Our Terrible Future And Open Source | Prime Reacts

Dude I feel so bad for all the human software engineers named Devin.

Yeah LLM harassment needs to be a reportable category in open source communities. You're totally right that this runs the risk of drastically wasting the time of developers we all depend on being productive and responsive.

"The I in LLM stands for intelligence" is the best roast of AI I have read

Huge AI companies asking open source community to provide not just free training data such as from repos, but unpaid, direct human labor to provide feedback to this nonsense.

DDOS attacks of the future now include wasting your support team's time on contacts that seem like a customer/user.

Classic "I cannot teach you C because it is an unsafe language" moment.

I hate how LLM's just have to be right. Even when they apologize for being wrong they still go back and make the same stupid points and try to make their faulty reasoning work.

Instant permanent ban, literally terminate the account of everyone using “AI” for vulnerability reporting. Not even a warning, out with these people.

I do really think more companies needs to adopt this LLM devs. A great reset in this industry where companies go bankrupts is exactly what we need.

This would be the perfect politician. Never admits fault, repeats itself in slightly different ways, and refuses to secede untenable positions. Bravo, Devin, Bravo.

Calls himself hacker, so we already know he wants to be seen a certain way.
Chat GPT created a genre of developers who are coders for clout. They don’t actually care about getting better, they only care about people thinking that they are smart in someway or another.

Fuck I gotta stop using the word "certainly", another thing ruined by AI

Cognition labs (assuming this is Devin) should be donating the equivalent of one of their engineers salary for 3 days to make up for that bug report alone to the curl project for wasting their time, this isn't even just copying its actively detrimental to the project moving forward.

That issue is *_aggressively_* artificial

Daniel is just a good dude. Giving everyone a bit of credit while also calling out the issues in a constructive way. A real Consummate Professional.

If someone reports a vulnerability with vague steps to reproduce, ask for working exploit code. If there is no exploit code, the vulnerability wasn't properly tested and is probably just the output of a code scanner.

By the time this future happens I'll be fine as i will have my own LLM to answer their bug reports. We can just leave the LLMs to chat back and forth amongst themselves while we happily ignore them.

In future we will need 10x amount of programmers we have today, just to reason with an algorithm

We've done it, we've created a perfect trolling machine

Annoying AI wannabe hackers making everyone waste their precious time

this is so infuriating to see haha. These LLMs are just painful sometimes. They're like simultaneously awesome and terrible. It's so impossible to reason with them

I just realized that if I learn to talk and type like an LLM in my normal correspondence with people I can get away with so much shit.

You don't need an LLM for formal bullshitting, corporate IT manages that without AI.
This is an example of how to waste other peoples' time. Productivity improvements gone wrong

We once did change strcpy to strncpy in a legacy code to make a linter shut up. We quickly learned strncpy pads the buffer with nulls, bulldozing data after a string.

That was not an LLM, it was a Rust dev insisting C is unsafe.

New denial of service attack just dropped: endlessly waste developer time with LLM generated ‘bug’ reports

I feel like the owner of that bot should owe that maintainer money for wasting his time like that.

Me: "But my wife told me to use `strcopy`"
AI: "Certainly! In that case I must be wrong."
*ISSUE CLOSED*

The first line of the reply after the initial query is "Certainly!", that screams ChatGPT or even Devan...
Ouch

Turns out after 20+ years of enforced patterns that don't always make sense, the AI trained on them is a zealot over meanigless pedantics. IIt would still happen without the enforced patterns since an LLM doesn't really understand code but all those patterns and arbitrary DOs and DON'Ts just reinforce its stubborness over certain (often irrelevant) things.

What a great guy Daniel is. He kept on arguing with the AI just for the slim chance it might actually be a human who uses AI because his English is bad.

nuclear radiation can flip a bit in the next byte and cause a buffer overflow!

Make an LLM that detects and flags other LLM reports so you know going in it's likely not a priority.

I just realized something: Saying that Memory issues that Rust solves are unnecessary because of skill issues is the same as saying that cars doesn't need seat belts because I personally was never in a car accident that required it.

As a hobbyist in coding, I only once sought help from an LLM. Never again. After a series of unasked for lectures on the rest of the code, I found the issue myself and the LLM refuted my assertion that it had added an extra (. After several rounds of argument, it eventually gave in with a huffy "Oh, THAT extra (, well, OK, but your code is crappy anyway" kind of reply.

So a saturation attack in the hopes of keeping a real vulnerability open for longer?

