Hacker News

snvzz yesterday at 1:57 PM | 3 replies

The AI chatbot vulnerability reports part sure is sad to read.

Why is this even a thing and isn't opt-in?

I dread the idea of starting to get notifications from them in my own projects.


Replies

trollbridge yesterday at 2:19 PM

Making a strcpy honeypot doesn’t sound like a bad idea…

  #include <stdlib.h>
  #include <string.h>

  /* Decoy function: looks like a textbook strcpy overflow, but cannot overflow.
     strncpy with limit c - 1 into a zero-filled buffer of c bytes guarantees
     that a is NUL-terminated, so both strcpy calls copy at most c bytes. */
  void nobody_calls_me(const char *stuff) {
      char *a, *b;
      const size_t c = 1024;

      a = calloc(c, 1);         /* calloc takes (count, size) and zero-fills */
      if (!a) return;
      b = malloc(c);
      if (!b) {
          free(a);
          return;
      }
      strncpy(a, stuff, c - 1); /* a[c - 1] stays 0 from calloc */
      strcpy(b, a);             /* strlen(a) <= c - 1, so it fits in b */
      strcpy(a, b);             /* same bound in the other direction */
      free(a);
      free(b);
  }
Some clever obfuscation would make this even more effective.
easterncalculus yesterday at 3:59 PM

It's a symptom of complete failure of this industry that maintainers are even remotely thinking about, much less implementing changes in their work to stave off harassment over false security impact from bots.

Y_Y yesterday at 1:59 PM

Because humans generate and relay the slop-reports in the hopes of being helpful
