Seems like a reasonable report to me. Offline mode intentionally hides you from friends in the UI, so you would assume it would keep you hidden.
I have a number of friends who, for various social reasons, keep their Steam status as "Offline" so their friends don't know they're still logging in. If "Offline" can be bypassed, it ruins the point
> Setting yourself to "Offline" is basically a UI illusion.
I always assume this is such in every case. Every "I'm offline" or "hide me" or "don't save this" or "delete this forever!" UI element is a facade until proven otherwise. "Temporary" chats with LLMs are also permanent and are likely eventually public via massive data leak in future year 20XX.
Admittedly that's my policy anyway just because of my experience with users.
> future year 20XX
All I can think of is Megaman.
People should always consider the "abusive friend" scenario with regards to privacy.
Even marriages can be extremely abusive...
The assumption that people on your friend's lists, Steam or anywhere (even just people in the same household) should be able to see your personal information, such as computer use, is a bananas assumption. It is an assumption that I'm pleased to say has failed privacy reviews at at least one company larger than Steam.
I think it's a quite small demographic that have abusive friends on Steam that they can't simply unfriend for whatever reason, and it's not a reasonable expectation on Steam to design for that case. It'd be like a pencil company trying to prevent people from writing hurtful messages.
I'd think it's quite common to have "abusive friends" on Steam. It's not uncommon to get invites from people you've never met offline and were just in a game you played together.
In that setting I don't think there's much "trust" happening. Certainly an average user would not think they are sharing this information with that type of person and certainly the average user believes that setting themselves to be invisible means nobody can see when they're online or any of their activity.
Besides, why would it matter if it is common? At any given point in time Steam has 20m-45m active users. 0.01% is still 2k-4.5k people. Take every single person you know by name, this is probably 10x that. This is 10x-20x the number of friends the median facebook user has. It's a very small percentage but a very large number.
We work in computing... scaling means small percentages are still big numbers.
> It's not uncommon to get invites from people you've never met offline and were just in a game you played together.
What? Why does this imply that they're "abusive" or that they'd want to spend effort trying to find my "sleep schedule"?
Note that I'm not saying the bug shouldn't be fixed, but the original author clearly is just getting up in arms about it because he wants the bug bounty. Why others are being so alarmist I cannot understand, but I see this behavior a lot among the younger generation.
> We work in computing... scaling means small percentages are still big numbers
While I've also fallen into the trap of thinking "I'm so special because I work in computing" before, I can assure you we're not even close to the only industry that deals with scaling. The pencil manufacturer I mentioned before has a lot more scaling and also a lot more real-world consequences if they do something wrong.
What about people who have their online friends on Steam just to play together with someone else? Worst case, this could leak a child’s daily schedule to a predator.
By that logic, we should remove all friend-level privacy settings entirely. I don't think that would go over well with most of the userbase.
No, that is obviously not logical. A feature can be nice-to-have for most people, while still not needing to be perfectly secure against all sorts of far-fetched scenarios.
If you want to guess how most of the userbase would react, just imagine how much the average user would care when you told them about this "vulnerability".
People should also remember that scaling means very small percentages are still very big numbers. 0.01% of active steam users is still several thousand people. Which may seem small but it is probably 10x more people than you're friends with and more than every person you know. We get so used to seeing big numbers that we think they're small.
> I showed them how I could reconstruct a target's daily sleep cycles despite them being "Invisible" for weeks.
Yes, if the target gets on their PC every day after they wake up.
And have Steam auto-launch on startup.
What if the user keeps their PC on and never logs off?
Privacy shouldn't require leaving your PC running 24/7.
I think they were being sarcastic. It's too stupid a comment otherwise.
It’s not that stupid, I think many PC gamers do exactly this, including me.
Still, it’s a bug that should be fixed.
Yes in that case there would be no data transmitted, and no risk.
Another example: if the user turns off "Turn on when Windows starts up" or whatever equivalent, this would also be a non-issue.
Not true - if users want to play a game without appearing online, this would still out them.
[deleted]
If your Steam online status is your sleep and wakeup schedule you've got bigger problems to worry about.
If this is an issue to your friends on a gaming platform, you may want to relax more.
You better be good for goodness sake.
if you're tracking someone's sleep schedule, you need a life
It's a hobby for someone extreme stans on twitch.
> Their logic: You have to be friends with the user to receive this packet. Therefore, a "trust relationship" exists.
That logic is acceptable. You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
I dunno, the ground condition here is "You're invisible/office and no one can see your activity" but that turns out to not actually be fully true. Maybe if it said "You're invisible/offline to the public, but mostly invisible to your friends" it'd be more true and setting the correct expectations. But of course, that's not how that feature is being sold.
Disagree, that trust relationship implicitly includes a "I can opt out of you seeing my status if I set my status to offline" contract, because that is my expectation of Steam.
[deleted]
True, but a tracking pixel is an active attack that leaves a visible trail. This leak is passive surveillance; I can silently graph the sleep cycles of 200 friends without ever interacting with them. Trust shouldn't imply consent for invisible, automated logging.
