CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

New submitter TronNerd82 writes: Linuxiac reports that the 6th alpha release of the COSMIC desktop environment has been released. The new alpha release includes zooming, desktop icon management, some new scaling options, and improved accessibility features. Also included in the release are a number of bug fixes.

These include, but are not limited to:
- Fixing a crash issue in Steam, and fixing certain issues for Radeon RX GPUs
- Fixing a bug that prevented icons from appearing in screenshots
- Adding a layer of polish to the COSMIC Files application by adding folder size metadata and preventing crashes

Also of note are a number of memory usage reductions across the board. COSMIC Alpha 6 also replaces the default font, changing from Fira Sans to Open Sans, with Noto Sans Mono as the default monospace font. Additional changes can be found in System76's official announcement.

This year's "State of Rust" survey was completed by 7,310 Rust developers. DevClass note some key findings: When asked about their biggest worries for Rust's future, 45.5 percent cited "not enough usage in the tech industry," up from 42.5 percent last year, just ahead of the 45.2 percent who cited complexity as a concern... Only 18.6 percent declared themselves "not worried," though this is a slight improvement on 17.8 percent in 2023...

Another question asks whether respondents are using Rust at work. 38.2 percent claimed to use it for most of their coding [up from 34% in 2023], and 13.4 percent a few times a week, accounting for just over half of responses. At the organization level there is a similar pattern. 45.5 percent of organizations represented by respondents make "non-trivial use of Rust," up from 38.7 percent last year.
More details from I Programmer: On the up are "Using Rust helps us achieve or goals", now 82% compared to 72% in 2022; "We're likely to use Rust again in the future", up 3% to 78%; and "Using Rust has been worth the cost of Adoption". Going down are "Adopting Rust has been challenging", now 34.5% compared to 38.5% in 2022; and "Overall adopting Rust has slowed down our team" down by over 2% to 7%.
"According to the survey, organizations primarily choose Rust for building correct and bug-free software (87.1%), performance characteristics (84.5%), security and safety properties (74.8%), and development enjoyment (71.2%)," writes The New Stack: Rust seems to be especially popular for creating server backends (53.4%), web and networking services, cloud technologies and WebAssembly, the report said. It also seems to be gaining more traction for embedded use cases... Regarding the preferred development environment, Linux remains the dominant development platform (73.7%).

However, although VS Code remains the leading editor, its usage dropped five percentage points, from 61.7% to 56.7%, but the Zed editor gained notable traction, from 0.7% to 8.9%. Also, "nine out of 10 Rust developers use the current stable version, suggesting strong confidence in the language's stability," the report said...

Overall, 82% of respondents report that Rust helped their company achieve its goals, and daily Rust usage increased to 53% (up four percentage points from 2023). When asked why they use Rust at work, 47% of respondents cited a need for precise control over their software, which is up from 37% when the question was asked two years ago.

Five days ago on Patch Tuesday, Microsoft released patch KB5051987 for Windows 11 version 24H2, writes the XDA Developers site.

But "As reported by Windows Latest and various communities like Reddit and Microsoft's help forum, many users have encountered a major issue..."

Some have reported that, in addition to File Explorer failing to launch, they're unable to open folders from the desktop, save Office files, or even download files. Clicking on a folder icon may display its subfolders, but the contents within remain inaccessible... Some users on Microsoft's help forum and Reddit have also reported that the KB5051987 patch fails to install entirely. The update gets stuck at a certain percentage for hours before eventually displaying an error code. While these are among the most widely reported issues, others have surfaced as well, including problems with Taskbar preview animations, the camera, and more.
"Microsoft keeps running into brick walls with the 2024 version of Windows 11," writes ZDNet. "Each new update designed to fix the outstanding bugs ends up introducing other problems..." Among the glitches resolved were ones that affected digital audio converters, USB audio drivers, USB cameras, and passkeys. The update also patched several security vulnerabilities, including some that were deemed critical....

Other glitches that may pop up include a stuttering mouse, an undetectable camera, .NET apps that cannot be installed inside the Windows Sandbox, and the Taskbar's new preview animation that does not work properly. You may also encounter other roadblocks. One person in the Windows Feedback Hub said that after installing the update, the battery life shows only 2.5 hours versus 6 hours previously. Another person found that the clipboard history no longer copies items from Microsoft Word...

Each annual Windows update can suffer from bugs, especially after being rolled out to millions of users. However, Windows 11 24H2 has been more problematic than usual. Since its official launch last October, the 2024 version has carried with it a host of known issues, many of which still haven't been resolved.

