Posts by ecarlseen

Today: 0day RCE in Windows 11 Notepad.

No, that's not an article in The Onion.

That's real. A 0day RCE, CVSS 8.8, in fucking Notepad.

This should be literally impossible, but, nah, it's Microsoft, whose only innovations are in finding new and exciting was to fuck up stuff that should be bulletproof.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Continuous Release

"Pushing beta testing onto our user base didn't save us enough money, so let's push alpha testing onto them as well."

So is this an Interview or Press Release?

What is very, very briefly mentioned in passing in this well-buried lede is that, oh, yeah, Vishal Sikka just happens to now run a company that sells these companion bots:

“So we do that in our product Hila. We combine the LLM with a knowledge model for a particular domain and then, after that, Hila does not make mistakes.”

If their product genuinely does not make mistakes in a reliable and generalized sense, I think that it would be much bigger news that this.

Presenting an article as the Words of Wisdom from a well-seasoned greybeard when it's actually a completely uncritical sales pitch is, indeed, biting the hand that feeds IT.

Most investors understand curves, not tech.

They expect AI to follow previous curves for technological advancement, but those previous curves were built on very solid, deterministic foundations. Yes, there were growing pains at the leading edge of development, but the underpinnings were sound (when the web came out, we knew how to do TCP/IP, encryption, file storage, databases, etc. and we were already really good at all of that).

LLMs are probablistic to begin with, which is its own form of engineering hell, but nothing is solid or stable. Stuff is being built on a foundation of sand, and we barely understand the behavior of this sand in the immediate sense, let along the long-term.

Therefore, I don't expect the same exponential improvement curves we saw with previous major tech changes. Improvement will still happen, but it will be far bumpier and more uneven, and probably even move backwards significantly at certain points.

Obvious reaction:

Checking to make sure there are no Dow chemical processing facilities near my city.

Creating a language / toolchain is the ultimate in cherry-picking

Honestly, is there any topic in computer science that has been more heavily researched, written about, examples created, real-world polish applied with excruciating care over decades, in academia, business, and in the hobbyist / open source world, than language and compiler design?

There is ~75 years of thoroughly-documented history here.

As a topic for an LLM to crunch on, this is absolute cheat mode compared to pretty much any other meaningful product-size project.

If somebody uses AI in this manner, at this scale, to create a work product that can be used by a meaningful number of real people in the real world doing valuable things, then I will be genuinely impressed and amazed.

Don't get me wrong: this is still a very cool trick, but it's a trick with no real-world value (at least for now) and is not even close to being generally reproducible.

Core uncertainty.

To me, the core probablem is that we can do some cool stuff with AI, but we’re not yet to the point where we can just grind or death-march or brute-force compute our way to generally useful, reliable AI.

There are still fundamental breakthroughs needed on the software architecture side and on the hardware side. There are some cool concepts being developed in the hardware space. There might be similar things happening on the software side, but people are less chatty about the nuts and bolts of the bleeding edge there.

Right now, AI is a concept that will revolutionize the world, eventually,

Just like great battery tech (maybe cracked by Donut, time will tell), practical fusion energy, etc. The last 5% to 10% of the work takes 99+% of the time.

You can never predict when fundemental breakthroughs will happen. Took decades for blue LEDs. Lots of money came and went, and it turned out that the one guy who refused to give up eventually got it after spending a significant portion of his life chasing it. That guy should never be allowed to buy his own meals and drinks.

But AI is the same. I'm sure it will happen. Maybe next week. Maybe in 50 years. Nobody really knows.

But they're going to sell it to us / force it down our throats as best they can anyway.

Totally misunderstood that

I popped over to PostHog's website to read the blog post and for a moment I thought the hack was about replacing the UI on their site with the most godawful abortion imaginable but then realized they somehow decided inflict this on their visitors deliberately. Perhaps some sort of hazing ritual or reverse psychology sales technique?

The irony.

mfw DDoS prevention vendor DoS-es itself.

Blame it on AI

Layoffs due to an economy strangled by politicians and bureaucrats? Blame AI

Price hikes due to whatever? Blame AI

Bad weather on a weekend? Blame AI

It doesn't have to be open to the Internet...

...if an attacker has virtually any sort of presence inside of their network. Typically there are fairly few restrictions with regards to what kinds of systems can talk to WSUS. Traveling laptops with VPN connections, anyone?

Government-mandated remote device bricking vulnerability.

Can you imagine the headaches created with how easily-abused such a system would be?

Social-engineer a phone company or police department to kill somebody's phone, for fun and profit.

How difficult would it be to take two seconds, consider "Gee, how could miscreants abuse such a system?", and then weigh the potential cost/benefits? (this is a rhetorical question)

Also, even if you lock out a phone's IMEI it can probably still be used in mobile bot farms.

Cisco's quality has been tanking for many years.

I used to be a very loyal Cisco customer and, while their hardware is still above average (not as good as it used to be) and they have a wonderful product portfolio breadth, their software has become garbage: bug-ridden / broken features, unstable, and frequently insecure. It sucks for customers because they were once a great one-source vendor for all of your networking and some security needs, but now I aggressively get rid of them when I can. Stability and security issues more than outweigh any benefits.

Make Phishing Great Again!

Now their users (I refuse to use Alphabet products, and you can too!) won't just have to worry about phishing attacks agains themselves, but against their friends as well!

Also, passkeys are in no way whatsoever tied to devices - they often sync via password managers and can be stolen just like passwords can. They're marginally better than a username/password combination in that they can't as easily be fooled by a similar domain name, but that's it.

Simple solution

When the government bails out a large corporation due to its own negligence, the c-suite and board of directors go to prison until the bailout is repaid.

Sounds familiar

Meanwhile, another recent study from nonprofit research group Model Evaluation & Threat Research (METR) found that AI coding tools actually made software developers slower, despite expectations to the contrary, because they had to spend time checking for and correcting errors made by the AI.

Now do offshoring development to 50-packs of cheap developers.

They're all sucking up to Trump ...

... so they can get their inevitable "too big to fail" government bailouts.

Has anybody created a script or application...

... that looks at the complexity of an Excel workbook in terms of average formula complexity and gives it a toxicity rating on a scale of “nauseating” to “nuke every city containing a datacenter where this abombination has been stored in or replicated to?’

They literally have two jobs.

You’d think that a communications company owned by a CRM company wouldn’t screw this one up, but nah.

"Pudu Robotics is a Chinese robot manufacturer with over 100,000 units in over 1,000 cities doing everything from serving meals with the cat-like BellaBot,"

ngl I read that way too fast and got the wrong idea at first.

Let's just smear our attack surface all over the Internet.

After all, it's perfectly secure in theory.

In practice, it's perfectly secure just as long as software doesn't have exploitable bugs.

OEM identified based on specs?

According to this post:

https://x.com/MaxWinebach/status/1934632952366764447

it appears to be a re-skinned Wingtech REVVL 7 Pro 5G (made in Chyyyyna, of course). The specifications seem to be a pretty exact match.

This is why we need to take the term "glassholes" and make it stick.

The sad thing about this:

I'd !@$# every last one of you in your sleep if it would get me an intern or new hire as capable from learning from a first mistake as this one was. First mistakes are a cost of doing business. The endless repetition by some people is a bit much.