Rendered at 08:15:45 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
sixtyj 2 days ago [-]
> The leak occurred when four Fields Medal laureate lecture fields, marked "HIDDEN," were discovered in the front-end code of the ICM 2026 official schedule.
So it was easier than I thought. Bot just scraped public page with hidden fields, not a secret page or to-be-published page from database.
bronson 2 days ago [-]
I'm tired of the framing in the media these days.
"Mythos will end the world!!"
"How?"
"By finding a bunch of wide open security holes that have existed for years."
Oookay. Is this a Mythos problem? Or a lazy/greedy/uncaring people problem?
Arainach 2 days ago [-]
On the one hand, news coverage is overblown.
But scale and accessibility are absolutely a new class of problem.
In the 1960s you could pay thousands of people to watch hundreds of cameras and listen to hundreds of phone lines to monitor people, but the cost was so enormous that unless you were in East Germany or Moscow it wasn't a realistic threat model.
Now with computers we can cheaply have thousands of cameras with cheap storage that's retained forever and automatic image processing that means everyone is exposed to that kind of surveillance, which is a brand new problem.
intrasight 2 days ago [-]
Storage is less cheap right now
I've often shared my prediction that future historians will study us all and that every living human will be the subject of someone's PhD thesis. I'm updating that prediction to be that those future someone's will be silicon based.
Arainach 5 hours ago [-]
Not by an order of magnitude.
Compared to "pay humans to watch hours of footage and take notes", $700 for a 16TB hard drive that will hold months of video footage is an absolute steal.
afarah1 2 days ago [-]
Yes but also as always a people problem. People put the cameras and monitoring systems in place and operate them, to govern other people who ultimately yield to be governed, as the alternative is made too costly / dangerous by the governors.
ben_w 2 days ago [-]
> as the alternative is made too costly / dangerous by the governors.
There's nothing government (corporate or political) has made "costly" or "dangerous" about not having them, society did that all by itself: people will actively pay more to have these things because they see the benefit more than the risk, video calls with friends and family, not a hacker being able to duplicate their keys from one photo.
There's 6 cameras on my desk right now, attached to internet-capable devices. Two phones, two laptops. I've got covers over all of them, which is easy, and sometimes mandatory e.g. when visiting the headquarters of certain big-tech firms.
I'd never buy a smart camera. Don't trust them not to spy on me. But I do have a Raspberry pi upstairs, with a NoIR camera module, and an AI-coded bit of webcam software. Might consider it for seeing what animal gets into the garden at night.
ApolloFortyNine 2 days ago [-]
Heartbleed, one of the worst bugs in terms of exploitability and reach, was a bug that many engineers would be able to spot, if they were explicitly looking for it.
That's the risk of tools like Mythos/Fable/any LLM. While a human's eyes would glaze over what looks like a standard memcpy, an LLM with the right context might instantly realize the payload length was never actually verified.
And since Heartbleed existed for years, despite the full bug existing in pretty much one file, in one of the most important libraries out there, it's right to be afraid of what other obvious bugs exist and are just waiting to be found.
ben_w 2 days ago [-]
> Oookay. Is this a Mythos problem? Or a lazy/greedy/uncaring people problem?
¿Porque no los dos?
All AI risk can be described with a narrative that ends in "some human were lazy and didn't care enough", it's just which humans and how much caring was enough.
joshspankit 2 days ago [-]
It’s systematic
“6-12 mo to shaky profitability + ability to quickly iterate” is a business that has a good chance of surviving while “However long it takes to be fully secure” is a business that is not only rigid but needs massive up-front capital to get there and even then there’s no guarantee that the market fit is right
And after that is something we could call the “Pareto spiral”: if a company find market fit and builds an excellent product, competitors can survive at 80% of that quality. If the “100%” fails for any reason, the competitors become the new ceiling and now their competitors can survive at 80% of that (now 64%)
And only one round in, how secure could that 64% company be?
cadamsdotcom 1 days ago [-]
Surely there's a competitive dynamic where if you really want to take down your competition you point your weaponized agent at their stuff and find some holes.
