Talk: Keeping the World from Burning
Daniel Stenberg's talk at the Nordic Software Security Summit addressed security challenges in open-source projects, focusing on issues like bogus CVEs and AI hallucinations. A live-stream is scheduled for September 30, 2024.
Daniel Stenberg recently delivered a talk titled "Keeping the world from Burning" at the Nordic Software Security Summit in Stockholm, Sweden. The presentation focused on the security challenges faced by high-profile open-source projects, drawn from his experience maintaining cURL and libcurl, which are installed in billions of instances worldwide. Stenberg covered bogus CVEs, conflicting vulnerability databases, AI-hallucinated vulnerability reports, and inflated severity scoring, using real-life examples to illustrate what maintaining security in widely used open-source software actually involves. The talk was well received, and many attendees referred to it in subsequent discussions.

Since the event was not recorded, Stenberg plans to present the talk again via a live-stream on Twitch on September 30, 2024, at 14:00 UTC. This version will include some updates and refinements based on the first presentation. The session will be interactive, with time for audience questions, and requires no registration or fee.
- Daniel Stenberg's talk addressed security challenges in open-source projects.
- The presentation will be live-streamed on Twitch on September 30, 2024, at 14:00 UTC.
- Key topics included bogus CVEs, conflicting vulnerability databases, AI-hallucinated reports, and inflated severity scoring.
- The talk aims to provide insights for maintaining security in widely used software.
- Audience participation will be encouraged during the live-streamed session.
Related
Syd the perhaps most sophisticated sandbox for Linux
A course covers security topics like Chrome vulnerabilities, Amazon's "Stuffer Concept," Rust language safety. Tools include GCC 14, BOLT, Google Closure Compiler. Emphasizes firewalls, Seccomp, eBPF, Syd sandbox, F*, CompCert, TCC compilers.
Linus Torvalds: XZ Utils Breach Raises Questions About Trust in Open Source [video]
The video discusses trust in open source development, highlighting security challenges, breaches, and ethical implications. It emphasizes the Linux kernel's trust network through in-person verification to prevent attacks effectively.
So the Department of Energy emailed me
The U.S. Department of Energy requested a Secure Software Development Attestation for libcurl from Daniel Stenberg, who was unaware of their use of the software and suggested contacting wolfssl.com for assistance.
The Web We've (Never) Lost
Jan Vlnas' talk at PragueJS highlights the decline of mainstream web platforms, introducing the "peripheral web" as a vibrant alternative. He encourages exploring decentralized spaces and personal websites for creativity.
9.9 Linux CVE
A critical unauthenticated remote code execution vulnerability affecting GNU/Linux systems, rated 9.9 in severity, is set for disclosure soon, with no effective fix or CVE identifiers available yet.