<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Rambling on Bobby's Headspace</title><link>https://blogs.bobbysmiles.xyz/tags/rambling/</link><description>Recent content in Rambling on Bobby's Headspace</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><managingEditor>smiles@bobbysmiles.xyz (Bobby Smiles)</managingEditor><webMaster>smiles@bobbysmiles.xyz (Bobby Smiles)</webMaster><lastBuildDate>Thu, 08 May 2025 16:31:48 +0530</lastBuildDate><atom:link href="https://blogs.bobbysmiles.xyz/tags/rambling/index.xml" rel="self" type="application/rss+xml"/><item><title>The Rising use of AI in Cybersecurity</title><link>https://blogs.bobbysmiles.xyz/posts/ai_bugbounty/</link><pubDate>Thu, 08 May 2025 16:31:48 +0530</pubDate><author>smiles@bobbysmiles.xyz (Bobby Smiles)</author><guid>https://blogs.bobbysmiles.xyz/posts/ai_bugbounty/</guid><description>&lt;h1 id="ai-in-cybersecurity"&gt;AI in Cybersecurity&lt;/h1&gt;
&lt;p&gt;Ever since ChatGPT was released on the 30th of November 2022, it was inevitable that AI would become a crucial part of our lives. Nowadays (even though it&amp;rsquo;s been only 3 years since it came out), we see AI used everywhere. We write code with AI, generate images and videos with AI, summarize our meetings with AI, and with the recent introduction of tools like &lt;code&gt;Ghidra MCP&lt;/code&gt;, we are seeing its increased use in cybersecurity. But is this entirely as evil as the recent situation on HackerOne makes it out to be? I wouldn&amp;rsquo;t be too quick to judge.&lt;/p&gt;</description><content>&lt;h1 id="ai-in-cybersecurity"&gt;AI in Cybersecurity&lt;/h1&gt;
&lt;p&gt;Ever since ChatGPT was released on the 30th of November 2022, it was inevitable that AI would become a crucial part of our lives. Nowadays (even though it&amp;rsquo;s been only 3 years since it came out), we see AI used everywhere. We write code with AI, generate images and videos with AI, summarize our meetings with AI, and with the recent introduction of tools like &lt;code&gt;Ghidra MCP&lt;/code&gt;, we are seeing its increased use in cybersecurity. But is this entirely as evil as the recent situation on HackerOne makes it out to be? I wouldn&amp;rsquo;t be too quick to judge.&lt;/p&gt;
&lt;h1 id="the-hackerone-bug-report"&gt;The HackerOne Bug Report&lt;/h1&gt;
&lt;p&gt;Before I continue, I recommend checking out the actual bug report &lt;a href="https://hackerone.com/reports/3125832"&gt;here&lt;/a&gt;. To quickly summarize, the report claims a critical bug in the HTTP/3 capabilities of curl, which could supposedly be leveraged to corrupt memory, leading to &lt;strong&gt;Remote Code Execution&lt;/strong&gt;, or &lt;strong&gt;RCE&lt;/strong&gt; for short.&lt;/p&gt;
&lt;p&gt;In the initial stages of reading this report, all seems normal and it looks like a standard report for a high-severity bug. But reading further, it begins to seem more and more suspicious (to say the least). First, a curl staff member mentions that the patch is not applicable here and asks a question, to which the reply looks &lt;em&gt;&lt;strong&gt;SUSPICIOUSLY&lt;/strong&gt;&lt;/em&gt; like AI-generated markdown. The user provides the steps to &lt;em&gt;&lt;strong&gt;APPLY&lt;/strong&gt;&lt;/em&gt; a patch, without actually providing the patch in question.&lt;/p&gt;
&lt;p&gt;Some more discourse later, one of the other curl staff members drops a banger about this part of the report:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;Analysis shows:
- Return address overwritten
- Stack recursion at ngtcp2_http3_handle_priority_frame
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Staff comments:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;There is no function named like this in current ngtcp2 or nghttp3.
Please clarify what you talk about. Which versions of ngtcp2 and nghttp3
did you find the problem in?