Do you really need an LLM to talk on HN? Genuinely, this research seems cool but its hard to trust your findings when there's clearly AI being used heavily in writing the article and in your comments here.
But your friends have accepted your request for friendship and your friends are not expecting you to spy on them correct?
Exactly. The 'Offline' feature exists specifically to set that boundary, and the backend completely ignores it.
It's about when your friends were last signed-in in their account. From my understanding:
Invisible = Sign-in but do not broadcast the games you are playing (though your profile will show that you signed-in)
Offline = Stay offline and do not sign-in
I mean the invisible status is supposed to hide all that, yeah. Why have a "show as offline" if it still shows activity like going online?
Before it was public, and now restricted (for a couple of years already) to friends only.
I guess this is why they won't change it, since it's a feature.
Incorrect. "Invisible" is a privacy control, not just a UI filter. While the official client freezes the text, the backend still broadcasts live last_logon and last_logoff Unix timestamps in the ClientPersonaState packet. This leaks exact real-time sleep/wake cycles via the socket, completely bypassing the privacy toggle.
But is it different from the "last signed-in" info that you see on the profile ? (genuinely asking)
Because from the fields in the protobuf I somewhat suspect it's the same, but I get your point of view as well
EDIT: If it's not, then my bad
How do you construct a sleep cycle out of login events? Does steam do one if the computer goes into standby etc?
Nope, going into standby is the same as logging off, since your client doesn't send keep alive packets anymore. (Not sure if macOS is an exception, because I think my MBP doesn't go into proper sleep if I keep Steam running)
MBP never goes into proper sleep.
I got one from work that I don't use much outside of travel and haven't changed in any way past initial setup. It stays connected to WiFi and continuously broadcasts various discovery packets for the past month and a half since I last opened it up.
> You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
Only for as long as they have the steam chat window open and your tracking pixel/message is a recent enough message to be actually loaded. I don't use steam chat enough to remember if they do any of these, but your plan also ignores any possible automatic security/scanning/proxy shenanigans on steams part that will muddy your pixels tracking data or just break it.
> That logic is acceptable.
I completely disagree. I use invisible status all the time on steam. I very much have an expectation that when set to invisible my friends would not be able to track my online status.
This is why Signal allows you to disable automatic previews and read-indicators. Because it does matter for privacy.
It's not acceptable. Nobody turns on invisible thinking "my friends can still see me".
I'm curious, in your logic, who else would you use the setting to go invisible for?
I have some workmates on Steam, and sometimes I come down with a cold right around game releases.
The tracking pixel still needs to be clicked on.
e.g. FB Messenger & WhatsApp have their own web scraping infrastructure to provide server side link previews & thereby mitigate tracking links.
Not sure if Steam does the same currently.
I'm not saying any tracking is great, but a couple of things here. I cant remember when if ever I logged out os steam and this is just shared with friends right? Not sure if this is a nothing burger or not.
In this context, 'Logoff' triggers whenever the socket disconnects. So every time you shut down your PC or put it to sleep, that timestamp is updated and broadcast, even if you never explicitly clicked 'Sign Out'.
The first thing I have to point out is that this entire article is clearly LLM-generated from start to finish.
The second thing I have to point out is that bug bounty programs are inundated with garbage from people who don't know anything about programming and just blindly trust whatever the LLM says. We even have the 'author' reproducing this blind reinforcement in the article: "Tested Jan 2026. Confirmed working."
The third thing I have to point out is that the response from Valve is not actually shown. We, the reader, are treated to an LLM-generated paraphrasal of something they may or may not have actually said.
Is it possible this issue is real and that Valve responded the way they did? Perhaps, but the article alone leaves me extremely skeptical based on past experiences with LLM-generated bug bounty reports.
Spending months dealing with folks attempting to blackmail us over ridiculous non-issues has pretty much killed any sympathy I had for bug bounty hunters.
>The first thing I have to point out is that this entire article is clearly LLM-generated from start to finish.
Is your LLM detector on a hairtrigger? At best the headings seem like LLM, but the rest don't look LLM generated.
You probably need to improve your internal LLM detector then. This obviously reads as LLM generated text.
- "This isn't just a "status" bug. It's a behavioral tracker."
- "It essentially xxxxx, making yyyyyy."
- As you mentioned, the headings
- A lack of compound sentences that don't use "x, but y" format.
This is clearly LLM generated text, maybe just lightly edited to remove some em dashes and stuff like that.
After you read code for a while, you start to figure out the "smell" of who wrote what code. It's the same for any other writing. I was literally reading a New Yorker article before this, and this is the first HN article I just opened today; the writing difference is jarring. It's very easy to smell LLM generated text after reading a few non-LLM articles.
What's frustrating is the author's comments here in this thread are clearly LLM text as well. Why even bother to have a conversation if our replies are just being piped into ChatGPT??
There have been a few times I've had interactions with people on other sites that have been clearly from LLMs. At least one of the times, it turned out to be a non-native English speaker who needed the help to be able to converse with me, and it turned out to be a worthwhile conversation that I don't think would have been possible otherwise. Sometimes the utility of the conversation can outweigh the awkwardness of how it's conveyed.