Seems given that the new security equilibrium baseline will settle much higher.
joshspankit 1 days ago [-]
This has always been true to some extent: some have used weaponized security tools against competitors. It comes with legal risks (as it does with AI) but overall it doesn’t really improve the security baseline unless those holes are made public
2 days ago [-]
afavour 2 days ago [-]
It’s still a problem we wouldn’t have without LLMs like Mythos existing. Yes, the solutions are different when you know the full context but “it’s just bad code” doesn’t mean there isn’t a problem.
dgellow 2 days ago [-]
The AI labs are 100% responsible for that framing
bdangubic 1 days ago [-]
If the prompt was “Who are 2026 Field Medal Winners” it is impressive regardless of the stupidity of people managing the website
toomuchtodo 2 days ago [-]
People want simple answers to complex problems. When you find out most of society is held together with duct tape, promises, and trust, and then you have tool accelerant come along like GenAI, expectations violently meet reality. GenAI simply democratized the ability to evidence, inexpensively and at scale, in a wide variety of contexts, that "The Emperor has no clothes."
edoceo 2 days ago [-]
I've been working on a site. It's new, domain is only a few weeks old. It's got SSL, so all the bots know it exists. It's never had any sub-pages exposed, just the placeholder lander, no links.
Somehow in Google search one of the unguessable pages is indexed. We have used Claude and Gemini to assist with some design aspects.
I'm thinking some aggressive data ingestion/indexing is happening by all the bots in the quest for frontier models.
resonious 2 days ago [-]
I've also seen Google indexing pages with random values in the path that don't get linked to statically (server asks for the URL then redirects to it immediately). I'm pretty sure they index straight out of the Chrome address bar.
st_goliath 2 days ago [-]
Yep. I remember a similar story as GP described from a friend back in 2008. The site he was working on that wasn't linked to yet was suddenly indexed after he checked out what it looked like in the fancy new "Chrome" browser that Google had just released, causing some moderate panic on his end.
Holy crap I hope that's not true. I've also had unguessable pages indexed, though, and don't have an explanation.
FabCH 2 days ago [-]
It’s absolutely true. It is a documented fact. It was discovered and entered into public record during the DOJ antitrust investigation into Google Chrome.
They call the signal „popularity“ and it is a successor of the Google Toolbar signal.
I'll take a wild guess and assume they are of a German or Polish language background. Wait 'til you encounter a French person who accidentally uses guillemets if you want one even «weirder».
This is why Chrome begs you to login constantly and will do it automatically when you login to Gmail through Chrome. Everything you do in the browser (bookmarks, settings, address bar) is data about you sent to Adsense. No need for cookies when you control the browser and know who is using it.
Edit: also private browsing isn’t exactly private when you’re logged in to the browser.
jacekm 2 days ago [-]
Chrome sends home the urls you visit together with the page performance data (and probably more). That's how they build Chrome User Experience Report (CrUX) for the most popular sites: https://developer.chrome.com/docs/crux
nicce 2 days ago [-]
Something worth inspecting further. We know that Chrome stores and sends the browsing history but this is an interesting vector.
DANmode 2 days ago [-]
I’d be more surprised if they weren’t capturing this information.
Especially if you have autocomplete-while-searching type of features on.
EGreg 2 days ago [-]
Why don’t they also capture information you enter into forms on Chrome?
They control the entire browser surface, technically they can know everything, even TLS and E2E encrypted data, that they silently phone home…
If you think this is silly, consider that Microsoft Recall had been observing everything on people’s entire SCREENS and phoning home much of it. That is how a guy was caught recently: https://x.com/t3chfalcon/status/2074134314145489195
The tools in gmail in some sense "read" all your mail in order to classify spam and do things like calendar integration. The extent to which they do other things with the information is .. unclear.
inigyou 2 days ago [-]
Because your bank doesn't send your password to your Gmail because if they did they know Google would read it.
applfanboysbgon 2 days ago [-]
> Why don’t they also read your gmail
Boy do I have news for you.
saghm 2 days ago [-]
Yeah, I thought it was pretty obvious that is literally the whole reason that Gmail even exists
2 days ago [-]
cynerx 2 days ago [-]
Are you using Cloudflare by any chance? I think the Crawler Hints setting [1] exposed some of my "secret" pages in the past.
There's a couple avenues besides just stealing what's in your URL bar.
If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs.
Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.
brookst 2 days ago [-]
For hosts, but not pages on the site.
But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.
basilikum 2 days ago [-]
> HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.
HSTS preload is not for speed. It's to protect against SSL stripping on first connection. Modern browsers already try port 443 first or in parallel with 80.
fragmede 2 days ago [-]
CT logs just explain how they found the domain. T doesn't explain how they could have found unlinked content on the domain itself. If I put up secret-example.com/asdf-1234567.html, how does that page get found if there are no public links to it?
pohuing 2 days ago [-]
True. I just assumed imprecise phrasing.
