I have no inside knowledge on this particular work, but their previous work on the OSS-fuzz targets and on Firefox were all excellent quality bug reports.

Seriously. Look them up.

They were all reproducible ways to trigger faults in ASan builds. That’s by definition memory corruption. We can argue about whether all of them are exploitable, but a) they need to get fixed regardless b) we know that even tiny memory corruptions can often be leveraged into a compromise given enough effort.

I know it’s cool to be blasé about AI stuff, but if there’s an area where the hype is warranted it’s computer security research.

I don’t want to look at AI “art” or read an AI generated “book”, but the exploits derived from an AI-enabled process work just as well as the organic version. And you don’t need a warehouse full of Eastern European zoomers and junk food to get them.

I’m worried about the tons of barely maintained software run by your average company. Most commercial software is made by relatively small outfits and is drowning technical debt. The only thing saving their customers is the effort of picking through it.

But now any loser with a decompiler and a $100 Claude sub can ruin a whole lot of people’s day.

Things will get better, but the near term is pretty fucked.

NATO is likely to muddle on until we have a genuine article five situation, and then we’ll see where we are. I’m not putting any money on it.