FARVEL BIG TECH

I'm going to say something that's been festering in my mind for a while now.

48 posts, 24 posters, 9 views

This thread has been deleted. Only users with topic management privileges can see it.
  • da_667@infosec.exchange wrote:

    It has always been the privilege of the corporations and the rich to define what responsibility is. I'm here to tell you don't give them what they aren't willing to give us.

    munin@infosec.exchange wrote (#10):

    @da_667

    At this point, given the LLM situation, I don't think there's much value in coordinated disclosure.

    But from a different angle.

    'cuz given Anthropic and other LLM hawkers' attitudes, plus the way in which LLM spam has basically killed off the bug bounty platforms' usefulness?

    given how security departments are being gutted in favor of LLM-driven shit?

    given how engaging with the companies is going to entail arguing with their pre-primed-as-defensive LLM instances?

    There's no way to approach this with a healthy state of mind; all the avenues that we've worked to implement for the past couple decades have been systemically dismantled.

    So fuck it. Do whatever.
  • da_667@infosec.exchange wrote:

    I'm going to say something that's been festering in my mind for a while now. In my two decades of practice in information security, I have yet to see responsible disclosure result in measurably better security posture.

    Code quality hasn't improved, patch management hasn't improved, minimum viable product hasn't improved, automated security updates, especially for IoT devices... Jesus Fucking Christ haven't improved. The cost of failure for organizations losing your data due to gross negligence has in no way improved; why should responsibility be the domain of the security researcher when nobody else is willing to share in that responsibility?

    I'm half-tempted to say if you have 0-days you might as well get paid for them rather than be responsible. Because even with a tilted playing field, nothing has measurably improved since I've been here and I would argue with "vibe coding" and the tech industry's view of "Let the AI handle it" that software quality is the worst it has been since the 90s. I lived through Windows Millennium Edition. I've seen shit you wouldn't believe.

    "Hardware's fucked because we can't buy any, software is fucked because the LLMs trained by Reddit and Stack Overflow are in charge now. You might as well fucking guess at this point."

    tati@eldritch.cafe wrote (#11):

    @da_667 which is most likely?

    1. you are the only person on the planet to have ever seen this vuln. after fighting the corpo's reporting system for a week, you finally manage to get the report in. the company gives you its thanks, and months later, you get a check for $2.53
    2. the nsa is using this vuln, discovers that it's being patched, and moves on to other vulns
    3. as 2) above except is told it's being patched
  • da_667@infosec.exchange wrote (#12):

    @munin I faced burnout a long time ago. The only thing I can be is a professional by measure of my peers. I do the best I can with the power I'm given, and if others choose to do nothing with it? I don't care anymore. Which is awful to say, but here we are.
  • munin@infosec.exchange wrote (#13):

    @da_667

    I mean, what else can you do? systemic problems require systemic solutions, which requires widespread adoption of the attitude that the systemic problem can be fixed and motivation towards fixing it.

    so chill out in the meantime, let things collapse, and then hang out with those of us who remember how to build things after, and try to stay grounded in the meantime.
  • munin@infosec.exchange wrote (#14):

    @da_667

    don't mean you can't complain about it tho. 's necessary as a way -to- stay grounded that "this shit is Not Helping".
  • da_667@infosec.exchange wrote (#15):

    @munin if nothing else, the catharsis is nice, and it's great to know that I'm not alone.
  • munin@infosec.exchange wrote (#16):

    @da_667

    lately when I've been realizing that I'm getting angry, I go climbing.

    because if this shit's driving me up the wall, I may as well make that metaphor literal.

    I'm getting kinda ripped actually.
  • da_667@infosec.exchange wrote (#17):

    @munin since I've started getting my health in order, my cardio sessions have gotten longer and longer. I'm up to 60 minutes of cardio six days a week now, and I'm starting to add hand weights to my workouts to get a bit of resistance training in with the cardio as well.

    while still in awful shape, I'm the healthiest I've been in six years.
  • munin@infosec.exchange wrote (#18):

    @da_667

    tbh I'm probably the healthiest I've ever been at this point.

    I don't really care for the treadmill thing, and weights don't do anything for me, but "get to the top of this wall by any means necessary, only touching that one color" is -incredibly fucking fun- for my brain and keeps me going until I literally cannot move.

    it's pretty awesome.
  • da_667@infosec.exchange wrote (#19):

    @munin I'm doing cardio walking. slightly different from the treadmill. Not quite so intense, but it involves a lot more parts of the body, and by the end of it, I've worked up a healthy sweat.

