You did this with an AI and you do not understand what you're doing here (hackerone.com)

To be honest, I do not understand this new norm. A few months ago I applied to an internal position. I was a NGO IT worker, deployed twice to emergency response operations, knew the policies & operations and had good relations with users and coworkers.

The interview went well. I was honest. When asked what my weakness regarding this position I told that I am a good analyst but when it comes to writing new exploits, that's beyond my expertise. The role doesn't have this as a requirement so I thought it was a good answer.

I was not selected. Instead they selected a guy and then booted him off after 2 months due to his excessive (and non-correct like the link) use of LLM and did not open the position again.

So in addition to wasting the hirers' time those nice people block other people's progress as well. But, as long as the hirers expect wunderkinds crawling out of the woods the applicants try to fake it and win in the short term.

This needs to end but I don't see any progress towards it. This is especially painful as I am seeking a job at the moment and thinking these fakers are muddying the waters. It feels like no one cares about your attitude - like how geniunely you want to work. I am an old techie and the world I was in valued this rather than technical aptitude for you can teach/learn technical information but character is another thing. This gets lost in our brave new cyberpunk without the cool gadgets era I believe.

I once had a conversation with a potential co-founder who literally told me he was pasting my responses into AI to try to catch up.

Then a few months later, another nontechnical CEO did the same thing, after moving our conversation from SMS into email where it was very clear he was using AI.

These are CEOs who have raised $1M+ pre-seed.

I watched someone do this during an interview.

They were literally copy and pasting back and forth the LLM. In front of the interviewers! (myself and another co-worker)

https://news.ycombinator.com/item?id=44985254

Just try to challenge and mentor people on not using it because it’s incapable of the job and wasting all our time when the mandate from down high is to use more of it.

This resonates a lot with some observations I drafted last week about "AI Slop" at the workplace.

Overall, people are making a net-negative contribution by not having a sense of when to review/filter the responses generated by AI tools, because either (i) someone else is required to make that additional effort, or (ii) the problem is not solved properly.

This sounds similar to a few patterns I noted

- The average length of documents and emails has increased.

- Not alarmingly so, but people have started writing Slack/Teams responses with LLMs. (and it’s not just to fix the grammar.)

- Many discussions and brainstorms now start with a meeting summary or transcript, which often goes through multiple rounds of information loss as it’s summarized and re-expanded by different stakeholders. [arXiv:2509.04438, arXiv:2401.16475]

If seen more than one post on reddit being answered by a screenshot of a chatgpt mobile app including OP's question and the llm's answer

Imagine the amount of energy and compute power used...

I like the term "echoborg" for those people: https://en.wikipedia.org/wiki/Echoborg

> An echoborg is a person whose words and actions are determined, in whole or in part, by an artificial intelligence (AI).

I've seen people who can barely manage to think on their own anymore and pull out their phone to ask it even relatively basic questions. Seems almost like an addiction for some.

For all we know, there's no human in the loop here. Could just be an agent configured with tools to spin up and operate Hacker One accounts in a continuous loop.

This has been a norm on Hacker One for over a decade.

Ha! We've become the robots!

We're that for genes, if you trust positivist materialism. (Recently it's also been forced to permit the existence of memes.)

If that's all which is expected of a person - to be a copypastebot for vast forces beyond one's ken - why fault that person for choosing easy over hard? Because you're mad at them for being shit at the craft you've lovingly honed? They don't really know why they're there in the first place.

If one sets a different bar with one's expectations of people, one ought to at least clearly make the case for what exactly it is. And even then the bots have made it quite clear that such things are largely matters of personal conviction, and as such are not permitted much resonance.

I don't think there are humans involved. I've now seen countless PRs to some repos I maintain that claim to be fixing non-existent bugs, or just fixing typos. One that I got recently didn't even correctly balanced the parenthesis in the code, ugh.

I call this technique: "sprAI and prAI".

