"The issue was detected by our new AI-powered vulnerability scanner" ...
AAAAAAA
The thing will report so many false positives they'll take it offline within a week.
@angelastella the user seems to have created the account to report this as their first issue. It does not bring hope.
@bagder @angelastella does it spark joy?
Dunno. They externalize all the real work (make people like badger do it) so why not let the thing run?
@angelastella @bagder Yes to the first part (the detection), but what makes you believe they take it offline?
@angelastella @bagder The thing will report so many false positives that everyone else will want it taken offline within a week.
FTFY.
(The perpetrator will think it's doing good things for the next couple of years, at least. )
@bagder "You really need to add some actual intelligence to the mix."
Yes, AI does not stand for Actual Intelligence.
https://github.com/curl/curl/issues/12983#issuecomment-1962738924
@bagder And you just know this is going onto a pitch deck "detected X number of security flaws in its first week" without any validation whatsoever.
@9erdelta oh right, what a depressing thought...
@bagder this reminds me of an interview enquiry, which I ignored, about how LLMs can improve the efficiency of penetration testing.
I should probably check if it's too late to reply, just to make sure they don't get any funny ideas from some "AI enthusiasts".
@bagder The issue was detected by our new AI-powered vulnerability scanner. It found:
int x = 2 + 1;
Because we also detected addition in a different library, we are assigning this issue a severity of: high.
@jimfl @bagder I guess I should add such #Spambot accounts to my blocklist:
https://github.com/greyhat-academy/lists.d/blob/main/users.github.block.list.tsv
Cuz I think such #bots are #ValueRemoving!
https://infosec.space/@kkarhan/111988975123194422
@bagder Not the most important part but “subtracting from from to” is sending me
[ ] Please sign here if your bug report was NOT detected or written by an AI. Otherwise we will close it unseen.
@bagder I have to wonder what they expected the response to be. It's like they want to be the public punching bag. Absolutely idiotic behavior. Any person (or even fish) with a single braincell knows not to report security issues in public. Also their "issue" is so dumb. "Detected by AI", where AI stands for absolute idiots.
@bagder Jesus another one?!?!
@bagder and holy mackerel, *they opened a GitHub account just to make this report rather than going to HackerOne*
The account has *zero* other activity
@bagder they have now linked this to an issue they logged on a wget mirror repo. Given that it's issue 25, I doubt it's even the right place.
@bagder Gotta appreciate the huge amount of electrons they wasted on the description alone. But yeah, ye gods...
@bagder LMAO gottem
@bagder I suggest you change the #CodeOfConduct and explicitly ban #AI-based or otherwise fully automatic tools without proper checking by the submitting user, with banning said user for #spam if they violate that policy...
I doubt the situation would get better otherwise!
@bagder lmao, oof, as much as I personally think LLMs can be powerful linter-like tools for added visibility on things when wielded by the right person, this is clearly a wrong usage by a person that isn't even capable of understanding the output it produces. You should be smarter than the tools you use, if you give a fool a hammer everything will look like a nail.
@bagder seeing people like this always pisses me off. Why waste the time of maintainers and make their life more difficult? Automation when pentesting is completely fine, but there still has to be the manual process of validating the vulnerability before reporting it.
@bagder More like "AI-powered lie generator and time waster".
I don't envy popular projects right now, this spam sucks.
@bagder it’s a bit rich to have “undefined behavior always means vulnerability” come out of a model that’s essentially ten billion undefined behaviors in a trenchcoat
@bagder I took a quick glance on my phone and it wasn’t immediately obvious. Is this ssh as in secure shell embedded into curl somehow?
Edit: wow, lots more. Hrmf.
@bagder I wonder if it will identify its creator as a vulnerability if they are posting the (potential) exploits publicly.
@bagder if from is zero and to is 2^63, size should turn out to be zero. Curl won't download anything, afaict. Isn't this more of a bug than a vulnerability?
@CodingThunder correct. In the real world. Doom sayers will claim differently.
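The arithmetic argued over in the exchange above, as an added example that is not part of this thread and not curl's code: an inclusive byte range "from-to" has size to - from + 1, and at the top of a 64-bit signed offset the + 1 wraps. The function names below are made up for the illustration; the checked variant uses the GCC/Clang __builtin_*_overflow extension.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not curl's code: computing the size of an inclusive
 * byte range "from-to" as to - from + 1, with and without overflow checks.
 * Function names are made up for this example. */

/* Naive computation, done in unsigned arithmetic so the wraparound is
 * well-defined for the demonstration (a signed to - from + 1 would be
 * undefined behaviour on overflow). With from = 0 and to = INT64_MAX the
 * result is 2^63, i.e. 8192 PiB, which does not fit in a signed 64-bit
 * offset. */
uint64_t range_size_wrapping(int64_t from, int64_t to)
{
    return (uint64_t)to - (uint64_t)from + 1u;
}

/* Checked computation: returns the size, or -1 if the range is negative,
 * inverted, or too large to represent as int64_t. __builtin_sub_overflow and
 * __builtin_add_overflow are GCC/Clang extensions that report wraparound
 * instead of invoking undefined behaviour. */
int64_t range_size_checked(int64_t from, int64_t to)
{
    int64_t diff, size;
    if (from < 0 || to < from)
        return -1;
    /* to - from cannot overflow when 0 <= from <= to, but the + 1 can. */
    if (__builtin_sub_overflow(to, from, &diff))
        return -1;
    if (__builtin_add_overflow(diff, (int64_t)1, &size))
        return -1;
    return size;
}

int main(void)
{
    printf("0-99 checked:            %lld\n",
           (long long)range_size_checked(0, 99));
    printf("0-INT64_MAX wrapping:    %llu\n",
           (unsigned long long)range_size_wrapping(0, INT64_MAX));
    printf("0-INT64_MAX checked:     %lld\n",
           (long long)range_size_checked(0, INT64_MAX));
    return 0;
}
```

The checked variant rejects the 8 EiB case outright rather than letting a wrapped size propagate into later length or allocation logic; whether that is a bug or a vulnerability in a given program depends on what consumes the result.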
We'll probably need reporters to use foul language prohibited to AI models or their issues will be auto closed.
@bagder wget received a similar report: https://lists.gnu.org/archive/html/bug-wget/2024-02/msg00005.html
They are even referencing the issue they raised with curl.
@bagder see I wouldn't have given that account a chance - that's just a permaban
@bagder@mastodon.social the end is nigh
@bagder He’s doing the same thing at wget… what a brave new world
@bagder if you have 8192 petabyte sized files. Good last comment.
@bagder “8192 petabytes should be enough for everyone”
"I believe it is about 8192 petabytes"
wow xD
That said, I would not be /against/ the use of AI for this purpose, but not like this person did. It might be handy to spot oversights or really deeply buried stuff. But then it still needs to be checked and (in)validated by a human.
https://github.com/curl/curl/issues/12983#issuecomment-1962753276
@bagder I know people who rather say "fix this" than listen to reason.
@Naughtylus curious amount of hostility in the bug report. I haven't checked whether my filesystem would handle an 8 EB sized sparse file, but if so, it could be input to the code. And it seems to be still an overflow bug, whether meaningless or not. Fixing it probably would take 5 seconds, much less than those 15 comments on the issue.
IMO
@grin @Naughtylus look again, I provided a PR to fix it yesterday
@grin There is more at hand than just the overflow being pointed out.
Also, I don't remember interacting with you before. Please don't @ me on a post I only boosted.
@bagder I'm sorry this is the attention I got you by boosting this post, and also sorry for the noise. I salute your patience when dealing with all of this. Keep up the good work!
@Naughtylus "Also, I don't remember interacting with you before. "
Great! Now that's changed.
Also, thanks for "noise"ing me. Nice.
@bagder LangChain (framework to build complex LLM pipelines) has a ChatGPT-powered bot, which tries to help in open issues by generating walls of "helpful" text.
It's smart enough to even quote some related code from the repository, but...
...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all filled with walls of text. And knowing that this text is very probably bullshit, my brain automatically infiltrates it.
@bagder at least they admit it. Next is coming people who don't put that in. (or edit it out).
@bagder might be cheaper to just pay out some minimal amt (1 US cent) to AI submissions ... of course I jest.
@bagder but what if someone sends a file over 8192 petabytes in one chunk via cURL? Why is this case not covered????
/s