Today, we're launching SlopStop: Community-driven AI slop detection in Kagi Search.
Join our collective defense against AI-generated spam and content farms:
#curl gets some of the worst #AIslop "vulnerabilities" reported to it via Hackerone: Here we have a fake 90s exploit assuming executable stack and x86 arch. Someone seriously passing this as their own research is stupid beyond belief.
Discovery Method Step 1: Initial Security Scan
```
# Find all files using dangerous string functions
find src/ -name "*.c" -exec grep -l "strcpy\|strcat\|sprintf\|gets" {} \;
# OUTPUT:
#...
```
HackerOne
Whenever you think @mozilla could not get lost any further, Hiob has got news for you:
#Firefox „now lets you access Microsoft #Copilot from the sidebar”
🤡🗑️🔥
ghacks.net/2025/09/05/firefox-…
Mozilla is testing a new feature in Firefox Nightly, which adds Microsoft Copilot to the sidebar. Cue the pitchforks! That gecko's up to something. Firefox already has 4 chatbots: Anthropic Claude, […] Ashwin (Ghacks Technology News)
(stolen aislop and reposted with alt-text)
#zoom #doom #meetings #AnotherMeetingThatCouldHaveBeenAnEmail #MeetingHell #HellIsOtherPeople #aislop
🚨 Keynote Announcement 🚨 - We are excited to announce our first keynote for the 20th FrOSCon presented by Daniel Stenberg
AI slop attacks on the curl project
Full abstract here programm.froscon.org/froscon20…
Further information at froscon.org
This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refers to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.
An expert’s look at the report shows the number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.
The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.
Why didn't it work against the curl project? The attacker miscalculated badly. The curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.
Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?
Because apparently it works: hackerone.com/evilginx/hacktiv…
It seems that some projects pay bounties for such AI Slop reports.
I don't know if y'all can access this story, but @404mediaco has a piece that I helped with. It is:
"AI Comes for a Centuries-Old Craft" and the proliferation of #AIslop beginner books. Preying on beginners who don't know what's real or not is loathsome, and underway.
#BobbinLace #NeedleLace #tatting #lacemaking
404media.co/email/623759d6-610…
AI infiltrates the lace-making community. Samantha Cole (404 Media)