Discussion (26 Comments)
"my experience from working with them on and off for many months now is nothing but good. Skilled, professional engineers without any bureaucracy. They know their stuff, and they've been very good at listening in and adjusting for our needs and wants."
Who am I? I'm Daniel, curl lead developer.
https://mastodon.social/@bagder/116807425534711479
(How do I post this message then? Well, my browser is faking a real user agent from some browser using a 'whatwg cartel' web engine.)
Your self-made story sounds very interesting: you're a Bitcoin insider from 70s/80s Chicago with touch points to several families of really old money. Unfortunately your Wikipedia page is deleted (or the page was never there and someone linked it anyway).
You seem to be financially secure with an interesting story to tell, why not spill the beans?
I'm poking the bear here and sincerely hope you are one of the truly self-made guys ;)
What stood out the most to me here was their pitch that the harness currently matters most, over and above a specific model's capacity. That's one of my conclusions from reading Cloudflare's Mythos debrief as well — the work right now that's most valuable is in getting the models to loop effectively on tasks - so it's super interesting to read the same perspective from a clearly effective org.
Paraphrasing: "The world's top security researchers and AI labs are pouring all their VC money into finding as many security issues in curl as possible". At the same time, we know that curl is run by volunteers who need to handle all of this. I'm not saying that we shouldn't do security review of open source libraries, just saying that this situation puts a lot of pressure on the maintainers.
The second unnerving thing is that many of the listed vulnerabilities target embedded libcurl, a library with a much slower update cycle. I'm guessing that many of the listed bugs are still in active use, inside the thousands of applications that use curl internally. Another tricky situation.
Both of these stand in contrast to the post's "braggy" style of "we found the most vulnerabilities of all!!!".
I am guessing the slower update cycle is an issue where it is statically linked?
This is true, and worth saying, but it is also a problem of the OSS philosophy. All software is used at your own risk, so if maintainers want their software used they need to keep up, and the (true) promise of "more eyeballs means more secure software" has this downside built in.
It's good that the world has thrown enormous resources into finding curl bugs, and found not very much. Most of the CVEs are low priority and in the more esoteric parts of curl. Some (like CVE-2026-9080) seem so obscure that I'm doubtful anyone other than the reporters has ever experienced it. That shows that curl was already pretty good to begin with.
This is ultimately a marketing piece for Aisle, but at least they did some public good to get their marketing.
The most important part is that these researchers were respectful of the maintainers, and spent their own time and money fully verifying their findings before raising them with the project. They have taken on board the message that the curl project won't even talk to slop flingers. The less diligent researchers, the Dunning-Krugerands who feel enabled by AI but actually just waste the maintainers' time, are the real problem.
[0] https://youtu.be/t4wqREXVEAc
Based on the eye candy I imagine the team consists of a bunch of VC bros on their MacBooks drinking chai lattes. Not sure if that is the impression you want to portray to a technical audience. The eye candy might work with nontechnical crowds though, so you do you.
Edit: To elaborate on the nontechnical MacBook user angle: If the tagline is "outsmart your adversaries", I wonder how you plan to outsmart anyone if your security company is set up on backdoor-infested macOS or Windows systems? You can't assume that the backdoors put in by USUK are not known to other foreign adversaries. Maybe I'm wrong and they are a Linux/BSD shop. In that case a report about running a security startup in a secure manner based on an open-source operating system would be a more interesting contribution than yet another CVE.