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The function he was talking about, &lt;code&gt;ngtcp2_http3_handle_priority_frame&lt;/code&gt;, does not exist. This reveals the fundamental problem with relying completely on AI to do the heavy lifting in a high-skill job.&lt;/p&gt;
&lt;h1 id="so-whats-the-issue"&gt;So What&amp;rsquo;s the Issue?&lt;/h1&gt;
&lt;p&gt;AI-generated reports are nothing new. There have been many reports made using AI over the years, and so far, according to the founder of the curl project, Daniel Stenberg, no valid bugs have been reported by these so-called &lt;code&gt;AI generated slop&lt;/code&gt; reports (read his full LinkedIn post &lt;a href="https://www.linkedin.com/posts/danielstenberg_hackerone-curl-activity-7324820893862363136-glb1?utm_source=share&amp;amp;utm_medium=member_desktop&amp;amp;rcm=ACoAAFdg9CQBp_M-Tja0o8oTrYihjhutFcn-XHw"&gt;here&lt;/a&gt;). It is not uncommon to run into situations where the AI hallucinates things that do not exist in order to fulfill the task given to it by a user.&lt;/p&gt;
&lt;figure class="center" &gt;
&lt;img src="https://assets.aboutamazon.com/dims4/default/e73bc85/2147483647/strip/true/crop/4093x2304&amp;#43;7&amp;#43;0/resize/1240x698!/quality/90/?url=https%3A%2F%2Famazon-blogs-brightspot.s3.amazonaws.com%2F36%2F59%2Feba4adcc4f88a972b5639ed1dde0%2Fadobestock-712831308.jpeg" alt=":(" style="border-radius: 8px;" /&gt;
&lt;figcaption class="right" &gt;Generic AI concept art I randomly found online&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;This is a worrying trend, as in recent years the number of these reports has only been increasing. The problem is that the people triaging and validating a submission are human, and triage takes time. Triaging a submission is no simple task and people put a lot of time into it. Simply spamming AI-generated reports on these platforms only makes this job harder, as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The report cannot be ignored in the off-chance that it reports an actual exploit.&lt;/li&gt;
&lt;li&gt;Producing these kinds of reports takes very little time, and the staff will not be able to keep up with the rate of incoming reports, resulting in weaker security.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The curl founder called this a &lt;code&gt;DDoS Attack&lt;/code&gt; against curl. And he&amp;rsquo;s not wrong.&lt;/p&gt;
&lt;h1 id="what-causes-this-issue"&gt;What Causes this Issue?&lt;/h1&gt;
&lt;p&gt;I think the major problem with all this is rooted in the fact that many people, beginners and professionals alike, have begun to &lt;strong&gt;SUBSTITUTE&lt;/strong&gt; their workflow with AI, as opposed to &lt;strong&gt;AUGMENTING&lt;/strong&gt; their workflow with AI.&lt;/p&gt;
&lt;p&gt;AI is not 100% accurate; it never has been, nor, as it stands, will it ever be. AI is trained to give answers that &lt;strong&gt;SEEM&lt;/strong&gt; correct. Obviously, this is not intentional; rather, it is a consequence of how the current methods of training these AI models work. At the end of the day, the AI is only doing its job. It is us, as humans, whose job it is to validate this before making a submission.&lt;/p&gt;
&lt;h1 id="but-is-ai-completely-evil"&gt;But is AI completely Evil?&lt;/h1&gt;
&lt;p&gt;No, absolutely not. I am not going to pretend that I never use AI for my tasks. I do, and I think the benefits of having something like an LLM enhancing your workflow shouldn&amp;rsquo;t be slept on. However, the key distinction is that AI &lt;strong&gt;ENHANCES&lt;/strong&gt; my workflow, it is not my &lt;strong&gt;ENTIRE&lt;/strong&gt; workflow. What I mean is that, in a project for example, I won&amp;rsquo;t be &lt;em&gt;vibe coding&lt;/em&gt; the whole project using some random LLM; I would rather use it to write boilerplate code, find resources online, or, as a last resort, suggest fixes to bugs in the code.&lt;/p&gt;
&lt;p&gt;And I feel that a similar approach must be adopted by the wider community at large. I am not saying my approach to this is perfect, not at all, but rather the knowledge of &lt;strong&gt;Enhancement&lt;/strong&gt; vs &lt;strong&gt;Substitution&lt;/strong&gt; must be more widespread.&lt;/p&gt;
&lt;figure class="center" &gt;
&lt;img src="https://i.redd.it/lets-face-it-we-all-thought-auto-had-cared-about-wall-e-v0-bq3furftnb7e1.png?width=1600&amp;amp;format=png&amp;amp;auto=webp&amp;amp;s=710e4cbdf355ff8e96da8e07b1c80db3d9ef691d" alt=":(" style="border-radius: 8px;" /&gt;
