"The issue was detected by our new AI-powered vulnerability scanner" ... AAAAAAA

55 comments
@angelastella the user seems to have created the account to report this as their first issue. It does not bring hope. Dunno. They externalize all the real work (make people like badger do it) so why not let the thing run?

@angelastella @bagder Yes to the first part (the detection), but what makes you believe they take it offline?

@angelastella @bagder The thing will report so many false positives that everyone else will want it taken offline within a week. FTFY. (The perpetrator will think it's doing good things for the next couple of years, at least. :sadcat1:)

@bagder "You really need to add some actual intelligence to the mix." Yes, AI does not stand for Actual Intelligence. 😂 https://github.com/curl/curl/issues/12983#issuecomment-1962738924

@bagder And you just know this is going onto a pitch deck: "detected X number of security flaws in its first week", without any validation whatsoever.

@bagder this reminds me of an interview enquiry, which I ignored, about how LLMs can improve the efficiency of penetration testing. I should probably check if it's too late to reply, just to make sure they don't get any funny ideas from some "AI enthusiasts".

@jimfl @bagder I guess I should add such #Spambot accounts to my blocklist: https://github.com/greyhat-academy/lists.d/blob/main/users.github.block.list.tsv Cuz I think such #bots are #ValueRemoving!

[ ] Please sign here if your bug report was NOT detected or written by an AI. Otherwise we will close it unseen.

@bagder I have to wonder what they expected the response to be. It's like they want to be the public punching bag. Absolutely idiotic behavior. Any person (or even fish) with a single braincell knows not to report security issues in public. Also their "issue" is so dumb. "Detected by AI", where AI stands for absolute idiots.

@bagder and holy mackerel, *they opened a GitHub account just to make this report rather than going to HackerOne*. The account has *zero* other activity.

@bagder Oh no... You're-relying-on-undefined-behavior-this-is-going-to-get-someone-killed-as-a-service 😱
@bagder I suggest you change the #CodeOfConduct and explicitly ban #AI-based or otherwise fully-automatic tools without proper checking by the submitting user, with banning said user for #spam if they violate that policy... I doubt the situation would get better otherwise!

@bagder lmao, oof, as much as I personally think LLMs can be powerful linter-like tools for added visibility on things when wielded by the right person, this is clearly a wrong usage by a person that isn't even capable of understanding the output it produces. You should be smarter than the tools you use; if you give a fool a hammer, everything will look like a nail.

@bagder this has the same vibe as that whole spam wave of people PRing "x is an awesome project" to READMEs to qualify for some giveaway a while back
@bagder it's a bit rich to have "undefined behavior always means vulnerability" come out of a model that's essentially ten billion undefined behaviors in a trenchcoat

@bagder He also caused havoc here: https://github.com/mirror/wget/issues/25

@bagder if from is zero and to is 2^63, size should turn out to be zero. Curl won't download anything, afaict. Isn't this more of a bug than a vulnerability?

Not necessarily. Signed integer overflow can cause all manner of weird stuff to happen. http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html#signed_overflow

@bagder 🙈 We'll probably need reporters to use foul language prohibited to AI models or their issues will be auto closed.

@bagder wget received a similar report: https://lists.gnu.org/archive/html/bug-wget/2024-02/msg00005.html They are even referencing the issue they raised with curl.

You laugh (and/or scream), but in a few centuries, when everyone's using 64-exabyte data crystals for storage, transferring data over 1Pbps network interfaces, and curl is still in regular use because of course it is, then your distant descendants will be sorry!

@bagder "Integer overflows in C are undefined behavior, and the behavior of the application is unknown when they arise." Truer words have never been spoken. "I believe it is about 8192 petabytes" wow xD That said, I would not be /against/ the use of AI for this purpose, but not like this person did. It might be handy to spot oversights or really deeply buried stuff. But then it still needs to be checked and (in)validated by a human. https://github.com/curl/curl/issues/12983#issuecomment-1962753276

@bagder LangChain (framework to build complex LLM pipelines) has a ChatGPT-powered bot which tries to help in open issues by generating walls of "helpful" text. It's smart enough to even quote some related code from the repository, but... ...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all filled with walls of text. And knowing that this text is very probably bullshit, my brain automatically infiltrates it :blobcatgooglyholdingitsheadinitshands:
@bagder The thing will report so many false positives they'll take it offline within a week.
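The arithmetic the thread argues about, the length of an inclusive byte range [from, to] whose naive `to - from + 1` is undefined when `to` sits near 2^63, as an added example that is neither curl's code nor any poster's: a checked range-size routine that rejects the inputs for which the naive expression would overflow, so the caller can fail the request instead of continuing on a wrapped value. It assumes a signed 64-bit offset (`int64_t`) standing in for whatever type a real implementation uses; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not curl's code): number of bytes in the inclusive
 * byte range [from, to]. The naive `to - from + 1` is undefined behaviour
 * in C when to - from == INT64_MAX (e.g. from = 0, to = 2^63 - 1), so each
 * step is checked before it is evaluated. Returns false and leaves *size
 * untouched for negative, inverted or unrepresentably large ranges. */
bool range_size_checked(int64_t from, int64_t to, int64_t *size)
{
    if (from < 0 || to < from)
        return false;            /* negative offset or inverted range */
    /* Both operands are non-negative and to >= from, so this subtraction
     * cannot overflow; the only remaining hazard is the +1 below. */
    int64_t span = to - from;
    if (span == INT64_MAX)
        return false;            /* span + 1 would not fit in int64_t */
    *size = span + 1;
    return true;
}

/* Sentinel-returning wrapper for callers that prefer it: -1 means rejected. */
int64_t range_size_or_reject(int64_t from, int64_t to)
{
    int64_t size;
    return range_size_checked(from, to, &size) ? size : -1;
}

int main(void)
{
    /* Constructed inputs: an ordinary range, the reporter's edge case
     * (to = 2^63 - 1), the largest representable range, and an inverted one. */
    struct { int64_t from, to; } cases[] = {
        { 0, 99 }, { 0, INT64_MAX }, { 1, INT64_MAX }, { 10, 5 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int64_t size = range_size_or_reject(cases[i].from, cases[i].to);
        if (size < 0)
            printf("range %lld-%lld: rejected\n",
                   (long long)cases[i].from, (long long)cases[i].to);
        else
            printf("range %lld-%lld: %lld bytes\n",
                   (long long)cases[i].from, (long long)cases[i].to,
                   (long long)size);
    }
    return 0;
}
```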