The future of everything with a text entry box is AIs shoveling plausible looking nonsense into it. This will result in a rise of paranoia, pre-verification hoops, Cloudflare like agent-blocking, and communities "going dark" or closed to new entrants who have not been verified in person somewhere.

(The CVE system has been under strain for Linux: https://www.heise.de/en/news/Linux-Criticism-reasons-and-con... )

Don't need a human until someone is ready to pay a bounty!

I think you might be onto something-- perhaps something from the first sentence of the post to which you are replying.

Faking grammar mistakes is the new meta of proving that you wrote something yourself.

Or faking generated content into real one.

I have a long-running interest in NLP, LLMs basically solved or almost solved a lot of NLP problems.

The usefulness of LLMs for me, in the end, is their ability to execute classic NLP tasks, so I can incorporate a call for them in programs to do useful stuff that would be hard to do otherwise when dealing with natural language.

But, a lot of times, people try to make LLMs do things that they can only simulate doing, or doing by analogy. And this is where things start getting hairy. When people start believing LLMs can do things they can't do really.

Ask an LLM to extract features from a bunch of natural language inputs, and probably it will do a pretty good job in most domains, as long as you're not doing anything exotic and novel enough to not being sufficiently represented in the training data. It will be able to output a nice JSON with nice values for those features, and it will be mostly correct. It will be great for aggregate use, but a bit riskier for you to depend on the LLM evaluation for individual instances.

But then, people ignore this, and start asking on their prompts for the LLM to add to their output confidence scores. Well. LLMs CAN'T TRULY EVALUATE the fitness of their output for any imaginable criteria, at least not with the kind of precision a numeric score implies. They absolutely can't do it by themselves, even if sometimes they seem to be able to. If you need to trust it, you'd better have some external mechanism to validate it.

So basically a hundred billion dollar industry for just spam and fraud. Truly amazing technological progress.

You don't spot the ones you don't spot

AI's other acronym...

Probably yes, but not as smooth and eloquent as the AI they use.

The username sounds Turkish. Make what you will of it.

You dont even have to instruct it for emojis, it does it on its own. printf with emoji is an instant red flag

It loves to put emojis in print statements, it's usually a red flag for me that something is written by AI.

What was it with em dash?

Some people actually do that on Github too. Absolute psychopaths.

Who was likely to start it and for what purpose?

The rationale is that the AI companies are selling the shovels to both generate this pile as well as the ones we'll need to clean it up.

And on externalizing costs - the actual humans who have to respond to bad vulnerability report spam.

If it's an individual, it could be as simple as portfolio cred ('look, I found and helped fix a security flaw in this program that's on millions of devices ')

I really loved how easy MacOS made these (option+hypen for en, with shift for em), so I used to use them all the time. I'm a bit miffed by good typography now being an AI smell.

Just because you don’t, doesn’t mean other people don’t. Plenty of real humans use emdash. You probably don’t realise that on some platforms it’s easy to type an emdash.

And where did you suppose AIs learned this, if not from us?

Turns out lots of us use dashes — and semicolons! And the word “the”! — and we’re going to stuff just because others don’t like punctuation.

The AI is trained on human input. It uses the dash because humans did.

Or at least not anymore since this became the number 1 sign whether a text was written with AI. Which is a bit sad imo.

I do all the time, but might have to stop. Same with `…`.

That got a giggle out of me. Not entirely relevant but AI tends to be overzealous in its use of emojis and punctuation, in a way people almost never do (too cumbersome on desktop where majority of typing work is done)

https://www.scottsmitelli.com/articles/em-dash-tool/

Academia certainly does, although, humorously, we also have professors making the same proclamation you do, while while en or em dashes in their syllabi.

I started using hyphens a few years ago. But now I had to stop, because AI ruined it :(

Keep in mind that now that people know what to pay attention to: em-dash, emojis, etc. they will instruct the LLM to not use that, so yeah.

Two dashes on the Mac or iOS do it unless you explicitly disable it, I think.

