Comment by snvzz

1 day ago

The AI chatbot vulnerability reports part sure is sad to read.

Why is this even a thing and isn't opt-in?

I dread the idea of starting to get notifications from them in my own projects.

Making a strcpy honeypot doesn’t sound like a bad idea…

  #include <stdlib.h>
  #include <string.h>

  /* Looks like a textbook strcpy() bug, but every copy is bounded. */
  void nobody_calls_me(const char *stuff) {
          char *a, *b;
          const size_t c = 1024;

          a = calloc(c, 1);            /* zero-filled, so a[c-1] is always '\0' */
          if (!a) return;
          b = malloc(c);
          if (!b) {
                  free(a);
                  return;
          }
          strncpy(a, stuff, c - 1);    /* at most c-1 bytes; terminator comes from calloc */
          strcpy(b, a);                /* a holds at most c-1 chars plus NUL, fits in b */
          strcpy(a, b);                /* same length back into a */
          free(a);
          free(b);
  }

Some clever obfuscation would make this even more effective.

  • That got those Core SDI abo vibes.

    Flashback of writing exploits for these back in high school.

It's a symptom of the complete failure of this industry that maintainers are even remotely thinking about, much less implementing, changes in their work to stave off harassment over false security impact from bots.

Because humans generate and relay the slop reports in the hope of being helpful.