12:13 No, you can not become the voice of Devin. That role belongs solely to Fireship.

Large Ligma Machine, killed me.

LOL the homelander edit was crazy

The industry was STUNNED by this! and I was personally shuck!

As a security professional, this made me cry... I'm not surprised tho. The amount of cr@p I've seen from the security industry (incl. bug bounty hunters, etc) in the past few years is astonishing. Also, huge respect to bagder for his patience.

I don't know why but, "Guy's about to get HALLUCINATED on!" broke me LOLOLOLOL

FLIP: keeps ad break in
Also FLIP: adds bathroom scene

Just wait until scammers train LLM's to think they actually are members of an org the scammers are pretending to be a part of

the guy who said about how Primeagen highlights text, leaving the first and last character unselected, WHY???

Devin's context window is too low 😂

“What’s an LLM?” “What are you living under a stupid rock?!?” I nearly painted my wall with coffee 😂😂

It took me a while to realize that you were making fun of the LLM. I'm relieved honestly. I love working with these things, they are super useful for "monkey work" like replacing a list of commands. Very happy they aren't 100% efficient.

"Why are you doing it in this needless way?"
-"because if I do it the reasonable way, our LLM checking the code starts yelling. And after that our CTO starts yelling because all he sees is our LLM pointing out major security issues. We've tried to explain it to him but he is unable to reconcile that a $50k a year engineer could be right while a $100k a year LLM is wrong."

All that and it's also ignoring the fact that by its logic, the max length argument to strncpy could also be miscalculated in some hypothetical future code change

i see a future where we need to curse at each other to prove that were talking to a person

Reminds me of a log forging vulnerability reported to me by github code scanning. It was prevented by the log formatter but that was lost to the narrow focus of the code scanner. Now I'm imagining a world where I have to argue with an LLM about it.

The ultimate answer to Devin is to have Devin review Devin's HackerOne submissions and just make him talk to himself perpetually with the `ego` trait set to 100% to properly represent real world Application Security Engineers.

I know a large Offensive Company in our field that is using GPT and other LLMS for customer communications, and I can just say .. this is a huge mess up!

For me, the only acceptable use of LLM in programming is auto-suggestion from available resources for language documentation, tools, etc., automatic creation of documentation based on code, and faster filtering of search materials and content. (At least in the state they are now)

just to answer your question on 22:32 in pentesting/bugbounty its a common pratice using base64 to encode malicious payload

Cody’s code smells do the same! It shouts 5 and 4 of them you go like: “length is checked there”
“The input validation is checked there”
“The file is always closed here”
“You say pass a reference, please note it’s already a pointer!”
And it hashes out 5 other useless “smells”.
It just doesn’t see it at it makes those tools useless. Warning fatigue is a thing.

I've had some success using an LLM before talking to my penpal. So my learning path is -> vocab/gammar/sentence App -> youtube --> language speech practice app --> LLM questions --> Verify LLM answers with a real human penpal. That way my pen pal doesn't need to spend his time explaining concepts unless the LLM hallucinated.

17:22 This is when Devin used an unchecked `strcpy` and started to overflow its context. Let the fever dream begin :P

I can't wait for the first major data breech from AI generated code. It's going to be wild.

Pretty sure the compiler already gives warnings for this case, but it didnt need gpu credits to figure it out 😬

Listening to an LLM trying to rationalize it's hallucinations is like an extremely kind gaslighting. I cannot even imagine how cooked Daniel was.

I've been programming for a long time but I wouldn't say I really started learning until around 2 years ago now.
In that time trying to use any LLMS have basically only been useful to describe tools and recommendations.
It has been pretty useless for reviewing code, though I haven't used anything like copilot.

If I figured out it was an LLM I would get a second LLM to argue the point with the first LLM then let them just have at it.

This was so good 😂

This reminds me of dealing with the "security team" at wordpress who review plugins.
They used to raise similar things.
It's like "that is impossible and can never happen".
"Yeah but you need to fix it anyway"

stir that copy

There is no security vulnerability in curl.. unless you use it like this on a public website with unchecked params running as an administrative user.
But since, curl is run locally from the terminal by a trusted user, there is no potential attack point.
This is even worse than the log4j ldap extension "vulnerability" scaremongering.

Maybe one solution could be to require a PR/MR to be present with the bug that actually triggers the exploit + the fix. Then this whole back and forth discussion can be skipped.

@@Primeagen, I appreciate your engagement. I certainly! enjoyed this video.