I absolutely bloody do -- though more commonly as a double dash when not at the keyboard -- and I'm so mad it was cargo-culted into the slop machines as a superficial signifier of literacy.

I used to.

"Progressive compilation" would be more fun: The compiler has a candidate output ready at all times, starting from a random program that progressively gets refined into what the source code says. Like progressive JPEG.

Best I can do is a system that gives you a random answer no matter how much time you give it.

This might be a similar but possibly more sensible approach? -> https://en.wikipedia.org/wiki/Anytime_algorithm

When you get the wrong answer you can just say 'ah yes, the halting problem'

You should send a pull request to DreamBerd/Gulf of Mexico[0], it's surely the only language that can handle it properly!

[0]https://github.com/TodePond/GulfOfMexico

Soft real time systems often work like that. "Can't complete in time, best I can do is X".

AIighT

Good teacher. He really seems to care.

About what, I have no idea.

Prove to me that it's not perfectly random.

It’s better with the comment

https://xkcd.com/221/

> If you're using AI, you need to be that human, because as soon as you create a PR / hackerone report, it should stop being the AI's PR/report, it should be yours. That means the responsibility for parsing and validating it is on you.

And then add to that the pressure to majorly increase velocity and productivity with LLMs, that becomes less practical. Humans get squeezed and reduced to being fall guys for when the LLM screws up.

Also, Humans are just not suited to be the monitoring/sanity check layer for automation. It doesn't work for self-driving cars (because no one has that level of vigilance for passive monitoring), and it doesn't work well for many other kinds of output like code (because often it's a lot harder to reverse-engineer understanding from a review than to do it yourself).

>but there needs to be a human in the loop.

More than that - there needs to be a competent human in the loop.

We've going from being writers to editors: a particular human must still ultimately be responsible for signing off on their work, regardless of how it was put together.

This is also why you don't have your devs do QA. Someone has to be responsible for, and focused specifically on quality; otherwise responsibility will be dissolved among pointing fingers.

You joke, but some companies are pushing this idea unironically by putting "use AI to expand a short message into a bloated mess" and "use AI to turn a bloated mess into a brief summary" into both sides of the same product. Good job everyone, we've invented the opposite of data compression.

Two economists are walking in a forest when they come across a pile of shit. The first economist says to the other “I’ll pay you $100 to eat that pile of shit.” The second economist takes the $100 and eats the pile of shit.

They continue walking until they come across a second pile of shit. The second economist turns to the first and says “I’ll pay you $100 to eat that pile of shit.” The first economist takes the $100 and eats a pile of shit.

Walking a little more, the first economist looks at the second and says, "You know, I gave you $100 to eat shit, then you gave me back the same $100 to eat shit. I can't help but feel like we both just ate shit for nothing."

"That's not true", responded the second economist. "We increased the GDP by $200!"

I invented a new technique that cuts down on the AI bill. I call it "just send me the prompt": https://blog.gpkb.org/posts/just-send-me-the-prompt/

that's still a huge waste of time and resources. Rather, Daniel has focused on promoting good use of AI that has yielded good results for curl: https://mastodon.social/@bagder/115241241075258997 https://joshua.hu/llm-engineer-review-sast-security-ai-tools...

And then alien civilization will wonder how humans went extinct.

Isn’t curl open source? I was under the impression that they are all working volunteer. This isn’t a net positive. It will burn out the good willed programmers and be a net negative on OSS.

Do you mean bash.org?

I've never heard of base.org so if I'm thinking of the wrong thing, please let me know

bagder is both extremely grumpy about the state of it and fascinatingly patient.

He's like 80% wise old barn owl.

I think you're veering too far into politics on what was originally not a very political OP/thread, but I'll indulge you a tiny bit and also try to bring the thread back to the original theme.