That can said, I do think it would be better to be up front about this sort of thing, and that means that it's not really suitable for use on a site like HN where it's against the rules.
>What's frustrating is the author's comments here in this thread are clearly LLM text as well
Again, clearly? I can see how people might be tipped off at the blog post because of the headings (and apparently the it's not x, it's y pattern), but I can't see anything in the comments that would make me think it was "clearly" LLM-generated.
Honestly, I can't point out some specific giveaway, but if you've interacted with LLMs enough you can simply tell. It's kinda like recognizing someones voice.
One way of describing it is that I've heard the exact same argument/paragraph structure and sentence structure many times with different words swapped in. When you see this in almost every sentence, it becomes a lot more obvious. Similar to how if you read a huge amount of one author, you will likely be able to pick their work out of a lineup. Having read hundreds of thousands of words of LLM generated text, I have a strong understanding of the ChatGPT style of writing.
Just stop already with the LLM witch-hunt. Your personal LLM vibes don't equate to "obviously LLM generated".
My "LLM witch-hunt" got the prompter to reveal the reply they received, which we now learn is neither from Valve nor says "Won't Fix" but rather deems it not a security exploit by HackerOne's definition. It is more important than ever before to be critical of the content you consume rather than blindly believing everything you read on the internet. Learning to detect LLM writing which represents a new, major channel of misinformation is one aspect of that.
Do you have any evidence that your witch hunt caused him to show that? It could have simply been your pointing out that Valve's response wasn't shown in the article. No witch-hunts needed.
It does for me too. Especially the short parts with headings, the bold sentences in their own paragraph and especially formulations like "X isn't just... it's Y".
In other words, this website uses headings for sections, doesn't ramble, and has a single line of emphasis where you'd expect it. I wonder what style we'll have to adopt soon to avoid LLM witchhunt - live stream of consciousness ranting with transcript and typos?
"In other words" means paraphrasing, not simply changing the words to something completely different.
To me this kind of use of AI (generating the whole article) is equivalent to a low-effort post. I also personally don't like this kind of writing, regardless of whether or not an AI generated it.
Imagine being a person like me who has always been expressing himself like that. Using em dash, too.
LLMs didn’t randomly invent their own unique style, they learned it from books. This is just how people write when they get slightly more literate than nowadays texting-era kids.
And these suspicions are in vain even if happen to be right this one time. LLMs are champions of copying styles, there is no problem asking one to slap Gen Z slang all over and finish the post with the phrase “I literally can’t! <sad-smiley>”. “Detecting LLMs” doesn’t get you ahead of LLMs, it only gets you ahead of the person using them. Why not appreciate example of concise and on-point self-expression and focus on usefulness of content?
My comment was not really meant as a criticism (of AI) but more of an agreement that I am also confident in the fact that the post is AI-generated (while the parent comment does not seem to be so confident).
But to add a personal comment or criticism, I don't like this style of writing. If you like prompt your AI to write in a better style which is easier on the eyes (and it works) then please, go ahead.
The most jarring point that they mentioned, having sudden one-off boldfaced sentences in their own paragraphs, is not something I had ever seen before LLMs. It's possible that this could be a habit humans have picked up from them and started adding it the middle of other text that similarly evokes all of the other LLM tropes, but it doesn't seem particularly likely.
Your point about being able to prompt LLMs to sound different is valid, but I'd argue that it somewhat misses the point (although largely because the point isn't being made precisely). If an LLM-generated blog post was actually crafted with care and intent, it would certainly be possible to make less obvious, but what people are likely actually criticizing is content that's produced in I'll call "default ChatGPT" style that overuses the stylistic elements that get brought up. The extreme density of certain patterns is a signal that the content might have been generated and published without much attention to detail. There's was already a huge amount of content out there even before generating it with LLMs became mainstream, so people will necessarily use heuristics to figure out if something is worth their time. The heuristic "heavy use of default ChatGPT style" is useful if it correlates with the more fundamental issues that the top-level comment of this thread points out, and it's clear that there's a sizable contingent of people who have experienced that this is the case.
> although largely because the point isn't being made precisely
I agree. I wasn't really trying to make a point. But yes, what I am implying is that posts that you can immediately recognize as AI are low effort posts, which are not worth my time.
I see a lot of these "this is LLM" comments; but they rarely add value, side track the discussion, and appear to come into direct conflict with several of HN's comment guidelines (at least my reading).
I think raising that the raw Valve response wasn't provided is a valid, and correct, point to raise.
The problem is that that valid point is surrounding by what seems to be a character attack, based on little evidence, and that seemingly mirrors many of these "LLM witch-hunt" comments.
Should HN's guidelines be updated to directly call out this stuff as unconstructive? Pointing out the quality/facts of an article is one thing, calling out suspected tool usage without even evidence is quite another.
Counterproposal: Let's update HN's guidelines to ban blatant misinformation generated by a narrative storyteller spambot. My experience using HN would be significantly better if these threads were killed and repeat offenders banned.