&lt;figcaption class="right" &gt;The classic AI villain, AUTO from WALL-E&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;It is due to this same pitfall that vibe coding (a term which I &lt;em&gt;absolutely&lt;/em&gt; hate, by the way) is gaining more and more traction, when in reality you can simply learn to code, put in the hours, and write &lt;strong&gt;FAR&lt;/strong&gt; better applications than an AI ever could. Even better, you could then double that productivity by finally using AI to enhance your already existing workflow, making the endeavour all the more worth it.&lt;/p&gt;
&lt;h1 id="closing-thoughts"&gt;Closing Thoughts&lt;/h1&gt;
&lt;p&gt;This situation on HackerOne clearly demonstrates the flawed mindset that many people have started to adopt with regard to the usage of AI, and a shift in this mindset is necessary if the usage of AI in high-skill fields is to be a net positive. However, not all of this is bad, and if anything, we should learn from the pitfalls clearly demonstrated by this incident and continue to improve in our respective disciplines.&lt;/p&gt;
&lt;p&gt;Have a nice day! :)&lt;/p&gt;</content></item><item><title>The Recent Resurgence of Linux</title><link>https://blogs.bobbysmiles.xyz/posts/linux_resurgence/</link><pubDate>Sat, 03 May 2025 17:33:45 +0530</pubDate><author>smiles@bobbysmiles.xyz (Bobby Smiles)</author><guid>https://blogs.bobbysmiles.xyz/posts/linux_resurgence/</guid><description>&lt;h1 id="the-os-disillusionment"&gt;The OS Disillusionment&lt;/h1&gt;
&lt;p&gt;A major sentiment among general audiences and tech enthusiasts alike is that popular operating systems like Windows are becoming more and more inaccessible as the days go by. Higher hardware requirements, lack of support for older OS versions and an overall decrease in quality are opening the masses to open-source alternatives.&lt;/p&gt;
&lt;p&gt;With the end of support for Windows 10 fast approaching, many older devices will be rendered seemingly useless, and upgrading to a more modern piece of hardware might not be an option. In such cases, open source comes to the rescue.&lt;/p&gt;</description><content>&lt;h1 id="the-os-disillusionment"&gt;The OS Disillusionment&lt;/h1&gt;
&lt;p&gt;A major sentiment among general audiences and tech enthusiasts alike is that popular operating systems like Windows are becoming more and more inaccessible as the days go by. Higher hardware requirements, lack of support for older OS versions and an overall decrease in quality are opening the masses to open-source alternatives.&lt;/p&gt;
&lt;p&gt;With the end of support for Windows 10 fast approaching, many older devices will be rendered seemingly useless, and upgrading to a more modern piece of hardware might not be an option. In such cases, open source comes to the rescue.&lt;/p&gt;
&lt;h1 id="linux-and-its-benefits"&gt;Linux and its Benefits&lt;/h1&gt;
&lt;p&gt;Linux needs no introduction. Almost all low-level hardware runs some form of Linux: servers, Wi-Fi routers and smartphones are all powered by a Linux distribution.&lt;/p&gt;
&lt;figure class="center" &gt;
&lt;img src="https://static1.xdaimages.com/wordpress/wp-content/uploads/wm/2025/04/nintendo-switch-linux-feature-image.jpg" alt=":(" style="border-radius: 8px;" /&gt;
&lt;figcaption class="left" &gt;Nintendo Switch running Ubuntu&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;Linux comes with many more benefits as well, like being less prone to cyberattacks, being fast and performant, high customizability, and a &lt;strong&gt;HUGE&lt;/strong&gt; and passionate community behind it.&lt;/p&gt;
&lt;p&gt;So where am I going with all this?&lt;/p&gt;
&lt;h1 id="the-recent-resurgence-of-linux"&gt;The Recent Resurgence of Linux&lt;/h1&gt;
&lt;p&gt;Recently I have observed that many big content creators are making the switch to Linux &lt;em&gt;&lt;strong&gt;AND&lt;/strong&gt;&lt;/em&gt; encouraging their community to give it a shot. For example, PewDiePie (in this &lt;a href="https://www.youtube.com/watch?v=pVI_smLgTY0&amp;amp;pp=ygUYc3dpdGNoIHRvIGxpbnV4IHBld2llcGll"&gt;video&lt;/a&gt;) recently switched to Linux, detailing his reasons for doing so (please watch the video, it&amp;rsquo;s &lt;em&gt;excellent&lt;/em&gt;).&lt;/p&gt;
&lt;p&gt;Even before this video came out, my YouTube feed was already dotted with tech content titled something like &lt;em&gt;&amp;ldquo;I switched to Linux and I could never look at Windows the same again&amp;rdquo;&lt;/em&gt;, all of them detailing similar reasons for switching to Linux.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Customizability&lt;/li&gt;
