to miss.

35:24.760 --> 35:27.080
They really make my pull request better.

35:27.080 --> 35:29.640
I would probably have found those bugs later anyway,

35:29.640 --> 35:31.280
but sure, it makes things better.

35:33.720 --> 35:37.640
Funny thing is that the different tools, as I said,

35:37.640 --> 35:40.240
we use three different AI review bots.

35:40.240 --> 35:42.040
They find different things, all of them,

35:42.040 --> 35:44.080
even though you would imagine that there are basically

35:44.080 --> 35:47.080
trained provided by the same AI

35:47.080 --> 35:48.960
to join in the bottom anyway.

35:48.960 --> 35:49.960
It's just fascinating.

35:49.960 --> 35:51.080
It's also fascinating.

35:51.080 --> 35:55.440
Just to show that they are certainly not perfect.

35:55.440 --> 35:57.760
And they're certainly not a complement to test cases,

35:57.760 --> 36:02.320
because it's kind of fun to ask the AI for a review,

36:02.320 --> 36:04.080
and then run the test cases, and see if they

36:04.080 --> 36:05.720
review or actually found the problems,

36:05.720 --> 36:07.400
the test cases can find.

36:07.400 --> 36:09.680
But they really do that.

36:09.680 --> 36:11.040
Yeah.

36:11.040 --> 36:13.520
So it's a cheap, especially for us,

36:13.520 --> 36:16.960
because I'm fortunate to have a project people see.

36:16.960 --> 36:21.000
So they throw these at me to test it for them.

36:21.000 --> 36:23.200
Where there's a luxury, of course.

36:23.200 --> 36:27.960
But test cases is still way more important, of course,

36:27.960 --> 36:28.600
as always.

36:32.280 --> 36:36.120
AI, using an AI to write code, I don't use that.

36:38.600 --> 36:39.400
I'm not impressed.

36:39.400 --> 36:40.080
I don't like it.

36:40.080 --> 36:40.920
I don't use it.

36:40.920 --> 36:42.960
I don't think anyone actually in the code project do.

36:42.960 --> 36:46.200
So I hear that's a fun thing to do.

36:46.200 --> 36:47.800
I've never been impressed.

36:47.800 --> 36:49.360
And all of these tools are really good.

36:49.360 --> 36:51.480
For example, all of these AI detection tools

36:51.480 --> 36:53.080
that can find problems in your code.

36:53.080 --> 36:56.680
All of them offer, like, a generate to patch to fix this,

36:56.680 --> 36:58.200
but they're never good.

36:58.200 --> 37:05.040
So fixing code is still, I think, way better to do as a human.

37:05.040 --> 37:08.920
Proper human fixes code, way better than the AI is to.

37:08.920 --> 37:11.080
But of course, having an eager junior

37:11.080 --> 37:13.480
providing good suggestions, maybe that is good.

37:13.480 --> 37:16.400
You get a lot of suggestions from the AI, at least.

37:16.400 --> 37:18.240
And some of them, parts of them are good, right?

37:18.240 --> 37:22.920
And then you can cherry-pick the good parts and forget the rest.

37:22.920 --> 37:24.360
So we don't use it.

37:24.360 --> 37:31.040
Officially, I don't know if someone who provides a PR tomorrow,

37:31.040 --> 37:35.120
I don't know if they used AI or not.

37:35.120 --> 37:38.560
The good thing about having a good test coverage,

37:38.560 --> 37:42.240
or lots of test cases, is that if someone would just

37:42.240 --> 37:46.400
throw a bad PR generated, sloppy with AI,

37:46.400 --> 37:48.360
it would all just turn red in the CI,

37:48.360 --> 37:49.920
and I wouldn't care about it.

37:49.920 --> 37:52.800
If they wouldn't fix them, I would just close it and move on.

37:52.800 --> 37:54.120
So it's not a waste.

37:54.120 --> 37:59.400
I think the primary thing that our security program, for example,

37:59.400 --> 38:02.800
is that we keep security reports secrets, right?

38:02.800 --> 38:05.200
It's a closed group, limit in amount of people that

38:05.200 --> 38:06.720
have to care about it.

38:06.720 --> 38:08.640
When it comes to issues and pull requests,

38:08.640 --> 38:10.000
they are done in the open.

