Drawafish.com Postmortem: Whoops

78 points | hallak | 21 comments | 8/4/2025, 12:10:22 PM | aldenhallak.com

Comments (21)

ofjcihen · 2h ago
I was one of the “lucky” few to witness the school of slur-fish.

Being in security I laughed because of how egregious it was but also because I knew someone on HN with some actual time on their hands to help properly would be along soon.

I also appreciate this postmortem. Vibe-coded anything in prod is a lot of my workload in IR these days, but it was nice to see such a low-stakes project properly documented.

bombcar · 1h ago
People will be quick to jump on the "it was vibe coding's fault" but at least two of the issues are pretty common even in designed systems without AI - leaving in a "test admin" access and verifying tokens but not cross-checking them.
JohnMakin · 30m ago
This is pretty reductive of the actual problem people typically complain about with vibe coding. It produces very workable prototypes fairly quickly and without a lot of hassle. Great! The problem is, and this is a great example (of many), that someone mistook the working prototype for a system that was ready for production. The JWT thing in particular is not really a mistake many people who work on that kind of thing would make.

People need more understanding of the risks of vibe coding and YOLOing to prod with these tools. They are powerful, but like all powerful tools, can be wielded irresponsibly.
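The "verifying tokens but not cross-checking them" pattern bombcar and JohnMakin mention, as an added illustration that is not code from the site or the postmortem: a hand-rolled HS256 check with a constructed secret and fish table, beside one handler that stops at signature verification and one that also ties the token's subject to the fish's owner.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for this example, not the site's key
FISHES = {"fish-1": "alice", "fish-2": "bob"}  # constructed: fish id -> owner


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub: str) -> str:
    # Minimal HS256 JWT built by hand so the example needs no library.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str) -> dict:
    # Proves the token was issued by us. It says nothing about which
    # resources the bearer may touch; that is a separate check.
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(b64url_decode(payload))


def can_delete_vulnerable(token: str, fish_id: str) -> bool:
    # Authentication only: any valid user may delete any fish.
    verify(token)
    return fish_id in FISHES


def can_delete_fixed(token: str, fish_id: str) -> bool:
    # Authentication plus the cross-check: the subject must own the fish.
    claims = verify(token)
    owner = FISHES.get(fish_id)
    return owner is not None and hmac.compare_digest(str(claims.get("sub", "")), owner)
```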

autoexec · 24m ago
I think it's pretty reasonable to expect AI to produce systems with issues "pretty common even in designed systems without AI" because that's what AI was trained on.
dmje · 40m ago
Great project and a good post too, you write well and are funny. Would like to see more for my rss reader :-)
dmje · 39m ago
…if you had RSS…
thehamkercat · 29m ago
You can also upvote any fish without auth, limit is 20 votes per minute per IP

POST https://fishes-be-571679687712.northamerica-northeast1.run.a... {"fishId":"xxxx","vote":"up"}

hallak · 3m ago
That's actually intentional design - I think you can like a fish a little or like a fish a lot, and therefore should be able to upvote/downvote to your heart's content :)
Havoc · 1h ago
Wild that some random used a security hole to try and counter the malicious actions actively lol
bombcar · 1h ago
This has happened a number of times that I remember - one was a worm/exploit that would patch the hole.
robotnikman · 1h ago
I remember reading about 5 or so years ago that the FBI was doing exactly this to counter the EternalBlue exploit (I might be getting the exploit name wrong)
bobson381 · 1h ago
This was awesome. People are surprising.
lawlessone · 30m ago
If you are the dev, I think you need to add an option to mirror the fish drawing.

I can draw a fish facing left, but for some reason it's very difficult to draw one facing right.

busymom0 · 3m ago
Can't you just draw facing left and then flip it horizontally?
jmull · 1h ago
On the allure of vibe coding the author says,

> It is really fun to just have high velocity, and it is really fun to not do code reviews and to just push stuff.

Was slurfish fun?

Looks like if you don't like doing deep and thorough code reviews, LLM-generated code is not for you.

As the author concludes, "...LLMs are a tool. They let you generate a lot of code really fast...it is up to you to review it"

ofrzeta · 1h ago
I am sure someone somewhere works on making LLMs commit code. Aside from that it was great witnessing the site in action and reading the postmortem. I wonder how the "hacker" made the connection to the user account on neopets.com, but maybe they just tried something like "ahallak"?
comrade1234 · 1h ago
I wish there were some screenshots of the vandalism.

Here in Zurich there's a mural of maybe twenty dinosaurs (not accurate but something that looks like it would be in a children's book). One day someone drew a dick on every single dinosaur. Even the flying pterodactyl had a big dick hanging off of him. It was so puerile and primitive it cracked everyone up that saw it. No tags. No football club graffiti. Just dicks everywhere. Thankfully the mural was repaired pretty quickly.

morkalork · 18s ago
There's a screenshot of a certain site in the footnotes of the blog and if you visit it, you can probably find some screenshots in the 30-something page thread about OP's game.
kergonath · 1h ago
That was quite something. Thanks for all the fish. Also for posting this.