I'm doing a keynote next month at an Open Source conference about AI (abuse) in #curl's security program etc. I could use your help:

1. Give me a clever title
2. What details would you like such a talk to contain?

Wow, thank you everyone. What a treasure trove of ideas and feedback!

Abstract:

In these days of "vibe coding" and chatbots, users ask AIs for help with everything. Asked to find security problems in Open Source projects, AI bots tell users something that sounds right. Reporting these "findings" wastes everyone's time and causes much frustration and fatigue. Daniel shows how this looks, how it DDoS projects and how totally beyond crazy stupid this is. With examples and insights from the #curl project.

----

Good enough maybe?

Title: AI slop attacks on the curl project

---

Contains "AI slop", mentions attack, includes curl.

No pun in there, but I also like this direct style.

Calling AI is too generous
And gives it more credence than it deserves
@bagder
@p it's not my term and I don't make the rules. When "everyone" calls it AI, I do it too so that we refer to the same concept. It doesn't imply there is any intelligence in there.
@bagder @p It could be in quotes... but putting it in quotes once again only makes sense to those who already oppose calling it AI.
@[email protected] @[email protected] @[email protected]
We do all this on Fedi among our folk, but here it's basically preaching to the choir. This keynote is to reach those who are currently optimistic about this stuff, so no derogatory terms should be used IMO, so no "slop", no quotes — maybe neutral terms instead, like LLMs or neural networks, neural-network-assisted coding 🤷

RBSG
Rapid Bullshit Generator tbh

@m0xEE

@[email protected]
True.
Actually, I think not LLMs, but neural networks in general could be useful for security audit and more broadly — advisory. But not code generation!
Because same as with big data — they are good at discovering patterns humans might fail to see due to complexity.
But of course these tools should be used by those who know both the craft and the particular code base — not by third-parties to submit "improvement requests". And if I got it right, that's exactly what is the problem here.

@[email protected] @[email protected]
@ozzelot @bagder @p That was an interesting perspective to me at first too because, well, we already had AI from like the 80s? And to me that concept was even further fetched because to me AI was as in Red Alert 2 AI? Or Age of Mythology AI? We've had AI in that blasted sense since forever. But the mainstream of course doesn't dabble in any of that, so to them this is novel and AI.
AI... maybe more like LLMs, would make more sense calling it.
@bagder AI slop curling: get your brooms ready!
@bagder Curl project inundated with tidal wave of AI?

@bagder
This damn AI slop!

Yuck, is all I say :-)

@bagder "how it DDoS projects" sounds a bit hard to read, but maybe that's just me.

Also, is it technically distributed? I'd say it's plain DoS, isn't it?

@brahms @bagder Many people using LLMs to analyse source code and filing (at best) misguided vulnerability reports for non-existing issues. Seems to fit "distributed" to me.
@brahms @bagder I fell over that one too, it's a noun not a verb. Though the distributed part makes sense IMHO; if it was just one source it would be easy to block. Perhaps something like "how it creates a DDoS on projects"?
@jelte @brahms @bagder My idea was "how it is a DDoS on projects" or even "that it is a DDoS on projects"

@bagder out of curiosity I asked Gemini "are there any code vulnerabilities in curl" and it gave me an answer that was basically

"yes, obviously, just like every other project, here's some of the most recent, make sure your software is up to date."

Makes me wonder what people ask the models and what models they use to make these reports.

@Solemarc they all can make up a plausible-sounding security report if you ask them. ChatGPT and Copilot are happy and eager to oblige.
@bagder I shudder to imagine AI with full access to backend systems; the risks are real, and deeply unsettling.