Hacker News | notepad0x90's comments

I can't speak for other use cases, but it's been ok (not great, but tolerable) for unit test generation and documentation.

This is silly, people don't need AI to send you garbage. If your project is getting lots of junk reports, you should take it as a good sign that people are looking at it a lot now. You don't remove the incentive, you ask for help to triage the junk.

Curl is a popular and well-supported tool; if it needs help in this area, there will be a long line of competent people not volunteering their time and/or money. If you need help, get more help. Don't use "AI slop" as an excuse to remove the one incentive people have to not sell exploits or just hoard them.


Curl did already tend to get a decent number of junk reports from people who just didn't know what they were doing, but this was limited to the number of productive idiots who focused their productivity on curl specifically. AI allows significantly less motivated idiots to create substantially more workload, and therefore upgrades this phenomenon from a minor annoyance to a big problem, one that may just render publicly submitted bug reports not worth the project's time.

(And no, curl does not have a huge pool of potential maintainers to pull from on this. Open-source software in general suffers from a big lack of manpower, especially relative to the popularity of the tool)


My point was #1 that it is a volume problem, and #2, you don't need maintainers to triage bugs and PRs, even bots can do that for simpler things. They can have a pool of project members to upvote a bug report before maintainers look at it.

There are many incentives not to sell exploits, the major one being that it's not logistically feasible. First of all the people submitting these false reports don't have any real exploits.

But imagine you were sitting on an actual RCE exploit in curl, who would you sell it to? How would you convince them it's working without disclosing the details for free? How would you get paid?

> Curl is a popular and well supported tool, if it needs help in this area, there will be a long line of competent people not volunteering their time and/or money

I'm not sure if that not is a typo, but yes, even though a tool is very popular, there's almost nobody competent and willing to work on it for free. This has been a well-known problem in open source for decades now.


It's a typo. Even if they don't sell it, why report it to curl? For clout? You can still exploit it against real world apps. Who would they sell it to? I would sell it to Zerodium instead of reporting it to curl, personally.

How much time do people spend finding bugs? Is their time not worth anything because some other random people decide to use AI?

Curl is high-visibility; there are people. And it doesn't take a lot of competency to triage. Heck, I like to think I have a good handle on C and memory exploitation; I will volunteer my time for free if they need help.


> This is silly, people don't need AI to send you garbage

People also don't need cigarettes to fall ill. But smoking still causes health problems.


What's your point? Because people smoke cigarettes, people who buy unrelated things should be punished? Or because a store sells cigarettes, stores in general shouldn't be paid for what they sell? Or is the time and effort to find vulns valueless?

The point is that "can happen without [THING] as well" does not mean the argument "[THING]'s existence exacerbates the problem" is wrong.

No, the implication that "THING" is the cause of something and therefore something needs to be done must withstand the scrutiny of "other THINGS" also causing that thing, and therefore the solution is attacking either only one cause or not the real root cause.

The fact that bad reports have to be triaged doesn't change with AI. What changed is the volume, clearly. So the reasonable response is not to blame "AI" but to ask for help with the added volume.

If HN gets flooded by AI spam, is the right response shutting down HN? Spam is spam whether AI does it or a dedicated and coordinated large number of humans does it. The problem doesn't change because of who is causing it in this case.


> What changed is the volume, clearly.

The change in volume was the tipping point between bug bounties being offered and devs being able to handle bad reports, and the bug bounty being nixed because devs are no longer willing to handle the floods.

And the root cause for the change in volume is generative AI.

So yes, this is causally related.

> The problem doesn't change because of who is causing it in this case.

Wrong.

Because SCALE MATTERS. Scale is the difference between a few pebbles causing a minor inconvenience, and a landslide destroying a house.

So whatever makes the pebbles become a landslide, changed the problem. Completely.


How can you say "wrong" and then go on to say scale matters? That means scale is the problem, not who is reporting it. You contradicted yourself.

We're in agreement that it is a scale issue. When something needs to scale, you address the scale problem. Obviously the devs can't handle this volume, and I agree with that too. Our disagreement is the response.

I guarantee that if they asked for volunteers they'd get at least 100 within a week. They can filter by previous bug triage experience and experience with C and the code base. My suggestion is to let people other than the devs triage bug reports; that will resolve the scale problem. Curl devs never have to see a bug not triaged by a human they've vetted. There is also no requirement on their part to respond to a certain number of bug reports, so with or without help, they can let the stack pile up and it will still be better than nothing.


You don't need a car to kill someone in traffic, but it's certainly much easier with one.

I disagree with this strongly. The intended use case of NAT or the existence of inbound connections being blocked by routers is irrelevant.

For NAT, of course it isn't meant for security, but it has a side-effect of creating a network boundary, and that has positive security implications.

If your router doesn't have a firewall blocking any connections, NAT still has security implications as it is deployed typically on consumer networks, which is a one-way port-address-translation for outbound traffic.

The important bit here is not NAT or firewalls, but layer 3 network segments!!!

An RFC1918 private address space is not internet routable. Furthermore, routers shouldn't "default route" traffic from arbitrary connected networks by default. But "should" aside, the typical default consumer router behavior is that they don't NAT-translate inbound traffic; they can't!

If a random internet IP wanted to connect to port 80 on a device at 192.168.1.200 in your home network, it doesn't know how to tell your router what IP to translate its request to the router's public IP to. That is the essential positive security implication. In commercial grade routers, the same applies except even if the external IP knew to direct the router to the right internal IP, or if the router knew to direct the traffic to the right external IP for outbound connections, unless you configure a default route, or a more explicit route, it won't forward such traffic.

With IPv6, end devices in your network get a globally routed address, someone can try to connect to that same internal device as my earlier example and succeed with the same exact default behavior in place.

IPv6 is thus, by relative metrics, insecure by default. It does not mean it cannot be secured, but it is less secure than IPv4 in typical deployments where extra care isn't taken to secure it properly. If your answer to this is "well that's just because people who deploy networks are dumb" then save yourself the effort of arguing that, it is irrelevant. That is how networks are deployed in the real world, period. People make mistakes in the real world. People don't know best practices in the real world. So out of the box, things need to consider real world hazards, and IPv6 does not do that.

You can support the adoption of IPv6 nonetheless and I would have no disagreement there.


The problem, as I understand it, is that this hypothetical network where there is a NAT but no firewall just does not exist.

>In commercial grade routers, the same applies except even if the external IP knew to direct the router to the right internal IP, or if the router knew to direct the traffic to the right external IP for outbound connections, unless you configure a default route, or a more explicit route, it won't forward such traffic.

This is typically handled by the firewall, not the NAT. You can easily come up with scenarios where, without the firewall, the NAT could be trivially defeated, e.g. by port scanning.


It is not. You guys are talking from a specific American ISP perspective where you have these modem+router+gateway+firewall combo devices. Not everyone gets that.

Many get just a modem and buy a cheap router which may not have a firewall. MANY more get just a modem and their laptops are directly exposed to the internet (!!!), those you can't do much about, but many put in a "router" that's just a cheap wifi access point with layer 3 routing and NAT. If you choose to "bridge" a device (like those internet exposed laptops) or port-forward, it will just work (even with ISP routers!!); there is no firewall rule change required.

I've worked in this space supporting consumer grade routers, and then worked in enterprise networking. But don't take my word for it, you all can take a trip to shodansafari: how many devices are listening on port 3389 and 445 with consumer grade laptop names?

But it isn't a popular thing to say for whatever reason. I guess IPv6 is a political ideology now lol.


>Many get just a modem and buy a cheap router which may not have a firewall

What cheap router are you buying that doesn't have a firewall? I think the problem is when people hear "firewall" they think the router is running pfSense or something. Even cheap routers will have a basic, non-configurable firewall that will block inbound connections. That is separate from NAT and has nothing to do with IPv4/IPv6.


What most people call "router" in that context are APs. Good ones are proper router/AP/firewall combos, but my cheap ones aren't.

Here is a good example with the user guide: https://www.tp-link.com/us/document/107360/

It's an AP that serves DHCP addresses on the LAN port. That's it. It has some port forwarding too if you set it up, no firewalling there. For modems, most cable ISPs let you buy a DOCSIS modem; there is no router, whatever device you connect gets a DHCP lease right on the internet (and IPv6). Most people buy cheap "routers" like that one to add "wifi" to it, and it works great for the money. And honestly, I have yet to see one that does have a firewall, but then again I've never tried the $500 router options or seen someone who did.

These devices are not meant to firewall, they have no need to firewall. If you do "bridge" or "port forward" they assume you want everything forwarded; they don't let you configure any firewalling by design, and they don't have any firewalling because it isn't needed. They have a dedicated WAN port, the management interface doesn't listen on that port and LAN devices are NAT'ed with IPv4, so there is no need to firewall anything even behind the scenes. Their main use is to either extend wifi coverage or add wifi capability to modems.

Most people with fiber or *DSL get an ISP provided gateway which has a firewall; that's not the same as what I'm talking about.

I hate to complain about downvotes, but you all need to realize that it is the poorest and most vulnerable around the world that get hurt over this stuff. Yes, IPv6 can cause unintended internet exposure of internal devices. Period. That's not a dismissal or disapproval of IPv6, it is what it is, and that needs to be considered when deploying it. It assumes you'll configure your network properly; unfortunately the people who made IPv6 didn't consider consumers or people who screw up. They wanted to force people to configure firewalls; that works for corporations (until it doesn't) but not for most regular internet users.


The NAT is a belt and braces approach, especially when combined with RPF. How will your packet reach 192.168.0.1 from the internet without having a NAT rule to translate the packet, even if there is a firewall rule allowing all traffic?

(If you control the next hop and the router doesn't have RPF checks on the WAN interfaces, you can forge a packet with a destination of 192.168.0.1 and route it via the public IP of 40.50.60.70.)
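The forwarding behaviour the thread argues about (no translation for unsolicited inbound, port scans of the public IP, the forged packet routed in via the public IP, and an IPv6 host with a global address) can be put side by side in a toy router model. This is an added example, not code from the thread or from any router vendor; the public IP 203.0.113.10 (a documentation address standing in for 40.50.60.70), the LAN 192.168.0.0/24, the IPv6 prefix 2001:db8:1::/64 and every packet are constructed here. It also shows the caveat a practitioner wants: RPF checks the source address, so it stops a packet whose source claims to be on the LAN but not the forged packet with a public source; only the stateful firewall stops that one, which is the "firewall, not NAT" point above.

```python
"""Toy model of a consumer router: NAT table, optional port forwards,
optional stateful firewall, optional RPF check on WAN ingress.
Added example; all addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = ipaddress.ip_address("203.0.113.10")       # assumed WAN address
LAN4 = ipaddress.ip_network("192.168.0.0/24")          # assumed LAN prefix
LAN6 = ipaddress.ip_network("2001:db8:1::/64")         # assumed global IPv6 prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    def __init__(self, stateful_firewall=False, rpf=False, port_forwards=None):
        self.stateful_firewall = stateful_firewall
        self.rpf = rpf
        self.port_forwards = port_forwards or {}   # public dport -> (lan host, lan port)
        self.nat = {}          # (remote ip, remote port, public port) -> (lan host, lan port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host talks out: allocate a public port and record the flow."""
        pub_port = self.next_port
        self.next_port += 1
        self.nat[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
        return Packet(str(PUBLIC_IP), pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> str:
        """A packet arrives on the WAN interface; return the router's decision."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

        # RPF on WAN: a source belonging to the LAN (or the router itself)
        # cannot legitimately arrive from the internet side.
        if self.rpf and (src in LAN4 or src in LAN6 or src == PUBLIC_IP):
            return "drop: rpf"

        if dst == PUBLIC_IP:
            # Reply to a flow a LAN host opened: the table knows the translation.
            key = (pkt.src, pkt.sport, pkt.dport)
            if key in self.nat:
                host, port = self.nat[key]
                return f"forward: {host}:{port} (nat reply)"
            # Explicit port forward: works on a NAT-only box, no firewall rule needed.
            if pkt.dport in self.port_forwards:
                host, port = self.port_forwards[pkt.dport]
                return f"forward: {host}:{port} (port forward)"
            # No mapping: there is nothing to translate to, so the packet goes nowhere.
            return "drop: no translation"

        if dst in LAN4 or dst in LAN6:
            # Directly connected network: plain routing would forward it;
            # only a stateful firewall refuses the unsolicited packet.
            if self.stateful_firewall:
                return "drop: firewall (unsolicited inbound)"
            return f"forward: {pkt.dst}:{pkt.dport} (routed)"

        return "drop: no route"


def scenarios():
    """Run the thread's cases through three router configurations."""
    forged = Packet("198.51.100.7", 55555, "192.168.0.1", 80)       # private dst, public src
    spoofed = Packet("192.168.0.9", 55555, "192.168.0.1", 80)       # private dst, LAN src
    scan = Packet("198.51.100.7", 55555, str(PUBLIC_IP), 445)       # port scan of public IP
    v6 = Packet("2001:db8:9::1", 55555, "2001:db8:1::200", 3389)    # IPv6 host, global addr
    results = {}
    for name, r in {
        "nat_only": Router(),
        "nat_rpf": Router(rpf=True),
        "nat_fw_rpf": Router(stateful_firewall=True, rpf=True),
    }.items():
        out = r.outbound(Packet("192.168.0.1", 51000, "198.51.100.7", 443))
        reply = Packet("198.51.100.7", 443, str(PUBLIC_IP), out.sport)
        results[name] = {
            "reply": r.inbound(reply),
            "scan": r.inbound(scan),
            "forged": r.inbound(forged),
            "spoofed": r.inbound(spoofed),
            "ipv6": r.inbound(v6),
        }
    return results


if __name__ == "__main__":
    for cfg, outcome in scenarios().items():
        print(cfg, outcome)
```

On the NAT-only box the scan of the public IP is dropped for lack of a translation (the thread's "it can't" case), but the forged packet to 192.168.0.1 and the unsolicited IPv6 connection are both forwarded, because routing a directly connected prefix needs no NAT entry. Adding RPF only catches the variant with a spoofed LAN source; the stateful firewall is what drops the rest while still letting the NAT reply through.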


Everyone is saying data center build-outs are the main thing to look out for. But those data centers with all those GPUs will need to replace those GPUs, right? Nvidia will come up with better, faster, more efficient GPUs.

LLM usage won't crash either, it might decline or taper off but it's here to stay.

My concern is better models that won't need a whole lot of GPUs, or China coming up with their own foundry and GPUs that compete. There is also the strategy issue: can Nvidia's leadership think global enough? Will they start pursuing data centers in Europe, LatAm, Asia? Can they make GPUs cheap enough to compete in those regions?

The way things are, lots of countries want this tech local, but they can't deny the demand either.

Europe for example might not want anything to do with American AI companies, but they still need GPUs for their own models. But can Nvidia rebrand itself as a not-so-American-but-also-American company? Like Coca-Cola for example. i.e.: not just operate in Europe but have an HQ in Europe that has half their execs working from there, and the rest from California. Or perhaps Asia is better (doubt)? Either way, they can't live off of US demand forever, or ignore geopolitics.


hiding this one, i hope others downvote it as well. Dick move by the person hosting this redirecting back to HN. Such incessant levels of pettiness are so irritating.

If you have raccoons in your neighborhood, get a laser pointer and watch them go crazy. Other animals like squirrels, birds, opossums, etc. don't care for the red dot, but raccoons try to chase it.

Drive them crazy for a few nights, then go out to them the third night. They tense up, they are going to run, but you crouch down trying to keep them calm, then you show them how to use the laser pointer. It will take a while but they will understand. When you see they have understood, stand up and put your hands on your hips and laugh like the Jolly Green Giant. Then go back inside. Look back out the window. They are all just standing there looking at you. They look pissed.

I'd pay $0.005 per conversation, provided the payment is not inconvenient, is anonymous, and an account isn't required. That in my opinion is the root cause of the problem: people can't pay easily even if they wanted to pay instead of getting ads.

I think the next natural evolution after showing ads in chat sessions is providing services where LLMs tailor site content to include ads in real time. Right now you get served a prepared advertisement after the bid is won and the ad for you is selected. With LLMs, both the bidding process and the ad served would be seamlessly integrated with the site content/context.

Part of the "problem" with ads is people know they're ads. What if this comment was edited by HN's servers and rephrased to mention a specific product? You might see a sentence about how OpenAI is the future, someone else might see how Claude or Anthropic are. Another person might see a paragraph from me about how I used Tide to clean laundry this morning with the help of AI, telling me the right portions for the right cloth. You might suspect it's AI but you won't always be able to tell. Even if they made it more obvious like how Reddit is doing it, the content of the ad itself, pictures, text, etc. could be crafted dynamically so that it embeds in your subconscious without much resistance.

The tech developed to make ads more effective is also used to influence people for other purposes. The current state of society came about after the widespread accessibility of smartphones, social media and the rise of surveillance capitalism. Russia's influence ops using ads is well documented for example. I mentioned all this to say how catastrophic the combination of LLMs and advertising could be, even by today's standards.


Given how LLMs are trained on its data, it's a travesty to prevent the public from accessing it all the same.

I'm thinking it should be distributed using physical media given its size. A 20 volume encyclopedia on hard drives? We used to do this when the internet was too slow back in the day. I've had friends give me anything from pirated encyclopedias to MSDN docs on CDs. If enough people have enough of the volumes, they could seed and keep it going. But if only a handful of people have the actual data, it's a matter of time before it's taken offline for good.


If you want to have the whole thing, it'd probably take dozens of hard drives, each of which needs several hours to copy. For scale, individual chunks of the archive are several gigabytes, and there are thousands of chunks. It's not like that torrent with 1000 books you got back in the day. There are millions of books and god knows what else in the archive.

There are 12-20TB drives now.


I know. I've seen them as high as 24 TB. You'd still probably need at least a dozen of the highest capacity on the market. I believe the guys running the archive even have tape drives but the right kind of tape drive costs a fortune.

They could let buyers pay for the cost. Classify them based on topic category. The objective is, if enough of the drives exist out there, stopping its distribution/access becomes a futile effort.

I don't think you understand how big of an ask that is in the US or any Western country. What you're proposing is in-person bootlegging with extra steps, but with very expensive equipment. There may be too many internet pirates to bother with, but the government will raid you for something like this. The more copies you make, the bigger the response is. If you're going to break the law it's best that you not be flagrant about it. The US government has scooped people in other countries that were thought to be neutral for taking a big role in piracy.

I could be wrong, but the laws apply just the same as a download. Perhaps the scrutiny might be higher though. But over PDFs? I don't know. The shipping details could be tricky too, but dicier things are shipped from certain marketplaces.

The fact it's PDF files is of little consequence. It's bootlegging. If it became popular, you would get raided for distributing copies. It doesn't happen for small-scale transfers between friends but if you start doing it on a large enough scale then you're asking for trouble. People have had similar ideas since recorded media has existed. Pirate copies of CDs, books, movies, etc. are sold freely in countries where IP laws are lax, and generally not sold in countries where these laws are enforced. The risk of getting caught could be lowered quite a bit by taking precautions, but if you're actively trying to be a large-scale pirate then you're bound to run into trouble eventually. Enforcement is focused on distributors rather than consumers usually. But with AI and increasingly invasive tech, that could change.

It's petabytes of data. Think cargo pallet, or small pickup truck bed.

~400TB last I recall?

imagine if there was a global distribution of local buildings you could go to to look at and obtain copies of books... hmmmmm...

Would it be more accurate to say "to store information, using information"? Since everything ultimately boils down to information, humans trying to store information is a bit recursive?

So long as it's not about AI. The world hasn't run out of problems that could be solved or improved by software.