    I'm glad you're thriving, or at least getting healthier.
  • muddobbers@infosec.exchange wrote (#20):

    @da_667 @munin

    You are absolutely not alone.
  • azvede@infosec.exchange wrote (#21):

    @munin @da_667 i don't know if you lead climb at all, but if you do, taking one or two real good victory whips after a stressful day is a great way to dissipate the cortisol.
  • karl@infosec.exchange wrote (#22):

    @da_667 I have always been in favor of responsible disclosure, not because it works but because it's the *right* thing to do.

    However, in the current day and age of LLMs, should I find evidence of vibe-coded shit in whatever the next broken thing is, I wouldn't mind FD.
  • munin@infosec.exchange wrote (#23):

    @Azvede @da_667

    bouldering and top rope rn. I'm not quite good enough for lead climbing just yet lol
  • da_667@infosec.exchange wrote:

    nobody is held liable when breaches occur and your PII gets stolen for the fifth time in a single year.

    And then we read the inevitable report that it was a third-party managed system that was 6 months behind in patches that got popped. Or it was a risk assessment result that they said "they would get to that eventually" and never did.

    You start throwing executives in cuffs for failing to do their duty and sure as shit things would start changing.

    viss@mastodon.social wrote (#24):

    @da_667 been saying this for years
  • 0xtero@ohai.social wrote (#25):

    @da_667 As Dan Geer said in his 2014 Black Hat keynote: "For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer." Yet here we are a decade+ later.

    Browser security has taken some strides, but it's unclear if that's due to responsible disclosure or just Google pouring money into securing it.
  • 0xtero@ohai.social wrote (#26):

    @da_667 the EU has regulations up the wazoo with GDPR and the upcoming CRA (product security) and they do dish out fines, but it's largely ineffective from a security point of view and is always reactionary, lagging behind. Big tech companies shrug off their fines and next week it's a new zero day in your perimeter firewall.
  • phoenix@s0.phoenixsystems.cc wrote (#27):

    @da_667 i get the impression there are very few companies / people who work at said companies who still care about code quality. you don't get different pay for writing trash than you do writing high quality maintainable code, so why bother?

    and it's probably closed source so it's not like anyone in the future is going to attribute the trash you wrote to you anyway, except for the future suckers at the company stuck with it. but people switch jobs every few years for actual raises, so there are no consequences.

    // 🦋
  • mkoek@mastodon.nl wrote (#28):

    @da_667 Wow, I was arguing basically that exact thing at work last Friday. We're still dealing with the same stuff, aren't we? And attackers get more mileage out of detailed bug disclosures than defenders, definitely; that's an uncomfortable truth for sure. So, prepare to be called a heretic. 🙂
  • nyanbinary@infosec.exchange wrote (#29):

    @da_667 Ok, so, some thoughts. I was uncertain if I should post it as a reply or a standalone post as it's more "my own thoughts than a reply" but ...

    I srsly dislike the term "responsible disclosure", most cold take, I know - framing all other methods as irresponsible while only creating one-sided responsibility, yadda yadda yadda. This is in addition to the discussion of financial incentives/bug bounties - morality & work often do not combine well in our current economic system.

    The responsible thing to do with a detected vulnerability absolutely depends on the vendor (or as a stand-in the industry), on the downstream impacts of the vulnerability, exploitation status, ... - full disclosure can absolutely be the morally right thing to do. Unfortunately, without pressure (be it economic or legal - rip social pressure/shame as a functional tool...) for software & service providers to clean up their shit (be it with actual functional CVD programs or proactively not putting customers/users at risk by actually writing reliable software) there is absolutely no incentive to do so. Repeated painful full disclosures might actually be a positive as it can contribute to such pressures. If you, however, were to drop an RCE in curl on 4chan I would feel the need to slap you.

    Things get a lot more complicated imo when it comes to using/selling/non-publicly distributing vulnerabilities with impact potential. While I said that morality & work don't combine well this doesn't mean you get a blank check if you do it for paying your bills - amoral & immoral are very much different things. I am young, naive, and privilege-maxxing, but I believe there is a duty to, at least, not make the world worse.

    None of this precludes it from being the right thing - hi, the thing that got me into political action (non-digital!) was the Phineas Fisher texts. Ignoring the particulars I still believe the basics hold true: We need to make the world better & hacktivism or distribution of secrets can be a tool in this toolbox. For me, as your local non-ideologically-committed certified left wing extremist this precludes support for states (in most situations) & a universal objection to private sector sales (as you srsly can't control it at that point), but my framework isn't your framework.

    Anyway, too many words, tldr: Fuck responsible disclosure, do a case-by-case assessment & please try not to make the world worse, that's all I am asking for.

Powered by NodeBB Contributors
Graciously hosted by data.coop