>Counterproposal: Let's update HN's guidelines to ban blatant misinformation generated by a narrative storyteller spambot.
This will inevitably get abused to shut down dissent. When there's something people vehemently disagree with, detractors come out of the woodwork to nitpick every single flaw. Find one inconsistency in a blog post about Gaza/ICE/covid? Well all you need to do is also find a LLM tell, like "it's not x, it's y", or an out of place emoji and you can invoke the "misinformation generated by a narrative storyteller spambot" excuse. It's like the fishing expedition for Lisa Cook, but for HN posts.
The constant accusations that everything is written by bots is itself a type of abuse and misinformation.
LLM generated comments aren't allowed on HN[0]. Period.
If any of the other instances whereby HN users have quoted the guidelines or tone policed each other are allowed then calling out generated content should be allowed.
It's constructive to do so because there is obvious and constant pressure to normalize the use of LLM generated content on this forum as there is everywhere else in our society. For all its faults and to its credit Hacker News is and should remain a place where human beings talk to other human beings. If we don't push back against this then HN will become nothing but bots posting and talking to other bots.
The problem is that people cannot prove one way or the other that things are LLM generated, so it is just a baseless witch hunt.
Things should be judged for their quality, and comments should try to contribute positively to the discussion.
"I suspect they're a witch" isn't constructive nor makes HN a better place.
It isn't a baseless witch hunt if the witches are real.
Creating a social stigma against the use of LLMs is constructive and necessary. It's no different than HN tone policing humor, because allowing humor would turn HN into Reddit.
How is randomly branding people without knowing "constructive and necessary?" Seems like it is completely self-defeating; you're going to make the accusations meaningless because if everything is "LLM" then nothing is.
I get the point you're trying to make, but it's worth pointing out that the entire point is that it's not people getting branded but nebulous online entities that may or may not be people. It's a valid criticism that the accuracy of these claims is not measurable, but I think it's equally true that we no longer are in a world where we can be be sure that no content like this is from an LLM either. It's not at all obvious to me that the assumption that everything is from a human is more accurate than the aggregate set of claims of LLMs, so describing it as "branding people" seems like it's jumping to co me conclusions in the same way.
Stop worrying about whether articles are written by LLM or not and judge them by their content or provenance to sources that you can justifiably trust. If you weren't doing that before LLMs then you were getting fooled by humans writing incompetent or deceptive articles too. People have good reasons for using LLMs to write for them. If they wrote it themselves, it might cause you to judge them as being a teenager, uneducated, foreign, or whatever other unreliable proxies you use for trust.
Do I misunderstand that to be HackerOne staff - not Valve staff - marking it as "not a security vulnerability" - not "won't fix"?
You're right, but in this case I think some narrative liberty was justified, especially since Valve basically delegated triaging bug reports to HackerOne, but this relationship might not be immediately obvious to some readers. Suppose a nightclub contracts its bouncers from some security security firm. You get kicked out by the contract security guard. I think most people would think it's fair to characterize this situation as "the nightclub kicked me out" on a review or whatever.
It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports. It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
>It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports.
That was a typo on my side, should be "security".
>It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
For all intents and purposes getting your report marked as "informative" or whatever is the same as your report being rejected. To claim otherwise is just playing word games, like "it's not a bug, it's a feature". That's not to say that the OP is objectively correct that it's a security issue, but for the purposes of this argument what OP wrote (ie. 'Valve: "WontFix"' and Valve closed it as "Informative.") is approximately correct. If you contact a company to report a bug, and that company routes it to some third party support contractor (microsoft does this, I think), and the support contractor replies "not a bug, won't fix", it's fair to characterize that as "[company] rejected my bug report!", even if the person who did it was some third party contractor.
> If you contact a company to report a bug, and that company routes it to some third party support contractor
That is not what happened, though. You can contact Valve/Steam directly. They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
>They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
I don't know, the wording on their site suggests hackerone is the primary place to report security issues, not "if you want to get paid use hackerone, otherwise email us directly".
>For issues with Steam or with Valve hardware products, please visit HackerOne — https://hackerone.com/valve. Our guidelines for responsible disclosure are also available through that program.
No, you are correct, that is a HackerOne employee filtering the report before someone at Valve looks at it, a lot of companies have this set up and it's not great.
I would be surprised if responsible Valve staff would agree that this is not something they should fix at some point.
It's still on Valve though. They chose to delegate this and H1 basically becomes their voice here. I wish it was made more clear, but I don't think it's wrong.
That sounds to me like they're acknowledging that the feature doesn't work as advertised ("may not align with user expectations"), but also that it was reported as a exploit/security vulnerability, while it's actually a privacy leak. Maybe HackerOne isn't the right channel for reporting those issues?
Certainly, public pressure is another way :)
[dead]
You do know that you don't have to have Steam turn on on boot, right? You can launch Steam only when you want to play video games.
But then you may have to wait for an update to download and install before playing.
Offline status means "don't bother me".