38:10.000 --> 38:12.320
They're potentially everyone who has could help out

38:12.320 --> 38:15.200
and close them or ask for what questions and everything.

38:15.200 --> 38:19.400
So less of a problem, at least for us.

38:19.400 --> 38:22.400
And of course, what I mentioned already there,

38:22.400 --> 38:24.680
I cannot mention this without a course

38:24.680 --> 38:27.120
talking about the AI scraper, overloaded a bit more.

38:27.120 --> 38:30.200
In the curl project, I'm fortunate to be sponsored

38:30.200 --> 38:32.600
by one of these CDN giants.

38:32.600 --> 38:37.280
So they easily swallow 75 terabytes per month,

38:37.280 --> 38:39.800
which is just a ridiculous amount of traffic,

38:39.800 --> 38:42.120
and you would have any added down with curl all the time.

38:42.120 --> 38:43.920
No, they don't.

38:44.880 --> 38:50.000
There's less than 0.01% of the traffic.

38:50.000 --> 38:51.080
So what are they doing?

38:51.080 --> 38:52.080
I don't know.

38:55.080 --> 38:58.720
Look, again, the luxury of being sponsored

38:58.720 --> 39:01.200
and they eat all the traffic, and I don't have any logs.

39:01.200 --> 39:02.160
I don't have any tracking.

39:02.160 --> 39:03.240
I don't know what they do.

39:03.240 --> 39:07.840
I can just see, where I'm in this bandwidth span.

39:07.840 --> 39:09.320
It's super crazy.

39:09.320 --> 39:14.200
And of course, I mean, I mean,

39:14.200 --> 39:15.880
then in this fortunate market position,

39:15.880 --> 39:18.880
when I can say I get this sponsored by someone who takes this cost,

39:18.880 --> 39:21.320
I understand that certainly not the entire world,

39:21.320 --> 39:22.760
it is in that position.

39:22.760 --> 39:25.320
So this certainly causes a lot of problems

39:25.320 --> 39:28.960
for a lot of projects, not only money,

39:28.960 --> 39:31.160
but just overloading and handling that

39:31.160 --> 39:33.640
when you're right, you're servers and everything.

39:33.640 --> 39:36.160
So of course, AIs will improve.

39:36.160 --> 39:39.040
Everything will be better or some way

39:39.040 --> 39:41.120
for some use cases.

39:41.120 --> 39:43.720
But I mean, if you're just stupid,

39:43.720 --> 39:46.040
they ask for a security problem from these bots,

39:46.040 --> 39:47.520
I don't see how that's going to improve,

39:47.520 --> 39:50.360
because they live to satisfy you.

39:50.360 --> 39:53.280
They will say, yes, yes, here it is.

39:53.280 --> 39:54.560
That will continue.

39:54.560 --> 39:58.360
Because I mean, that's how they work, right?

39:58.360 --> 39:59.800
They're great.

39:59.800 --> 40:01.840
And humans certainly will not improve.

40:01.840 --> 40:05.840
And so I mean,

40:05.960 --> 40:08.280
we've always had a fair amount of users

40:08.280 --> 40:10.240
being the annoying users, right?

40:10.240 --> 40:12.640
The sort of more or less abusive users,

40:12.640 --> 40:16.000
it's always a certain percent of our user base.

40:16.000 --> 40:19.520
All the time, it's just that now that percentage of users

40:19.520 --> 40:22.480
have the ability to produce a lot of junk for you

40:22.480 --> 40:25.200
in ways they didn't before.

40:25.200 --> 40:28.960
Yeah, so I will continue to augment everything we do

40:28.960 --> 40:30.080
in different directions.

40:30.080 --> 40:32.760
Certainly a lot of bad ways, but potentially,

40:32.760 --> 40:35.960
and obviously also in a lot of good ways,

40:35.960 --> 40:37.760
it all depends on what you do with it.

40:40.400 --> 40:43.880
So at least until we start paying for what it actually costs,

40:43.880 --> 40:45.520
and then we'll see what happens.

40:47.640 --> 40:48.480
I don't know.

40:48.480 --> 40:52.040
But anyway, I've made a little list for some afternoon literature

40:52.040 --> 40:55.560
for you on that, that's a redirect.

40:55.560 --> 41:00.560
It takes you to a gist with, I think, 49 fun reports.