Leading AI models can fix broken code, but they're nowhere near ready to replace human software engineers, according to extensive testing [PDF] by OpenAI researchers. The company's latest study put AI models and systems through their paces on real-world programming tasks, with even the most advanced models solving only a quarter of typical engineering challenges.

The research team created a test called SWE-Lancer, drawing from 1,488 actual software fixes made to Expensify's codebase, representing $1 million worth of freelance engineering work. When faced with these everyday programming tasks, the best AI model â" Claude 3.5 Sonnet -- managed to complete just 26.2% of hands-on coding tasks and 44.9% of technical management decisions.

Though the AI systems proved adept at quickly finding relevant code sections, they stumbled when it came to understanding how different parts of software interact. The models often suggested surface-level fixes without grasping the deeper implications of their changes.

The research, to be sure, used a set of complex methodologies to test the AI coding abilities. Instead of relying on simplified programming puzzles, OpenAI's benchmark uses complete software engineering tasks that range from quick $50 bug fixes to complex $32,000 feature implementations. Each solution was verified through rigorous end-to-end testing that simulated real user interactions, the researchers said.

The Verge's Jay Peters reports: Square Enix has shut down the iOS version of Final Fantasy Crystal Chronicles and removed it from the App Store following an unfixable bug that blocked people from accessing content they had paid for. [...] The company says that if you made in-app purchases in January 2024 or later, you're eligible to request a refund by contacting Apple Support. Square Enix says that Final Fantasy Crystal Chronicles will continue to be supported on other platforms. The game is also available on Android, PlayStation, and Nintendo Switch. "The issue is due to changes made to the in-app purchases model," Square Enix says in a post. "Further investigation revealed that we are unable to completely fix the bug and implement the new changes, making it unlikely to resume service for the game." Square Enix says it started receiving reports on January 24th about the issue, which "extends to the full paid version of the game."

Software developer and prolific blogger Herman Ounapuu, writing in a blog post: I liked Ubuntu. For a very long time, it was the sensible default option. Around 2016, I used the Ubuntu GNOME flavor, and after they ditched the Unity desktop environment, GNOME became the default option.

I was really happy with it, both for work and personal computing needs. Estonian ID card software was also officially supported on Ubuntu, which made Ubuntu a good choice for family members.

But then something changed. Ounapuu recounts how Ubuntu's bi-annual long-term support releases consistently broke functionality, from minor interface glitches to catastrophic system failures that left computers unresponsive. His breaking point came after multiple problematic upgrades affecting family members' computers, including one that rendered a laptop completely unusable during an upgrade from Ubuntu 20.04 to 22.04. Another incident left a relative's system with broken Firefox shortcuts and duplicate status bar icons after updating Lubuntu 18.04.

Canonical's aggressive push of Snap packages has drawn particular criticism. The forced migration of system components from traditional Debian packages to Snaps resulted in compatibility issues, broken desktop shortcuts, and government ID card authentication failures. In one instance, he writes, a Snap-related bug in the GNOME desktop environment severely disrupted workplace productivity, requiring multiple system restarts to resolve. The author has since switched to Fedora, praising its implementation of Flatpak as a superior alternative to Snaps.

The Register's Dan Robinson reports: Google promised a decade of updates for its Chromebooks in 2023 to stop them being binned so soon after purchase, but many are still set to reach the end of the road sooner than later. The appliance-like laptop devices were introduced by megacorp in 2011, running its Linux-based ChromeOS platform. They have been produced by a number of hardware vendors and proven popular with buyers such as students, thanks to their relatively low pricing. The initial devices were designed for a three-year lifespan, or at least this was the length of time Google was prepared to issue automatic updates to add new features and security fixes for the onboard software.

Google has extended this Auto Update Expiration (AUE) date over the years, prompted by irate users who purchased a Chromebook only to find that it had just a year or two of software updates left if that particular model had been on the market for a while. The latest extension came in September 2023, when the company promised ten years of automatic updates, following pressure from the US-based Public Interest Research Group (PIRG). The advocacy organization had recommended this move in its Chromebook Churn report, which criticized the devices as not being designed to last.