If Offline meant "don't bother me", it would be called "Don't bother me", or "do not disturb", and not "Offline"
OMG, some of you guys are so paranoia with privacy. No one gives a &$#$ when you sleep. Get over it
Seems like a reasonable report to me. Offline mode intentionally hides you from friends in the UI, so you would assume it would keep you hidden.
I have a number of friends who, for various social reasons, keep their Steam status as "Offline" so their friends don't know they're still logging in. If "Offline" can be bypassed, it ruins the point
> Setting yourself to "Offline" is basically a UI illusion.
I always assume this is such in every case. Every "I'm offline" or "hide me" or "don't save this" or "delete this forever!" UI element is a facade until proven otherwise. "Temporary" chats with LLMs are also permanent and are likely eventually public via massive data leak in future year 20XX.
Admittedly that's my policy anyway just because of my experience with users.
> future year 20XX
All I can think of is Megaman.
People should always consider the "abusive friend" scenario with regards to privacy.
Even marriages can be extremely abusive...
The assumption that people on your friend's lists, Steam or anywhere (even just people in the same household) should be able to see your personal information, such as computer use, is a bananas assumption. It is an assumption that I'm pleased to say has failed privacy reviews at at least one company larger than Steam.
I think it's a quite small demographic that have abusive friends on Steam that they can't simply unfriend for whatever reason, and it's not a reasonable expectation on Steam to design for that case. It'd be like a pencil company trying to prevent people from writing hurtful messages.
I'd think it's quite common to have "abusive friends" on Steam. It's not uncommon to get invites from people you've never met offline and were just in a game you played together.
In that setting I don't think there's much "trust" happening. Certainly an average user would not think they are sharing this information with that type of person and certainly the average user believes that setting themselves to be invisible means nobody can see when they're online or any of their activity.
Besides, why would it matter if it is common? At any given point in time Steam has 20m-45m active users. 0.01% is still 2k-4.5k people. Take every single person you know by name, this is probably 10x that. This is 10x-20x the number of friends the median facebook user has. It's a very small percentage but a very large number.
We work in computing... scaling means small percentages are still big numbers.
> It's not uncommon to get invites from people you've never met offline and were just in a game you played together.
What? Why does this imply that they're "abusive" or that they'd want to spend effort trying to find my "sleep schedule"?
Note that I'm not saying the bug shouldn't be fixed, but the original author clearly is just getting up in arms about it because he wants the bug bounty. Why others are being so alarmist I cannot understand, but I see this behavior a lot among the younger generation.
> We work in computing... scaling means small percentages are still big numbers
While I've also fallen into the trap of thinking "I'm so special because I work in computing" before, I can assure you we're not even close to the only industry that deals with scaling. The pencil manufacturer I mentioned before has a lot more scaling and also a lot more real-world consequences if they do something wrong.
What about people who have their online friends on Steam just to play together with someone else? Worst case, this could leak a child’s daily schedule to a predator.
By that logic, we should remove all friend-level privacy settings entirely. I don't think that would go over well with most of the userbase.
No, that is obviously not logical. A feature can be nice-to-have for most people, while still not needing to be perfectly secure against all sorts of far-fetched scenarios.
If you want to guess how most of the userbase would react, just imagine how much the average user would care when you told them about this "vulnerability".
People should also remember that scaling means very small percentages are still very big numbers. 0.01% of active steam users is still several thousand people. Which may seem small but it is probably 10x more people than you're friends with and more than every person you know. We get so used to seeing big numbers that we think they're small.
> I showed them how I could reconstruct a target's daily sleep cycles despite them being "Invisible" for weeks.
Yes, if the target gets on their PC every day after they wake up.
And have Steam auto-launch on startup.
What if the user keeps their PC on and never logs off?
Privacy shouldn't require leaving your PC running 24/7.
I think they were being sarcastic. It's too stupid a comment otherwise.
It’s not that stupid, I think many PC gamers do exactly this, including me.
Still, it’s a bug that should be fixed.
Yes in that case there would be no data transmitted, and no risk.
Another example: if the user turns off "Turn on when Windows starts up" or whatever equivalent, this would also be a non-issue.
Not true - if users want to play a game without appearing online, this would still out them.
If your Steam online status is your sleep and wakeup schedule you've got bigger problems to worry about.
If this is an issue to your friends on a gaming platform, you may want to relax more.
You better be good for goodness sake.
if you're tracking someone's sleep schedule, you need a life
It's a hobby for someone extreme stans on twitch.
> Their logic: You have to be friends with the user to receive this packet. Therefore, a "trust relationship" exists.
That logic is acceptable. You could also DM an offline friend a tracking pixel to reconstruct their activity, a lot of this endpoint security is entirely up to the user.
I dunno, the ground condition here is "You're invisible/office and no one can see your activity" but that turns out to not actually be fully true. Maybe if it said "You're invisible/offline to the public, but mostly invisible to your friends" it'd be more true and setting the correct expectations. But of course, that's not how that feature is being sold.
Disagree, that trust relationship implicitly includes a "I can opt out of you seeing my status if I set my status to offline" contract, because that is my expectation of Steam.
True, but a tracking pixel is an active attack that leaves a visible trail. This leak is passive surveillance; I can silently graph the sleep cycles of 200 friends without ever interacting with them. Trust shouldn't imply consent for invisible, automated logging.
