The argument here is that the AI is a glorified input page. The input field asks for your username and email and sends it to a backend function. Such an input page is working as intended.
The problem is when the backend function doesn't verify that the email matches the username.
Why on earth would the backend function even take an email?
Or perhaps said different: use the submitted info to identify the account; send any sensitive messages (recovery codes, password resets whatever) to only the contact info on file. If the chat bot can send such email it should do so via an API that sends only to contact info on file for the associated account and not to an email that's provided by the bot.
> Why on earth would the backend function even take an email?
In principle, it could be designed to do so to handle cases where a new email address has been confirmed out of band, e.g. for an account representing a company or a political office. But that's a relatively unusual situation, not something you'd want to be available to every user writing in. (Even if you had an all-human support department, this sort of functionality would only be available to a select few agents.)
Some sites do this to prevent password recovery spam; you need to provide two pieces of information. Ideally not telling the client if they wrote the wrong email, that'd be a security issue of its own.
If the backend function was so poorly coded to allow such a gargantuan security hole, then it is an even worse problem. Basically Meta is throwing its own engineers under the bus so that its AI chatbot can save face. Scary stuff.
Unless the backend was _also_ vibe-coded, in which case it is still an AI problem.
Okay, I hear you. I do. From a technical viewpoint, that may very well be how their systems are implemented. But this still doesn't answer the question of why the fuck this matters to these states' AGs and the people they represent.
They're incentivised because they're offering plans at a loss and/or pricing out potential customers. All these LLM companies are competing on accuracy and price.
I think we're more like car mechanics in a lot of ways. The same way they might learn cars by working on their own, we learn computers. But I suppose that's still background of a sort.
> Such skull-and-dagger behavior by the tech elite is going to provoke a backlash by non-technical people who don't like to be manipulated. You can't tug on the levers of power indefinitely before it starts to annoy other people in your democratic society.
This article is from 2016; now it doesn't feel like backlash is strictly a function of manipulation.
> any grant program would need to be “aligned with administration policies and priorities.”
From a naive perspective, this sounds a lot like the breeding ground for Lysenkoism (Stalin-approved). In that example, aligning science to the party line led to a couple of famines. I say naive because there were other factors at play (e.g. it was forbidden to criticize Lysenko's theories).
The industry, on average, approves of responsible disclosure because there's a tacit agreement that making risk-proof software isn't feasible. Though admittedly some companies don't seem to be trying very hard anymore.
It's not a dichotomy either, they can both have put the customers at risk.
My reply is that no, that's not why they're pleasant. If that were the only criteria, we could conclude Python is only as pleasant as Forth.
reply