1. LLM-generated code tries to run code from online software packages. Which is normal but
2. The packages don’t exist. Which would normally cause an error but
3. Nefarious people have made malware under the package names that LLMs make up most often. So
4. Now the LLM code points to malware.
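To make the chain above concrete, here is a minimal sketch. The package name is made up purely for illustration; the point is that the import fails loudly while nobody has published the package, and quietly succeeds once an attacker has.

```python
# Toy illustration of the "slopsquatting" chain described above.
# `quick_stats_utils` is a hypothetical name standing in for whatever
# plausible-but-nonexistent package an LLM tends to hallucinate.
try:
    import quick_stats_utils  # step 1: LLM-generated code references the package
except ModuleNotFoundError:
    # Step 2: while nobody has published it, the mistake at least fails loudly.
    print("No such package -- the hallucination shows up as an error.")
else:
    # Steps 3-4: once someone registers that name and ships malware under it,
    # this same import silently succeeds and the attacker's code has already run.
    print("Import succeeded -- whatever is published under that name just executed.")
```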
Reposted from David D. Levine
LLMs hallucinating nonexistent software packages with plausible names leads to a new malware vulnerability: "slopsquatting."
Comments
This issue is due to laziness and being hurried
Most (all?) of these systems are "slow learners" that cannot "learn" to counteract adversarial patterns from just a few instances.
The question is whether the space of adversarial attacks is amenable to "patching" or not.
Don’t be the fastest, just be good and secure too.
So what then is the best use case for AI? Learning? Instead of production code? Can you trust AI even as a teacher?
What/where is the LLM's value?
As someone else has put it: think of it as code written by an intern who copy-pastes without running or reading it.
Did you know Pakistan is looking to build a large number of data centres because it's experiencing a glut of solar power?
Data centres being powered by fossil fuels doesn't mean that any programs stored or run there are bad.
https://bsky.app/profile/daviddlevine.com/post/3lmnllla4vr2q
haven't trusted a word from him since, just add this to a growing pile of attack vectors
Ask GenAI simple things and you get simple answers. Write your prompts with some detail and get better code.
A name, that an AI would hallucinate if asked to create a fictional threat.
I know nothing about tech, but there is this weird thing I see
99% of the posts on social media describe LLMs, roughly, as a scam on the order of crypto
in real life, many people tell me they are using LLMs in their daily work and that LLMs are useful
That doesn’t mean it’s net + or - for society: big tobacco, Starbucks, and national parks all give lots of people something they believe they want.
my company hires a consulting engineering firm
An engineer told me: most of us [engineers], when we need a price or vendor for a non-standard part, now use ChatGPT as our initial query, as it works better than Google
that is a clear, real-world example of an LLM delivering something useful
the part that brought this up is that I wanted screws made of a special plastic called PEEK, in the size commonly known as "M3" (a very small screw), but I wanted ones a lot longer than most vendors provide
1. Search engines are bad in part because they’re drowning in LLM slop
2. The use case you describe is also vulnerable to slopsquatting supply chain attacks
I guess we will see if it remains very $$ to run, or if tech delivers some cheaper solution
it is so amusing that Google, with SEO, made searches so bad that people are abandoning Google and using ChatGPT or some such as their primary search engine
karma!!
And I have wall-to-wall unit tests, the same as if I pair programmed with a real human. Sometimes the tests fail.
I do have a question though: If you use ChatGPT to pull off stupid HTML tricks, why don't you just copypasta the changes for future reference?
The image depicts a screenshot of a dialog with ChatGPT where it confidently spits out CDK TypeScript code, referencing libraries that don't exist.
There are AWS libs that can do it, but ChatGPT spit out a mash-up of the actual name:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codestarconnections-connection.html
https://en.wikipedia.org/wiki/Npm_left-pad_incident
It doesn't matter whether an LLM or a bad human actor references/recommends it; the whole point of such repositories is to validate their packages.
Let's say you need to do some complex math operations in Python. math_py is a "reasonable" name for a lib that would do that, so LLMs will sometimes hallucinate and write code referencing that lib.
Only after noticing that does a human create malware under that name.
If ChatGPT makes up a package name that doesn't exist and someone publishes something malicious under that name, that package will be the "real" package. This isn't about changing existing packages.
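One low-effort way to catch this before installing anything an LLM suggests is to ask the index whether the name even exists and when it first showed up. Below is a rough sketch against PyPI's public JSON API, reusing the hypothetical math_py name from the comment above; it's a sanity check, not a real defense.

```python
"""Sanity-check a package name before installing anything an LLM suggested.

A rough sketch, not a real defense: it only tells you whether the name exists
on PyPI at all and when it was first uploaded, which is enough to catch a name
that nobody has ever published (or one that appeared suspiciously recently).
"""
import json
import urllib.request
from urllib.error import HTTPError


def pypi_first_upload(name: str):
    """Return the earliest upload timestamp for `name`, or None if it was never published."""
    url = f"https://pypi.org/pypi/{name}/json"
    try:
        with urllib.request.urlopen(url) as resp:
            data = json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None  # the name does not exist on the index
        raise
    uploads = [
        f["upload_time"]
        for files in data.get("releases", {}).values()
        for f in files
    ]
    return min(uploads) if uploads else None


if __name__ == "__main__":
    for candidate in ["numpy", "math_py"]:
        first = pypi_first_upload(candidate)
        if first is None:
            print(f"{candidate}: not on PyPI -- possibly a hallucinated name")
        else:
            print(f"{candidate}: first uploaded {first} -- still verify it is the package you think it is")
```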
Usually it's someone who takes over an abandoned package and injects exploit code into it. This, however, is a novel approach.
Go AI and die.
It’s like every month we plumb new, undiscovered depths of Dumb
(1984 aside, but that book was more about the present, not the future)
I would feel uncomfortable using the one, but not using the other. I am not sure whether such a distinction is merited, though.
(I should say that I do always 'hand-check' the results for myself!)
One glass of beer isn't any better for you than one shot of liquor, even though it goes down easier. Same active ingredient, same health risks, just in a more palatable container.
vibe coding my way into getting all company data taken hostage
I don’t know why this shocks me so much, it’s not like there aren’t already thousands of examples of how idiotic people who use this shit are.
i just meant that there's a habit of reaching for an answer and using it uncritically, which i've observed across sources.
I understand that this is a total failure of imagination on my part.
bad actors are always so creative
Thinking one is immune to missing a hallucination with serious consequences is trusting in an infallibility that no one can really live up to.
when they refer to real books they invent fake page numbers and fake quotes
fake facts
there's no bottom because the companies can't control the underlying mechanism, which is not reality-accountable
And then maintainers get bug reports that some functionality doesn't work... When it doesn't exist in the first place.
https://m.youtube.com/watch?v=EUrOxh_0leE&t=3377s&pp=ygURYW5nZWxhIGNvbGxpZXIgYWk%3D
Either they aren’t and that’s scary
Or they ARE and it’s because they authored the malware, which is HORRIFYING.
Although in my favour this is likely to extend my career for a number of years.
"Once downloaded, the Dave Smith Trojan goes to work cataloguing all the photos it can find in the system, and arranges them into an infinitely looping PowerPoint slideshow with AI Brummie audio commentary about where they were taken."
https://en.wikipedia.org/wiki/Bitsquatting
You don’t debug code on Hex, you have very long arguments with whatever you’re dealing with now.
Wow.
I had a feeling it would be what it was before I even read it, and sadly I was right.
We really should not let people connect improbability drives to the internet.
ECC memory everywhere basically fixes this, but also makes your memory chips 10-15% more expensive, so...
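For anyone who skipped the Bitsquatting link: the idea is that a single flipped bit in memory can turn a legitimate hostname into a different, attacker-registrable one, which is exactly the kind of error ECC memory detects and corrects. A toy sketch, purely illustrative, that just enumerates the one-bit-flip neighbours of a name:

```python
# Rough illustration of bitsquatting: a single flipped bit can turn a legitimate
# hostname into a different, registrable one. This only enumerates the
# one-bit-flip neighbours of a name; it makes no network requests.
def one_bit_flips(hostname: str):
    """Yield every string that differs from `hostname` by exactly one flipped bit."""
    for i, ch in enumerate(hostname):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Keep only variants that are still plausible hostname characters.
            if flipped.isascii() and (flipped.isalnum() or flipped in "-."):
                yield hostname[:i] + flipped + hostname[i + 1:]


# Print a handful of the bit-flipped neighbours of a well-known name.
print(sorted(set(one_bit_flips("example.com")))[:10])
```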
I think the problem with "hallucination" is that it makes it sound like less of a serious issue than it is (I'm not the OP) and carries the suggestion that it may be fixable. But the bottom line is that it's a FEATURE, not a bug: they're non-deterministic by design.
Because they would have to pay royalties.