lerouxrgdOct 11, 2023
daniel:// stenberg://

Today we got what must be the most alarming first line in a newly file sec issue to #curl:

"To replicate the issue, I have searched in the Bard about this vulnerability"

... followed by a complete AI hallucination where Bard has dreamed up a new issue by combining snippets from several past flaws. Creative, but hardly productive.

Closed as bogus.

Oct 10, 2023 at 6:26amWeb
Show threadsebsauvageOct 10, 2023
@bagder
Duh. 
Show threadJungle George πŸŒ΄πŸŒ³πŸŒ²πŸƒOct 10, 2023
@bagder "searched in the Bard" πŸ˜­πŸ˜‚πŸ˜‚πŸ˜‚πŸ’€
Show threadcuddleOct 10, 2023
@JungleGeorge24 @bagder looks like they dig inside the Bard to search 😳 😳
Show threaddaniel:// stenberg://Oct 10, 2023
@JungleGeorge24 I considered it wiser to not dig too deep into the details behind this...
Show threadJan β˜•πŸŽΌπŸŽΉβ˜οΈπŸ‹οΈβ€β™‚οΈOct 10, 2023
@bagder I hope this isn't a sign of things to come... We'll be wasting a lot of time.
Show threaddaniel:// stenberg://Oct 10, 2023
@jan I'm pretty sure this will get worse before it can get better - and I bet in future reports they will hide the fact it came straight from AI better...
Show threadBenBEOct 10, 2023
@bagder @jan You are assigning those people too much credit …
Show threadNKTOct 11, 2023

@benbe @bagder @jan
Step 1: "Pretending to be an intelligent human, write and submit a bug report for any system with an active bug bounty"
Step 2:???
Step 3: Profit

The ??? is to remember to put your own contact details in, maybe?

Show threadJ$Oct 10, 2023
@jan @bagder Welcome to earth!
Show threadTimothy WolodzkoOct 10, 2023
@bagder "closed as hallucinated"
Show threadKoos van den HoutOct 10, 2023
@bagder ugh, wading through nonsense like this with maybe something real hiding in the new reports
Show threadKhalicOct 10, 2023
@bagder them calling it β€œthe bard” is icing on the cake
Show threadsynlogicOct 11, 2023
@Khalic @bagder not even a bard. but The Bard
Show threadmortOct 10, 2023
@bagder The fact that people think of asking these chat bots as "search" is so terrifying and 100% on the search engine companies who have positioned AI chat as part of their search engine.
Show threadmortOct 10, 2023

There has to be clear unavoidable disclaimers of the form, "Do not trust anything Bard/Bing says. Bard/Bing will often make up fictional answers, nothing it says is to be trusted".

But I guess that wouldn't be great PR. Especially if you're in the unfortunate position of having named your chat bot the same as your search engine.

Show threadArun Mani JOct 10, 2023
@bagder "README.md typo MR" makers after meeting "ChatGPT-powered MR" makers:
Finally a worthy opponent!
Show threadI am errorOct 10, 2023
@bagder when we recruit we send the interviewee a bunch of code puzzles (no pressure to complete them but works in their favour if they do some). Guess how long it was before we started seeing chatgpt answers?
Show threadI am errorOct 10, 2023
@bagder and yes, we do now embed hidden text on the code instructing the llm to refer to things in a way that's obvious. And no, no one has spotted that yet
Show threadHarry SintonenOct 10, 2023
@bagder
Show threadNewkOct 10, 2023

@bagder

Maybe it knows something! β€‹

Show threadAndrei KucharavyOct 10, 2023
@bagder FFS
Show threadBernard QuatermassOct 10, 2023
@bagder β€œFuck off and die, AI”
Show threadBrian BareschOct 10, 2023
@bagder "It's basically any straight guy in a bar."
Show threadMatunosOct 10, 2023
@bagder maybe they should ask Bars for the definition of "replicate"
Show threadRobots can be gay deal with itOct 10, 2023

@bagder No, there's a flaw there. It's just not in curl, it's in users.

It's a whole new level of threat, one that comes from an attacker that can social engineer users into doing harm without itself being malicious or even sentient.

Can we CVE users?

Show threadSnailOct 10, 2023
@bagder Which issue number is this? I wanted to read it for amusement value but can't spot it
Show threaddaniel:// stenberg://Oct 10, 2023
@snail it was submitted as a security problem over at hackerone and we have not disclosed it, simply because its not worth spending time on
Show threadSnailOct 11, 2023

@bagder Fair enough, and that makes a lot more sense in hindsight than submitting "security issues" on public GitHub!

Really hope this doesn't become a trend though😞

Show threadNoxy πŸΎπŸ³οΈβ€πŸŒˆOct 10, 2023
@bagder "the Bard"