Re: Sales pitch doc


Romain Baugue

May 9, 2019, 12:14:35 PM
to t hepudds, Dmitry Vyukov, Golang Fuzzing, Josh Bleecher Snyder
Same, I received the invitation but nothing else. I don't think there is any moderation in place; anyway, I'll add you both to the administrators, as you will probably have more use for the tools than me.

Didn't have the time to look at the doc either. Didn't have the time for anything today :P

On Thu, May 9, 2019, 17:28 t hepudds <thepud...@gmail.com> wrote:
Hi Dmitry,

I did receive an invitation from Google Docs to edit that document several hours ago.

However, I did not see anything like your first email below until just now. (I do not see it in the Google Group, nor in my Gmail).

thepudds

On Thu, May 9, 2019 at 11:07 AM Dmitry Vyukov <dvy...@google.com> wrote:
I've sent this to the group 6 hours ago, did anybody receive it? It's
still not on the web list:
https://groups.google.com/forum/#!forum/golang-fuzzing-proposal
Or do we have moderation enabled?

Date: Thu, May 9, 2019 at 10:41 AM
To: <golang-fuzz...@googlegroups.com>

> Until we have fuzzing as part of the standard Go toolchain, I think it
> would be useful to have a 1-pager sales pitch doc explaining why we
> badly need this at a high level. I started a draft:
>
> https://docs.google.com/document/d/1N-12_6YBPpF9o4_Zys_E_ZQndmD06wQVAM_0y9nZUIE/edit#
>
> You should have edit access, and for now it's open for comments from anybody.
> I still hear that there is not enough interest in Go fuzzing, esp. from
> larger players, so this is meant to be the doc that we can show to
> these larger players.
>
> Did I miss any good points in the doc? Does anybody want to volunteer to
> turn this into actual text?
> Do add yourself to authors as you do any changes.
>
> Read-only version is also available at:
> http://tiny.cc/why-go-fuzzing

t hepudds

May 11, 2019, 9:59:03 AM
to Dmitry Vyukov, Golang Fuzzing, Josh Bleecher Snyder, Romain Baugue

Dmitry Vyukov

May 11, 2019, 9:59:03 AM
to golang-fuzz...@googlegroups.com

Dmitry Vyukov

May 11, 2019, 9:59:03 AM
to Golang Fuzzing, Josh Bleecher Snyder, t hepudds, Romain Baugue
I've sent this to the group 6 hours ago, did anybody receive it? It's
still not on the web list:
https://groups.google.com/forum/#!forum/golang-fuzzing-proposal
Or do we have moderation enabled?

Date: Thu, May 9, 2019 at 10:41 AM
To: <golang-fuzz...@googlegroups.com>

Romain Baugue

May 11, 2019, 1:50:20 PM
to Golang Fuzzing
Started redacting a few paragraphs, but my head is cloudy today, and I don't feel like I've really improved the document :P . I'll have another try tomorrow.



Romain Baugue

May 12, 2019, 9:53:04 AM
to Golang Fuzzing
So, I've fully redacted the bullet points, and added whatever I could come up with. It's by no means perfect but IMHO this is a base we can work with and improve as needed.

Dmitry Vyukov

May 16, 2019, 8:35:07 AM
to Romain Baugue, Golang Fuzzing
Thanks! I did another pass on top of your change.
I see this doc as more of "creating a business case" for larger
players, because it seems that without their support this won't
happen. So I removed things like names of particular fuzzers and
references to tutorial, as I think this is not so important in this
context. But added mention of cost-effectiveness and made security
more prominent.



Dmitry Vyukov

May 16, 2019, 9:08:55 AM
to Romain Baugue, Golang Fuzzing
Are you going to do any more changes? Please do them atomically. I am
going to publish the link.

Dmitry Vyukov

May 16, 2019, 9:43:47 AM
to t hepudds, Golang Fuzzing
On Thu, May 16, 2019 at 3:35 PM t hepudds <thepud...@gmail.com> wrote:
>
> Hi all,
>
> I had started to do a quick editing pass about 30 min ago, but at first, I thought they would be suggestions rather than edits, so then I stopped.
>
> Would it be worth adding a point or two around how the state of the art in fuzzing has progressed very significantly in the last few years?
>
> I think some people might have tried fuzzing, say, 4-5 years ago (or maybe tried more recently than that, but used a tool that is not as modern), and then not seen great results and have therefore put fuzzing into a "something for security experts" mental bucket.
>
> Two aspects of progress to consider mentioning are:
>
> 1. How fuzzing can be much, much friendlier now. E.g., from afl page:
>
> "No tinkering required. In contrast to most other fuzzers, the tool requires essentially no guesswork or fine-tuning. Even if you wanted to, you will find virtually no knobs to fiddle with and no 'fuzzing ratios' to dial in."
>
> 2. How fuzzing can be much better now at finding interesting inputs, especially when not used by an expert. E.g., maybe link to something like https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html


I started spreading the word:
https://twitter.com/dvyukov/status/1129012347065044992
so we need to be more careful with edits.
It can make sense to add a sentence at the end of the "Fuzzing is
effective" section. Do you have any suggestions on how to phrase it in
a laconic way at the right level of detail?
I see this as intended for a busy eng director level person, so that
it hopefully convinces them that they want fuzzing.

Dmitry Vyukov

May 16, 2019, 10:32:16 AM
to t hepudds, Golang Fuzzing
Accepted. Thanks.

On Thu, May 16, 2019 at 3:54 PM t hepudds <thepud...@gmail.com> wrote:
>
> Hi Dmitry,
>
> I added a suggested edit (before seeing your reply here).
>
> I think it is an important point that "the fuzzing of today" is actually quite different from "the fuzzing you might be familiar with", and it goes to the nature of what fuzzing is (and hence, arguably should be in the "What is Fuzzing" section). If someone is in a rush and deciding whether or not to read the rest of the document, I think it is useful to convey "hey, things have changed, you might want to invest another 30 seconds in reading this document" (and hence, arguably deserves to be early in the document).
>
> All that said, it could also go lower in the document as you suggested.
>
> Regards,
> thepudds

Romain Baugue

May 26, 2019, 6:16:12 AM
to golang-fuzzing-proposal
Sorry for the long silence, I've been quite busy and out of home for a few weeks.
I've reviewed the document, it's fine. Not one page anymore, but that's not too far off the target.
I've suggested a few edits that would make it easier to read and bring it down to one page.