Google misusing chrome browser history as a hitlist for indexing sounds wild to me, so I tried to see if there's another way.
It also felt unlikely because there's multiple subdomains of mine that aren't indexed, and wildcards+no preload are the only precautions I've made myself for my private sites.
This might also be an EU vs rest of World thing, or my stuff isn't interesting enough to index(in retrospect the most likely reason I suppose)
Lomlioto 2 days ago [-]
Don't underestimate people not knowing were they share stuff by accident.
Creating Sitemaps, sharing it somewere public, putting the url in some 3th party service, server logs, some indirect path in javascript.
But if you never mention that url, it will not be found if not leaked by your server.
saghm 2 days ago [-]
> But if you never mention that url, it will not be found if not leaked by your server
That sounds like a claim that security through obscurity is infallible, which is dubious. Don't get me wrong, it can be a reasonable part of defense-in-depth strategy, but like, brute force attacks are kinda a well known thing, especially if your URLs aren't truly random...
f311a 2 days ago [-]
Google Chrome used to report visited pages back to Google, not sure if this still the case. Also, Google Analytics can see visited pages and Google uses it.
Finding domains is easy, everybody uses CTL to find them.
dreambigwrkhard 2 days ago [-]
Depending on the CMS, if it's wordpress (15% chance, ha) there is a sitemap function built-in out of the box. The bots don't need to guess.
edoceo 2 days ago [-]
No CMS, no sitemap, no robots.txt either.
dataviz1000 2 days ago [-]
The tin hat guess. Did you include Google analytics embedded in the pages? Do you navigate to pages and Google analytics sends that data home? 10 years ago I discovered that Google analytics would send the equivalent amount as organic users; meaning if we sent an email newsletter with links to articles, Google would send almost 1:1 ratio the same number of people from search results. They are tracking everything and using it for more than just reporting.
Do you use a CMS or other tools that auto generate sitemap.xml? Perhaps you unknowingly told Google about those sub-pages.
edoceo 2 days ago [-]
No GA, no external assets, no Google fonts. I really thought I was being careful.
VladVladikoff 2 days ago [-]
Google uses data from chrome. If you visited it with chrome, google knows it exists.
yread 2 days ago [-]
I have about 50 subdomains. One was used by a colleague who cant do his shoelaces without claude. That subdomain gets 10 times more spam and hacking attempts.
htek 2 days ago [-]
Nothing you enter into an LLM not hosted by you, or put onto the web is safe from being collected and exploited by these "AI" companies and their LLM's voracious appetite.
malwrar 2 days ago [-]
They log all DNS requests made to their public resolver in a searchable internal database, at least when I worked there a decade or so ago. I wonder if they seed their crawler with it?
Analemma_ 2 days ago [-]
DNS servers never see subpaths you request, only the domain itself, so that wouldn’t help with a hidden path. But there are lots of other ways to get it: caches/CDNs can leak paths, Chrome presumably sends Google a bunch of request details, and so on.
It’s a different story if it’s a subdomain though, OP wasn’t clear.
mirekrusin 2 days ago [-]
Isn't leaking browser extension used by one of people on the team (doesn't need to be developer, could be qa or anybody with whom the access was shared) more plausible?
phoghed 2 days ago [-]
You ISP also collects and sells data to companies like Moz, and possibly to Google too.
soblemprolver 2 days ago [-]
URL paths over https wouldn't be transparent to the ISP though, would they?
throw10920 2 days ago [-]
They would not - GP was probably bringing up something not directly relevant, but still related. (they should have clarified though)
edoceo 2 days ago [-]
What can I add? I know the domain could be found. But how did Google index a page that is example.com/$MD5.html - guessing 128bit numbers is hard.
I have visited that page from a signed-in Chrome profile.
throw10920 2 days ago [-]
Erm sorry when I said GP I meant of my comment - that is, phoghed's irrelevant comment about ISPs collecting data.
The information you mentioned is relevant. Unfortunately, it could be either Google/Chrome, or the LLM service you're using for development is misusing your data.
phoghed 1 days ago [-]
That assumes it was using it from the get go and every time, which might not be a safe assumption.
animex 2 days ago [-]
I've always wondered if Chrome leaks these URLs too.
NDlurker 2 days ago [-]
Hmm. Seems like this could be used for an ARG
2 days ago [-]
brador 2 days ago [-]
Chat programs catch links you send.
Also that browser setting to check urls are safe sends them out “sometimes“.
DonHopkins 2 days ago [-]
I've gotten unguessable hits in the logs because somebody who was authorized to use them had a virus that exfilterated their browser history.