&lt;li&gt;Performance&lt;/li&gt;
&lt;li&gt;Stability (ok this one&amp;rsquo;s a little debatable)&lt;/li&gt;
&lt;li&gt;Control&lt;/li&gt;
&lt;/ul&gt;
&lt;figure class="center" &gt;
&lt;img src="https://preview.redd.it/gnome-gnome-is-my-place-v0-akydhqbpmkye1.png?width=1080&amp;amp;crop=smart&amp;amp;auto=webp&amp;amp;s=20edd39d33987d89e800bcb0fb5fe1f907ace41b" alt="Oops...." style="border-radius: 8px;" /&gt;
&lt;figcaption class="left" &gt;A fully customized GNOME desktop&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;As a Linux nerd myself, seeing &lt;em&gt;regular&lt;/em&gt; people start to give Linux a shot sort of surprised me, considering that many times (from personal experience) I was told that Linux is too hard because it&amp;rsquo;s quite terminal-centric, and that&amp;rsquo;s intimidating for someone who is not a &lt;em&gt;&amp;ldquo;basement-dwelling&amp;rdquo;&lt;/em&gt; nerd. Little did they know about Linux Mint, Ubuntu or Fedora.&lt;/p&gt;
&lt;hr&gt;
&lt;h3 id="personal-anecdote"&gt;Personal Anecdote&lt;/h3&gt;
&lt;p&gt;Due to the &lt;a href="https://www.youtube.com/watch?v=pVI_smLgTY0&amp;amp;pp=ygUYc3dpdGNoIHRvIGxpbnV4IHBld2llcGll"&gt;video&lt;/a&gt; made by PewDiePie, one of my friends (completely not into tech, has an age-old computer used only for watching movies and TV shows) asked me about switching over to Linux and was surprisingly open even to trying Arch Linux. Now, to preserve both their sanity and mine, I told them to switch to something like Linux Mint first, to get a feel for the OS and its workflow, and to ease into the new ecosystem, and they were surprisingly receptive.&lt;/p&gt;
&lt;p&gt;As it stands, I am yet to hear back from them regarding how the switch went, but considering they seemed pretty satisfied with the computer last we spoke, I suspect it went quite well.&lt;/p&gt;
&lt;hr&gt;
&lt;h1 id="dont-fully-believe-the-hype"&gt;Don&amp;rsquo;t Fully Believe the Hype&lt;/h1&gt;
&lt;p&gt;Now, it might seem &lt;strong&gt;VERY&lt;/strong&gt; appealing to immediately switch to Linux after all the newfound buzz regarding the topic, but I would still ask that one consider this decision carefully. Despite its caveats, almost all software in the world is supported by Windows and Microsoft &lt;em&gt;still&lt;/em&gt; provides some of the best tools in the market.&lt;/p&gt;
&lt;p&gt;The MS Office suite, boasting some of the best software for tasks like spreadsheets, text editing and presentations, for example, is not natively supported on Linux. It has to be run through a compatibility layer like &lt;em&gt;&lt;strong&gt;wine&lt;/strong&gt;&lt;/em&gt;, which does provide support for &lt;strong&gt;SOME&lt;/strong&gt; Windows applications, not to mention that wine in and of itself can be a little hard to set up.&lt;/p&gt;
&lt;figure class="center" &gt;
&lt;img src="https://garudalinux.org/assets/editions/garuda-mokka.webp" alt="Sorry :(" style="border-radius: 8px;" /&gt;
&lt;figcaption class="left" &gt;GNOME Desktop environment configured in Garuda Linux&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;There is also the issue of the stability of certain Linux distributions like &lt;strong&gt;Arch Linux&lt;/strong&gt;, which follows a rolling-release model. While you can always stay up to date with the latest updates and security patches, this can also cause instability in a system, affecting your workflow and productivity. In such cases, I would still recommend that you stick to Windows, or at least try a Linux distro on a VM or live boot before switching completely.&lt;/p&gt;
&lt;h1 id="closing-thoughts"&gt;Closing Thoughts&lt;/h1&gt;
&lt;p&gt;Linux has always been, and continues to be, a viable operating system to switch to—provided you know what you&amp;rsquo;re getting into. It is not like Windows, nor is it meant to be. Both operating systems serve their purpose, and both do it well.&lt;/p&gt;
&lt;p&gt;With Linux, you get speed, control, stability, and customizability. With Windows, you benefit from familiarity, broader software support, and ease of use.&lt;/p&gt;
&lt;p&gt;Whether or not you choose to switch to Linux is entirely up to you—but make sure to do your homework before making a decision.&lt;/p&gt;
&lt;p&gt;Have a nice day! :)&lt;/p&gt;</content></item></channel></rss>