this post was submitted on 07 Apr 2026
310 points (98.7% liked)

Fuck AI

6703 readers
102 users here now

"We did it, Patrick! We made a technological breakthrough!"

A place for all those who loathe AI to discuss things, post articles, and ridicule the AI hype. Proud supporter of working people. And proud booer of SXSW 2024.

AI, in this case, refers to LLMs, GPT technology, and anything listed as "AI" meant to increase market valuations.

founded 2 years ago
MODERATORS
VerbFlow@lemmy.world
MrMcGasion@lemmy.world
TootSweet@lemmy.world
BigMikeInAustin@lemmy.world
cynar@lemmy.world
drmeanfeel@lemmy.world
pavnilschanda@lemmy.world
CriticalMedicine@lemmy.world
WonderfulWanderer@lemmy.world
Communist@lemmy.ml
eatCasserole@lemmy.world
SpaceNoodle@lemmy.world
NutWrench@lemmy.world
Soup@lemmy.cafe
iAvicenna@lemmy.world
Tinks@lemmy.world
wizblizz@lemmy.world
corus_kt@lemmy.world
Prandom_returns@lemm.ee
JimSamtanko@lemm.ee
TrickDacy@lemmy.world
TheFriar@lemm.ee
ArmokGoB@lemmy.dbzer0.com
HawlSera@lemm.ee
andrew_bidlaw@sh.itjust.works
MeDuViNoX@sh.itjust.works
33550336@lemmy.world
Nougat@fedia.io
Lost_My_Mind@lemmy.world
Quill7513@slrpnk.net
glowing_hans@sopuli.xyz
e8d79@discuss.tchncs.de
ThefuzzyFurryComrade@pawb.social
310
Hey we solved software development, no need to learn programming anymore (Claude's source code leak) (lemmy.world)
submitted 5 days ago by tired_n_bored@lemmy.world to c/fuck_ai@lemmy.world
41 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[โ€“] yetAnotherUser@discuss.tchncs.de 11 points 5 days ago (1 children)

That may actually work a little?

I mean, it scraped the entirety of StackOverflow. If someone answered with insecure code, it's statistically likely people mentioned it in the replies meaning the token "This is insecure" (or similar) should be close to (known!!) insecure code.

[โ€“] addie@feddit.uk 14 points 5 days ago

I was part of that OWASP Application Security Verification Standards compliance at my work. At a high level, you choose a compliance level that suitable for the environment you expect your app to be deployed in, and then there's a hundred pages of 'boxes to tick'. (Download here.)

Some of them are literal 'boxes to tick' - do you do logging in the proscribed way? - but a lot of it is:

  • do you follow the standard industry protocols for doing this thing?
  • can you prove that you do so, and have protocols in place to keep it that way?

Not many of them are difficult, but there's a lot of them. I'd say that's typical of security hardening; the difficulty is in the number of things to keep track of, not really any individual thing.

As regards the 'have you used this thing in the correct, secure way?', I'd point my finger at something like Bouncy Castle as a troublemaker, although it's far from alone. It's the Java standard crypto library, so you think there would be a lot of examples showing the correct way to use it, and make sure that you're aware of any gotchas? Hah hah fat chance. Stack Overflow has a lot of examples, a lot of them are bad, and a lot of them might have been okay once but are very outdated. I would prefer one absolutely correct example than a hundred examples have argued over, especially people that don't necessarily know any better. And it's easy to be 'convincing but wrong', and LLMs are really bad in that case. So 'ticking the box' to say that you're using it correctly is extremely difficult.

I see the Claude prompt is 'OWASP top 10', not 'the full OWASP compliance doc', which would probably set all your tokens on fire. But it's what's needed - the most slender crack in security can be enough to render everything useless.