
ISTM this developer did people a favor: He’s shown a real-world vulnerability pattern in a way that didn’t do real harm.

Odds are he’s not the first to think of this, he absolutely won’t be the last. If your agents, CI/CD pipeline, or whatever are vulnerable to this, it’s time to fix that now before something truly nasty comes down the pike.


No. It’s not. It’s just that we’ve been conditioned to accept that disposable devices are the way of things.

This is wonderful. I grew up watching WKRP and wanted to be Doctor Johnny Fever when I grew up. Managed to work in radio for a few years part-time, but by then DJing was “here’s a program sheet. Play these songs, exactly” - not the dream of being a DJ doing their own programming. I also realized why Johnny was always broke.

Still, very cool, and a little jealous of the on-air staff that get to work there.


I am so happy that my local town has a non profit radio station where the DJs pick their own music. You never know what you are going to hear when you turn it on.


Um. I grew up watching WKRP. I’m in my mid-50s.


Lord. I pity the managers that are going to be worrying about their jobs sitting in 1:1s with people who are also looking for answers when there really aren’t any to give.


This doesn’t sound like they’ll be weaning off it, though: it’ll be cold turkey. That’s going to let wealth holders pick up more property at depressed prices and drive down wages.


If they’re hosting network services, sure. I wouldn’t put vibe-coded software outside a home network, ever. But it seems low risk if people are just creating their own desktop software: especially since it’s less likely to be vulnerable to widespread malware.

(Note: I’m not an LLM fan, don’t vibe code myself at all. But I would be unconcerned about security for the kind of things I would create if I did start doing so.)


But your browser will invite outside software into your network, to run on your machine. So you have to be up to speed with community knowledge.


“There is no poverty of information.”

Quite the opposite, in fact. But there’s a difference between the information being present somewhere, and a reasonable way to get that information in front of people in an actionable form.

We’re drowning in “information,” at present. But the mass media narratives that are most readily available distort things quite a bit for a lot of reasons. (Ratings, owner bias/interference, format.)


This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.


14.3 seems to come from some Red Hat-specific GCC version, which can be reported as "gcc (GCC) 14.3.1 20250617 (Red Hat 14.3.1-2)". See these random examples I found by googling:

https://github.com/anthropics/claude-code/issues/40741 (gcc version "Red Hat 14.3" included in system version at the bottom)

https://docs.oracle.com/en/database/oracle/tuxedo/22/otxig/s...


On the same line it says kernel version 6.12.0-124.45.1.el10_1. Which is RHEL 10. This is the kind of typo that humans make -- the hard to type numbers are accurate because they're cut and pasted, but the "easy" numbers have errors because they're not cut and pasted.


Ugh, sorry, should be fixed. There was some scrambling to get more info together to explain the issue (and yes, obviously marketing), so there are some minor mistakes. Thanks for pointing it out!


Hope the 'marketing' had the desired effect. This entire article of pure AI noise was an absolute slog to get through to get to useful information. I have no idea how you view that as positive advertising.


> obviously marketing

Why marketing though?


Because we're a company and we want to make money to continue to fund cool research, and help our customers secure their software :)


I don't quibble with your wanting to make money, but you also need to invest some resources on fact-checking, proofreading, and editing your work. You can hire technical writers and marketing copy editors on an hourly basis as needed. LLMs aren't good enough yet to produce high-quality output on their own; and the results tend to read similarly, loaded with clichés and identical turns of phrase.

(You're not alone in this, BTW; I don't mean to single you out.)


Resume-driven development


I would rather people who find this kind of stuff pad their resumes and get coolness points on HN than sell this exploit on the black market. But your priorities may be different and you might prefer they do the latter.


This is just a false dichotomy. Sure, researchers want money and credit, but not at the cost of harming users or doing illegal things.


yeah, I assumed the whole thing was AI slop when I saw EL14...


https://x.com/i/status/2049687923814281351

> and yes, RHEL 14.3 doesn't exist. We meant to say RHEL 10.1. Sorry for the confusion!




I have no idea about this page, but Theori/Xint has a staff of veterans, they are a serious thing.


The fact that they have no idea that RHEL 14, probably the most well-known enterprise distro, is not a thing, and yet they "directly verified on it", casts some doubt on seriousness.


Is it more likely they have no idea what version RHEL is on, or that it's just a typo?


I don't know what to tell you. I'm sure you have them dead to rights on Linux distro knowledge reliability, but the exploit here is real, and the vulnerability researchers they have on staff are also real. Xint is not generally a slop factory.

It's ironic that the one thing LLMs can't do reliably in this space is "write copy for humans" (I don't trust them for that either).


Honestly I feel like a coding agent review would have caught this issue. I guess if you want to vibe-code your branded CVE web site it's not a bad idea to at least mash /review at the end.

Kind of funny to do something impressive and then ignore the details on the presentation, but perhaps that's not uncommon for security researchers?


Dropping a public exploit on GitHub before distros have patches available isn't very cool, or is that just how veterans roll these days?


There is no one accepted set of norms on disclosure. Any strategy you take, someone will criticize.


I don’t know if “cool” is the word I’d use, but there isn’t an established “right” way to disclose a vulnerability that you found outside of a contracted security review or other employment/contracting arrangement.


mainline was patched a month ago


“I'd like to know how to avoid it.”

To paraphrase a popular quote from IBM: “Executives and MBAs can never be held accountable: therefore executives and MBAs must not be allowed to make decisions.”

Slightly less flippant: The only way to stop this is to stop letting companies like MSFT gobble up smaller companies. That doesn’t seem likely in the near future, though. Once the Borg assimilate something, it’s just a matter of time before it’s digested and drained of value.


The process is necessary for both sides. Acquisition by large companies is the primary way that people get rewarded for building good things. If you take it away, there won't be many startups left - all new developments will come from the big companies that can afford them, and only the types of developments those companies' managers want to make.


It's only "necessary" if one accepts that the current way is the only way.

I'm not really sure what the point of encouraging new development is if the end result is "big company scoops it up and makes it shitty, but people get to enjoy it for a few brief moments before that happens."