Do you really need an LLM to talk on HN? Genuinely, this research seems cool but its hard to trust your findings when there's clearly AI being used heavily in writing the article and in your comments here.
But your friends have accepted your request for friendship and your friends are not expecting you to spy on them correct?
Exactly. The 'Offline' feature exists specifically to set that boundary, and the backend completely ignores it.
It's about when your friends were last signed-in in their account. From my understanding:
I mean the invisible status is supposed to hide all that, yeah. Why have a "show as offline" if it still shows activity like going online?
> Steam "Offline" status leaks exact login timestamps (Valve: Won't Fix)
On the profile of a friend you can see the last time they signed-in to their account:
https://preview.redd.it/can-anyone-beat-my-last-online-frien...
Before it was public, and now restricted (for a couple of years already) to friends only.
I guess this is why they won't change it, since it's a feature.
Incorrect. "Invisible" is a privacy control, not just a UI filter. While the official client freezes the text, the backend still broadcasts live last_logon and last_logoff Unix timestamps in the ClientPersonaState packet. This leaks exact real-time sleep/wake cycles via the socket, completely bypassing the privacy toggle.
But is it different from the "last signed-in" info that you see on the profile ? (genuinely asking)
Because from the fields in the protobuf I somewhat suspect it's the same, but I get your point of view as well
EDIT: If it's not, then my bad
How do you construct a sleep cycle out of login events? Does steam do one if the computer goes into standby etc?
Nope, going into standby is the same as logging off, since your client doesn't send keep alive packets anymore. (Not sure if macOS is an exception, because I think my MBP doesn't go into proper sleep if I keep Steam running)
MBP never goes into proper sleep.
I got one from work that I don't use much outside of travel and haven't changed in any way past initial setup. It stays connected to WiFi and continuously broadcasts various discovery packets for the past month and a half since I last opened it up.
This is why Signal allows you to disable automatic previews and read-indicators. Because it does matter for privacy.
It's not acceptable. Nobody turns on invisible thinking "my friends can still see me".
I'm curious, in your logic, who else would you use the setting to go invisible for?
I have some workmates on Steam, and sometimes I come down with a cold right around game releases.
The tracking pixel still needs to be clicked on.
e.g. FB Messenger & WhatsApp have their own web scraping infrastructure to provide server side link previews & thereby mitigate tracking links.
Not sure if Steam does the same currently.
I'm not saying any tracking is great, but a couple of things here. I cant remember when if ever I logged out os steam and this is just shared with friends right? Not sure if this is a nothing burger or not.
In this context, 'Logoff' triggers whenever the socket disconnects. So every time you shut down your PC or put it to sleep, that timestamp is updated and broadcast, even if you never explicitly clicked 'Sign Out'.
The first thing I have to point out is that this entire article is clearly LLM-generated from start to finish.
The second thing I have to point out is that bug bounty programs are inundated with garbage from people who don't know anything about programming and just blindly trust whatever the LLM says. We even have the 'author' reproducing this blind reinforcement in the article: "Tested Jan 2026. Confirmed working."
The third thing I have to point out is that the response from Valve is not actually shown. We, the reader, are treated to an LLM-generated paraphrasal of something they may or may not have actually said.
Is it possible this issue is real and that Valve responded the way they did? Perhaps, but the article alone leaves me extremely skeptical based on past experiences with LLM-generated bug bounty reports.
Spending months dealing with folks attempting to blackmail us over ridiculous non-issues has pretty much killed any sympathy I had for bug bounty hunters.
>The first thing I have to point out is that this entire article is clearly LLM-generated from start to finish.
Is your LLM detector on a hairtrigger? At best the headings seem like LLM, but the rest don't look LLM generated.
You probably need to improve your internal LLM detector then. This obviously reads as LLM generated text.
- "This isn't just a "status" bug. It's a behavioral tracker."
- "It essentially xxxxx, making yyyyyy."
- As you mentioned, the headings
- A lack of compound sentences that don't use "x, but y" format.
This is clearly LLM generated text, maybe just lightly edited to remove some em dashes and stuff like that.
After you read code for a while, you start to figure out the "smell" of who wrote what code. It's the same for any other writing. I was literally reading a New Yorker article before this, and this is the first HN article I just opened today; the writing difference is jarring. It's very easy to smell LLM generated text after reading a few non-LLM articles.
What's frustrating is the author's comments here in this thread are clearly LLM text as well. Why even bother to have a conversation if our replies are just being piped into ChatGPT??
There have been a few times I've had interactions with people on other sites that have been clearly from LLMs. At least one of the times, it turned out to be a non-native English speaker who needed the help to be able to converse with me, and it turned out to be a worthwhile conversation that I don't think would have been possible otherwise. Sometimes the utility of the conversation can outweigh the awkwardness of how it's conveyed.
That can said, I do think it would be better to be up front about this sort of thing, and that means that it's not really suitable for use on a site like HN where it's against the rules.
