
> so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs, to "manage" your computer.

It does look like an intentional backdoor. The way ms is responding to it is even more suspicious.

Pretty funny since this defeats security on most corporate laptops, so impact is huge. You'd expect them to treat the reporter better and fix the issue fast...

I'm curious why they put it in, I'm not sure I understand the 'to "manage" your computer' note.

Microsoft should have no reason to put something like this in. So either they were forced or they had some engineers that did this on their own without any oversight.


The backdoor could be a bug, but I don't really understand how it happened.

The attack works by having an NTFS log get replayed against another partition than the one the log is stored on.

Sending the right signals to unlock Bitlocker in TPM-only mode is a necessity for recovery operations. Managing to replace the executable launched post verification is a plausible attack vector.

The weird thing is why it's possible to put the corrupting transactions on a different disk than the one being updated.

In theory I think it would be possible that it's a combination of "all recovery partitions share the same FS identifier and are verified before transaction playback" (it is a pre-packaged WIM file after all) and "the transaction log stores the FS identifier of the partition the changes are meant for", but in my opinion the latter part is a very weird architecture to choose.

If this is a backdoor, I appreciate how clever they were hiding it. If this is a bug, the person who discovered it probably has a whole lot more ready to publish.


The thing that made Nightmare think it was a backdoor is that the bug is only present in the recovery version of the DLLs, not the one built into the system, and not prior versions of Windows. It’s also for a file system feature that Microsoft hasn’t “touched” in ages and they consider fairly esoteric.

> The attack works by having an NTFS log get replayed against another partition than the one the log is stored on.

Obfuscated enough to pass internal reviews, sloppy enough to make it look like a bug.

Other reply makes it even more suspicious... the change is new in a subsystem that hasn't been updated in a long time and it's only present in recovery mode files.

Microsoft's handling of this also screams it's not a regular bug and they're likely investigating, or someone is trying to cover their ass.

What's even more troubling is that the fix would be a very simple/quick rollback of the change that introduced this... and that they haven't done that is interesting.


manage - meaning remove or disable your stuff and reinstate slopware.

I don't know how much fiddling around you may have done to make a win11 install local and secure, but if you don't get it right the first time, most often the next update will involve re-installation of bloatkrapp.

the in house usage is apparently to allow bypass of bitlocker by the winRE recovery environment.

this has been exploited for some time already, allowing malicious uses of trustedinstaller ACL.

I've had to deal with persistent installs using exactly this route, and a really nasty one will brick your machine if you don't knock out its components in proper sequence: pwning the trusted installer account, and disabling the viral recovery mechanism.


I find your comment a bit funny

> Try prompting Claude to fix an arbitrary code base better than someone who knows it, when you're a random non-technical person.

I've seen people employed working on some code bases that couldn't code at all.

> Try prompting Claude for legal advice and getting as good of results as Lawyer would if you're a layperson.

Some lawyers are downright incompetent and don't know what they're talking about / just want your money.

> Try prompting Claude for medical advice if you're not a doctor...

Some doctors are downright incompetent or malicious. You'd generally find that out by visiting another doctor and finding the previous diagnosis was bullshit and you lost time.

> AI is just going to speed run bringing out the best and worst in coworkers.

It does help people overall, the worst coworkers are probably going to still be there, just a bit better hidden.

The rest just have a new-age search engine to augment their capabilities.


> You'd generally find that out by visiting another doctor and finding the previous diagnosis was bullshit and you lost time.

To be fair the human body is immensely complex. Every specialist will look at everything through the lens of their field, as at the very least they can rule out some things this way.

I had a doctor judge that my tonsils needed to be removed, but for unrelated reasons I went to two others and both of them figured it's not as bad yet.

The difference between them was generational, as the first practiced an approach from 30 years ago, back when tonsils were indeed commonly removed.


I've seen doctors that:

1. Immediately said 'Cancer' to stomach issues on an old person. They just didn't care, another doctor resolved that.

2. Eye doctors that would not investigate anything and just prescribe eye glasses and would recommend local companies that they owned or had a stake in.

3. Fake gynecologists that did C-sections brutally without any experience.

4. Fake plastic surgeons with no experience just going by word of mouth, taking rich people's money.

5. Fertility doctors doing human egg-trafficking.

6. General doctors forcing appendectomy if under-18s came to the hospital with any stomach complaints (they could not refuse, the doctor got money for the surgery).

Sure, human body is complex. That wasn't my point.


In what context did you witness all these cases?

It's one thing to know these cases exist because they have all been reported in the news, or to have made a note of them through separate and unrelated word-of-mouth interactions, but one person having direct experience of all these cases is unusual for a civilian (i.e. non-medical or healthcare professional).


3 would be either direct, or friends/relatives with experience where I got involved to help; the other 3 would be through news and incidentally knowing some people.

> but one person having direct experience of all these cases is unusual for a civilian

Sure, still, I have a lot more indirect stories, I just stopped at those 6.


Where I'm from half of these points mean actual jail time for the physician attempting them, most of the rest (like kickbacks) result in standing in front of an ethics committee.

ai good cos some ppl bad.

I've been calling it the "AI argument from misanthropy" but that's way more succinct. Thanks.

What really drives me crazy is how laden it is with negative emotions, and then people pretend it's just a rational assessment of the world. I was told growing up that if you're anxious or negative, it's just because you are smart and you understand how terrible everything is, while stupid people are happy. Seems like a lot of people got a similar message, and now they're shilling AI.


AI good cos vastly better than most people at most verbal tasks.

Those low quality lawyers and doctors are still vastly more capable than a layperson at verifying AI output

Those low quality lawyers/doctors still won't care enough to help the layperson.

So for the layperson, the AI output is still useful. They'll know to search for a different lawyer/doctor.

Tool just brings more knowledge to regular people.

It's like discovering search engine 20+ years ago.


The whole point is that the layperson is not classically trained to know right from wrong which is the entire thesis of knowledge share. Even post doctorate students are required to have their work peer reviewed. It’s why anthropic and OpenAI put disclaimers below their chat prompts

Recently someone I know came up with a statement "AI is like opening borders, like abolishing visas."

I think it's very perceptive and you can even view reactions to AI through that lens. Somehow both, the "immigrants" are taking our jobs but they are way worse than all of us at them. And the people from outside any given domain (art, coding, law) that advent of AI suddenly let into it, marvel at this land of opportunities, empowerment and self-reliance that used to be outside of their reach before that.


> Those low quality lawyers/doctors still won't care enough to help the layperson.

I had a pediatrician who I regarded as generally low quality until she correctly identified scarlet fever in my child, while AI and a doctor in training we knew didn't.


> who I regarded as generally low quality

how did you come up with this assessment


From the source article linked in other comments which is a nice read:

> Different sections of the encyclical have very different rates of apparent AI usage. This indicates to me that some cardinals used AI assistance for this encyclical and many (probably including Pope Leo himself) don’t.

So... no, the Pope did not and was never in question...

The main post is a very poor article in the 'we're just asking questions' style with clickbait title.

I would even say main post is an AI generated summary


> What's the defense? Intelligent screening of incoming messages so that the threat never reaches the blackmail target? I imagine they'll find an unprotected channel.

Same defenses that are used against fraud and other crime.

criminal prosecution of the blackmailers AND the services used to generate the pictures.

This is effectively child porn... so penalties would be pretty harsh.

There are extradition treaties to most of the world, so unless the blackmailers are in China/Russia they will end up in jail.

That same thing played out with piracy with people extradited to the US from various countries


I just looked it up and according to Wikipedia distributing child porn is a crime in both, and possession is a crime in China. Blackmail is a crime in both too. So even if they do not extradite the blackmailers they are likely to face jail under their own laws.

I'm seeing the exact opposite on a large C++ project.

I have friends at other companies with similar projects, they say the same thing.

It's like we're living in different worlds.

Still, LLMs are nice for well defined small projects, microservices, tools and research.


Noticed different results from friends, we have similar projects and tools.

We're guessing it comes from organizational behavior (culture, governance, management, etc.), we work in diverse teams / regions / companies.


It's due to the jagged edge of AI experience. Because it's not deterministic the results don't play out deterministically (e.g. similar scenarios will have different and potentially drastically different results)


Or just when one person sees "great result", the other sees "garbage".


What tools have you tried? Are we talking Codex GPT 5.5 and Opus 4.7?

Would you say the project is well architected? Clear boundaries? Or ball of mud?

How large is large?

Are there AGENT.md files giving good information that helps LLMs get context when looking at a certain area of the code?

Is it all in one repo? multiple repos?

Are there good tests?

I feel like these are some of the many variables that can make a difference.

I work on a pretty large project/code base, written mostly in Go, and I have pretty positive experience with LLMs. I take on fairly small chunks, I review and understand the changes. I also use LLMs to explore options and prototype quickly. They're also very good at fixing bugs, failing tests etc.


> What tools have you tried? Are we talking Codex GPT 5.5 and Opus 4.7?

Yes, with generous budgets.

> They're also very good at fixing bugs,

Seeing the opposite here too, they are like eager juniors: 'oh the issue is here and here's a 5 page report why', and it's wrong... then you add more info and it goes to a different spot... repeat until you get tired and solve it yourself. It is useful as a rubber ducky I guess.

> I work on a pretty large project/code base, written mostly in Go, and I have pretty positive experience with LLMs. I take on fairly small chunks, I review and understand the changes.

Great that it's working for you, I'm just pointing out there's a massive disconnect.

I would assume your work can be done by a junior engineer without any prior knowledge (except LLM md files) with the same quality but less speed?

If yes, then great, perhaps that's where the disconnect is: complexity.

Also, if yes, which would be cheaper, a junior engineer or an LLM?


I would say much better than a junior without any prior knowledge. But definitely not a senior with knowledge. I.e. it needs guidance.

x200 the speed of a junior.

It's interesting how far our experiences differ. I have heard from people working on C/C++ code bases that it's more challenging and I haven't tried the LLMs in these domains.

I do see people getting results even internally. Sometimes it's about getting to learn the tool. It's really interesting how we have this mix of "this is garbage" and "this is really useful". From my end I don't think I'm making stuff up or looking through some rosy glasses and I've been coding for 30+ years.

EDIT: I should add that when I use AI I already have a "shape" in my head of what I'm trying to get done. It's not like I tell AI something vague (like a user level issue) and expect it to fully understand a huge code base (though sometimes that also works). If I have a race I might have a Go race detector goroutine dump. If I'm refactoring I know where the work needs to happen. If I have a test failure I know what test failed and I usually have some idea of where to start.

I'll also add the resulting AI assisted code is good. I review it as it is being written and if there are issues (either functional or stylistic) make adjustments. All our code gets reviewed and all has quite extensive tests. Again this is at above junior level.


Could you maybe explain in broad strokes what you are working on? I think it is very plausible that the disconnect is between people writing front ends/REST APIs vs people solving things like graphics.


In my case this is not simply "REST APIs". It is a fairly complex code base. Not trivial work. But the code base is fairly clean and so localized understanding can be sufficient for many tasks.


> Seeing the opposite here too, they are like eager juniors: 'oh the issue is here and here's a 5 page report why', and it's wrong... then you add more info and it goes to a different spot... repeat until you get tired and solve it yourself. It is useful as a rubber ducky I guess.

It's really amazing how different people have completely different experiences. I work on a massive code base and I thought AI would not be able to fix anything in at least a few years since the application is very complex and does not use well known frameworks. I was very wrong. In my experience, it fixes bugs better than I could, at least given a short time budget (which is always the case, if we spend too much time on each bug we just fix bugs slower than they get reported and we'd enter a death spiral).

I have worked on this code base for more than 10 years, touched every part of it, and I wrote large chunks of most systems, despite around 20 people working on it right now. Still, when I need to figure out something, now, I often ask AI as it is absolutely wonderful in understanding and explaining code, no matter how big the code base is. My team consists of 20 very senior developers, and I am their technical lead, so I think I know what I am talking about.

A junior would require at least 6 months of guidance to become productive in our code base, unfortunately, just because it's so big and it integrates with all sorts of external services, databases etc. I do understand that saying this is not really a flex, I would've actually preferred that my code base was so good even a junior developer could be immediately productive in it, but that's sadly just not the case. But perhaps, with the help of an AI tutor, that's actually possible now?!

If you think AI is at the level of a junior developer right now, I'm afraid you're kidding yourself.

In case you're wondering: we use Claude Code.


> given a short time budget (which is always the case, if we spend too much time on each bug we just fix bugs slower than they get reported and we'd enter a death spiral).

This is something I don't understand.

- If you have a bug, you need to fix it well, with a proper root cause.

- That way the bug never surfaces again and safeguards are added for that class of bugs.

- If done well over time it builds discipline and bugs only surface from new features or integrations.

I've never had an experience of a 'death spiral' that you mention.

> Still, when I need to figure out something, now, I often ask AI as it is absolutely wonderful in understanding and explaining code, no matter how big the code base is.

Sure, but you still dig into the code afterwards I assume, you don't blindly trust what the AI summarization tells you.

> If you think AI is at the level of a junior developer right now, I'm afraid you're kidding yourself.

It depends, small projects with well defined scope, yeah, it knocks them out of the park, what I'm working on, it's a bit disappointing, not for lack of trying.

Still, one other thing I'm noticing now... if my account were not anonymous I would likely need to think of possible repercussions for my 'lack of faith' and would probably post comments very similar to yours or not at all.

So I'll stop here.


> If you have a bug, you need to fix it well, with a proper root cause.

Can you spend 3 months fixing a bug and doing nothing else? You always have a time budget, whether you know it or not, even for your hobby projects. Do you not have users reporting bugs regularly? Any large product will have bugs, I see the biggest companies with the best engineers maintaining open source repositories with thousands of bugs, and the list just keeps growing. Internal products are even worse. All you need for your bug list to keep growing is one bug taking longer to fix than the rate at which bugs are reported.

> If done well over time it builds discipline and bugs only surface from new features or integrations.

Yes, and we have a whole lot of features coming out every release. We have a very large product. That's why we keep adding "bugs"! Not because we're fixing bugs that had already been badly fixed previously, if that's what you're thinking.

You've never seen a bug spiral? I must assume you're new to this industry. Bug spirals have killed many companies. It's very common to have code that's so bad no one can touch it without introducing lots of bugs. Fix one bug, 2 new bugs are introduced.

Luckily, where I work we have a lot of tests so it's rare that we have regressions, so the main cause of bugs is the new features, especially big ones as it's humanly impossible to properly review thoroughly enough that there's no bugs. That's where I think AI will help a lot - but we're still trying to figure out exactly how. Simply letting the AI review everything is not enough. And as I said before, humans just can't spot bugs to save their lives, me included.

> if my account were not anonymous I would likely need to think of possible repercussions for my 'lack of faith'

That's weird to hear, HN is about 50% AI enthusiasts, 50% AI skeptics, at least that's my impression.

I was skeptical until recently, but in the last few months of using Claude Code (and Copilot, but Copilot consistently performs worse), the LLM has become better than most humans IMO. I still write a bit of code by hand, though, simply because I can't help it and sometimes I know I can do things very fast anyway, so why burn LLM tokens on the thing. But sometimes I try to "correct" AI code just to learn later the AI was right (normally tests pick that up - we instruct the AI to write comprehensive tests, and it does it well... I normally review mostly the test code and less so the implementation). I am almost at a level where I believe not using LLMs to write code professionally is akin to not using static type systems: you're refusing to let the computer help you for no reason. It's not about faith, it's about using the tools that make our jobs easier and our output better. I know not everyone is there yet, but I definitely feel like I am.


> Can you spend 3 months fixing a bug and doing nothing else?

In what world would that be needed or accepted?

It generally takes 1-2 days to fix harder issues like race conditions/memory corruptions. Regular bugs are much faster. All fixed correctly without AI.

AI just goes on a random path every time and in general fails to find the root cause unless you tell it explicitly what it is...

> I was skeptical until recently, but in the last few months of using Claude Code (and Copilot, but Copilot consistently performs worse), the LLM has become better than most humans IMO

great that it's working on your end


That's a lot of "ifs" for something supposed to revolutionize the industry.


good, pensions should not go into companies where you have no control.

That's not an investment, it's a wealth transfer to original investors at a price they dictate.

without control you can get original founder deciding to build cybertrucks and associating your brand with nazis.

These should not be included in indexes either.


sometimes you write the feature and write it well so it's reusable.

imagine you have to implement a specific algorithm for a quantum computer.

There's no value in setting up AI to do the writing for you. That might be orders of magnitude harder than writing the algorithm directly.

For highly specialized one-off features, it doesn't always pay off.

On the other hand, if all you do are some generic items that AI can do well... then I'm not sure you're going to have a job long term, your prompts and automation will be useful for the new junior hires that will be specialized in using these and cost effective.


That feels true in theory, but in practice, we see the reverse for advanced projects where AI is helping us a lot. A decent chunk of our core IP falls into the bucket you're describing:

We have been building a GPU-accelerated graph investigation platform that has grown over 10+ years with fancy stuff all over the place - think accelerated query languages, layout kernels, distribution, etc. R&D-grade high performance engineering projects and kernels end up needing a lot of iterations to make a prototype and initial release. Likewise, they're more devilish to maintain when they need a small tweak later because of the sophistication and bus factor. Both phases benefit.

AI coding helps automate investigation, testing, measurement, patching, etc. The immediate effect is we can squeeze in many more experimental iterations with more fidelity and reach. Having an AI help automatically explore the design space and the details helps a LOT. And later, maintaining a wide surface area of code here that is delicate to touch and infrequently edited is traditionally stressful for teammates, and AI editing + AI-generated automation is helping destress that a LOT. We very much invest in upgrading our team, processes, and tooling here.


Alright, thank you! I need to re-evaluate then.


communism means taking everything from regular people to give to the elite.


Funnily enough capitalism is trying to do the exact same thing!

I guess communism was more efficient at doing it!

(bit tongue in cheek of course - I guess capitalism is better at pretending/leaving enough scraps for the masses so they don't notice as much)


Capitalism is just really good at telling people the reason they are poor is because they just don't work as hard as the elites


Yet people want to live in capitalist countries the most. Curious.


what other options do you have?

capitalism can work with, say, a 99% tax on estate on death. No trust funds. Tax on wealth above a certain point. Rule of law with sharp teeth. Proper investment in education. Proper anti-monopoly so all large corporations get broken up to avoid their power consolidation...

communism is dictatorship in disguise.

then you have old style feudalism with aristocracy.

anything else?


What are the top countries to live in the world?


you tell me


western/nordic europe, japan, singapore, usa, canada

All capitalist.


Source?

Or are you merely arguing that it means that in practice?

I'm sure if people want communism, they want the idealistic version.


> I'm sure if people want communism, they want the idealistic version.

That is what I mean. They don't want to live like the Soviets or Venezuelans or Cubans. They have a made-up idealistic version that is not real, never was and never will be.


what do you think?

now ask yourself, who are the true communists in the US?


Have you tried that?

I have yet to see a router that allows that forwarding unless explicitly configured. Still, I'm using mostly OpenWrt/OPNsense/MikroTik.

The default is to disallow/block forwarding packets from the public WAN to the private-range LAN.

An ISP can still inject packets on ports that NAT opens if it spoofs the source address/port, so your argument still has some validity.


Yup, repeatedly.

It's true that almost everything comes with a firewall rule that blocks new connections from the WAN to the LAN, so in practice these connections will be blocked on most things by default. But they come with this rule precisely because NAT doesn't do the job.


> Yup, repeatedly

Cool, me too :)

Anyway, the other side of the argument:

It is the default, and the default is secure. Users don't have to reason about it, they can assume it works; how doesn't matter, and they may lack the training/willingness to figure it out.

You can't say the same for IPv6 where the default is allow (have things changed? I haven't checked in a long time).


Of course you can say the same for v6. Blocking connections that go from WAN to LAN by default has the same effect on both protocol families. If you assume that having the appropriate firewall rule to do that is the default then inbound connections will also be blocked on v6 by default.

NAT contributes nothing to your security in this scenario, and instead makes it harder (not easier) to understand and reason about what your router is doing.


> If you assume that having the appropriate firewall rule to do that is the default

That's the thing, it's not the default. The default is a public IPv6 address for everyone and it's the user's duty to configure the firewall...

I could definitely set this up easily, someone like my parents or friends would ask me 'what's IPv6?'


Ah, okay. In that case v4 doesn't have a firewall by default either.

That's precisely why routers come configured with a firewall that blocks inbound connections from the WAN -- because the protocol itself doesn't have a firewall by default, and neither does NAT.
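An added illustration of the point made in this thread (not code from any commenter): a single nftables ruleset in which the inbound protection comes from a stateful forward policy that applies equally to IPv4 and IPv6, while NAT lives in a separate table that contributes nothing to that policy. The interface names `wan0` and `lan0` are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Dual-stack router ruleset: the "inet"
# family covers both IPv4 and IPv6, so one forward chain protects both.
# wan0 / lan0 are assumed placeholder interface names.

flush ruleset

table inet filter {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that the LAN initiated are let back in.
        # This is the connection-tracking rule that does the real work,
        # and it is the same rule for v4 and v6.
        ct state established,related accept

        # LAN hosts may open new connections towards the WAN.
        iifname "lan0" oifname "wan0" accept

        # New connections arriving from the WAN hit the chain policy (drop),
        # for both address families. A globally routable IPv6 address on a
        # LAN host is no more reachable through this chain than a NATed
        # IPv4 host is.
    }
}

# IPv4-only source NAT for outbound traffic. It is a separate table: removing
# it changes address translation, not the inbound policy above.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Loading this with `nft -f` on a Linux router gives IPv6 the same "inbound blocked unless the LAN asked for it" behaviour that commenters above attribute to NAT on IPv4.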


Would you like to live next to Chernobyl?

Even with current standards there are a lot of nuclear power plants running just fine.


> Would you like to live next to Chernobyl?

They weren't even acting as a power plant when they did that.

But yes, I'll take a 1% chance of another 30x30 mile exclusion zone for 100k fewer coal deaths. Even if I have to personally live near it.

> Even with current standards there are a lot of nuclear power plants running just fine.

We could have a lot more of them making power for half the price and still hold them to very safe standards.

And if we focused on what was important while keeping costs under control, we'd get extra safety benefits by affordably rebuilding or replacing plants that were built in the 70s and 80s.


Chernobyl affected a lot more than the exclusion zone, most of eastern Europe... cancer rates spiked because of it... and it could have been a lot worse.

Effects are long term, hence the question of whether you would live there now. What would happen if Paris or London or Berlin were contaminated? Would you still live there? Would you live in Chernobyl city now?

When a reactor can mess up a whole country/area long term you need to take all precautions.

In spite of this, there are reactors built with plans to extend (Romania with Cernavoda for example), but they cost a lot and take a long time to build, plus areas where they can be built are likely limited.

So it's not the standards that are the problem.


> cancer rates spiked

Still preferable to the amount of people killed by coal.

> what would happen if Paris or London or Berlin were contaminated?

You can avoid building adjacent to cities.

> would you live in Chernobyl city now?

Really? I go ahead and say I'll live next to it, so you move the goalpost to living in it?

Screw it. Fine. If it will get a lot of large nuclear plants built outside Asia, I'll trade a promise to live inside any disaster zone caused by not only them but any other plant built in the West this century. Is that good enough for you? Chernobyl itself was not an example of modern nuclear power and I'm not going there.

> When a reactor can mess up a whole country/area long term you need to take all precautions.

Even setting aside the issue of being so cautious you cause harm in other ways, a lot of the precautions don't affect the odds of a big disaster!

> So it's not the standards that are the problem.

There's so much nitpicking on an individual plant basis, so I think they are a big problem.

I didn't see how "there are reactors built with plans to expand" is supposed to show that standards aren't driving the cost?