You said a lot of words that I basically boil down to a thesis of, the value of "truth" is being diluted in real-time across our society (with flood-the-zone kinds of strategies), and there are powerful vested interested who benefit from such a dilution. When I say powerful interests, I don't meant to imply Illuminati and Freemasons and massive conspiracies -- Trump is just some angry senile fool with a nuclear football, who as you said has learned to reflexively use "AI" as the new "fake news" retort to information he doesn't like / wishes weren't true. But corporations also benefit.

Google benefited tremendously from inserting itself into everyone's search habits, and squeezed some (a lot of) ad money out of being your gatekeeper to information. The new crop of AI companies (and Google and Meta and the old generation too) want to do the same thing again, but this time there's a twist -- whereas before the search+ads business could spam you with low-quality results (in proto-form, starting as the popup ads of yesteryear), but it didn't necessarily directly try to attack your view of "truth". In the future, you may search for a product you want to buy, and instead of serving you ads related to that product, you may be served disinformation to sway your view of what is "true".

And sure negative advertising always existed (one company bad-mouthing another competitor's products), but those things took time and effort/resources, and also once upon a time we had such things as truth-in-advertising laws and libel laws but those concepts seem quaint and unlikely to be enforced/supported by this administration in the US. What AI enables is "zero marginal cost" scaling of disinformation and reality distortion, and in a world where "truth" erodes, instead of there being a market incentive for someone to profit off of being more truth-y than other market participants, on the contrary I would except that the oligopolistic world we live in would conclude that devaluaing truth is more profitable for all parties (a sort of implicit collusion or cartel-like effect, with companies controlling the flow of truth, like OPEC controlling their flow of oil).

HN is so outdated! Let's rewrite this old legacy code in React to make it modern!

One issue is who pays the processing fees for the deposit & refund transactions. HackerOne could work around that issue by copying the practices of video game "microtransaction" payments: sell "report points packs", say 2500 points for $25 minimum in a pack. User needs to deposit 100 points to report, for each report they open. If the report is accepted they get their 100 points back, if not they lose their 100 points. If they want to open more than 25 reports at once they need more points packs. The $25 pack is non-refundable, so there's no added transaction fee for the refund.

I can afford it but I would never spend money to submit a vulnerability report. I'd need to be reporting dozens of vulnerabilities on a single site like hackerone to work up the motivation to plug in payment details and risk having them leaked/stolen in order to do someone else's work for them.

I'd sooner click sponsor for the cURL project on github (something I already do for some OSS I use) than spend money to report a bug.

Exactly my thoughts.

I’d love to have this for phone calls and sms as well. If you didn’t spam me, I’ll refund.

That or the dark vuln market will find a way to vet bugs and pay out faster and easier than the actual project.

Reducing waste, fraud, and abuse is always only one side of the story. I agree it would have false negative impact (someone does not submit a good report that otherwise would have), but I don't think that instantly makes it a horrible idea. I think the net effect would have to be studied, but I highly doubt all true postive reports would become false negatives. The goal is reducing false positives, so it is going to be a tradeoff and you'd need specific numbers to conclude anything.

Do you really think it is a horrible idea? That is just so harsh of a label.

Are spelling correction PRs not welcome? I'd never put it on a résumé but if I'm following a README and I see a typo, I'll generally open a quick PR to fix that. (no automated tools, not scanning for typos, just a human reading a README).

https://knowyourmeme.com/photos/2054961-welcome-to-my-meme-p...

> they always let slip in just a hint of human drama

I haven't seen this so it's hard to visualize, but that seems potentially kind of tricky to do via AI. Is it actually tricky, are they donw in a way where AI could conceivably do it on its own, or are those hints easy to drop in without disturbing the bulk of the slop?

Wife is a high school history teacher - she would have to flunk 75% of her students. That is after proving they used AI, which would be extremely time consuming. Its very demoralizing for her, she has to spend a lot of time reading written essays generated by AI.

I think given time educators will adapt. Unless they get burnt out first. She could also just not give a shit and they let go on to be some college professor's problem, who could also not give a shit, and then they become our problem when they enter the workforce.