PIRG celebrated its success at the time, claiming that Google's decision to extend support would "save millions of dollars and prevent tons of e-waste from being disposed of." But Google's move actually meant that only Chromebooks released from 2021 onward would automatically get ten years of updates, starting in 2024. For a subset of older devices, an administrator (or someone with admin privileges) can opt in to enable extended updates and receive the full ten years of support, a spokesperson for the company told us. This, according to PIRG, still leaves many models set to reach end of life this year, or over the next several years. "According to my research, at least 15 Chromebook models have already expired across most of the top manufacturers (Google, Acer, Dell, HP, Samsung, Asus, and Lenovo). Models released before 2021 don't have the guaranteed ten years of updates, so more devices will continue to expire each year," Stephanie Markowitz, a Designed to Last Campaign Associate at PIRG, told The Register.

"In general, end-of-support dates for consumer tech like laptops act as 'slow death' dates," according to Markowitz. "The devices won't necessarily lose function immediately, but without security updates and bug patches, the device will eventually become incompatible with the most up-to-date software, and the device itself will no longer be secure against malware and other issues."

A full ist of end-of-life dates for Chromebook models can be viewed here.

Zyxel customers are facing reboot loops, high CPU usage, and login issues after an update on Friday went awry. The only fix requires physical access and a Console/RS232 cable, as no remote recovery options are available. The Register reports: "We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," Zyxel's advisory reads. "The system LED may also flash. Please note this is not related to a CVE or security issue." "The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions."

The firewalls affected include USG Flex boxes and ATP Series devices running ZLD firmware versions -- installations that have active security licenses and dedicated signature updates enabled in on-premises/standalone mode. Those running on the Nebula platform, on USG Flex H (uOS), and those without valid security licenses are not affected.

Amid the ongoing Linux 6.14 kernel development cycle, Phoronix spotted a pull request for ACPI updates which "will allow for faster suspend and resume cycles on some systems."

Wikipedia defines ACPI as "an open standard that operating systems can use to discover and configure computer hardware components" for things like power management and putting unused hardware components to sleep. Phoronix reports: The ACPI change worth highlighting for Linux 6.14 is switching from msleep() to usleep_range() within the acpi_os_sleep() call in the kernel. This reduces spurious sleep time due to timer inaccuracy. Linux ACPI/PM maintainer Rafael Wysocki of Intel who authored this change noted that it could "spectacularly" reduce the duration of system suspend and resume transitions on some systems...

Rafael explained in the patch making the sleep change:

"The extra delay added by msleep() to the sleep time value passed to it can be significant, roughly between 1.5 ns on systems with HZ = 1000 and as much as 15 ms on systems with HZ = 100, which is hardly acceptable, at least for small sleep time values."
One 2022 bug report complained a Dell XPS 13 using Thunderbolt took "a full 8 seconds to suspend and a full 8 seconds to resume even though no physical devices are connected." In November an Intel engineer posted on the kernel mailing list that the fix gave a Dell XPS 13 a 42% improvement in kernel resume time (from 1943ms to 1127ms).

An anonymous reader quotes an op-ed from 404 Media's Jason Koebler: If it wasn't already obvious, the last 72 hours have made it crystal clear that it is urgent to build and mainstream alternative, decentralized social media platforms that are resistant to government censorship and control, are not owned by oligarchs and dominated by their algorithms, and in which users own their follower list and can port it elsewhere easily and without restriction. [...] Mastodon's ActivityPub and Bluesky's AT.Protocol have provided the base technology layer to make this possible, and have laid important groundwork over the last few years to decorporatize and decentralize the social internet.

The problem with decentralized social media platforms thus far is that their user base is minuscule compared to platforms like TikTok, Facebook, and Instagram, meaning the cultural and political influence has lagged behind them. You also cannot directly monetize an audience on Bluesky or Mastodon -- which, to be clear, is a feature, not a bug -- but also means that the value proposition for an influencer who makes money through the TikTok creator program or a small business that makes money selling chewing gum on TikTok shop or a clothes brand that has figured out how to arbitrage Instagram ads to sell flannel shirts is not exactly clear. I am not advocating for decentralized social media to implement ads and creator payment programs. I'm just saying that many TikTok influencers were directing their collective hundreds of millions of fans to follow them to Instagram or YouTube, not a decentralized alternative.

This doesn't mean that the fediverse or that a decentralized Instagram or TikTok competitor that runs on the AT.Protocol is doomed. But there is a lot of work to do. There is development work that needs to be done (and is being done) to make decentralized protocols easier to join and use and more interoperable with each other. And there is a massive education and recruitment challenge required to get the masses to not just try out decentralized platforms but to earnestly use them. Bluesky's growing user base and rise as a legitimately impressive platform that one can post to without feeling like it's going into the void is a massive step forward, and proof that it is possible to build thriving alternative platforms. The fact that Meta recently blocked links to a decentralized Instagram alternative shows that big tech sees these platforms, potentially, as a real threat. "This is all to say that it is possible to build alternatives to Elon Musk's X, Mark Zuckerberg's Instagram, and whatever TikTok will become," concludes Koebler. "It is happening, and it is necessary. The richest, most powerful people in the world have all aligned themselves and their platforms with Donald Trump. But their platforms' relevance and importance doesn't necessarily have to last forever. A different way is possible, if we build it."

