Hacker News | Retr0id's comments

Looks like there's a serious security bug in their scope document.

If you read it carefully, you'll notice that the blog post misrepresents the AMD response.

The blog post title is "AMD won't fix", but the actual response that is quoted in the post doesn't actually say that! It doesn't say anything about will or won't fix, it just says "out of scope", and it's pretty reasonable to interpret this as "out of scope for receiving a bug bounty".

It's pretty careless wording on the part of whoever wrote the response and just invites this kind of PR disaster, but on the substance of the vulnerability it doesn't suggest a problem.


How's that? What do you think the purpose of a bug bounty is? If you think it's "to eradicate all bugs", no, very no.

I don't expect an unbounded scope but I do expect it to cover the big scary headline items like RCE. Additionally, this can be exploited without MitM if you combine with e.g. a DNS cache poisoning attack. And they can still fix it even if they're not willing to pay a bounty.

DNS poisoning is a MITM vector; in fact, it's the most popular MITM vector.

Really? I thought MitM was always intercepting/manipulating traffic from or to the victim.

What you wrote is the definition of MITM.

Op and others are saying DNS poisoning is a popular way of achieving that goal.


Oh you mean that it's a popular way of initiating the interception part of MitM, got it.

This is the place they direct researchers to report bugs. If they don’t want to pay out for MITM, that’s fine, but they should still be taking out-of-scope reports seriously

+1 Bounty aside, this deserves attention. I wouldn't want to award bounties for MitM either if I made it so easy. They closed the issue as 'out of scope'... with no mention of follow-up (or even the bounty we don't care about).

I'm skeptical to say the least. Industry standard has been to ignore MitM or certificates/signatures, not everything.


A bug bounty should motivate exploitable bugs to be reported so that they can be fixed. IMO, if it refuses to accept certain kinds of bugs that can still be exploited, it's not working properly.

A bug bounty directs internal engineering efforts. It can't eradicate bugs; that's not how bugs work.

I wasn't agreeing with your example.

Looks like these users are just missing glibc-devel or equivalent?

Naa, it looks like it's failing to include the standard system include directories. If you take them from gcc and pass them as -I, it'll compile.

Can confirm (on aarch64 host)

    $ ./target/release/ccc-arm -I /usr/include/ -I /usr/local/include/ -I /usr/lib/gcc/aarch64-redhat-linux/15/include/ -o hello hello.c 

    $ ./hello
    Hello from CCC!

Seems this non-artificial intelligence model is just too limited to understand the concept of an include path.

It’s machine specific

Hmm, I didn't have to do that. https://i.imgur.com/OAEtgvr.png

But yeah, either way it just needs to know where to find the stdlib.


Probably depends on where your distro puts stuff by default, I think it has a few of the common include paths hardcoded.

Makes sense for the behavior.

Claude Town

The GenuineIotel thing fascinates me because I can't fully grasp how it could happen. I can imagine a physical defect causing a permanent wrong-bit in a specific piece of silicon, but it seems more widespread than that. Perhaps some kind of bug in the logic synthesis process?

It reminds me of the "overenthusiastic youtuber" presentation style, with jump cuts etc., just in written form. From its prevalence I can only assume that some audiences prefer it - I'd be more interested to know why that is.

or "reels" equivalent of an article

What does your function-hashing system offer over ghidra's built in FunctionID, or the bindiff plugin[0]?

[0] https://github.com/google/bindiff


Or better yet, the built-in Version Tracker, which is designed for porting markup to newer versions of binaries with several different heuristic tools for correlating functions that are the same due to e.g. the same data or function xrefs, and not purely off of identical function hashes...

Going off of only FunctionID will either have a lot of false positives or false negatives, depending on if you compute them masking out operands or not. If you mask out operands, then it says that "*param_1 = 4" and "*param_1 = 123" are the same hash. If you don't mask out operands, then it says that nearly all functions are different because your call displacements have shifted due to different code layout. That's why the built-in Version Tracker tool uses hashes for only one of the heuristics, and has other correlation heuristics to apply as well in addition.
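The trade-off described in the comment above, as an added example that is not part of the thread: a toy Python model of hash-only function matching, with and without operand masking. It is not Ghidra's FunctionID algorithm; the instruction listings, operand strings and function names are constructed for illustration.

```python
import hashlib

# Constructed toy listings: each instruction is (mnemonic, operands).
# Simplified model for illustration, not Ghidra's FunctionID implementation.
STORE_4 = [("mov", ("dword ptr [rdi]", "0x4")),
           ("call", ("rel32:+0x1f40",)), ("ret", ())]
# Same shape, different constant: "*param_1 = 123" instead of "*param_1 = 4".
STORE_123 = [("mov", ("dword ptr [rdi]", "0x7b")),
             ("call", ("rel32:+0x1f40",)), ("ret", ())]
# Same source as STORE_4, but the callee moved, so the call displacement changed.
STORE_4_RELINKED = [("mov", ("dword ptr [rdi]", "0x4")),
                    ("call", ("rel32:+0x2a10",)), ("ret", ())]


def function_hash(instructions, mask_operands):
    """Hash a listing; with masking, only mnemonics and operand counts count."""
    h = hashlib.sha256()
    for mnemonic, operands in instructions:
        h.update(mnemonic.encode() + b"\x00")
        if mask_operands:
            h.update(str(len(operands)).encode())
        else:
            for op in operands:
                h.update(op.encode() + b"\x01")
        h.update(b"\x02")
    return h.hexdigest()


def same(a, b, mask_operands):
    return function_hash(a, mask_operands) == function_hash(b, mask_operands)


def tradeoff():
    """Return which pairs a hash-only correlator would treat as one function."""
    return {
        # Masked: different constants collide (false positive).
        "masked_different_constants": same(STORE_4, STORE_123, True),
        "masked_relinked": same(STORE_4, STORE_4_RELINKED, True),
        "unmasked_different_constants": same(STORE_4, STORE_123, False),
        # Unmasked: identical logic misses after relinking (false negative).
        "unmasked_relinked": same(STORE_4, STORE_4_RELINKED, False),
    }


if __name__ == "__main__":
    for pair, matched in tradeoff().items():
        print(f"{pair}: {'match' if matched else 'no match'}")
```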



> Even the UK with our weird panic over Incredibly Specific Knives hasn't tried to do this kind of technical restriction to prevent people printing guns.

They haven't done this specific restriction, but there is a movement to make it illegal to possess the CAD files: https://bills.parliament.uk/bills/3877


The "Wait, what does “SQLite-compatible” actually mean?" subheading didn't answer my question to be honest. They're using (forked) libSQL under the hood - ok, cool. But how do I interface with it?

They don't elaborate, but apparently libSQL has an HTTP API called "Hrana": https://github.com/tursodatabase/libsql/blob/main/docs/HRANA... - if that's what they're exposing, wouldn't it make more sense to call it libSQL-compatible or something?


Marek from bunny.net here. To connect to Bunny Database you can use one of the SDKs (TS, Go, Rust, and .NET) or the HTTP endpoint which is documented here: https://docs.bunny.net/database/connect/sql-api

Yes, libSQL would fit better in that case. But all of it is marketing for better audience ;) (SQLite got x69 more searches than libSQL in Google).

Likewise. The main thing I change is enforcing separate address bar and search box. It takes a lot of configuring to make the address bar stop being "smart" (i.e. never send things I type there to a search engine even if they're not valid URLs), and I can't even remember what options I used to fix it.

Is it actually a success, or are people just talking about it a lot?

Kind of feels like many see "people are talking about it a lot" as the same thing as "success" in this and many other cases, which I'm maybe not sure I agree with.

As far as I can tell, since agents are using Moltbook, it's a success of sorts already, as in "has users", otherwise I'm not really sure what success looks like for a budding hivemind.


> As far as I can tell, since agents are using Moltbook, it's a success of sorts already, as in "has users", otherwise I'm not really sure what success looks like for a budding hivemind.

You're on Y Combinator? External investment, funding, IPO, sunset and martinis.


There's an implication that conversation -> there'll be an investor -> ??? -> profit

It feels like Clubhouse to me.
