Well the latter point may have more relevance, that a lot of embedded scenarios are like the Apple II scenario, never subjected to rigorous security review and largely banking on no one bothering to reverse engineer the closed source runtimes.

So this can shift the cost/benefit ratio to go look at some of those embedded applications and find ways to induce misbehavior. Depending on the scenario, the vendor is long gone or the design was never made to be field upgradeable. So you end up with known vulnerabil

There's a reason he cited Apple II as an example . You might be alarmed to learn how much legacy code - decades old - is still run on equally aged hardware in production . Perhaps not on Apple II, but a recent example I saw was a rack of PDP-9's still in control of machinery at an observatory.

So, for the open ended general purpose of a platform without the concept of privilege separation, you are right, and that's realistically where Apple II sits.

But what if you had a similarly loose platform but it's running a kiosk and that kiosk software is purportedly designed to keep the user on acceptable rails. Then finding a way to break that kiosk software might be significant.

So I'll grant that the concept *could* map to real-world concerns, given how wild west a lot of embedded applications have bee

There are two points to it:

1) It can find security issues in machine language

2) It even can do this for Apple II

I am always confused why people don't understand proof of concepts. If you get doom to run on your toaster, you are not looking for the best gaming platform, but are proving what you can do with the toaster hardware. If you find security bugs in Apple II binaries, you do not want to fix decades old software, but show that your tool understands decades old binaries. In practice you then apply your

> Security issues on an Apple II? It's difficult to imagine what kind of "security" they think is possible on an Apple II.

Malware could upload your Apple Writer and VisiCalc files using a modern. OS, application, and data files being on the same disk. :-)

Reminds me of an episode of Futurama where Fry runs into the room and breathlessly exclaims, "I got here as quickly as I could once I found out what happened a thousand years ago!"

Apple IIs are all highly secure, thanks to their built-in air-gap firewall!

No, it's busy making more of a mess of Windows 11.

I wonder if [1]Dr. Mark Russinovich [digiater.nl] himself would be interested if the AI could identify the differences between [2]Windows NT and Server [digiater.nl].

[1] https://www.digiater.nl/openvms/decus/vmslt97a/ntstuff/ntnodiff.html#idkern:~:text=was%20done%20by-,NT%20Internals%20expert,-Dr.%20Mark%20Russinovich

[2] https://www.digiater.nl/openvms/decus/vmslt97a/ntstuff/ntnodiff.html#idkern:~:text=NTS%20and%20NTW%3F-,Identical%20Kernels,-It%20turns%20out

Is Windows 11 a hot mess due to security vulnerabilities , or is it a hot mess due to the enshittification of the platform for the benefit of CoPilot? Such as removing Wordpad, making Notepad a complex Wordpad, making Paint less versatile,....?

On the other hand, who put Claude up to finding bugs in that Apple II? Mark Russinovich?

Win11 is too complex as that AI could fix anything in there. It can make things worse though. "Code Review" AI already already starts failing in more complex teaching examples.

What a ridiculous take.

Russinovich is 59 years old this year (2026). 40 years ago he was 19 years old and in high school.

Are you really criticizing someone who wrote code with a bug (or really, incomplete error handling) as a teenager? That may be one of the most "terminally online" comments I've ever seen. Check out the guy's Wikipedia page. He's done some neat stuff.

This was some little program a guy wrote at 20 years old that doesn't have any *real* reason to test for security (if you could run his code, you could just run whatever code you wanted anyway, it was a single user platform without any authentication or anything), and that should say anything one way or another about his capabilities as a 60 year old person?

You know, you usually have some really interesting things to say. I have you on my friend list so your comments get a +6 so I see what you have to say regardless of what people moderating think about your comments. I've been reading your journal entries for literally decades.

But, if I may paraphrase Bill Gates here, "this is the dumbest fucking thing I've read since I've been on Slashdot." You're suggesting that someone who hacked the BASIC interpreter on the Apple ][ forty years ago should have been usi

Indeed. Well said. The thing is a self-own, nothing else. Of course the AI fan idiots will not see it that way.

> I do not find it reassuring that a chief technology officer is pleased that he wasn't clever enough to write or test code correctly.

I was a shitty programmer once. So were you. So was every now-decent programmer, because being a shitty programmer and paying the price for making n00b mistakes is how one learns to becomes a good programmer. Nobody was born with the knowledge of how to apply all known best practices, and there's no shame in admitting it.

Not really. Claude is considered the best for coding and analysis. The others are not too bad either, but not quite as good as opus 4.6. So it's logical he'd use Claude for this personal experiment. If you think it's political you're adding that yourself. However it would be interesting to take the original apple ii buggy code and see if the other coding affects can find the same bugs.

I work for a Microsoft shop and use Copilot a lot. When I have a hard question, I use Claude Opus, otherwise ChatGPT is fine.

I think you can't beat Claude Opus at such tasks with other models currently. But that comes at a price. Literally.

> But take a step back and realize what that means. Less documentation. Less availability. Less general knowledge on how the platform works overall.

That's 100% backwards, except for the parts which are irrelevant, like availability. Being such an old processor there is more documentation, more commentary, it's very well known.

Think larger. What about binary obfuscation techniques? A LLM can read the machine language and collect facts without getting frustrated by all the reverse-engineering traps developers may have put in there and slowly gets to the core of what the thing does. Things may become quite interesting soon.

I was swayed by another comment in this discussion that points out that, for whatever reason, his example is an LLM analysis of a single routine manifested as 120 bytes of machine code. The choice to use something so utterly short is enough to perhaps re calibrate expectations for practical use. It did spot a couple of real issues but mostly buried the user in a list of "I know already" about how the general environment is not exactly credibly secure at all. 75% of the 'findings' were just "Hey, Apple II

> Less documentation. Less availability. Less general knowledge on how the platform works overall.

Yes, the little known 6502. What an [1]obscure device [wikipedia.org]. Only like five billion of them were produced, definitely not a lot of documentation or knowledge out there.

[1] https://en.wikipedia.org/wiki/MOS_Technology_6502

These are exactly the kind of questions that came to my mind too.

Russinovich's post offers scarce details on how it was done. I would be interested if the "AI decompiled" code was compared to actual disassembler output to verify accuracy (or if the model used some external disassembler tool for it? Shrug.)

Does it matter if it "decompiles" or reads the machine language without intermediate step (even though one might suspect some kind of decompiled representation in the latents then)?

The point is the thing had the machine code (I guess some hex representation of it?) and understood it and found a bug.

When I asked Claude Opus to disassemble the code and add comments, it did that, yes. I'd post it here (with comments) but it would trip the lame lameness filter. Ironic that posting code to slashdot is considered "junk."

That's kind of interesting to consider that the model is large enough to encode an assembler and disassembler in its parameter matrix.

> If that is the great proof of performance they have for their thing, I can only conclude it is a toy.

No need to conclude anything; try it for yourself. Take your best code, the code that you've been debugging and polishing for years, the code that you've shipped in a hundred releases already, the code that you've run through every static analyzer and runtime test-harness you could get your hands on to try and ferret out any bugs, to the point where all of them returned "no further issues found". Dump that codebase into Claude Code (or whatever AI you think it appropriate) and ask it to scan the codebase