Llm

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you’re a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It’s a very sane and realistic conversation about what AI tools can and can’t do, and how humans should be interacting with these things. ...

Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can’t keep up with the number of vulnerabilities we have, there’s no way we can possibly keep up with a glut of LLM generated vulnerabilities. We really need to rethink how we handle vulnerabilities. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_426_Automatically_exploiting_CVEs_with_AI.mp3 Show Notes OpenAI’s GPT-4 can exploit real vulnerabilities by reading security advisories paper: LLM Agents can Autonomously Exploit One-day Vulnerabilities Cisco Fixes RV320/RV325 Vulnerability by Banning “curl” in User-Agent Episode 219 – Chat with Larry Cashdollar Cory Doctorow: What Kind of Bubble is AI?