"The issue was detected by our new AI-powered vulnerability scanner" ... AAAAAAA
daniel:// stenberg://
55 comments
@angelastella the user seems to have created the account to report this as their first issue. It does not bring hope.
Newk
Dunno. They externalize all the real work (make people like badger do it) so why not let the thing run?
Andreas Scherbaum
@angelastella @bagder Yes to the first part (the detection), but what makes you believe they take it offline?
Hugo Mills
@angelastella @bagder The thing will report so many false positives that everyone else will want it taken offline within a week. FTFY. (The perpetrator will think it's doing good things for the next couple of years, at least. :sadcat1:)
Gert van Dijk
@bagder "You really need to add some actual intelligence to the mix." Yes, AI does not stand for Actual Intelligence. https://github.com/curl/curl/issues/12983#issuecomment-1962738924
Matt Brown
@bagder And you just know this is going onto a pitch deck "detected X number of security flaws in its first week" without any validation whatsoever.
Konstantin Weddige
@bagder this reminds me of an interview enquiry, which I ignored, about how LLMs can improve the efficiency of penetration testing. I should probably check if it's too late to reply, just to make sure they don't get any funny ideas from some "AI enthusiasts".
Kevin Karhan
@jimfl @bagder I guess I should add such #Spambot -Accounts to my blocklist: https://github.com/greyhat-academy/lists.d/blob/main/users.github.block.list.tsv Cuz I think such #bots are #ValueRemoving!
Andreas Scherbaum
[ ] Please sign here if your bug report was NOT detected or written by an AI. Otherwise we will close it unseen.
Thomas Frans 🇺🇦
@bagder I have to wonder what they expected the response to be. It's like they want to be the public punching bag. Absolutely idiot behavior. Any person (or even fish) with a single braincell knows not to report security issues in public. Also their "issue" is so dumb. "Detected by AI", where AI stands for absolute idiots.
The Original Stripey Goodness
@bagder and holy mackerel, *they opened a GitHub account just to make this report rather than going to HackerOne* The account has *zero* other activity
Richard Levitte
@bagder
Caleb James DeLisle
Oh no... You're-relying-on-undefined-behavior-this-is-going-to-get-someone-killed-as-a-service 😱
Kevin Karhan
@bagder I suggest you change the #CodeOfConduct and explicitly ban #AI-based or otherwise fully-automatic tools without proper checking by the submitting user, with banning said user for #spam if they violate that policy... I doubt the situation would better otherwise!
Anthropy :verified_dragon:
@bagder lmao, oof, as much as I personally think LLMs can be powerful linter-like tools for added visibility on things when wielded by the right person, this is clearly a wrong usage by a person that isn't even capable of understanding the output it produces. You should be smarter than the tools you use, if you give a fool a hammer everything will look like a nail.
Magnus Ahltorp
Jorin, Subcontra Sorceress
@bagder this has the same vibe as that whole spam wave of people PRing "x is an awesome project" to READMEs to qualify for some giveaway a while back
Kévin
Yusef Napora
@bagder it’s a bit rich to have “undefined behavior always means vulnerability” come out of a model that’s essentially ten billion undefined behaviors in a trenchcoat
Autumn~: :blinking_cursor:
@bagder He also caused havoc here: https://github.com/mirror/wget/issues/25
Yaksh Bariya
@bagder if from is zero and to is 2^63, size should turn out to be zero. Curl won't download anything, afaict. Isn't this more of a bug than a vulnerability?
argv minus one
Not necessarily. Signed integer overflow can cause all manner of weird stuff to happen. http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html#signed_overflow
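The two replies above disagree about what happens when a "from-to" byte range is turned into a size near the top of a signed 64-bit type. The following is an added example, not curl's code and not code from anyone in this thread; it uses a hypothetical `range_bytes` helper to show where the signed arithmetic would overflow (undefined behaviour in C) and how a parser refuses such input up front instead of computing anything with it. The input strings are constructed for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one non-negative decimal number into an int64_t.
   Values that do not fit make strtoll report ERANGE; we reject them
   rather than continue with the clamped value strtoll returns.
   Hypothetical helper, not curl's API. */
static bool parse_off(const char *s, char **end, int64_t *out)
{
    if (*s < '0' || *s > '9')
        return false;                 /* no sign, whitespace or junk */
    errno = 0;
    long long v = strtoll(s, end, 10);
    if (errno == ERANGE)
        return false;                 /* e.g. 2^63 does not fit */
    *out = (int64_t)v;
    return true;
}

/* Number of bytes in the inclusive range [from, to]. Returns false when
   the count would exceed INT64_MAX, so the "+ 1" is never evaluated in a
   way that overflows a signed type. */
bool range_size_checked(int64_t from, int64_t to, int64_t *size)
{
    if (from < 0 || to < from)
        return false;                 /* malformed or reversed range */
    int64_t span = to - from;         /* safe: 0 <= span <= INT64_MAX */
    if (span == INT64_MAX)
        return false;                 /* span + 1 == 2^63 cannot be stored */
    *size = span + 1;
    return true;
}

/* Parse "from-to" and return the byte count, or -1 on malformed or
   unrepresentable input. */
int64_t range_bytes(const char *range)
{
    int64_t from, to, size;
    char *end;
    if (!parse_off(range, &end, &from) || *end != '-')
        return -1;
    if (!parse_off(end + 1, &end, &to) || *end != '\0')
        return -1;
    if (!range_size_checked(from, to, &size))
        return -1;
    return size;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *inputs[] = {
        "0-1023",                    /* ordinary range: 1024 bytes */
        "0-9223372036854775806",     /* to = INT64_MAX - 1: largest count that fits */
        "0-9223372036854775807",     /* to = INT64_MAX: count would be 2^63, rejected */
        "0-9223372036854775808",     /* to = 2^63: does not even parse into int64_t */
        "10-5",                      /* reversed range, rejected */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-24s -> %lld\n", inputs[i], (long long)range_bytes(inputs[i]));
    return 0;
}
```

The point of the split into `parse_off` and `range_size_checked` is that the two failure modes are different: a value that does not fit the type is caught at parse time, and a value that fits but whose derived size would not is caught before the addition, so the code never reaches an expression whose result is undefined.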
Stefan Eissing
@bagder We’ll probably need reporters to use foul language prohibited to AI models or their issues will be auto closed.
SchwarzeLocke
@bagder wget received a similar report: https://lists.gnu.org/archive/html/bug-wget/2024-02/msg00005.html They are even referencing the issue they raised with curl.
argv minus one
You laugh (and/or scream), but in a few centuries, when everyone's using 64-exabyte data crystals for storage, transferring data over 1Pbps network interfaces, and curl is still in regular use because of course it is, then your distant descendants will be sorry!
polprog68k
@bagder "Integer overflows in C are undefined behavior, and the behavior of the application is unknown when they arise."
truer words have never been spoken
Fox
"I believe it is about 8192 petabytes" wow xD That said, I would not be /against/ the use of AI for this purpose, but not like this person did. It might be handy to spot oversights or really deeply buried stuff. But then it still needs to be checked and (in)validated by a human. https://github.com/curl/curl/issues/12983#issuecomment-1962753276
Moana Rijndael
@bagder LangChain (framework to build complex llm pipelines) has a ChatGPT-powered bot, which tries to help in open issues by generating walls of "helpful" text. It's smart enough to even quote some related code from the repository, but... ...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all filled with walls of text. And knowing that, this text is very probably bullshit, my brain automatically infiltrates it :blobcatgooglyholdingitsheadinitshands:
@bagder
The thing will report so many false positives they'll take it offline within a week.