Might have been an evil chrome extension, but ever since Google went IOK2BE ("It's OK to be Evil"), maybe it's just Chrome itself.
stavros 2 days ago [-]
It's indexed some unlisted draft blog posts of mine that were never touched by AI or published anywhere. I use a static site generator so there's no earthly way they ever found the pages by scraping, at most I visited the pages once or twice from my browser.
ashu1461 2 days ago [-]
Someone used Codex to scrape the ICM website schedule and discovered that the winners list was simply hidden in the front-end code with a "hidden" tag
This is on the devs and feels like a very basic leak which could have exploited in the non LLM world as well.
st_goliath 2 days ago [-]
Well, the angle is kind of important here. The company gets their name in the news, they have a reasonable explanation why they were scraping around, and we end up with a story about innovative tech company whiz-kids who made a funny discovery, while it was the webdevs on the other side that goofed up.
Imagine a private individual just scraped the website (or simply clicked 'view source') for no reason in particular and then told people about it... They'd be labeled an uber-haxxor, face a civil lawsuit asking for ridiculous damages while being threatened with a prison sentence over CFAA violations. Hell, that might even drive some people to suicide.
brookst 2 days ago [-]
The fact that an egregious case happened once, decades ago, is probably not sufficient grounding to act like every bit of equally trivial “hacking” always results in massively disproportionate law enforcement response.
Sucks it happened. But we all know that is not the typical scenario.
st_goliath 2 days ago [-]
> But we all know that is not the typical scenario.
Back in the day, you could read a stories on Slashdot practically every other week that usually went something like this: Company/institution does something stupid, somebody finds out, tries to be a good citizen and tells them. The organization then throws a tamper tantrum in the media, fires the legal department on all cylinders, screaming "hacker!" and throwing the book at them. The most egregious cases usually happened in the US, the CFAA happens to be a particularly strong book to throw.
People eventually got the hint and either talked to the press instead, or organizations like the CCC (at least in this part of the world) and let them deal with the organization and not talk to them directly.
At least in my perception/memory, it started improving over the 2010s, but stories like this are now starting to pop up again in recent years. I guess we have a new crop of computer enthusiasts who need to learn the same lessons again.
Of the top of my head, the CTF group in Malta comes to mind who gave a talk at (last years?) CCCongress. A badly worded E-mail asking about a bug bounty resulted in several arrests, house searches and ultimately a presidential pardon (https://timesofmalta.com/article/pardon-issued-students-lect...).
pixl97 2 days ago [-]
>But we all know that is not the typical scenario.
Eh, it's typical enough that most cyber security researchers are cautious. The laws around 'hacking' can be rather stupidly written while judges and juries aren't the smartest bunch.
Cycl0ps 2 days ago [-]
Unfortunately we don't have to imagine
"In early October, Renaud discovered that Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department..."
"Yet despite the fact that officials within the Missouri Department of Elementary and Secondary Education initially wanted to thank Renaud for uncovering the flaw... [Governer] Parson labeled the reporter a hacker and called for criminal prosecution."
Yeah that happens all the time. Anyone/thing with popular public releases has fans/journeys scraping the website looking for unreleased material or scoops.
In the early days one of the high profile soaps in the UK published their "catch up" summaries for the week ahead which you could get just by editing the date in the URL. But back then not so many people were looking, so they were doing it for months...
sigmar 2 days ago [-]
Most of what an LLM does "could have" been done by a human if you throw enough human hours at it. But the reality in this circumstance is that a new tool helped find this leak. Saying this could have happened in a "non LLM world" is analogous to "someone else could have discovered special relativity, let's not mention Einstein"
My point is about the emphasis of Codex in the title. That emphasis makes more sense when Codex is credited with finding something that would have been difficult or impractical to discover without substantial human effort.
efficax 2 days ago [-]
twist: codex also wrote the code that placed the winners list in a hidden element
really tacky of the finders to disclose the names.
2 days ago [-]
tw1984 2 days ago [-]
too bad that those winners can no longer bet themselves on polymarket as the winner and make big money.
crypttales 2 days ago [-]
The winners have known for a while; their families need visas to be at the ceremony, afterall
whalesalad 2 days ago [-]
This is like when a news site throws up a paywall and hides half the article. Open inspector. Select the body, delete the overflow/scroll capture styles, delete the masks... and boom there is the entire article. Only some sites are smart enough to actually truncate the content server-side.
picafrost 2 days ago [-]
> Hong Wang will become the third female mathematician in history to receive the Fields Medal
Interestingly, if true, it will also be the first time an MIT PhD graduate has won the Fields Medal.
micromacrofoot 2 days ago [-]
ai bots will have more privacy than we do
rurban 2 days ago [-]
It's Wang Hong, my god. Cannot they still don't write proper Chinese names?
