nobody confident in their own abilities is panicking
-
@Viss Panic! At the Infosec?
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss getting supremely annoyed at that headline and how much bullshit it's carrying
-
if youve ever been burned because some asshole in HR shitcanned your resume because "you didnt go to the right college" or you couldnt score a gig because "you refused to get a cissp", or if youve ever ragequit a job because you were just "the token security person who was only there to fulfill a checkbox, and nobody listened to you and you felt like your job didnt matter" then you should want it to burn down too
Don't hold back Viss. Tell us how you really feel.
But seriously, to the point of the original article, yeah, no.
If I'm being very generous and allow that a "spicy linter" might be a halfway decent SAST (static application security testing) tool, that best case scenario would still be overwhelmed by the new and interesting security bugs introduced by their code generating brethren, "spicy autocomplete."
Full agree with Viss on the main point about folks with deep technical view.
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss on but I will panic, just not for the reasons they think.
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss the people who might be panicking for good reason are software maintainers at companies where thes agents are going to be given free range to fix usually inconsequential yellow flags by inserting reams of unreviewed code.
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
apropos
Shafik Yaghmour (@shafik@hachyderm.io)
@carnage4life@mas.to What does it mean to modernize COBOL? The problem of why we have COBOL has nothing to do w/ COBOL itself. It is because there is zero cost incentive to port these core but totally working systems. Changing any of these systems would create way more systematic risk than any value you would gain by replacing the systems themselves. It is the same reason why any legacy system is hard to replace. Same goes for FORTRAN in the science community. Could you replace, yes of course you could. Can you be sure it will replicate all the decades of papers that were written using that software ¯\_(ツ)_/¯ Does anyone have the incentive or money to figure it out, NO! Why are we listening to any of these people, they are talking nonsense.
Hachyderm.io (hachyderm.io)
-
@Viss the people who might be panicking for good reason are software maintainers at companies where thes agents are going to be given free range to fix usually inconsequential yellow flags by inserting reams of unreviewed code.
@kevingranade then the leadership of those companies are going to suffer quite largely when all their engieers quit, and their product catches fire, and all their customers leave.
-
apropos
Shafik Yaghmour (@shafik@hachyderm.io)
@carnage4life@mas.to What does it mean to modernize COBOL? The problem of why we have COBOL has nothing to do w/ COBOL itself. It is because there is zero cost incentive to port these core but totally working systems. Changing any of these systems would create way more systematic risk than any value you would gain by replacing the systems themselves. It is the same reason why any legacy system is hard to replace. Same goes for FORTRAN in the science community. Could you replace, yes of course you could. Can you be sure it will replicate all the decades of papers that were written using that software ¯\_(ツ)_/¯ Does anyone have the incentive or money to figure it out, NO! Why are we listening to any of these people, they are talking nonsense.
Hachyderm.io (hachyderm.io)
@shafik there will be, at some point, enough people willing to deal with the pain of moving off ancient stuff like that. it may suck at first, but it will basically have to happen at some point because nobody is exactly teaching fortran and cobol these days, so soon as those engineers age out, the shit becomes egyptian heiroglyphs
-
@cR0w @Viss @da_667 I've had that convo!
"We don't have resources to do it safely" is such a strange take for an organization that exists in the real world.
Timelines suck, vendors are charming, shareholders have crazy requests. It's a terrible cycle.
But cheating the cycle is lazy and just erodes the efforts of others.
@jackryder @Viss @da_667 Part of the problem is how many stakeholders are involved with every decision, including upstream and unaffiliated with your own org. It's maddening and difficult since it's gotten so out of hand.
-
@shafik there will be, at some point, enough people willing to deal with the pain of moving off ancient stuff like that. it may suck at first, but it will basically have to happen at some point because nobody is exactly teaching fortran and cobol these days, so soon as those engineers age out, the shit becomes egyptian heiroglyphs
It is basically already like that, I think Vernor Vinge got it right. If we are still around ages from now it will be layers and layers of legacy code no one understands all the way down.
It is a very interesting thought process for someone who is in the depths of software development in big tech to really plan out what such a long term migration would look like just for one company. Once you get it, it is very humbling to realize how hard it really is.
