this post was submitted on 24 Dec 2024
Hacker News
[–] nightwatch_admin@feddit.nl 10 points 2 days ago* (last edited 2 days ago) (2 children)

Agreed, but also: if it works and is merged, you get credited, and your Github account gets a better reputation. This makes it easier to deploy attacks like xz as you have a track record of merges.
Also, plain vandalism, because people are like that.

Edit: probably also bug bounty attempts. If you’ve ever been on the receiving side of a Responsible Disclosure program, you’ll know what I mean.

Edit edit: it’s all in the article, darnit. Sorry.

[–] ArbitraryValue@sh.itjust.works 2 points 1 day ago (1 children)

Edit edit: it’s all in the article, darnit. Sorry.

It is? I must have missed it but I can't find any discussion of motivation even on a second read-through.

[–] nightwatch_admin@feddit.nl 1 points 1 day ago* (last edited 1 day ago)

I meant it’s all about security vulnerability submissions, and although not explicit in the article, those submissions are therefore very likely

  • meant to up the reputation for xz-like attacks
  • meant to annoy/bully the devs
  • denial of service by delaying triage and therefore delaying creating patches
  • submitted by boatloads in the hope of cashing in on bug bounties
[–] syklemil@discuss.tchncs.de 1 points 1 day ago (1 children)

Yeah, I'd count that credibility as a real benefit from helping with bugs.

As far as xz scenarios go though, the AI slop seems to be a really bad strategy.

[–] nightwatch_admin@feddit.nl 2 points 1 day ago (1 children)

I agree, it isn’t a great tactic, but with enough attempts you’ll probably hit a few times.

[–] syklemil@discuss.tchncs.de 2 points 1 day ago (1 children)

Yeah, I don't disagree. And if you hit something small or relatively insignificant but common, that's all you need.

[–] nightwatch_admin@feddit.nl 1 points 1 day ago

I ran an RD program years ago. Lots of bored and/or poor, greedy devs submitted metric shit tons of pseudo vulnerabilities (“if I do ctrl-u I can see source code on your web site!” No shit, Sherlock.). I can only imagine how much easier this has become with the help of generative ai…