Responding to bug bounty reports is a thankless job. Especially these days it's a flood of AI spam, language barriers, "pay me first", incomplete reports, huge egos, and people who think every find should be treated as a critical vulnerability. The people who handle these reports often do so after-hours or on holidays. In smaller companies they're also often the ones who manage the triage, patching, testing, and security release process. In larger companies they have to find owners for every line of code and convince those code owners of the severity (often knowing that neither or them will be rewarded for doing the work).
All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).
Microsoft needs to be completely transparent and to do so immediately. They should, with the reporters permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.
I had Claude code up a Slack bot so I could play any Z-machine game co-op with friends. We started up Zork 1, wandered the available map, made it to the cellar, walked north, and hit a room that was insta-death. We still haven't gotten back into it.
The absence of any explanation for the suspension does seem intentional. If it were me that's one of the first things I would've asked so that I could make sure it doesn't happen again.
The exploit they chose assumes ASLR is disabled for simplicity's sake, but if you read the full writeup they say they could've used the vulnerability to map memory layout. It's nice to have ASLR but some types of vulnerabilities can be used to bypass it.
I watched the talk as well and it's very interesting. But isn't this just a buffer overflow in the NFS client code? The way the LLM diagnosed the flaw, demonstrated the bug, and wrote an exploit is cool and all, but doesn't this still come down to the fact that the NFS client wasn't checking bounds before copying a bunch of data into a fixed length buffer? I'm not sure why this couldn't have been detected with static analysis.
I honestly think there's more going on here. It seems to be primarily the vain billionaires that are going off the deep end. I experimented with stimulants when I was young and I remember being shocked at how they changed my personality. I went from pretty stoic to wanting to fight people over the slightest perceived insult. I can't help but think these billionaires with their expensive implants, hair and skin treatments, blood boys, etc. are on some life-extending or performance enhancing stimulants that are affecting their state of mind.
Ironically, Trivy was the first known compromised package and its purpose is to scan container images to make sure they don't contain vulnerabilities. Kinda like the LLM in your scenario.
Kids aren't stupid. They'll just create another account when they're old enough to figure it out. They'll tell their friends how to do it and the rest of us will be stuck with these stupid prompts forever like it's a cookie banner.
Absolutely. They kinda brag about it now. But I think it was just the founders making multiple accounts. It sounds like the new Digg was worried about bots scaring people away from the site with thinly disguised ads.
One of the things I always disliked about the original Digg was their threading. The slashdot like feed where the oldest comments were at the top and there was only one level of replies tended to encourage the "first" comments and harmed the quality of the discussion. I was glad to see it use a reddit-like comment thread for the new site, but it also meant there wasn't much reason to use it over reddit.
I'm a bit surprised with Alexis' involvement they didn't anticipate the bot problem. Alexis left reddit several years ago but I'm sure he's still in touch with the folks who run the place. It would've been worth it to talk to them about the threats they currently face and how they deal with them.
DESQview was absolutely not crashy. I ran several different types of BBS software in it without issues. The "DESQview (or worse...)" comment raised the hair on the back of my neck. DESQview was revolutionary at the time and I was annoyed at having to use Windows many years later.
ASCII windows may not have been everyone's cup of tea but I loved it.