@bagder "You really need to add some actual intelligence to the mix."

Yes, AI does not stand for Actual Intelligence. 😂

https://github.com/curl/curl/issues/12983#issuecomment-1962738924

@bagder And you just know this is going onto a pitch deck "detected X number of security flaws in its first week" without any validation whatsoever.

@bagder this reminds me of an interview enquiry, which I ignored, about how LLMs can improve the efficiency of penetration testing.

I should probably check if it's too late to reply, just to make sure they don't get any funny ideas from some "AI enthusiasts".

@bagder The issue was detected by our new AI-powered vulnerability scanner. It found:

int x = 2 + 1;

Because we also detected addition in a different library, we are assigning this issue a severity of: high.

@bagder omg

@bagder

@bagder Not the most important part but “subtracting from from to” is sending me

@bagder

[ ] Please sign here if your bug report was NOT detected or written by an AI. Otherwise we will close it unseen.

@bagder I have to wonder what they expected the response to be. It's like they want to be the public punching bag. Absolutely idiot behavior. Any person (or even fish) with a single braincell knows not to report security issues in public. Also their "issue" is so dumb. "Detected by AI", where AI stands for absolute idiots.

@bagder Jesus another one?!?!

@bagder they have now linked this to an issue they logged on a wget mirror repo. Given that it's issue 25 I doubt it's even the right place 🙄.

@bagder
Gotta appreciate the huge amount of electrons they wasted on the description alone. But yeah, eh gods...

@bagder LMAO gottem

@bagder I suggest you change the #CodeOfConduct and explicitly ban #AI-based or otherwise fully-automatic tools without proper checking by the submitting user, with banning said user for #spam if they violate that policy...

I doubt the situation would better otherwise!

@bagder lmao, oof, as much as I personally think LLMs can be powerful linter-like tools for added visibility on things when wielded by the right person, this is clearly a wrong usage by a person that isn't even capable of understanding the output it produces. You should be smarter than the tools you use, if you give a fool a hammer everything will look like a nail.

@bagder seeing people like this always pisses me off. why waste the time of maintainers and make their life more difficult? automation when pentesting is completely fine, but there still has to be the manual process of validating the vulnerability before reporting it.

@bagder More like "AI-powered lie generator and time waster".

I don't envy popular projects right now, this spam sucks.

@bagder

@bagder it’s a bit rich to have “undefined behavior always means vulnerability” come out of a model that’s essentially ten billion undefined behaviors in a trenchcoat

@bagder I took a quick glance on my phone and it wasn’t immediately obvious. Is this ssh as in secure shell embedded into curl somehow?

Edit: wow, lots more. Hrmf.

@bagder I wonder if it will identify its creator as a vulnerability if they are posting the (potental) exploits publicly.

@bagder He also caused havoc here: https://github.com/mirror/wget/issues/25

@bagder if from is zero and to is 2^63. size should turn out to be zero. Curl wont download anything, afaict. Isn't this more of a bug than a vulnerability?

@bagder 🙈

We‘ll probably need reporters to use foul language prohibited to AI models or their issues will be auto closed.

@bagder wget received a similar report: https://lists.gnu.org/archive/html/bug-wget/2024-02/msg00005.html

They are even referencing the issue they raised with curl.

@bagder see I wouldn't have given that account a chance - that's just a permaban

@bagder

You laugh (and/or scream), but in a few centuries, when everyone's using 64-exabyte data crystals for storage, transferring data over 1Pbps network interfaces, and curl is still in regular use because of course it is, then your distant descendants will be sorry!

@bagder oh boy I can't wait for LLM generated spam CVEs to waste developers time

@bagder@mastodon.social the end is nigh

@bagder He’s doing the same thing at wget… what a brave new world 😭

https://github.com/mirror/wget/issues/25

@bagder if you have 8192 petabyte sized files. Good last comment.

@bagder “8192 petabytes should be enough for everyone”

@bagder

"I believe it is about 8192 petabytes"

wow xD

That said, I would not be /against/ the use of AI for this purpose, but not like this person did. It might be handy to spot oversights or really deeply buried stuff. But then it still needs to be checked and (in)validated by a human.

https://github.com/curl/curl/issues/12983#issuecomment-1962753276

@bagder I know people who rather say "fix this" than listen to reason.

@bagder Oh, you don't have 8192 PB lying around? :D

@bagder LangcChain (framework to build complex llm pipelines) has chatgpt powered bot, which tries to help in open issues by generating walls of "helpful" text

It's smart enough to even quote some related code from repository, but...

...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all are filled with walls of text. And knowing that, this text is very probably bullshit, my brain automatically infiltrates it :blobcatgooglyholdingitsheadinitshands: