Lunduke
News • Science & Tech
Make Computers Fun Again - Linux, UNIX, Alternative Operating Systems, Computer History, and Retro Computing. Also dad jokes.

In Search of Vulnerabilities

How real is the threat of AI to OSS? How powerful is AI at doing code and security reviews? I already regularly benefit from AI code and security review of my own work. It’s not even a close call; it is OBVIOUSLY powerful and helpful. But what about all those AI slop PRs that are plaguing OSS?

So I picked an OSS project that is popular, currently maintained, and isn’t “millions and millions” of lines of code. It’s a web server, and that’s all I’m going to say about which project. It’s written in C. I’m not a C developer of any kind. I’m not a security expert of any kind. I’ve never hacked into anything in my life; I’m not a hacker of any kind.

But I have a subscription to ChatGPT/Codex.

I pulled down the code and had Codex do a review with GPT 5.5 high: a code and security review, and I explicitly told it to ignore anything trivial. I’m looking for zero-days and other “we must fix this now!” issues. The code passed review with no major issues found. This isn’t surprising; this is a popular and well-supported app.

I changed tactics. I had Codex act as a red team to find vulnerabilities, to hack it. It found one vulnerability, something to do with cache poisoning. I had to ask a couple of times in different ways to understand the relevance. Ultimately, under certain circumstances, customer data could be retrieved. Think of a SaaS app that has many customers who all use the same app. There’s a way that customer A could bring back customer B’s data. Still, very esoteric in the details.

So I had Codex develop a demo exploit locally. It did so. I interrogated the solution, looking for just HOW a hacker could accomplish the needful to compromise the data. I did not come away with anything concrete enough to bring to the project maintainers. But maybe an expert hacker could see more potential than me. I’m just not going to bring something esoteric to the maintainers without enough expertise to establish that this is something that needs their attention.

I do believe the vulnerability is real; it’s probably worthy of a low-priority PR. The fix is simple; it’s really just an oversight. I will not be submitting the PR. I do not know C, I do not know web server development, and I have no relationship with this team. I am not a stupid, lazy, greedy or evil human of the type that’s spamming these projects, having just done an automated scan and then created the PR.

I did the due diligence to really tie down “how important is this?”

But keep in mind, I found an area in the code that is a legitimate vulnerability. I don’t know C or web server development, nor am I a hacker. Imagine someone talented in this area probing your OSS code with these tools, combined with their talent. Imagine that scanning happening at scale, so that they don’t have to initially target you specifically.

This vulnerability was human coded and survived all human review. We have humans and we have AI, we should be using both to best effect.
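The cross-customer disclosure the post describes, as an added example (not code from the post or from the unnamed web server it reviewed): a toy HTTP response cache whose key omits the Host header, the attribute the origin uses to pick the tenant, beside the tenant-aware key that fixes it. The hostnames, the account strings and every function name here are constructed for illustration.

```python
"""Toy HTTP response cache showing the bug class described in the post.

Added illustration only; not code from the post or from the web server it
reviewed. Tenant hostnames, account data and function names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample: one origin application serving several customers
# (tenants), where the Host header selects which customer's data to return.
TENANT_DATA: Dict[str, Dict[str, str]] = {
    "a.example.test": {"/account": "owner=Alice balance=100"},
    "b.example.test": {"/account": "owner=Bob balance=250"},
}


@dataclass
class Request:
    method: str
    host: str
    path: str


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(req: Request) -> Response:
    """Hypothetical origin: the response depends on BOTH host and path."""
    tenant = TENANT_DATA.get(req.host.lower())
    if tenant is None or req.path not in tenant:
        return Response(404, "not found", {"Cache-Control": "no-store"})
    return Response(200, tenant[req.path], {"Cache-Control": "public, max-age=60"})


KeyFn = Callable[[Request], Tuple[str, ...]]


class ResponseCache:
    """Caching front end; the only difference between safe and unsafe is key_fn."""

    def __init__(self, key_fn: KeyFn) -> None:
        self.key_fn = key_fn
        self.store: Dict[Tuple[str, ...], Response] = {}
        self.hits = 0

    def fetch(self, req: Request) -> Response:
        if req.method != "GET":  # only cache safe, idempotent reads
            return origin(req)
        key = self.key_fn(req)
        cached = self.store.get(key)
        if cached is not None:
            self.hits += 1
            return cached
        resp = origin(req)
        if resp.status == 200 and "no-store" not in resp.headers.get("Cache-Control", ""):
            self.store[key] = resp
        return resp


def weak_key(req: Request) -> Tuple[str, ...]:
    """The oversight: key on method and path only. Every tenant shares one slot,
    so whichever customer's response lands first is replayed to all the others."""
    return (req.method, req.path)


def tenant_aware_key(req: Request) -> Tuple[str, ...]:
    """Hardened: every request attribute the origin used to choose the response
    (here the normalised Host) is part of the key."""
    return (req.method, req.host.lower(), req.path)


def cross_tenant_leak(key_fn: KeyFn) -> bool:
    """True if customer B receives customer A's cached response."""
    cache = ResponseCache(key_fn)
    a_body = cache.fetch(Request("GET", "a.example.test", "/account")).body
    b_body = cache.fetch(Request("GET", "B.EXAMPLE.TEST", "/account")).body
    return b_body == a_body


if __name__ == "__main__":
    print("weak key leaks:        ", cross_tenant_leak(weak_key))          # True
    print("tenant-aware key leaks:", cross_tenant_leak(tenant_aware_key))  # False
```

Run it as a script to see the two results, or drop a different request attribute from the key (a cookie, an Authorization header, a header named in Vary) to reproduce the same leak for other tenant selectors. The general rule the hardened key follows is that the cache key must cover every input the origin used to produce the response, normalised the same way the origin normalises it; note also that the cache here refuses to store non-GET or no-store responses, so a leak can only come from a key that is too coarse.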

XLibre Turns One Year Old

"XLibre is the most actively developed community-maintained X11 display server."

Grab a discounted Lifetime Sub & get on the Wall:
https://lunduke.substack.com/p/behold-the-win-2k-and-mac-system

More from The Lunduke Journal:
https://lunduke.com/

Win2K & Mac System 1 Walls!

Supporters of The Lunduke Journal have now filled up 8 retro computer themed walls!


Linux App Store Bans Software Touched by AI in Any Way

Flathub Team: "Applications containing AI-generated or AI-assisted code, documentation, or other content are not allowed."

Massively Discounted Lifetime Subs Through June:
https://lunduke.substack.com/p/50-off-yearly-and-massively-discounted


November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣


September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).


Not Tested by AI is Inexcusable

Let’s say, as a given, that you can write better code than AI. This isn’t the current debate. You are good, you know you are good. You may have even experimented with AI for coding and have determined it does not pass your muster. All good.

If you aren’t incorporating AI in your testing at this point, I’d say you are being negligent. It doesn’t matter if you are great at coding; nobody who codes loves testing. And if you think your peers are doing a rigorous job in code review, you are naïve.

And if you are a great tester and work for a company where the testers are amazing… time is money. The FIRST line of testing should be automated with AI code and security review.

No developer should be foisting the work of finding his obvious bugs onto humans. He should have complete testing and security coverage that he runs himself, as the first step.

Not the last step. The ultimate quality gate is the human. But solving all the easy bug and security findings by tools ...

It’s that time. Time for another stream. I’ve delayed the start time because I’ll be getting home later from Church. I’ll post the invite link shortly before the stream starts at 7pm.

Behold! The "Win 2K" & "Mac System 1" Lifetime Sub Walls!

Woah! The 8th Lifetime Subscriber Wall of The Lunduke Journal (aka “The Windows 1.0 Wall”) is already full! After only one week! That’s nuts!

So I’m opening up two new, retro computer walls!

  • Wall 9 - “The Macintosh System 1 Wall”

  • Wall 10 - “The Windows 2000 Wall”


Show your support for The Lunduke Journal, and be immortalized in a retro computer screenshot. Win-win!

If the past is any indicator, these will fill up crazy fast. First come, first served.

Plus: For the entire month of June, Lifetime Subscriptions are discounted down to $125 (regularly $300).

  1. Scroll down and grab a new Lifetime Subscription (at that bonkers discount).

  2. Choose which of the two new Walls you’d like to be on (Mac System 1 or Windows 2000). Totally optional.

How to Grab a Discounted Lifetime Subscription:

There are 3 different ways to pick up a Lunduke Journal Lifetime sub. All of them work great and include the same perks. Choose whichever works best for you!

Get a Lifetime Subscription via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Select “Give Once“.

  3. Enter “125“ into the amount field.

  4. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

Get a Lifetime Subscription via Substack:

  1. Go to Lunduke.Substack.com/subscribe.

  2. Select the “Lifetime Subscription” option.

  3. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

If you would also like full, Lifetime access to Lunduke.Locals.com (which is included):

  1. Make a free account on Lunduke.Locals.com.

  2. Email “bryan at lunduke.com” with the email address you use on both Substack and Locals (can be different email addresses).

  3. Lunduke will toss you an email once your account is set to full lifetime status on Locals.

Get a Lifetime Subscription with Bitcoin:

Bonus: Save an extra $10 with the Bitcoin option, as Bitcoin processing has fewer fees associated with it.

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email “bryan at lunduke.com” with the following information: What time you made the transaction, how much was sent (in Bitcoin), and the email address you use (or plan to use) on Locals.com or Substack.com.

-Lunduke

Windows 1.0 Wall almost full! Last call!

Holy Guacamole, Batman!

The 8th Lifetime Subscriber Wall (“The Windows 1.0 Wall”) of The Lunduke Journal launched exactly one week ago… and it’s already almost full! Bonkers!


At the current rate, the “Windows 1.0 Wall” will be full sometime tomorrow (Saturday).

Want your name immortalized in that glorious 1985 styled goodness, proclaiming to the world your support of The Lunduke Journal?

Don’t have a Lifetime Subscription?

  1. Grab one for $125 (normally $300).

  2. You’ll get a confirmation email (within just a few hours). Reply to that email with how you would like your name displayed on a Lifetime Wall.

  3. Then enjoy the other perks of being Lunduke Journal subscriber. Forum access, MP4 downloads, and PDF eBooks.

Already have a Lifetime Subscription?

  1. Just toss an email to bryan [at] lunduke.com with how you would like your name displayed on a Lifetime Wall.

Easy peasy.

First come, first served. Once the “Windows 1.0 Wall” is full, the final version will be added to Lunduke.com and the 9th Lifetime Wall will debut!

-Lunduke

The "Windows 1.0" Lunduke Lifetime Wall is here!

Two awesome tidbits:

  1. The 7th Lifetime Subscriber Wall (aka “The Solaris Wall”) is full! No room for any more names! You can see the final version on the bottom of Lunduke.com (and at the end of new shows).

  2. The 8th Lifetime Wall will make its debut on Monday! The retro computing platform chosen for Wall number 8 will be… Windows 1.0!

If you would like to see your name immortalized in a screenshot of the very first version of Windows, from 1985, displayed on both Lunduke.com & at the end of all Lunduke Journal shows (you know you do):

Support the Lunduke Journal… and, at the same time, have your name immortalized in a screenshot of the operating system with (arguably) the worst color scheme in human history.

It’s a win-win.


-Lunduke
