shot, chaser
@hailey so he did not, in fact, know what he was doing.
@gsuberland @hailey “the author of this library may possibly have been coding based on vibes as it turns out”

@s0 @gsuberland @hailey

He didn't know what he wasn't doing because knowing what he should have been doing made him think he knew what he was doing.

Why you would start a project with possibly error-riddled initial state and then iterate with possibly error-riddled improvements I don't know.

@SorceryForEva @s0 @gsuberland @hailey that's been my biggest objection to using AI as a coding agent for quite a while now.

Personally, I find writing my own code easier and less stressful than debugging others' code.

Similarly, I'd MUCH rather drive my own (sigh) Tesla than "supervise" the idiot Autopilot driving my (sigh) Tesla.

@jimsalter @SorceryForEva @s0 @gsuberland @hailey It hits the deeper problem that humans are much better at recognizing wrong things in front of us than we are at recognizing that something is missing. LLMs don't create that problem but they're a catalyst for hitting it more since they often exude confidence and don't leave the same tells as a human in over their head might leave.
@gsuberland @hailey i recognise the name and i guess we could say "he knew what he wasn't doing"
@hailey i don't mind the job security but there probably should be a company policy to not utilize LLM-generated code in the first place
@hailey at least the author admitted that he fucked up lmao
@ity @hailey so best, best, unrealistically best case scenario, the AI more or less mostly works when under the micromanagement of the kind of person who is willing to publicly admit their own mistakes...
@hailey lol this is what you get when you use ai

@hailey

I don't know, I am trying to avoid "AI" as much as i can...
But if I have to check EACH line, why not write EACH line - then I'll know what each line does instead of guessing it.🤔

@FandaSin @hailey This. There is something very different about being inside the thought process of writing something, as opposed to just reading the code. PRs suck for spotting things that someone (or an AI) missed out, it’s like you are just coming at it from the wrong angle.

@Frantasaur

As someone who reviews code from time to time I must say...Yes, it's completely different. (to think as someone else is hard)

I think the angle they are coming at it from is "I would love to fire all expensive programmers/writers/people who can create stuff" and pay a few dollars for "AI".

@hailey

@FandaSin @hailey They clearly didn’t listen to Fred Brooks when he said there is no silver bullet.
It’s funny how many Fred Brooks quotes apply to AI, actually.
@FandaSin @hailey 💯 Never understood the attraction of "This will get you something that superficially looks mostly OK, then you just need a subject matter expert to analyze literally every single thing it did"
@hailey Ask an AI to play stupid games. And strangely it's not the AI that wins stupid prizes.

@s0 @stibbons @hailey

Who knew this would become deeply profound 1200% accurate primary foundational advice for the whole spectrum of human experience and life in 2025 🤷

@hailey @dalias

“But all the tests pass!!”

@inthehands @hailey @dalias Ah, but who wrote the tests? 🤔

@erik @hailey @dalias

Doesn’t matter, you just have to write good tests to test the test-writer, •then• everything is guaranteed correct

@inthehands @erik @hailey @dalias "you just" could solve a lot of problems, unfortunately no-one "just"

@brezelradar
Indeed, though in this case, “you just” is a joke; it very much cannot solve the problem. The post is satire of people who think that tests guarantee code correctness.

It’s analogous to saying you can make a turtle fly by putting it on the back of another turtle that can already fly. “And how does •that• turtle fly?” “It’s turtles all the way down!”

@inthehands I see. 😀👍

My irony/satire/sarcasm detector is kinda on the fritz since around 2019 when all those lunatics went totally bonkers.

> It’s analogous to saying you can make a turtle fly by putting it on the back of another turtle that can already fly. “And how does •that• turtle fly?” “It’s turtles all the way down!”

That's how recursion works, right? Or was it induction 🤔

@brezelradar
Induction! If you decide you don’t need a base case, then with induction you can prove anything!

@hailey This sounds like a case of "just because everything in the code matches the specification, that does not imply that the code correctly implements the specification".

Can't merely cross-reference the actual code with the spec. Also needs to make sure that every requirement in the spec has code!

Which of course is a mistake you can make also *without* generative AI. But I'm sure the generative AI helped out here... /s

🤦‍♂️

@mkj @hailey Some specs could really use a good dose of "everything should be made as simple as possible"

But some implementations really need to remember why the second half of that line is "but not simpler".

@fuzzyfuzzyfungus Oh, certainly! But if your claim to fame, as the case might be, is that everything in the code maps to something in the relevant standard, you've still got some distance to go. 🙂

@hailey

@hailey astounding. I can in fact keep hating on cloudflare and be totally justified.
@hailey let’s be clear: this is 100% the kind of thing that happens when we do a full rewrite. It’s just that LLMs make doing a full rewrite much less expensive, so people are going to do it more often.

@unsaturated @hailey The part that is slightly surprising is that this happened despite the claim that "I was trying to validate my skepticism".

It's not like the red team gets a magic bonus to competence; but wanting to find fault should, at least, make you less likely to be misled by something looking pretty competent overall; where someone who is basically skimming to see if the new guy is a loser or not would be more likely to see that it's basically workmanlike and relax.

@hailey “the code actually looked pretty good;” therefore, it must be correct—I trust it. Nice…
@hailey smh I'd thought Kenton was smarter than that. Sad
Wait a minute. How did this happen? We’re smarter than this. Apparently Not

@hailey code review is harder than code authoring
@hailey In general I concur that LLMs are not how we're going to be writing code in the next N years, but in defense of the library and its author, OAuth is a hot mess of a spec and it's an easy mistake to make even if you're hand-coding the thing.
@hailey @mike Malicious URIs go brrrr
@hailey this is delightful i love watching ai people eat shit
@hailey sadtrombone.xlsx
@hailey I hope we dunk on humans who make this same type of mistake with equal fervor
@hailey I have been off coding for many years. How do you code securely wrt the RFC? Do RFCs nowadays usually have a section on how to securely implement things that are known to be exploitable, like in this case? I can't recall seeing anything of the sort in most protocol RFCs (only because I never had to implement them).
@splinux @hailey I mean, something that very straightforwardly has security implications, like an authorization framework, absolutely: https://datatracker.ietf.org/doc/html/rfc6749#section-10.15
RFC 6749: The OAuth 2.0 Authorization Framework

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]

IETF Datatracker
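Section 10.15 of the RFC linked above is about open redirectors. As an added illustration (not code from this thread or from the library being discussed), this is redirect_uri validation done the way §3.1.2 and §10.15 call for, exact matching against what the client registered, with the weak prefix-matching pattern beside it for contrast. The client ids, URIs and function names are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed client registry (hypothetical): client_id -> registered redirect URIs.
REGISTERED = {
    "client-a": {"https://app.example.com/cb", "https://app.example.com/cb2"},
    "client-b": {"https://one.example.org/callback"},
}

def naive_prefix_check(client_id: str, redirect_uri: str) -> bool:
    """The weak version: accepts any URI that merely starts with a registered one.
    Shown only as a contrast; this is the pattern RFC 6749 §10.15 warns against."""
    return any(redirect_uri.startswith(u) for u in REGISTERED.get(client_id, ()))

def validate_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> str:
    """Return the redirect URI to send the user back to, or raise ValueError.

    RFC 6749 §3.1.2: the URI must be absolute and carry no fragment; §3.1.2.3
    requires an exact string match with a registered URI (no prefix matching).
    If the client registered exactly one URI it may omit the parameter.
    """
    uris = REGISTERED.get(client_id)
    if not uris:
        raise ValueError("unknown client_id")
    if redirect_uri is None:
        if len(uris) == 1:
            return next(iter(uris))
        raise ValueError("redirect_uri is required for this client")
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute URI")
    if "#" in redirect_uri:
        raise ValueError("redirect_uri must not include a fragment component")
    if redirect_uri not in uris:        # exact match, never startswith()
        raise ValueError("redirect_uri does not match a registered URI")
    return redirect_uri

def is_accepted(client_id: str, redirect_uri: Optional[str]) -> bool:
    """Convenience wrapper: True if the strict check accepts the request."""
    try:
        validate_redirect_uri(client_id, redirect_uri)
        return True
    except ValueError:
        return False
```

The point of the contrast is that a path like `/cb/../elsewhere` passes the prefix check but not the exact match; the RFC's rule leaves no room for such near-misses.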
@splinux @hailey but also, like it's no sweat to also go see what OWASP has to say about it https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet.html
OAuth2 - OWASP Cheat Sheet Series

Website with the collection of all the cheat sheets of the project.

@splinux @hailey most protocols are specified in an amorphous bundle of different RFCs, some of which are mandatory, some are options that must be implemented as written if adopted, and others are entirely advisory.

I haven't looked at any oauth RFCs in a long time, but I recall requirements along the lines of, "do this specific thing this specific way or else" being relatively common.

@hailey is it just me or is the highlighted sentence a really weird thing to write, even under the circumstances?
@hailey like it kind of goes without saying that somebody could miss something for reasons other than that they've never heard of the concept before; why does somebody decide this belongs in the literal description of a CVE

@rakslice @hailey

Perhaps simply as a warning to the others who may follow in his footsteps.

@rakslice @hailey It's psychology. If you feel shame for something you did, you try to hide it. One common way is to claim exactly the opposite of what you did. But this often just attracts attention to the fact you are trying to hide. Been there, done that.
🤷
@hailey Can't review code that is missing lol
@hailey with such a vibe in the readme the vibed code might not resist the real life vibrations