>What's frustrating is the author's comments here in this thread are clearly LLM text as well
Again, clearly? I can see how people might be tipped off at the blog post because of the headings (and apparently the it's not x, it's y pattern), but I can't see anything in the comments that would make me think it was "clearly" LLM-generated.
Honestly, I can't point out some specific giveaway, but if you've interacted with LLMs enough you can simply tell. It's kinda like recognizing someones voice.
One way of describing it is that I've heard the exact same argument/paragraph structure and sentence structure many times with different words swapped in. When you see this in almost every sentence, it becomes a lot more obvious. Similar to how if you read a huge amount of one author, you will likely be able to pick their work out of a lineup. Having read hundreds of thousands of words of LLM generated text, I have a strong understanding of the ChatGPT style of writing.
Just stop already with the LLM witch-hunt. Your personal LLM vibes don't equate to "obviously LLM generated".
My "LLM witch-hunt" got the prompter to reveal the reply they received, which we now learn is neither from Valve nor says "Won't Fix" but rather deems it not a security exploit by HackerOne's definition. It is more important than ever before to be critical of the content you consume rather than blindly believing everything you read on the internet. Learning to detect LLM writing which represents a new, major channel of misinformation is one aspect of that.
Do you have any evidence that your witch hunt caused him to show that? It could have simply been your pointing out that Valve's response wasn't shown in the article. No witch-hunts needed.
It does for me too. Especially the short parts with headings, the bold sentences in their own paragraph and especially formulations like "X isn't just... it's Y".
In other words, this website uses headings for sections, doesn't ramble, and has a single line of emphasis where you'd expect it. I wonder what style we'll have to adopt soon to avoid LLM witchhunt - live stream of consciousness ranting with transcript and typos?
"In other words" means paraphrasing, not simply changing the words to something completely different.
To me this kind of use of AI (generating the whole article) is equivalent to a low-effort post. I also personally don't like this kind of writing, regardless of whether or not an AI generated it.
Imagine being a person like me who has always been expressing himself like that. Using em dash, too.
LLMs didn’t randomly invent their own unique style, they learned it from books. This is just how people write when they get slightly more literate than nowadays texting-era kids.
And these suspicions are in vain even if happen to be right this one time. LLMs are champions of copying styles, there is no problem asking one to slap Gen Z slang all over and finish the post with the phrase “I literally can’t! <sad-smiley>”. “Detecting LLMs” doesn’t get you ahead of LLMs, it only gets you ahead of the person using them. Why not appreciate example of concise and on-point self-expression and focus on usefulness of content?
My comment was not really meant as a criticism (of AI) but more of an agreement that I am also confident in the fact that the post is AI-generated (while the parent comment does not seem to be so confident).
But to add a personal comment or criticism, I don't like this style of writing. If you like prompt your AI to write in a better style which is easier on the eyes (and it works) then please, go ahead.
The most jarring point that they mentioned, having sudden one-off boldfaced sentences in their own paragraphs, is not something I had ever seen before LLMs. It's possible that this could be a habit humans have picked up from them and started adding it the middle of other text that similarly evokes all of the other LLM tropes, but it doesn't seem particularly likely.
Your point about being able to prompt LLMs to sound different is valid, but I'd argue that it somewhat misses the point (although largely because the point isn't being made precisely). If an LLM-generated blog post was actually crafted with care and intent, it would certainly be possible to make less obvious, but what people are likely actually criticizing is content that's produced in I'll call "default ChatGPT" style that overuses the stylistic elements that get brought up. The extreme density of certain patterns is a signal that the content might have been generated and published without much attention to detail. There's was already a huge amount of content out there even before generating it with LLMs became mainstream, so people will necessarily use heuristics to figure out if something is worth their time. The heuristic "heavy use of default ChatGPT style" is useful if it correlates with the more fundamental issues that the top-level comment of this thread points out, and it's clear that there's a sizable contingent of people who have experienced that this is the case.
> although largely because the point isn't being made precisely
I agree. I wasn't really trying to make a point. But yes, what I am implying is that posts that you can immediately recognize as AI are low effort posts, which are not worth my time.
I see a lot of these "this is LLM" comments; but they rarely add value, side track the discussion, and appear to come into direct conflict with several of HN's comment guidelines (at least my reading).
I think raising that the raw Valve response wasn't provided is a valid, and correct, point to raise.
The problem is that that valid point is surrounding by what seems to be a character attack, based on little evidence, and that seemingly mirrors many of these "LLM witch-hunt" comments.
Should HN's guidelines be updated to directly call out this stuff as unconstructive? Pointing out the quality/facts of an article is one thing, calling out suspected tool usage without even evidence is quite another.
Counterproposal: Let's update HN's guidelines to ban blatant misinformation generated by a narrative storyteller spambot. My experience using HN would be significantly better if these threads were killed and repeat offenders banned.
>Counterproposal: Let's update HN's guidelines to ban blatant misinformation generated by a narrative storyteller spambot.