Further reading: 'The Tech Oligarchy Arrives' (The Atlantic)

U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely-used enterprise VPN appliance has been exploited to compromise the networks of its corporate customers. From a report: Ivanti said on Wednesday that the critical-rated vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote-access VPN solution is "the most widely adopted SSL VPN by organizations of every size, across every major industry."

This is the latest exploited security vulnerability to target Ivanti's products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers. The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.

Meta's AI-generated social media profiles, which sparked controversy this week following comments by executive Connor Hayes about plans to expand AI characters across Facebook and Instagram, have largely failed to gain user engagement since their 2023 launch, 404 Media reported Friday.

The profiles, introduced at Meta's Connect event in September 2023, stopped posting content in April 2024 after widespread user disinterest, with 15 of the original 28 accounts already deleted, Meta spokesperson Liz Sweeney told 404 Media. The AI characters, including personas like "Liv," a Black queer mother, and "Grandpa Brian," a retired businessman, generated minimal engagement and were criticized for posting stereotypical content.

Washington Post columnist Karen Attiah reported that one AI profile admitted its purpose was "data collection and ad targeting." Meta is now removing these accounts after identifying a bug preventing users from blocking them, Sweeney said, adding that Hayes' recent Financial Times interview discussed future AI character plans rather than announcing new features.

NPR remembers when the world "prepared for the impending global meltdown" that might've been, on December 31, 1999 — and the possible bug known as Y2K: The Clinton administration said that preparing the U.S. for Y2K was probably "the single largest technology management challenge in history." The bug threatened a cascade of potential disruptions — blackouts, medical equipment failures, banks shutting down, travel screeching to a halt — if the systems and software that helped keep society functioning no longer knew what year it was... Computer specialist and grassroots organizer Paloma O'Riley compared the scale and urgency of Y2K prep to telling somebody to change out a rivet on the Golden Gate Bridge. Changing out just one rivet is simple, but "if you suddenly tell this person he now has to change out all the rivets on the bridge and he has only 24 hours to do it in — that's a problem," O'Riley told reporter Jason Beaubien in 1998....

The date switchover rattled a swath of vital tech, including Wall Street trading systems, power plants and tools used in air traffic control. The Federal Aviation Administration put its systems through stress tests and mock scenarios as 2000 drew closer. "Twenty-three million lines of code in the air traffic control system did seem a little more daunting, I will say, than I had probably anticipated," FAA Administrator Jane Garvey told NPR in 1998. Ultimately there were no systemwide aviation breakdowns, but airlines were put on a Y2K alert....

Some financial analysts remained skeptical Y2K would come and go with minimal disruption. But by November 1999 the Federal Reserve said it was confident the U.S. economy would weather the big switch. "Federal banking agencies have been visited and inspected. Every bank in the United States, which includes probably 9,000 to 10,000 institutions, over 99% received a satisfactory rating," Fed Board Governor Edward Kelley said at the time.
The article also remembers a California programmer who bought a mobile home, a propane generator, and a year's supply of dehydrated food. (They were also considering buying a handgun — and converting his bank savings into gold, silver, and cash.) And "Dozens of communities across the U.S. formed Y2K preparedness groups to stave off unnecessary panic..."

But the article concludes that "the aggressive planning and recalibration paid off. Humanity passed into the year 2000 without pandemonium..."

And "People like Jack Pentes of Charlotte, N.C., were left to figure out what to do with their emergency stockpiles."

After a four-year hiatus, 2025 will see the return of the International Obfuscated C Code Contest. Started in 1984 (and inspired partly by a bug in the classic Bourne shell), it's "the Internet's oldest contest," acording to their official social media account on Mastodon.

The contest enters its "pending" state today at 2024-12-29 23:58 UTC — meaning an opening date for submissions has been officially scheduled (for January 31st) as well as a closing date roughly eight weeks later on April 1st, 2025. That's according to the newly-released (proposed and tentative) rules and guidelines, listing contest goals like "show the importance of programming style, in an ironic way" and "stress C compilers with unusual code." And the contest's home page adds an additional goal: "to have fun with C!"