This is why in person tests are given and bad grades as a result as part of the student feedback performance improvement loop. Maybe with AI as a new interloper we need to decrease "report card" times to 3 weeks (it was 9 weeks in my day) so that students have some shortened loop time with parental unit reviews to help straighten out issues before they become real problems.

I mentioned it already, my sister resigned from her tenure track position due to a fight over this. She was strict, students reported her, faculty wouldn't assign her choice course, she resigned after one and a half year.

Because the US is assbackwards when it comes to education since the NCLB basically forces schools to make up metrics to prevent everyone losing their job through closure.

Because a teachers job is to make sure N% of the class passes as much as it is to teach. If you fail have the class, you have failed as a teacher because the administration will get parents coming in. If you force your class to do assignments by hand, especially in younger grades, more will fail, and you will be blamed and fired.

Because 1) you often can't prove it, and 2) there often isn't support from administration.

> Yeah, I guess if I was him, I would just close issues silently and ban the person who created them, if possible. I don't think I could be as nice as he is.

I think the shaming the use of LLMs to do stuff like this is a valuable public service.

Imagine the headline if a slop security report ends up real but the maintainer ignored it.

It’s a lose-lose situation for the maintainers

The problem is that AI can generate answers and code that look relevant and as if they were written by someone very competent. Since AI can generate a huge amount of code in a short time, it's difficult for the human brain to analyze it all and determine whether it's useful or just BS.

And the worst case is when AI generates great code with a tiny, hard-to-discover catch that takes hours to spot and understand.

A good one! I like how Daniel pretended like not disclosing it was an option just to show their reaction.

> "the best way for me and others to learn is by learning from our mistakes, and I think sharing this will help"

I guess it worked, that's their only hackerone report they made from that account.

Well, in reality the probably abandoned it, created another account and continued on with the script.

I'm using ChatGPT to generate some code for me quite often, and my instructions prompt for all chats is slowly gaining more and more ways to say "Answer shortly". And I need to prompt defensively to repeatedly tell it to only do what I tell it.

Only found a short but good article about such a case [0], i'm sure someone has bookmarked the original. There are support groups for people like this now!

[0] https://www.bgnes.com/technology/chatgpt-convinced-canadian-...

The good news is this AI stuff is not profitable. Big companies and VCs are subsidizing all this AI slop. If it had cost this moron $5 to generate the slop to file this bug they probably would not have bothered. Hopefully the bubble bursts soon, very hard, and forces the money people to figure out how to charge for these services.

There's this very weird idea that makes some people think that the maintainer must have a godawful workflow and if I just showed him the output of _my_ workflow, I can ~~save the day~~ fix a bug for them.

This is the AI that half of HackerNews insists is "the future" that you'll be "left behind" from if you don't embrace it.

Hah, the opposite of "AI" meaning "Actually Indian"... "Here's my CV, but actually all my work will be done by AI".

With apologies for stereotyping.

Might be easier for AI to generate this specific bullshit because of curl's long history.

s/much rejoicing/pandora's box/ I guess.

the thing is, these people aren't necessarily wrong - they're just 1) clueless 2) early. the folks with proper know-how and perhaps tuned models are probably selling zero days found this way as we speak.

GaaS, I like it!

> the only way to stem to tide is

I see no evidence thats the only way. Its the only way that has crossed your mind as you were writing that message.

The line of thought is that a slow response makes the time windows of an eventually found vulnerability exploit longer. Thus, increasing its value.

Clearly you just set an LLM to respond to messages that appear to be written by LLMs, then disregard that thread from that point on.

And false negatives too.

Given the nature of every other social media platform I wonder how many of these racebaiting green accounts are themselves just AI bots.

I know people copy and paste comments from AI all the time now, but someone has to be full on botting HN at this point.

[flagged]

[flagged]

Typical Claude answer to not see the irony and whine about it.