This will inevitably get abused to shut down dissent. When there's something people vehemently disagree with, detractors come out of the woodwork to nitpick every single flaw. Find one inconsistency in a blog post about Gaza/ICE/covid? Well all you need to do is also find a LLM tell, like "it's not x, it's y", or an out of place emoji and you can invoke the "misinformation generated by a narrative storyteller spambot" excuse. It's like the fishing expedition for Lisa Cook, but for HN posts.
The constant accusations that everything is written by bots is itself a type of abuse and misinformation.
LLM generated comments aren't allowed on HN[0]. Period.
If any of the other instances whereby HN users have quoted the guidelines or tone policed each other are allowed then calling out generated content should be allowed.
It's constructive to do so because there is obvious and constant pressure to normalize the use of LLM generated content on this forum as there is everywhere else in our society. For all its faults and to its credit Hacker News is and should remain a place where human beings talk to other human beings. If we don't push back against this then HN will become nothing but bots posting and talking to other bots.
[0]https://news.ycombinator.com/item?id=45077654
The problem is that people cannot prove one way or the other that things are LLM generated, so it is just a baseless witch hunt.
Things should be judged for their quality, and comments should try to contribute positively to the discussion.
"I suspect they're a witch" isn't constructive nor makes HN a better place.
It isn't a baseless witch hunt if the witches are real.
Creating a social stigma against the use of LLMs is constructive and necessary. It's no different than HN tone policing humor, because allowing humor would turn HN into Reddit.
How is randomly branding people without knowing "constructive and necessary?" Seems like it is completely self-defeating; you're going to make the accusations meaningless because if everything is "LLM" then nothing is.
I get the point you're trying to make, but it's worth pointing out that the entire point is that it's not people getting branded but nebulous online entities that may or may not be people. It's a valid criticism that the accuracy of these claims is not measurable, but I think it's equally true that we no longer are in a world where we can be be sure that no content like this is from an LLM either. It's not at all obvious to me that the assumption that everything is from a human is more accurate than the aggregate set of claims of LLMs, so describing it as "branding people" seems like it's jumping to co me conclusions in the same way.
Stop worrying about whether articles are written by LLM or not and judge them by their content or provenance to sources that you can justifiably trust. If you weren't doing that before LLMs then you were getting fooled by humans writing incompetent or deceptive articles too. People have good reasons for using LLMs to write for them. If they wrote it themselves, it might cause you to judge them as being a teenager, uneducated, foreign, or whatever other unreliable proxies you use for trust.
You point about Valve's response is valid though.
here you go https://i.ibb.co/39GRMySs/png.png
Do I misunderstand that to be HackerOne staff - not Valve staff - marking it as "not a security vulnerability" - not "won't fix"?
You're right, but in this case I think some narrative liberty was justified, especially since Valve basically delegated triaging bug reports to HackerOne, but this relationship might not be immediately obvious to some readers. Suppose a nightclub contracts its bouncers from some security security firm. You get kicked out by the contract security guard. I think most people would think it's fair to characterize this situation as "the nightclub kicked me out" on a review or whatever.
It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports. It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
>It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports.
That was a typo on my side, should be "security".
>It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
For all intents and purposes getting your report marked as "informative" or whatever is the same as your report being rejected. To claim otherwise is just playing word games, like "it's not a bug, it's a feature". That's not to say that the OP is objectively correct that it's a security issue, but for the purposes of this argument what OP wrote (ie. 'Valve: "WontFix"' and Valve closed it as "Informative.") is approximately correct. If you contact a company to report a bug, and that company routes it to some third party support contractor (microsoft does this, I think), and the support contractor replies "not a bug, won't fix", it's fair to characterize that as "[company] rejected my bug report!", even if the person who did it was some third party contractor.
> If you contact a company to report a bug, and that company routes it to some third party support contractor
That is not what happened, though. You can contact Valve/Steam directly. They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
>They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
I don't know, the wording on their site suggests hackerone is the primary place to report security issues, not "if you want to get paid use hackerone, otherwise email us directly".
>For issues with Steam or with Valve hardware products, please visit HackerOne — https://hackerone.com/valve. Our guidelines for responsible disclosure are also available through that program.
https://www.valvesoftware.com/en/security
No, you are correct, that is a HackerOne employee filtering the report before someone at Valve looks at it, a lot of companies have this set up and it's not great.
I would be surprised if responsible Valve staff would agree that this is not something they should fix at some point.
It's still on Valve though. They chose to delegate this and H1 basically becomes their voice here. I wish it was made more clear, but I don't think it's wrong.
That sounds to me like they're acknowledging that the feature doesn't work as advertised ("may not align with user expectations"), but also that it was reported as a exploit/security vulnerability, while it's actually a privacy leak. Maybe HackerOne isn't the right channel for reporting those issues?
Certainly, public pressure is another way :)
[dead]
You do know that you don't have to have Steam turn on on boot, right? You can launch Steam only when you want to play video games.
But then you may have to wait for an update to download and install before playing.
Offline status means "don't bother me".
If Offline meant "don't bother me", it would be called "Don't bother me", or "do not disturb", and not "Offline"
OMG, some of you guys are so paranoia with privacy. No one gives a &$#$ when you sleep. Get over it