40-Year-Old Bug. Claude Found It Before the Author Did.

Microsoft Azure CTO Mark Russinovich gave Anthropic's Claude Opus 4.6 a raw 6502 machine-language binary he wrote as a teenager in 1986 for the Apple II, with no source code or documentation. The AI decompiled the binary, reconstructed the logic, and identified a 40-year-old bug: a missing carry flag check during GOTO execution that could silently advance the program past its end instead of raising an error. Russinovich concluded that the industry is entering an era of automated, AI-accelerated vulnerability discovery that will be leveraged by both defenders and attackers.

Mark Russinovich — Microsoft's Azure CTO — handed Claude Opus 4.6 a binary from 1986. Not source code. A binary. Raw 6502 machine language he'd written as a teenager for the Apple II. No comments. No variable names. No documentation. Just bytes.

Claude decompiled it, reconstructed the logic, and flagged a silent error that had been sitting there, undetected, for forty years: if a destination BASIC line wasn't found during a GOTO, the program would silently advance to the next line — or march right past the end of the program — instead of raising an error.

The fix was four instructions. Check the carry flag. Branch to the error handler. Done.

Russinovich's conclusion: "We are entering an era of automated, AI-accelerated vulnerability discovery that will be leveraged by both defenders and attackers." [1]

This exercise raises two points that I think are important -- one about security strategy, and one about where we're going.

I wrote recently about write-only code — the coming era where AI generates software that no human ever reviews (I linked the article below). The thesis was directional: we're moving toward machine-native code that AI writes, AI maintains, and AI debugs, with humans specifying intent in plain English and staying out of the middle. The human-readable layer exists for humans. Remove humans from the loop and you don't need it.
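
The bug described above, modeled in C as an added example (not Russinovich's 6502 code and not from the original article): a line search reports "not found" through a status flag, and the GOTO handler either ignores that status or checks it. The line table, function names, and error codes are assumptions made for illustration, and the model returns a marker where real code would keep executing past the end of the program.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample program: BASIC line numbers in ascending order. */
static const int PROGRAM[] = {10, 20, 30, 40};
#define NLINES (sizeof PROGRAM / sizeof PROGRAM[0])
#define ERR_UNDEFINED_LINE (-1) /* hypothetical error-handler result */
#define RAN_PAST_END (-2)       /* model marker: execution left the program */

/* Line search. *found stands in for the 6502 carry flag. Returns the index
   of the first line numbered >= target (NLINES if every line is lower). */
static size_t find_line(int target, bool *found) {
    size_t i = 0;
    while (i < NLINES && PROGRAM[i] < target)
        i++;
    *found = (i < NLINES && PROGRAM[i] == target);
    return i;
}

/* Unchecked GOTO: trusts the search position and never reads the status. */
int goto_unchecked(int target) {
    bool found;
    size_t i = find_line(target, &found);
    (void)found; /* the missing check */
    return i < NLINES ? PROGRAM[i] : RAN_PAST_END;
}

/* Checked GOTO: test the status first, branch to the error handler. */
int goto_checked(int target) {
    bool found;
    size_t i = find_line(target, &found);
    if (!found)
        return ERR_UNDEFINED_LINE;
    return PROGRAM[i];
}

int main(void) {
    const int targets[] = {20, 25, 99}; /* present, missing, beyond last line */
    for (size_t k = 0; k < 3; k++)
        printf("GOTO %d: unchecked -> %d, checked -> %d\n", targets[k],
               goto_unchecked(targets[k]), goto_checked(targets[k]));
    return 0;
}
```
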

Russinovich's experiment demonstrates the other side of that equation. AI doesn't just write code humans can't read. It reads code humans can't read either.

A trained engineer can parse 6502 assembly with enough time and a reference manual (I've done it with my own Vic-20 and Commodore-64 6502 code, at about the time Russinovich wrote the code in question). But nobody was going to sit down with Russinovich's 40-year-old Enhancer utility and do a security audit. That binary was archaeologically frozen: working, shipped, forgotten. The knowledge of what it did lived only in the mind of a teenager who is now one of the most senior technologists in the world — and even he apparently missed the carry flag bug.

Claude read the binary in the time it takes to refresh a browser tab.

This is the two-way mirror. The write-only code future says: AI writes machine code because humans don't need to read it. The Russinovich experiment says: AI can read machine code, whoever wrote it.

Together, they describe a world where the human-readable middle layer — every programming language you have ever used — is optional infrastructure. We built it for us. We needed it because we were the ones doing the translating. The moment AI does both the writing and the reading, the translation layer becomes a legacy artifact maintained by sentiment and inertia, not necessity.

Must a human remain in, on, or around the loop? I say yes, for now, but it's a window that will continue to close. As I pointed out in my article, many top devs are reading specs and reports, not code. And there is little doubt that trend will continue and will accelerate.

The implications for security alone are staggering. Every compiled binary in production — closed-source, stripped, obfuscated — is now legible to a model with enough context. Firmware on network devices. Legacy financial systems running on 1990s-era compiled code nobody can find the source for. Embedded controllers in industrial equipment.
The attack surface that "security through obscurity" has quietly protected for decades is eroding fast. It should be noted that security through obscurity was never great security (it was analogous to "The Club" steering wheel lock, but for software...breakable, but less work to just move on to something without it). If Russinovich's experiment proves anything, it proves that the concept is now utterly defunct. A tireless AI can comfortably untangle any obscuration scheme to reveal underlying code logic.

To be clear, defenders gain something too. Russinovich's carry flag bug caused silent incorrect behavior. In a firmware context, that same pattern could be a vulnerability. AI reading the binary finds it before the attacker does — if the defender moves first.

We're not at Phase 4 yet. I described it as the longer-term future: natural language in, optimized binaries out, maintained entirely by models without a human-readable representation at any stage. We're still in the early phases — AI writing readable code, humans reviewing it less and less.

But Russinovich's experiment is a signpost. The model doesn't need source code to understand software. It doesn't need variable names or comments or clean abstractions. It can work directly with what the machine actually executes.

That's not a parlor trick. That's a capability shift.

The programming languages we've spent sixty years building were translation layers between human thought and machine execution. AI is becoming fluent in both languages natively. The translation layer is still useful — but it's no longer strictly required.

I explored the write-only code thesis and what it means for every programming language you've ever loved in my earlier piece: When AI Stops Writing Code for Humans. Russinovich's experiment is the live proof-of-concept for the read side of that argument.

What's your take -- does this change how you think about legacy system security? About the future of code review?

Keith MacKay is a technology strategy consultant and CTO in EY-Parthenon's Software Strategy Group (SSG), specializing in AI disruption and technology diligence for private equity and corporate clients. SSG's AI Disruption Lab conducts rapid assessments of how AI transforms and threatens existing business models and value chains. Keith teaches at Northeastern University and writes about strategy, management, and AI/technology.