• esa@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      21 hours ago

      Hanlon’s razor seems to work well here. I wouldn’t be surprised if it were a mix of people who want some real or imagined benefit from bug reports without doing or understanding the work, and people who just think LLM output is gospel—a gospel that must be spread.

      • Nightwatch Admin@feddit.nl
        link
        fedilink
        English
        arrow-up
        10
        ·
        edit-2
        21 hours ago

        Agreed, but also: if it works and is merged, you get credited, and your Github account gets a better reputation. This makes it easier to deploy attacks like xz as you have a track record of merges.
        Also, plain vandalism, because people are like that.

        Edit: probably also bug bounty attempts. If you’ve ever been on the receiving side of a Responsible Disclosure program , you’ll know what I mean.

        Edit edit: it’s all in the article, darnit. Sorry.

        • ArbitraryValue@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          19 hours ago

          Edit edit: it’s all in the article, darnit. Sorry.

          It is? I must have missed it but I can’t find any discussion of motivation even on a second read-through.

          • Nightwatch Admin@feddit.nl
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            15 hours ago

            I meant it’s all about security vulnerability submissions, and although not explicit in the article, those submissions are therefore very likely

            • meant to up the reputation for xz-like attacks
            • meant to annoy/bully the devs
            • denial of service by delaying triage and therefore delaying creating patches
            • submitted by boatloads in the hope of cashing in on bug bounties
        • esa@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          19 hours ago

          Yeah, I’d count that credibility as a real benefit from helping with bugs.

          As far as xz scenarios go though, the AI slop seems to be a really bad strategy.

            • esa@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              2
              ·
              17 hours ago

              Yeah, I don’t disagree. And if you hit something small or relatively insignificant but common, that’s all you need

              • Nightwatch Admin@feddit.nl
                link
                fedilink
                English
                arrow-up
                1
                ·
                14 hours ago

                I ran an RD program years ago. Lots of bored and/or poor, greedy devs submitted metric shit tons of pseudo vulnerabilities (“if I do ctrl-u I can see source code on your web site!” No shit, Sherlock.). I can only imagine how much easier this has become with the help of generative ai…