this LLM-emboldened, mass Dunning-Kruger schizophrenia has gone from hilarious to sad to simply invoking disgust. this isn't even an earnest altruistic effort but some insecure fever dream of finally being acknowledged as a "genius" of some sort. the worst i've seen of this is some random redditor claiming to have _the_ authoritative version of a theory of everything and spamming it in every theoretical physics adjacent subreddit, claims to have a phd but anonymous and doesn't represent any research group/institution nor does the spam have any citations.
These are the people that I imagine who go on forums and threads to announce how great AI is and are unable to provide any critique. They are blinded by ignorance.
Crazy how he doubled down by just pasting badger's answer into Chat and submitting the (hilariously obvious AI) reply:
> Thanks for the quick review. You’re right — my attached PoC does not exercise libcurl and therefore does not demonstrate a cURL bug. I retract the cookie overflow claim and apologize for the noise. Please close this report as invalid. If helpful, I can follow up separately with a minimal C reproducer that actually drives libcurl’s cookie parser (e.g., via an HTTP response with oversized Set-Cookie or using CURLOPT_COOKIELIST) and reference the exact function/line in lib/cookie.c should I find an issue.
Over time, I've gotten a feel for what kind of content is AI-generated (e.g., images, text, and especially code...), and this text screams "AI" from top to bottom. I think badger responded very professionally; I'd be interested to see Linus Torvalds' reaction in such a situation :D
Same as watching someone in school try to translate between French and English by a dictionary one word at a time ignoring context...
But frankly security theatre was always going to descend into this with a thousand wannabe l33ts targeting big projects with LLMs to be "that guy" who found some "bug" and "saved the world".
Shellshock showed how bad a large part of the industry is. It was not a bug. "Fixing" it caused a lot of old tried and tested solutions to break, but hey, we as an industry need to protect against the lowest common denominator who refuse to learn better...
I see this kind of things with new hires in my company. It is becoming depressing, stupid overly detailed but content free issue comments, stupid code that does not do what it is supposed to do but it is a fucking lot of code for you to review.
It's kind of depressing to read Daniel's article[1] on this issue given the rising "popularity" of these lazy attempts at cash grabbing. I hope they manage to combat the AI slop in a way that does not involve fighting fire with fire though.
Is there something about cUrl that attracts these AI bots, or is it just better documented by them - because I was going to say that this is old, but then I checked the date and realized that this is a new problem. Going down the rabbit-hole, @badger has made multiple posts [0][1] about AI slop.
Imagine if these “benevolent” erroneous AI bug reports were part of a coordinated effort to map how vulnerable the projects and maintainers are, not the code. Slow response, no response is a likely target for take over or exploits, and accepting code without review is an indication of ease of injecting a vulnerability.
79 comments
[ 3.0 ms ] story [ 67.1 ms ] threadWhat an absolute shamble of an industry we have ended up with.
> Thanks for the quick review. You’re right — my attached PoC does not exercise libcurl and therefore does not demonstrate a cURL bug. I retract the cookie overflow claim and apologize for the noise. Please close this report as invalid. If helpful, I can follow up separately with a minimal C reproducer that actually drives libcurl’s cookie parser (e.g., via an HTTP response with oversized Set-Cookie or using CURLOPT_COOKIELIST) and reference the exact function/line in lib/cookie.c should I find an issue.
Me: "yes, as a matter of fact I am"
Interviewer: "Whats 14x27"
Me: "49"
Interviewer: "that's not even close"
me: "yeah, but it was fast"
It finishes "I can follow up ... blah blah blah ... should I find an issue"
Tone deaf and utterly infuriating.
I suppose there's a reason why kids are usually banned from using calculators during their first years of school when they're learning basic math.
But frankly security theatre was always going to descend into this with a thousand wannabe l33ts targeting big projects with LLMs to be "that guy" who found some "bug" and "saved the world".
Shellshock showed how bad a large part of the industry is. It was not a bug. "Fixing" it caused a lot of old tried and tested solutions to break, but hey, we as an industry need to protect against the lowest common denominator who refuse to learn better...
[1] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...
The “fix” was setting completely fictitious properties. Someone has plugged the GitHub issue into ChatGPT, spat out an untested answer.
What’s even the point…
> The reporter was banned and now it looks like he has removed his account.
[0] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s... [1] https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d...
I don't even... You just have to laugh at this I guess.