pier25 5 hours ago
> before it gets better
How is it going to get better?
idopmstuff 4 hours ago
If we assume that there will be an AI that is perfect in terms of ability to find vulnerabilities, cheap to run and widely available to everyone, then anyone can run it on any piece of software before deploying it. All vulnerabilities get found before they can be exploited. One of the big challenges with cybersecurity is that attackers only need to find one exploit, while defenders need to stop everything. When you have a large surface area and limited resources, it's much easier to be the side that only has to succeed once. AI eliminates the limited resources problem.
apnorton 4 hours ago
> If we assume that there will be an AI that is perfect in terms of ability to find vulnerabilities
...so if we assume a halting oracle?
|
jefftk 5 hours ago
I'd speculate that at this point Linux etc. are probably having vulnerabilities discovered and patched faster than created.
pier25 2 hours ago
It's not only Linux though, and many projects don't have the funding to perpetually use something like Mythos.
|
Sarky 5 hours ago
Right now we are at a point in time when AI can find bugs for attackers and defenders, but defenders did not fix/find those bugs yet. In time most of the bugs AI can find will be fixed, and things will calm down. Some bugs will be left, but will be too complex to find and weaponise (or rarely). In short, attackers have the advantage for a brief time now, but ultimately defenders will win. I guess this "fight" might be over before the end of the year.
|
0xbadcafebee 4 hours ago
1) Make it a law that companies have to vet their code for security holes before release,
2) Make it a law that companies have to apply operational security best practice on their software products/services,
3) Industry standard automation for improvements to patch lifecycle management,
4) Auditing for critical businesses and industries to ensure safety (both as a national security thing and general safety/reliability/privacy/etc)
Right now all that stuff is optional, so most companies don't do it, which makes more security holes and it takes longer to patch.
chuckadams 3 hours ago
Basically make software development so legally risky that only multi-billion dollar corporations will ever engage in it.
|
nicce 5 hours ago
Downplaying security now has real consequences for everyone.
|
jiggawatts 5 hours ago
Bulk rewrites of everything into Rust with AI assistance?
foobiekr 4 hours ago
I am looking at the results of a mass vulnerability scan as I type this. Half of the bugs in one case are in fact (binary) parser errors for hand-written parsers. These really should not exist in any language - but in C it's particularly bad. Kaitai Struct or something similar would broadly have prevented these. Rust would help here, but less than a parser generator (because it could automate error checking insertion for things that aren't just out of bound access). However, half of the vulnerabilities are logic errors in terms of what I would call RBAC enforcement, incorrect access permissions, and so on. Rust won't help at all with any of these.
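An added example in C, not written by foobiekr or anyone else in this thread: the bounds checks a hand-written binary parser needs, spelled out for a constructed type-length-value format (the record layout, sample bytes and function names are this example's own). These are the checks a parser generator such as Kaitai Struct emits for you and that hand-written C parsers most often get wrong.

```c
/* Bounds-checked parser for a constructed TLV wire format (example code).
 * Record layout assumed here: 1-byte type, 2-byte big-endian length,
 * then `length` bytes of value. Lines marked REQUIRED are the checks
 * that hand-written parsers most often omit or get subtly wrong. */
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint8_t type;
    uint16_t length;
    const uint8_t *value;   /* points into the caller's buffer, not copied */
} tlv_t;

/* Parse one record at *pos. Returns 1 on success and advances *pos;
 * returns 0 and leaves *pos untouched on truncated or malformed input. */
int tlv_next(const uint8_t *buf, size_t buf_len, size_t *pos, tlv_t *out)
{
    size_t p = *pos;
    if (p > buf_len) return 0;            /* REQUIRED: cursor already past the end */
    if (buf_len - p < 3) return 0;        /* REQUIRED: header must fit; subtract, never add (no p+3 wrap) */
    uint16_t len = (uint16_t)((buf[p + 1] << 8) | buf[p + 2]);
    if (len > buf_len - p - 3) return 0;  /* REQUIRED: declared length vs bytes actually remaining */
    out->type = buf[p];
    out->length = len;
    out->value = buf + p + 3;
    *pos = p + 3 + len;                   /* cannot overflow: bounded by buf_len above */
    return 1;
}

/* Walk a whole buffer. Returns the record count, or -1 if any record is
 * malformed or trailing bytes do not form a complete record. */
int tlv_count(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int n = 0;
    tlv_t rec;
    while (pos < buf_len) {
        if (!tlv_next(buf, buf_len, &pos, &rec)) return -1;
        n++;
    }
    return n;
}

/* Constructed sample inputs for this example */
static const uint8_t GOOD[] = { 0x01, 0x00, 0x02, 0xAA, 0xBB,   /* type 1, length 2 */
                                0x02, 0x00, 0x00 };             /* type 2, length 0 */
static const uint8_t OVERLONG[] = { 0x01, 0xFF, 0xFF, 0xAA };    /* claims 65535 bytes, carries 1 */
static const uint8_t TRUNCATED_HDR[] = { 0x01, 0x00 };           /* header cut short */
```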
jiggawatts 4 hours ago
I was just working on a system best thought of as a “dinosaur”: written almost entirely in C (and a bit of PERL) and running on an appliance with BSD as the kernel. It’s full of bugs and has had a string of RCE vulnerabilities published recently, probably because of Mythos. Working with it day to day I get this feeling that the tech stack used results in a system that’s… clumsy and constrained. Little things give me that impression, and I can’t quite put it in words, but it’s thirty years of experience working with dozens of languages and platforms speaking here. Using C makes you clumsy. It makes you trip over things other languages don’t. It makes it obscenely difficult to do even simple things. It’s like trying to put a delicate ship into a bottle while wearing oven mitts. Switching to a better language isn’t just about the specific capabilities of its compiler, it’s also about what it enables in the humans using it.
foobiekr 4 hours ago
I don't disagree with that, but my point is that Rust will not really solve vulnerabilities.
|
0xbadcafebee 4 hours ago
Rust is overly complex and difficult, Go is simpler and easier and has the memory protection people are obsessed with.