41:02.800 --> 41:04.520
There's less fun and more fun.

41:04.520 --> 41:09.360
But there are all stupid AI generated things.

41:09.360 --> 41:10.560
Thank you.

41:10.560 --> 41:30.440
I think we have time for some questions.

41:30.440 --> 41:35.440
We might even have microphones.

41:35.440 --> 41:53.560
Yes, so we will have some questions.

41:53.560 --> 41:57.880
We will just need to figure out the logistics and their mic coming and there's a question

41:57.880 --> 41:58.880
there.

41:58.880 --> 41:59.880
Hello.

41:59.880 --> 42:03.880
Thank you for your presentation.

42:03.880 --> 42:10.560
Another short question, are you at all concerned about the legal ramifications of people

42:10.560 --> 42:15.240
contributing AI generated code in the future?

42:15.240 --> 42:20.520
Because right now there's not really any legal precedent if that's even legal, right?

42:20.520 --> 42:22.200
So that's my question.

42:22.200 --> 42:30.000
So when people are using, well, from my point of view, we've always had that, I don't

42:30.080 --> 42:36.240
I mean, when someone provides code to you, someone made that code, copied that code,

42:36.240 --> 42:39.240
copied it from Stack Overflow five years ago.

42:39.240 --> 42:41.480
I don't know where that code came from.

42:41.480 --> 42:45.880
So am I worried that the license for this now would be different than before?

42:45.880 --> 42:52.000
I think the risk is roughly the same, sure it might have been copied.

42:52.000 --> 42:55.840
In the curl project, we say that whenever we accept a contribution from someone who

42:55.840 --> 42:59.960
provides code to us, we say that we assume that you have the right to do so.

43:00.480 --> 43:02.840
That might not suffice.

43:02.840 --> 43:03.440
I don't know.

43:03.440 --> 43:07.920
I don't think we have many other ways to handle it than that way.

43:07.920 --> 43:13.160
So I think we're going, unless something made your changes, I think we're going to just continue

43:13.160 --> 43:15.920
to have that policy and see where it takes us.

43:18.680 --> 43:19.720
There's another one.

43:21.000 --> 43:21.880
Sorry, hi.

43:21.880 --> 43:27.600
So we've never had a bug bounty, but in the last four months, we've seen a 600% increase in these

43:27.680 --> 43:34.480
wonderful security reports, and advice on how to help in that situation.

43:34.480 --> 43:37.280
Since we can't turn off the bug bounty since we've never had one.

43:39.760 --> 43:42.600
There are many different ways to handle the flood, right?

43:42.600 --> 43:49.000
In our case, we hope to shut off, turn down, disable the money incentive.

43:49.000 --> 43:50.360
But I mean, there are many other ways.

43:50.360 --> 43:54.000
Everyone keeps saying that I should charge for the right to submit a security report.

43:54.000 --> 43:59.000
That's one way, or you can have a secret club that you only allow vetted users into

43:59.000 --> 44:01.320
and allow them to submit the reports.

44:01.320 --> 44:06.480
I know one of the other projects I shouldn't name, but the sort of race, the sort of requirements

44:06.480 --> 44:13.560
on users on HackerOne before so they have to prove themselves to have a signal that is higher

44:13.560 --> 44:16.680
before they are allowed to submit a security report.

44:16.680 --> 44:22.760
All of those are different ways, basically, to make the newbies not submit the security reports.

44:22.800 --> 44:30.120
Unfortunately, almost every way we can think of to sort of limit the flood, the influx, means

44:30.120 --> 44:32.320
that we make it harder to submit the reports.

44:32.320 --> 44:38.600
All of that is unfortunate, but at the same time I don't know, I think we need to experiment

44:38.600 --> 44:40.120
and see what works or not.

44:40.120 --> 44:45.240
I think that's why it's also awesome that lots of projects go different ways because

44:45.240 --> 44:50.400
then we can possibly learn from the others, so what works, what doesn't work, and we can go forward.

44:50.400 --> 44:57.320
I mean, email spam is similar in this, and we have a solution for that.

44:57.320 --> 45:00.880
It doesn't work, but we have at least tried it, and we have something, so I think it's

45:00.880 --> 45:01.880
similar to that.

45:01.880 --> 45:06.000
We just need to figure out ways how to break the inflat somehow.

