Recently, there was a clash between the popular @FFmpeg project, a low-level multimedia library found everywhere… and Google. A Google AI agent found a bug in FFmpeg.
FFmpeg is a far-ranging library, supporting niche multimedia files, often through reverse-engineering. It is entirely the result of volunteers and a marvellous piece of technology.
For people who have never been on the receiving end of ‘security researchers’, it is difficult to understand why there is a pushback against them.
Think about the commons. In Quebec, these are pieces of land where farmers send their cows during the summer. It is collectively owned, like FFmpeg.
Everyone is responsible to care for the commons if they are using it. If you are not using it, you are supposed to stay away.
Now, imagine a rich corporation comes in and sends its well-paid agents into the commons to find issues with it. Maybe a broken barrier or a dangerous hole. So far so good… But instead of fixing the issues, the corporation says “you have a month to fix the issue or else I will report you to the government”.
How much love would the big corporation get in this context?
Why do the security researchers insist on disclosing the issue without having contributed to fixing it? So that they can get credit for it. That's their entire scheme: find issues, irrespective of whether they affect the use case of their employer... after all, all issues no matter how small can be potentially significant at some point... and then brag about it without doing the hard work of trying to fix it.
Let me be clear that no everyone working in security behaves this way. Many are good actors. But there are enough 'security researchers' behaving as parasites that it has become a recognizable pattern.
« But Daniel, who should be fixing the bugs then? »
If you are paying for commercial support, then get in touch with the folks you are paying. If you are not paying, then it is on you.
It says so in the licenses. It is part of the moral code open source. It is part of the legal framework.
Let me be clear. You do not get to bite back at Linus Torvalds if a bug in the linux kernel crashes your server. What you do is that you identify the issue, narrow it down and propose a fix. If you cannot do it, then you pay someone to do it. Or you just do not use Linux.
FFmpeg isn't a "vendor"—it's a volunteer army powering *every* video you stream. Google drops 100s of CVEs? Cool, send patches. Don't demand free labor from open-source heroes. #SendPatches#FFmpeg#OpenSource
The Python Documentary by @CultRepo will premiere tomorrow at 10am PDT / 19:00 CET. We'll have an online release party / live chat (with the director, myself and others) https://t.co/faY4zLAwgw
At this age, I’ve realized I have some bad habits, but I can’t change them or fix my character. However, I can pay more attention and better control the consequences of my behavior.
@hemn_hp اصلا اسم خاصی داره CSAPP book
کلا هرکسی این رو نخونده باشه اصلا نمیتونه در مهندسی کامپیوتر حرفی بزنه خیلی مسايل قشنگی داره وقتایی خوابم نمیبره میرم میشینم مسيله هاش رو حل میکنم
@m_iraji کلا چیزی که توی یوتیوب اطلاعات ش هست جذاب نیست
چجوری از اون استفاده بشه مهمه
یوتیوب کلاس درسه استریم اون حل تمرین
بازم تاکید میکنم زبان فارسی فایده نداره کسی نمیاد
@m_iraji اینکه مثلا بخوای انجین ها رو بررسی کنی جالب نیست
کدوم زبون برنامه نویسی مناسبه نه
مثلا یک کد اماده بنویس بیا توی یک ساعت آخر استریم کن تکمیل ش کن و نتیجه رو نشون بده
برای کاربرهای استریم چجوری به نتیجه رسیدن حل باگ در لحظه جذابه
البته ایرانی کلا اینجور استریم ها نمیتن
At this point, nobody’s trying to understand AI — they just wanna be first to tweet the latest hype for likes and views. Congrats, you're now unpaid testers for half-baked, useless tools. What a time to be alive.