The video is 15 minutes long and at the four-second mark flashes a screenshot from Zoolander, in which the protagonist unveils the “Center for Kids Who Can’t Read Good.”
It also features a punchy techno backing track while wasting the reviewer’s time with approximately 14 minutes of inactivity.
Should have had a single tone growing in volume and intensity
The best would be to have recorded audio that slowly goes down in volume, with the tone at full blast at the end
Should have been an AI generated voice narrating the issue showing the words on the screen with Minecraft gameplay as background.
Idiocracy is now
Honestly, I would encourage any researcher who gets a brush-off response like this as a response to a real and meaningful security report to lean even harder into malicious compliance. Simply post it to TikTok or Instagram or whatever - and I am intentionally picking the pervasive platforms that I despise and find problematic, simply because they have the largest user bases. If it’s “not a problem”, they shouldn’t mind if how-to videos explaining how to elicit the “not problematic” behavior start going viral.
That wouldn’t get you paid though.
They’re not going to pay you if they classify it as “not a problem”. And you get what you pay for.
Using stupid programs, doing stupid bug reporting.
Leave Microsoft alone. Let it rot with Tesla, Nintendo, 3dfx, NSDAP and other shitty organizations.
3dfx, haven’t heard of them for a long time, good old voodoo card
If you have a Voodoo card laying around, it might be worth some money. They were used in some coin-op arcade games.
Is there a video version of this article?
The most likely explanation for requesting a video is to weed out low quality AI-generated “vulnerability” submissions that hallucinate code that doesn’t compile or APIs that don’t exist. In that context a 1 minute video showing that the report is viable is not much to ask for.
I can understand if the reporter is new, or unknown, maybe submitting a lot of videos at once. The guy from the article is a vulnerability expert that’s been working in that role at Carnegie Mellon Software Engineering Institute’s CERT Coordination Center since 2004. I think he gets a pass on the “submitting fake reports for internet clout” front.
Maybe in some cases. But I’ve been requested by Google support to provide a video for a very simple and clear issue we were having. We have a contract with them and we personally brought up the issue to a Google employee during a call. There was no concern of AI generated bullshit, but they still wouldn’t respond without a video. So maybe there’s more to this trend than what you’re theorizing.
Have you considered that you may be a hallucinating AI yourself?.. Quick, try drawing a full glass of wine!
I cant beleive google would be so shitty to its paying customers! Can you provide video of this interaction?
Removed by mod
You can excuse the genocides of uyghurs and tibetans but misspellings are unforgivable huh?
Your illiteracy is a fact, unlike your wild, politically motivated claims.
Probably so they can have an AI Agent watch the video and do the thing or some bullshit
AI agent would process text much easier…
But they need to look busy! Chug along the video!
Set up a potato phone camera on a tripod to record the screen 😂
You need to include videos of Subway surfers and Family Guy funny moments on the sides of the report, and a compilation of satisfying videos in the background
I understand that this bug probably didn’t need a video to be actioned, but if it is a 1 minute repro, it isn’t really a huge ask for you to screen cap it. Making a 15 minute troll video isn’t exactly heroic malicious compliance.
Years ago, I was de facto tech lead on a project. Every time a weird issue came up with the closed-system third-party development environment we were using, it fell to me to figure out what was causing it and file a bug report. It took time to figure out what was going on, narrow down the possibilities, get it to reliably reproduce, then word the bug report so that it was clear what the issue was - and this was on top of my regular duties.
I remember figuring out that if your SQL statement was 683 characters long, you were fine, but if it was any longer than that, the program would crash. I filed a bug report saying exactly that and giving the error message that got generated.
They came back and said they didn’t understand the bug report or how to reproduce it. I said, “Write a 683-character SQL statement. The program will run. Add one random space-character anywhere; the program will crash.” As far as I was concerned, this wasn’t my problem, and I was fully tired of finding and reporting bugs on their shitty platform (our customer had locked us into it).
They came whining back, "Oh, but that’s soooo haaarddd … " I’m like, “It’s not. Just write SELECT X, X, X [etc] until you have 683 characters,” (especially true because I had no idea what their database structure looked like) but they kept whining. Eventually they just came straight-out and said, “We need you to send us the entire failing module [because we can’t be arsed to do our own job, tyvm].”
My manager talked me down from the email I wanted to send back and told me to just strip everything else out. Which I did, but it took me like a day and a half to strip it back to something that had enough to reproduce the error without giving things away. I sent them the 683-character version and said, “Run this. Then add a random space anywhere in the SQL statement and it’ll die. This is your job and you’re not even my company, you figure it out from here.”
Then they had the nerve to come whining back, “Oh, we don’t understand what to add to the SQL statement or whe-ere. Pweas pweas pweas send us a non-working copy as well!” I’m like, “ADD. A. SPACE. ANYWHERE.” We went through a couple rounds of that, then my manager told me to add the space and send it to them so they (the people who developed this entire platform we were working on) could figure out the issue.
Steaming, I sent the second file. Since I had now done their entire diagnose-and-reproduce job for them, they graciously consented to open up a bug report.
We found multiple bugs like this. If you press the Save button it works fine, but if you use Ctrl-S it sometimes crashes [why are you using two separate Save routines?!?!]. They didn’t left-pad the time call to the operating system (which they said they did), so any program run before 10am had a chance of randomly crashing - that kind of thing. Probably half my overtime was figuring out their bugs so my developers could actually write code.
ISTG, after all the repeated time, stress and effort their shitty product cost me, if they’d insisted “Oh, we can’t do anything without a video showing us how to do our effing job” - well, they’d have been lucky to get a 15-minute troll video because I’d’ve vented two years of anger and frustration with their product and their customer “support” into that video.
I’ve had an antagonistic relationship with a vendor like this, it’s awful. In my case the vendor was supposed to be a fast moving tech startup - the only thing that moved fast there was the revolving door of engineering talent coming and going.
Even worse, my boss had been convinced by their founder that he had all this pull with the company, and since the company was super cool, that made him super cool, and I dunno if you’ve ever tried to criticize something that has made a middle aged nerd feel cool for the first time in his life, but let’s just say it was not a fruitful endeavor.
The number of things I effectively fixed for them via email, the abominations I had to construct to work around the things they refused or failed to fix…bad times.
Oh god, the comments I put in the code, explaining what I was doing and why, and how to test that the product had been fixed before changing my code, because I just knew some junior codebro was going to come in and think, “I should clean this code up!” and they’d have no idea why it wasn’t working anymore …
Thank you for your comments.
Nothing irritates me more than walls of code without any comments and the “cOdE sHoUld bE sElf-DoCuMenTiNg” attitude. No, it’s impossible to describe complex industry-specific processes by naming your variables and functions nicely.
Old comment by now, but you’re a lovely engineer for that and I, for one, appreciate you lol
Lol - longest necro I’ve had was someone who came back with a comment like three and a half years later, so you’re fine! And thank you for the compliment! :)
That’s horrendous.
My company supports businesses where any issue that prevents them from completing a task could cost them millions if their operations need to stop. We get super vague bug reports, yet we usually turn around a fix in a day or two.
I just don’t understand how a company could be so blasé about a clear bug report that they’re willing to go back and forth like that.
“vendor lockin”
Once a company has you by the balls, they will fire everyone competent and hire interns for maintenance and support.
Just askin’, this company wasn’t called something like Microstrategy, no?
It rhymed with Smoracle. Which is really ironic because you’d think that’s the ONE company that would (a) understand how to write a SQL statement, and (b) get really effing concerned when a simple database query broke their product.
It seems from the description that the length of the request is stored there in 11 bits, hell knows why, so a max of 2046 (682*3; 683*3 = 2049 if starting from 1), and one symbol takes an increment of 3, hell knows why.
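The comment above guesses that the crash comes from a request length stored in an 11-bit field with 3 bytes per character. That is a guess about a closed product, not something the thread confirms, but the bug class it describes (a length silently truncated when it is stored in a narrow field) is real and easy to show. The following is an added example, not code from the article or from any vendor: it assumes an 11-bit length field and 3 bytes per character purely to mirror the comment’s arithmetic, and puts a truncating encoder next to one that checks the full-width value before storing it.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions taken from the comment's guess, not from any real product. */
#define MAX_LEN_11BIT  2047u   /* largest value an 11-bit field can hold */
#define BYTES_PER_CHAR 3u      /* hypothetical per-character width */

/* Hypothetical wire header: an 11-bit byte length packed with some flags. */
struct req_header {
    unsigned len   : 11;
    unsigned flags : 5;
};

/* Vulnerable form: the byte count is stored without checking that it fits.
 * Anything >= 2048 silently wraps, so 683 chars (2049 bytes) is recorded as 1. */
unsigned encode_len_truncated(size_t nchars)
{
    struct req_header h = {0};
    h.len = (unsigned)(nchars * BYTES_PER_CHAR);  /* implicit truncation to 11 bits */
    return h.len;
}

/* Hardened form: compute the byte count at full width, reject it if it
 * cannot be represented, and only then store it. Returns 0 on success, -1 on
 * overflow (and leaves *out untouched in that case). */
int encode_len_checked(size_t nchars, unsigned *out)
{
    if (nchars > SIZE_MAX / BYTES_PER_CHAR)
        return -1;                           /* multiplication itself would overflow */
    size_t bytes = nchars * BYTES_PER_CHAR;
    if (bytes > MAX_LEN_11BIT)
        return -1;                           /* does not fit in the 11-bit field */
    *out = (unsigned)bytes;
    return 0;
}

int main(void)
{
    size_t probes[] = {682, 683};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned checked = 0;
        int rc = encode_len_checked(probes[i], &checked);
        printf("%zu chars: truncated len=%u, checked rc=%d len=%u\n",
               probes[i], encode_len_truncated(probes[i]), rc, checked);
    }
    return 0;
}
```

The truncating encoder reports 2046 for 682 characters and 1 for 683, which matches the cliff the story describes; the checked encoder refuses the 683-character input instead of emitting a header whose length field no longer describes the payload that follows it.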
That’s, ahem, yes, a pretty gross mistake for such rhyming companies, the kind only I am allowed to make.
Oh, cool! I never figured out why they had the 683/684-character limit thing, so it’s cool beans to you - thank you!
They ended up “fixing” the problem by increasing the character limit to 2048, which was nice.
Oracle doesn’t know how to write software. Only contracts and lawsuits.