So it was easier than I thought. Bot just scraped public page with hidden fields, not a secret page or to-be-published page from database.
"Mythos will end the world!!"
"How?"
"By finding a bunch of wide open security holes that have existed for years."
Oookay. Is this a Mythos problem? Or a lazy/greedy/uncaring people problem?
But scale and accessibility are absolutely a new class of problem.
In the 1960s you could pay thousands of people to watch hundreds of cameras and listen to hundreds of phone lines to monitor people, but the cost was so enormous that unless you were in East Germany or Moscow it wasn't a realistic threat model.
Now with computers we can cheaply have thousands of cameras with cheap storage that's retained forever and automatic image processing that means everyone is exposed to that kind of surveillance, which is a brand new problem.
I've often shared my prediction that future historians will study us all and that every living human will be the subject of someone's PhD thesis. I'm updating that prediction to be that those future someone's will be silicon based.
Compared to "pay humans to watch hours of footage and take notes", $700 for a 16TB hard drive that will hold months of video footage is an absolute steal.
There's nothing government (corporate or political) has made "costly" or "dangerous" about not having them, society did that all by itself: people will actively pay more to have these things because they see the benefit more than the risk, video calls with friends and family, not a hacker being able to duplicate their keys from one photo.
There's 6 cameras on my desk right now, attached to internet-capable devices. Two phones, two laptops. I've got covers over all of them, which is easy, and sometimes mandatory e.g. when visiting the headquarters of certain big-tech firms.
I'd never buy a smart camera. Don't trust them not to spy on me. But I do have a Raspberry pi upstairs, with a NoIR camera module, and an AI-coded bit of webcam software. Might consider it for seeing what animal gets into the garden at night.
That's the risk of tools like Mythos/Fable/any LLM. While a human's eyes would glaze over what looks like a standard memcpy, an LLM with the right context might instantly realize the payload length was never actually verified.
And since Heartbleed existed for years, despite the full bug existing in pretty much one file, in one of the most important libraries out there, it's right to be afraid of what other obvious bugs exist and are just waiting to be found.
¿Porque no los dos?
All AI risk can be described with a narrative that ends in "some human were lazy and didn't care enough", it's just which humans and how much caring was enough.
“6-12 mo to shaky profitability + ability to quickly iterate” is a business that has a good chance of surviving while “However long it takes to be fully secure” is a business that is not only rigid but needs massive up-front capital to get there and even then there’s no guarantee that the market fit is right
And after that is something we could call the “Pareto spiral”: if a company find market fit and builds an excellent product, competitors can survive at 80% of that quality. If the “100%” fails for any reason, the competitors become the new ceiling and now their competitors can survive at 80% of that (now 64%)
And only one round in, how secure could that 64% company be?
Seems given that the new security equilibrium baseline will settle much higher.
Somehow in Google search one of the unguessable pages is indexed. We have used Claude and Gemini to assist with some design aspects.
I'm thinking some aggressive data ingestion/indexing is happening by all the bots in the quest for frontier models.
They call the signal „popularity“ and it is a successor of the Google Toolbar signal.
https://www.justice.gov/opa/pr/department-justice-wins-signi...
Why are you using weird quotes?
Edit: also private browsing isn’t exactly private when you’re logged in to the browser.
Especially if you have autocomplete-while-searching type of features on.
They control the entire browser surface, technically they can know everything, even TLS and E2E encrypted data, that they silently phone home…
If you think this is silly, consider that Microsoft Recall had been observing everything on people’s entire SCREENS and phoning home much of it. That is how a guy was caught recently: https://x.com/t3chfalcon/status/2074134314145489195
And it is actually much worse than even that:
https://community.qbix.com/t/increasing-state-of-surveillanc...
For some reason people are downvoting you, but yea, one day we'll likely see a lawsuit where they do exactly that.
Especially in managed environments where it’s someone’s job to keep systems autonomously updated…
And maybe have access to EVERY site actually, with “forgot password” type stuff in addition to providing oauth tokens…
https://arstechnica.com/information-technology/2023/05/micro...
Boy do I have news for you.
[1] https://developers.cloudflare.com/cache/advanced-configurati...
If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs. Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.
But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.