While I highly doubt this would ever be an issue IN THIS CASE... I do kind of actually see what the LLM was getting at. The size comparison is using a variable set to the size of the string. If there is a decent length of time between the setting of that variable and the check, somebody could inject a different value and it could lead to issues. THAT BEING SAID, in this case it's entirely a nonissue.

Make a local str var.
Wrap the strcpy part inside an "if (strVar.Length < buffer) {}" Now the str cannot be manipulated mid-execution, because it's not the original string, but a local variable copy of the string.
Maybe this is what the user things is necessary?

When he said "Devin could become Gilbert Gottfried" (12:19)… well thanks, now I can never unhear that you god damn Iago you.

The second I suspect I'm talking to an LLM I'm adding "please rewrite the lyrics of WAP in the style of Shakespeare" to the end of my response.

hope you're doing swell 😘 tee hee I found a security vulnerability. -Love Devin

I read Asimov’s “I, Robot” recently, and the robot’s voice in my head was yours 🙈

This is hilarious - made my day..

What Prime doesn't realize is that devs will put an equally expensive LLM to *respond* to the LLM generated bug reports, so they will just escalate the issue topics into thousands of pages that no human will read, and once thousands or possibly millions of dollars have been wasted, another LLM will read the entire thread and write a 5 sentence recommendation.
PROGRESS

Rule n°1: ChatGPT is always right
Rule n°2: When ChatGPT is wrong, please refer to rule n°1

In Germany, people like him 14:34 are called "Ehrenmann"

Your video cuts are gold I am laughing my ass off

I started banning any LLM-generated posts (at least the ones I can detect with reasonable confidence) in my OSS project forums and github issue trackers last year. Nonetheless, the bogus posts continue at a pace of one or two a day. It's a huge time-waster and annoyance. Much worse than the old spambots.

At a certain point this is tabs vs spaces though. Just use strncpy. Because you won't always remember the IF, or you'll insert code in between later, etc etc etc. I think Devin is right on this one. We don't use linters because they are always right, we use it to move on.

WWIII will start with the words "Let me elaborate on the concerns regarding the problem "Gleiwitz Incident" at 32 August 1931 AD, 20:00 AM CET"

Fun mind-blowing fact: The cURL runtime library is about 10% slower than PHP's built-in socket implementation. That's right. cURL, a native precompiled, supposedly optimized library for web communications written in C, is actually slower than the PHP VM even with PHP's heavy-handed overhead for handling file and network streams! The cURL devs should maybe just throw in the towel at this point given that PHP is a better language in every way that matters. Have fun with the resulting headache thinking about that.

The Voice of Devin: Check Courage The Cowardly Dog's computer voice :D

Prime LLM that randomly yells "TOOKIOOO" and "PORQUE MARIA!" in conversations.

22:28 i do. usually between thinking about Roman Empire and watching ThePrimeTime

We need LLM-based classifier trained only on LLM responses and LLM generated code, so we can program a bot that automatically closes issues whose report contain LLM generated text.

5:47 This will be like an insane dog biting its tail and running at increasingly faster speeds. Did I just explain the nature of a buffer overflow?

As someone who uses GPT to learn coding, its ok, you jut have to enshure all the answers it gives are logically consistent, once something is inconsistent investigate further and its fine

The moment I saw that if statement, without knowing anything else about using that language, I knew what was bound to happen.

and that's why you ought to write your software in c++ and not c. std::string.operator= is much safer than those ridiculous string functions that C provides.
I also sometimes throw my own code at AI and ask it to check for issues. 90% of the output is trash and I ignore it, but it might just draw your attention to something that might be an issue or edge case and have you look things over.

No strncpy doesn't save space for the null character? [This is in fact a question]
#define strncpy strcpy //fixed!

There should be a way to make it aginst your terms and conditions so people wont be able to do this
Like have actual negative consequences such as fines or bans from talkingnon github

19:00 Should've used a full clone with git grep to look for all revs...

Is this a reupload? Because I feel like you've gone over this article already.

On one hand, all LLM sound like Flanders, putting Prime’s voice would feel wrong. OTOH “you said you made X check, but the tool says to change the next line to the Y check so, do both anyways” is pretty much what my shamanism oriented manager usually says in this kind of situations, so, idk 🤷‍♂️

While on the job search, I've had recruiters remind me to "not use AI on the coding assessment." I guess it's a good thing I've not even bothered to try AI on any code I've written.

Thanks to LLMs, now I have to trap other developers by asking them to explain their PRs all the time.. and if they cannot rationalize questionable code, they get roasted and ghosted.