AI Slop vs. OSS Security

Original Article ↗ Hacker News Discussion ↗

Limits of LLMs: Plausibility vs Truth

  • Several comments argue hallucinations are not a small tuning bug but a structural limit: models optimize for plausibility, not truth.
  • Ideas to reduce hallucinations include curated “truth” datasets (definitions, stable APIs, math) and MoE components that verify model reasoning.
  • Others counter that truth requires testability and external tools, not just better training data or fact databases; “knowing what is true” is framed as a hard philosophical and technical problem, not obviously solvable by more of the same architecture.

OSS, Licensing, and Structural Underfunding

  • Discussion links AI-enabled security slop to a long-running issue: huge value built on top of underpaid OSS maintainers.
  • Copyleft (e.g. GPL) is seen as having forced more corporate participation in Linux, whereas permissive/BSD-style projects like libcurl/libxml often get far less direct support.
  • However, even GPL hasn’t translated into broad wealth for contributors; incentives remain mostly corporate self‑interest.

CVE System and Security-Slop

  • Many view the CVE ecosystem as already broken before AI: lots of theoretical or irrelevant findings, regex DoS cited as a classic over-reported category.
  • Approvers tend to accept rather than reject, and the system incentivizes quantity, internet points, and low-quality bug bounties.
  • That said, some maintainers note that poorly written reports can still hide serious issues, so raising the bar too far risks missing real vulns.

“Form Without Substance” and Wider Social Effects

  • A recurring theme: LLMs replicate the form of expertise without its substance. This is likened to cargo culting, compliance bureaucracy, and Dunning–Kruger amplified at scale.
  • People worry about non-experts (investors, managers, scammers) treating plausible AI output as competence—affecting security reports, scams, dating apps, and more.

Trust, Writing Style, and AI Attribution

  • Commenters debate whether the linked essay “sounds AI-like.” The author discloses AI-assisted grammar edits.
  • Some now distrust polished, LinkedIn-esque prose and prefer imperfect human writing. Others note there’s a recognizable “default LLM style” (corporate, listicle, punchy contrasts) that people are starting to avoid.
  • Similar concerns surface in art: AI-like work undermines perceived authenticity and makes witch-hunts against human creators more likely.

Mitigation Ideas for AI Security Slop

  • Suggested defenses include: stricter PoC and reproducibility requirements, dockerized test setups, mandatory screencasts, or verified test cases.
  • Reputation and trust systems are proposed (age-weighted accounts, referrals, web-of-trust, HackerOne-style scores), but critics highlight gatekeeping, insider clubs, and difficulty for first-time reporters.
  • Economic friction—submission fees or refundable deposits—is seen by some as the most promising filter, though it risks excluding less wealthy but legitimate researchers.
  • Others suggest “fighting fire with fire”: AI agents to triage, sanity-check, or attempt to reproduce reported bugs, while noting cost and failure-modes remain open questions.