Still, it’s a bug that should be fixed.
Another example: if the user turns off "Turn on when Windows starts up" or whatever equivalent, this would also be a non-issue.
Even marriages can be extremely abusive...
The assumption that people on your friend's lists, Steam or anywhere (even just people in the same household) should be able to see your personal information, such as computer use, is a bananas assumption. It is an assumption that I'm pleased to say has failed privacy reviews at at least one company larger than Steam.
I have a number of friends who, for various social reasons, keep their Steam status as "Offline" so their friends don't know they're still logging in. If "Offline" can be bypassed, it ruins the point
The second thing I have to point out is that bug bounty programs are inundated with garbage from people who don't know anything about programming and just blindly trust whatever the LLM says. We even have the 'author' reproducing this blind reinforcement in the article: "Tested Jan 2026. Confirmed working."
The third thing I have to point out is that the response from Valve is not actually shown. We, the reader, are treated to an LLM-generated paraphrasal of something they may or may not have actually said.
Is it possible this issue is real and that Valve responded the way they did? Perhaps, but the article alone leaves me extremely skeptical based on past experiences with LLM-generated bug bounty reports.
Is your LLM detector on a hairtrigger? At best the headings seem like LLM, but the rest don't look LLM generated.
LLMs didn’t randomly invent their own unique style, they learned it from books. This is just how people write when they get slightly more literate than nowadays texting-era kids.
And these suspicions are in vain even if happen to be right this one time. LLMs are champions of copying styles, there is no problem asking one to slap Gen Z slang all over and finish the post with the phrase “I literally can’t! <sad-smiley>”. “Detecting LLMs” doesn’t get you ahead of LLMs, it only gets you ahead of the person using them. Why not appreciate example of concise and on-point self-expression and focus on usefulness of content?
- "This isn't just a "status" bug. It's a behavioral tracker."
- "It essentially xxxxx, making yyyyyy."
- As you mentioned, the headings
- A lack of compound sentences that don't use "x, but y" format.
This is clearly LLM generated text, maybe just lightly edited to remove some em dashes and stuff like that.
After you read code for a while, you start to figure out the "smell" of who wrote what code. It's the same for any other writing. I was literally reading a New Yorker article before this, and this is the first HN article I just opened today; the writing difference is jarring. It's very easy to smell LLM generated text after reading a few non-LLM articles.
Again, clearly? I can see how people might be tipped off at the blog post because of the headings (and apparently the it's not x, it's y pattern), but I can't see anything in the comments that would make me think it was "clearly" LLM-generated.
I would be surprised if responsible Valve staff would agree that this is not something they should fix at some point.
That was a typo on my side, should be "security".
>It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
For all intents and purposes getting your report marked as "informative" or whatever is the same as your report being rejected. To claim otherwise is just playing word games, like "it's not a bug, it's a feature". That's not to say that the OP is objectively correct that it's a security issue, but for the purposes of this argument what OP wrote (ie. 'Valve: "WontFix"' and Valve closed it as "Informative.") is approximately correct. If you contact a company to report a bug, and that company routes it to some third party support contractor (microsoft does this, I think), and the support contractor replies "not a bug, won't fix", it's fair to characterize that as "[company] rejected my bug report!", even if the person who did it was some third party contractor.
That is not what happened, though. You can contact Valve/Steam directly. They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
Certainly, public pressure is another way :)
I think raising that the raw Valve response wasn't provided is a valid, and correct, point to raise.
The problem is that that valid point is surrounding by what seems to be a character attack, based on little evidence, and that seemingly mirrors many of these "LLM witch-hunt" comments.
Should HN's guidelines be updated to directly call out this stuff as unconstructive? Pointing out the quality/facts of an article is one thing, calling out suspected tool usage without even evidence is quite another.
This will inevitably get abused to shut down dissent. When there's something people vehemently disagree with, detractors come out of the woodwork to nitpick every single flaw. Find one inconsistency in a blog post about Gaza/ICE/covid? Well all you need to do is also find a LLM tell, like "it's not x, it's y", or an out of place emoji and you can invoke the "misinformation generated by a narrative storyteller spambot" excuse. It's like the fishing expedition for Lisa Cook, but for HN posts.
If any of the other instances whereby HN users have quoted the guidelines or tone policed each other are allowed then calling out generated content should be allowed.
It's constructive to do so because there is obvious and constant pressure to normalize the use of LLM generated content on this forum as there is everywhere else in our society. For all its faults and to its credit Hacker News is and should remain a place where human beings talk to other human beings. If we don't push back against this then HN will become nothing but bots posting and talking to other bots.
Things should be judged for their quality, and comments should try to contribute positively to the discussion.
"I suspect they're a witch" isn't constructive nor makes HN a better place.
Creating a social stigma against the use of LLMs is constructive and necessary. It's no different than HN tone policing humor, because allowing humor would turn HN into Reddit.
You point about Valve's response is valid though.
Yes, if the target gets on their PC every day after they wake up.
I always assume this is such in every case. Every "I'm offline" or "hide me" or "don't save this" or "delete this forever!" UI element is a facade until proven otherwise. "Temporary" chats with LLMs are also permanent and are likely eventually public via massive data leak in future year 20XX.
All I can think of is Megaman.
bigyabai•2h ago
That logic is acceptable. You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
xmrcat•2h ago
wernerb•2h ago
rvnx•2h ago
nemomarx•1h ago
rvnx•1h ago
On the profile of a friend you can see the last time they signed-in to their account:
https://preview.redd.it/can-anyone-beat-my-last-online-frien...
Before it was public, and now restricted (for a couple of years already) to friends only.
I guess this is why they won't change it, since it's a feature.
xmrcat•1h ago
rvnx•1h ago
Because from the fields in the protobuf I somewhat suspect it's the same, but I get your point of view as well
EDIT: If it's not, then my bad
xmrcat•1h ago
nemomarx•2h ago
smileybarry•1h ago
nagisa•1h ago
I got one from work that I don't use much outside of travel and haven't changed in any way past initial setup. It stays connected to WiFi and continuously broadcasts various discovery packets for the past month and a half since I last opened it up.
scratchyone•1h ago
embedding-shape•1h ago
pityJuke•1h ago
causalscience•1h ago
breakingcups•1h ago
vermilingua•1h ago
Spunkie•1h ago
ycombinatrix•1h ago
e.g. FB Messenger & WhatsApp have their own web scraping infrastructure to provide server side link previews & thereby mitigate tracking links.
Not sure if Steam does the same currently.
viraptor•48m ago