45:06.000 --> 45:09.280
There's no more.

45:09.280 --> 45:14.280
Hey Daniel, thank you, Europe's absolutely right.

45:14.280 --> 45:17.800
Thank you.

45:17.800 --> 45:23.040
On behalf of Microsoft, I'm wondering, when the AI feature is coming to curl?

45:23.040 --> 45:30.480
I didn't even, I didn't, you know, the sound is this room is weird, because you hear

45:30.480 --> 45:32.680
you and me much better than I hear you.

45:32.680 --> 45:37.480
I've done it many times, I actually have a real question.

45:37.480 --> 45:43.720
I'm looking back at the history of FFmpeg, Google and Spotify, and I'm wondering, if it's

45:43.960 --> 45:52.120
breaking point for open source investment problem, so the problem of raising funds for investing

45:52.120 --> 45:59.240
those vulnerabilities, I didn't think about raising funds.

45:59.240 --> 46:02.160
Have you heard a story about FFmpeg, right?

46:02.160 --> 46:09.520
When they had a huge AI slop of vulnerabilities found by Google, and they denied to do any

46:09.520 --> 46:13.040
contributions inside of, in the direction of Google.

46:13.040 --> 46:16.760
Hey, I tried to mention that without mentioning the names.

46:16.760 --> 46:22.200
Yes, FFmpeg, again, Google.

46:22.200 --> 46:26.620
The question is, isn't it a breaking point when we have to start talking more about

46:26.620 --> 46:30.080
funding open source software?

46:30.080 --> 46:35.560
The problem there was that, yeah, there's a giant company having a huge department of

46:35.640 --> 46:41.960
security specialist finding genuine problems in code, sending all those reports to poorly

46:41.960 --> 46:47.960
open source project with volunteer maintainers, getting a lot of, in this case, not

46:47.960 --> 46:51.720
sloppy, because they were actually valid, I think, several of them at least.

46:51.720 --> 46:55.720
Yes, and then demanding them to fix them within the next number of days, otherwise we will

46:55.720 --> 46:58.960
disclose them to the public, and you will feel bad.

46:58.960 --> 46:59.960
Is that bad?

46:59.960 --> 47:01.120
Yes.

47:01.120 --> 47:02.120
What do we do about it?

47:02.120 --> 47:04.120
We tell them to stop.

47:04.280 --> 47:09.080
I mean, really, or in this case, I think they rightfully told Google, well, you should

47:09.080 --> 47:13.800
submit the fixes as well, because you have the manpower, and why don't you do that?

47:13.800 --> 47:14.800
And then they...

47:14.800 --> 47:15.800
Yes.

47:15.800 --> 47:30.880
And the rest of that follow-up answer you will get when the video is off.

47:30.880 --> 47:33.720
There are some more.

47:33.720 --> 47:39.080
Given the problems with AI that you put on the slides, for example, the energy use and

47:39.080 --> 47:46.440
such, is it ethically acceptable to use AI even just for code reviews?

47:46.440 --> 47:52.280
Possibly possible to use AI for a lot of things.

47:52.280 --> 47:59.200
I don't think using AI is a medicine for this problem either way, because, again, people

47:59.200 --> 48:04.440
are sort of doing this in ways that the AI won't detect anyway.

48:04.440 --> 48:13.040
I think it's a complicated issue, because then people tend to come and say, well, why don't

48:13.040 --> 48:17.480
I require that we can reproduce every bug before we even listen to them?

48:17.480 --> 48:24.200
But then, to me, that's sort of a cute suggestion, because curl runs on 112 operating

48:24.200 --> 48:28.000
systems, 29 CPU architectures.

48:28.000 --> 48:33.080
It's ridiculous to me, if someone actually finds a problem on a source code in curl, if

48:33.080 --> 48:37.680
you find it, you say, hey, that's obviously wrong, because that happens, right?

48:37.680 --> 48:42.240
Should I then say, no, it's not because you can't reproduce it?

48:42.240 --> 48:48.040
So there's so many dimensions in this problem that makes it, it's not easy to dismiss anything

48:48.040 --> 48:54.040
with AI or not AI, because I want to know about the security problems, but I don't

48:54.040 --> 48:58.800
think it's a crap.

48:58.800 --> 49:01.200
I wonder if you made some fun out of...

