There are virtually **no** AI slop security reports submitted about #curl anymore. They don't seem to happen any longer.

Almost everyone still uses AI though.

@bagder is that because you quit h1? or people finally gave up trying?
@Viss we went back to h1. I think primarily because the AI tooling got a lot better.
@bagder oh! interesting! did h1 implement any guard rails at all since or did they mention anything to you? i wager a torrrent of negative press about how they just let slop reports through probably put a dent in their revenue stream
@Viss they've done some minor tweaks, but I can't see how anything they've done is any factor here
@bagder iiiiiinteresting!

@Viss @bagder

LLMs are shockingly good at finding security vulnerabilities now

The reports they write are a bit meh, and coordination is still hard

@joshbressers @bagder i have a buuuuuunch of research i'm working on, and the title of the talk is 'claude is your insider threat now'. fingers crossed securityfest and sec-t let me in :D

@Viss @bagder

I will note though, I haven't seen the exploit prices come down yet

It's possible the markets haven't caught up, or it's bad at finding the really juicy stuff

I admit I haven't seen it find anything SUPER impressive yet

@joshbressers @bagder llms are at 'bad adhd intern levels now', it feels like, versus hallucinatory and outright intentional disinformation
@joshbressers @Viss @bagder It's a lot about edge cases in API use and things involving 'malicious servers' - which... yeah, it's security, but...
@joshbressers @Viss @bagder LLMs have been used to find security issues with a lot of success, though usually they're used more like static analyzers: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/
@mahid @joshbressers @bagder even still, if the human driving the thing around is a ponce and doesn't know shit, that's how you get slop into security reports. llms will happily give you "code that compiles", but is thousands of times less efficient than human code, and often made of elegantly construed bullshit - so unless there's an expert at the helm, shit goes bad fast.