HSTS preload is not for speed. It's to protect against SSL stripping on first connection. Modern browsers already try port 443 first or in parallel with 80.
Google misusing chrome browser history as a hitlist for indexing sounds wild to me, so I tried to see if there's another way.
It also felt unlikely because there's multiple subdomains of mine that aren't indexed, and wildcards+no preload are the only precautions I've made myself for my private sites.
This might also be an EU vs rest of World thing, or my stuff isn't interesting enough to index(in retrospect the most likely reason I suppose)
Creating Sitemaps, sharing it somewere public, putting the url in some 3th party service, server logs, some indirect path in javascript.
But if you never mention that url, it will not be found if not leaked by your server.
That sounds like a claim that security through obscurity is infallible, which is dubious. Don't get me wrong, it can be a reasonable part of defense-in-depth strategy, but like, brute force attacks are kinda a well known thing, especially if your URLs aren't truly random...
Finding domains is easy, everybody uses CTL to find them.
Do you use a CMS or other tools that auto generate sitemap.xml? Perhaps you unknowingly told Google about those sub-pages.
It’s a different story if it’s a subdomain though, OP wasn’t clear.
I have visited that page from a signed-in Chrome profile.
The information you mentioned is relevant. Unfortunately, it could be either Google/Chrome, or the LLM service you're using for development is misusing your data.
Also that browser setting to check urls are safe sends them out “sometimes“.
Might have been an evil chrome extension, but ever since Google went IOK2BE ("It's OK to be Evil"), maybe it's just Chrome itself.
This is on the devs and feels like a very basic leak which could have exploited in the non LLM world as well.
Imagine a private individual just scraped the website (or simply clicked 'view source') for no reason in particular and then told people about it... They'd be labeled an uber-haxxor, face a civil lawsuit asking for ridiculous damages while being threatened with a prison sentence over CFAA violations. Hell, that might even drive some people to suicide.
Sucks it happened. But we all know that is not the typical scenario.
Back in the day, you could read a stories on Slashdot practically every other week that usually went something like this: Company/institution does something stupid, somebody finds out, tries to be a good citizen and tells them. The organization then throws a tamper tantrum in the media, fires the legal department on all cylinders, screaming "hacker!" and throwing the book at them. The most egregious cases usually happened in the US, the CFAA happens to be a particularly strong book to throw.
People eventually got the hint and either talked to the press instead, or organizations like the CCC (at least in this part of the world) and let them deal with the organization and not talk to them directly.
At least in my perception/memory, it started improving over the 2010s, but stories like this are now starting to pop up again in recent years. I guess we have a new crop of computer enthusiasts who need to learn the same lessons again.
Of the top of my head, the CTF group in Malta comes to mind who gave a talk at (last years?) CCCongress. A badly worded E-mail asking about a bug bounty resulted in several arrests, house searches and ultimately a presidential pardon (https://timesofmalta.com/article/pardon-issued-students-lect...).
Eh, it's typical enough that most cyber security researchers are cautious. The laws around 'hacking' can be rather stupidly written while judges and juries aren't the smartest bunch.
"In early October, Renaud discovered that Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department..."
"Yet despite the fact that officials within the Missouri Department of Elementary and Secondary Education initially wanted to thank Renaud for uncovering the flaw... [Governer] Parson labeled the reporter a hacker and called for criminal prosecution."
https://missouriindependent.com/2022/02/11/prosecutor-isnt-p...
In the early days one of the high profile soaps in the UK published their "catch up" summaries for the week ahead which you could get just by editing the date in the URL. But back then not so many people were looking, so they were doing it for months...
https://news.ycombinator.com/item?id=48902814
See also
Zhihu (Chinese Reddit): https://www.zhihu.com/question/2060133066643879544/answer/20...
Reddit: https://www.reddit.com/r/math/comments/1urv4id/comment/oxak6...
Second, fitting that codex enters the picture.
The last time the fields medals were announced llms were still very nascent :)
And I am convinced this is the last time pure human fields medalists will be announced.
The next batch’s winners are all going to have llms as coauthors.
google translate link:
https://mp-weixin-qq-com.translate.goog/s/DPsMKToa_sbi_Nx3X1...
Interestingly, if true, it will also be the first time an MIT PhD graduate has won the Fields Medal.
Some Indian restaurants near me sell Aloo Saag, others sell Alu Sag.
Esp. in this case with Wang having a special meaning in China.
Such as waste of energy to argue on
Amusing to see someone complaining about not using their definition of "proper language" when they themselves are not using proper language.