this post was submitted on 17 Mar 2025

344 points (98.9% liked)

Technology

66831 readers

5007 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

344

Microsoft wouldn't look at a bug report without a video. Researcher maliciously complied. (go.theregister.com)

submitted 1 day ago by [email protected] to c/[email protected]

66 comments fedilink hide all child comments

(page 2) 17 comments

sorted by: hot top controversial new old

[–] [email protected] 131 points 1 day ago* (last edited 1 day ago) (4 children)

The video is 15 minutes long and at the four-second mark flashes a screenshot from Zoolander, in which the protagonist unveils the "Center for Kids Who Can't Read Good."

It also features a punchy techno backing track while wasting the reviewer's time with approximately 14 minutes of inactivity.

load more comments (4 replies)

[–] [email protected] 15 points 1 day ago (2 children)

The most likely explanation for requesting a video is to weed out low quality AI-generated "vulnerability" submissions that hallucinate code that doesn't compile or APIs that don't exist. In that context a 1 minute video showing that the report is viable is not much to ask for.

[–] [email protected] 32 points 1 day ago (5 children)

Maybe in some cases. But I've been requested by Google support to provide a video for a very simple and clear issue we were having. We have a contract with them and we personally brought up the issue to a Google employee during a call. There was no concern of AI generated bullshit, but they still wouldn't respond without a video. So maybe there's more to this trend than what you're theorizing.

load more comments (5 replies)

[–] [email protected] 56 points 1 day ago (1 children)

I can understand if the reporter is new, or unknown, maybe submitting a lot of videos at once. The guy from the article is a vulnerability expert that's been working in that role at Carnegie Mellon Software Engineering Institute's CERT Coordination Center since 2004. I think he gets a pass on the "submitting fake reports for internet clout" front.

load more comments (1 replies)

[–] [email protected] 2 points 1 day ago

Set up a potato phone camera on a tripod to record the screen 😂

[–] [email protected] 70 points 1 day ago (3 children)

Honestly, I would encourage any researcher who gets a brush-off response like this as a response to a real and meaningful security report to lean even harder into malicious compliance. Simply post it to TikTok or Instagram or whatever - and I am intentionally picking the pervasive platforms that I despise and find problematic, simply because they have the largest user bases. If it’s “not a problem”, they shouldn’t mind if how-to videos explaining how to elicit the “not problematic” behavior start going viral.

[–] [email protected] 5 points 1 day ago

A definite opportunity for a Loops video

load more comments (2 replies)

[+] [email protected] -10 points 1 day ago (3 children)

I understand that this bug probably didn't need a video to be actioned, but if it is a 1 minute repro, it isn't really a huge ask for you to screen cap it. Making a 15 minute troll video isn't exactly heroic malicious compliance.

[–] [email protected] 52 points 1 day ago (6 children)

Years ago, I was de facto tech lead on a project. Every time a weird issue came up with the closed-system third-party development environment we were using, it fell to me to figure out what was causing it and file a bug report. It took time to figure out what was going on, narrow down the possibilities, get it to reliably reproduce, then word the bug report so that it was clear what the issue was - and this was on top of my regular duties.

I remember figuring out that if your SQL statement was 683 characters long, you were fine, but if it was any longer than that, the program would crash. I filed a bug report saying exactly that and giving the error message that got generated.

They came back and said they didn't understand the bug report or how to reproduce it. I said, "Write a 683-character SQL statement. The program will run. Add one random space-character anywhere; the program will crash." As far as I was concerned, this wasn't my problem, and I was fully tired of finding and reporting bugs on their shitty platform (our customer had locked us into it).

They came whining back, "Oh, but that's soooo haaarddd ... " I'm like, "It's not. Just write SELECT X, X, X [etc] until you have 683 characters," (especially true because I had no idea what their database structure looked like) but they kept whining. Eventually they just came straight-out and said, "We need you to send us the entire failing module [because we can't be arsed to do our own job, tyvm]."

My manager talked me down from the email I wanted to send back and told me to just strip everything else out. Which I did, but it took me like a day and a half to strip it back to something that had enough to reproduce the error without giving things away. I sent them the 683-character version and said, "Run this. Then add a random space anywhere in the SQL statement and it'll die. This is your job and you're not even my company, you figure it out from here."

Then they had the nerve to come whining back, "Oh, we don't understand what to add to the SQL statement or whe-ere. Pweas pweas pweas send us a non-working copy as well!" I'm like, ADD. A. SPACE. ANYWHERE." We went through a couple rounds of that, then my manager told me to add the space and send it to them so they (the people who developed this entire platform we were working on) could figure out the issue.

Steaming, I sent the second file. Since I had now done their entire diagnose-and-reproduce job for them, they graciously consented to open up a bug report.

We found multiple bugs like this. If you press the Save button it works fine but if you use Ctl-S it sometimes crashed [why are you using two separate Save routines?!?!]. They didn't left-pad the time call to the operating system (which they said they did), so any program run before 10am had a chance of randomly crashing - that kind of thing. Probably half my overtime was figuring out their bugs so my developers could actually write code.

ISTG, after all the repeated time, stress and effort their shitty product cost me, if they'd insisted "Oh, we can't do anything without a video showing us how to do our effing job" - well, they'd have been lucky to get a 15-minute troll video because I'd've vented two years of anger and frustration with their product and their customer "support" into that video.

[–] [email protected] 4 points 1 day ago (4 children)

Just askin', this company wasn't called something like Microstrategy, no?

load more comments (4 replies)

load more comments (5 replies)

load more comments (2 replies)

[–] [email protected] 150 points 1 day ago (4 children)

I have heard from friend that teach in higher end that students are struggling more and more with getting information from text. It seems those students have now found there way into the work force.

[–] [email protected] 126 points 1 day ago (5 children)

bruh i know people in their 40s making 6 figures that couldn’t read an error message if it would save ten generations of their family.

[–] [email protected] 8 points 1 day ago

Savage

load more comments (4 replies)

[–] [email protected] 61 points 1 day ago (17 children)

But video is so damn annoying. If you wanna copy-paste something from the video, you're fucked unless you pause and type each character by hand. I don't get it.

But then again I'm not a zoomer.

load more comments (17 replies)

[–] [email protected] 44 points 1 day ago

got to submit those bugreports as tiktok dances

load more comments (1 replies)

[–] [email protected] 24 points 1 day ago (1 children)

Using stupid programs, doing stupid bugreporting.

Leave Microsoft alone. Let it rot with Tesla, Nintendo, 3dfx, NSDAP and other shitty organizations.

[–] [email protected] 14 points 1 day ago* (last edited 1 day ago) (1 children)

3dfx, haven't heard of them for a long time, good old voodoo card

load more comments (1 replies)

load more comments