Excerpts from the official rules: Rule 0
Just as C starts at 0, so the IOCCC starts at rule 0. :-)

Rule 1
Your submission must be a complete program....

Rule 5
Your submission MUST not modify the content or filename of any part of your original submission including, but not limited to prog.c, the Makefile (that we create from your how to build instructions), as well as any data files you submit....

Rule 6
I am not a rule, I am a free(void *human);
while (!(ioccc(rule(you(are(number(6)))))) {
ha_ha_ha();
}

Rule 6 is clearly a reference to The Prisoner... (Some other rules are even sillier...) And the guidelines include their own jokes: You are in a maze of twisty guidelines, all different.

There are at least zero judges who think that Fideism has little or nothing to do with the IOCCC judging process....

We suggest that you avoid trying for the 'smallest self-replicating' source. The smallest, a zero byte entry, won in 1994.
And this weekend there was also a second announcement: After a 4 year effort by a number of people, with over 6168+ commits, the Great Fork Merge has been completed and the Official IOCCC web site has been updated! A significant number of improvements has been made to the IOCCC winning entries. A number of fixes and improvements involve the ability of reasonable modern Unix/Linux systems to be able to compile and even run them.
Thanks to long-time Slashdot reader — and C programmer — achowe for sharing the news.

Microsoft is warning that Windows 11 installations using USB or CD media created with October or November 2024 security updates may be unable to receive future security patches.

The bug affects version 24H2 installations made between October 8 and November 12, but does not impact systems updated through Windows Update or the Microsoft Update Catalog. Microsoft advised users to rebuild installation media using December 2024 patches while it works on a permanent fix for the issue, which primarily affects business and education environments.

An anonymous reader quotes a report from TechCrunch: GPS tracking firm Hapn is exposing the names of thousands of its customers due to a website bug, TechCrunch has learned. A security researcher alerted TechCrunch in late November to customer names and affiliations -- such as the name of their workplace -- spilling from one of Hapn's servers, which TechCrunch has seen.

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions and "loved ones." According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allows anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser. The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.

Meta has been fined around $263 million in the European Union for a Facebook security breach that affected millions of users which the company disclosed back in September 2018. From a report: The penalty, issued on Tuesday by Ireland's Data Protection Commission (DPC) -- enforcing the bloc's General Data Protection Regulation (GDPR) -- is far from being the largest GDPR fine Meta has been hit with since the regime came into force over five years ago but is notable for being a substantial sanction for a single security incident.

The breach it relates to dates back to July 2017 when Facebook, as the company was still known then, rolled out a video upload function that included a "View as" feature which let the user see their own Facebook page as it would be seen by another user. A bug in the design allowed users making use of the feature to invoke the video uploader in conjunction with Facebook's 'Happy Birthday Composer' facility to generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. They could then use the token to exploit the same combination of features on other accounts -- gaining unauthorized access to multiple users' profiles and data, per the DPC.

Google has announced an experimental AI-powered code agent called "Jules" that can automatically fix coding errors for developers. From a report: Jules was introduced today alongside Gemini 2.0, and uses the updated Google AI model to create multi-step plans to address issues, modify multiple files, and prepare pull requests for Python and Javascript coding tasks in GitHub workflows.

Microsoft introduced a similar experience for GitHub Copilot last year that can recognize and explain code, alongside recommending changes and fixing bugs. Jules will compete against Microsoft's offering, and also against tools like Cursor and even Claude and ChatGPT's coding abilities. Google's launch of a coding-focused AI assistant is no surprise -- CEO Sundar Pichai said in October that more than a quarter of all new code at the company is now generated by AI.

"Jules handles bug fixes and other time-consuming tasks while you focus on what you actually want to build," Google says in its blog post. "This effort is part of our long-term goal of building AI agents that are helpful in all domains, including coding."

An anonymous reader shares a report: Software vulnerability submissions generated by AI models have ushered in a "new era of slop security reports for open source" -- and the devs maintaining these projects wish bug hunters would rely less on results produced by machine learning assistants. Seth Larson, security developer-in-residence at the Python Software Foundation, raised the issue in a blog post last week, urging those reporting bugs not to use AI systems for bug hunting.

"Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects," he wrote, pointing to similar findings from the Curl project in January. "These reports appear at first glance to be potentially legitimate and thus require time to refute." Larson argued that low-quality reports should be treated as if they're malicious.

As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he's still confronted by "AI slop" -- and wasting his time arguing with a bug submitter who may be partially or entirely automated.