-
It is basically already like that, I think Vernor Vinge got it right. If we are still around ages from now it will be layers and layers of legacy code no one understands all the way down.
It is a very interesting thought process for someone who is in the depths of software development in big tech to really plan out what such a long term migration would look like just for one company. Once you get it, it is very humbling to realize how hard it really is.
I am also read "Thinking in Systems" and it is a good book to read if you are thinking about this kind of stuff:
Shafik Yaghmour (@shafik@hachyderm.io)
Reading “Thinking in Systems” “Purposes are deduced from behavior, not from rhetoric or stated goals” We often get stuck on what is said and forget to look at results. If the results never match what is said then you need to realize maybe what is said is meant to mislead. It could also be lack of skills but that is not much better.
Hachyderm.io (hachyderm.io)
-
@cR0w @jackryder @Viss @da_667 Because it’s easier to support if everything is installed and turned on by default. You don’t get pesky users calling saying, “Why isn’t this working?” Fewer support calls saves money.
We were fighting this battle in the OS during my Center for Internet Security days back in the early 2000s and made some progress as far as default installs. But entropy is gonna entropy.
@hal_pomeranz @jackryder @Viss @da_667 Fair. We're so far into it that it's almost impossible to fight that one with a reasonable amount of resources. But it's still frustrating. It's the part of the whole "microservices" or "serverless" that I like. You don't have to inherit a bunch of dependencies and vulnerabilities the same way you would if you had to spin up a Windows or RHEL or Ubuntu machine just for your simple needs.
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss oh great, so this hyperactive, severely ADHD, junior intern who requires very detailed instructions to do anything useful and still promptly forgets their own name and what they were doing every 15 minutes is going to replace me?
I'm not panicking. I'm laughing. A lot.
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss Yeah, as a security-minded devops engineer, this is dope. (Well, y'know, aside from all the general ethical/environmental/etc. concerns about LLM use.) Having more "eyes" out looking for security vulnerabilities is a good thing, and especially so when one set of "eyes" is biased in a different way than typical human reviewers and thus is well placed to notice some subset of problems that humans would probably miss.
Of course, that only applies as long as it's used sensibly. Which means using LLMs to report issues for human review and validation, not letting an agent loose on a code base with the ability to automatically file security reports for anything it finds. (I have little confidence that the tool will actually be used sensibly in most cases.)
-
nobody confident in their own abilities is panicking
Infosec community panics over Anthropic Claude Code Security
ai-pocalypse: Not the first of its kind
(www.theregister.com)
the people who are panicking are signaling.
@Viss Not looking forward to someone running this, thinking everything is all kosher to load, and then taking down a quarter of the internet.
-
@Viss oh great, so this hyperactive, severely ADHD, junior intern who requires very detailed instructions to do anything useful and still promptly forgets their own name and what they were doing every 15 minutes is going to replace me?
I'm not panicking. I'm laughing. A lot.
@0xtero in the spirit of laughing a lot, i just spent like two hours swapping gpus with my desktop and gaming rig so that i can run ollama with some decent model, so that i can light up some incus containers and fuck around with weird agentic bullshit and fake mcp servers in order to do the research for the talk i submit to securityfest
soon you will be laughing at me too!
-
@Viss Not looking forward to someone running this, thinking everything is all kosher to load, and then taking down a quarter of the internet.
@catscatscats time to selfhost everything you possibly can
-
@Viss oh great, so this hyperactive, severely ADHD, junior intern who requires very detailed instructions to do anything useful and still promptly forgets their own name and what they were doing every 15 minutes is going to replace me?
I'm not panicking. I'm laughing. A lot.
-
@Viss Yeah, as a security-minded devops engineer, this is dope. (Well, y'know, aside from all the general ethical/environmental/etc. concerns about LLM use.) Having more "eyes" out looking for security vulnerabilities is a good thing, and especially so when one set of "eyes" is biased in a different way than typical human reviewers and thus is well placed to notice some subset of problems that humans would probably miss.
Of course, that only applies as long as it's used sensibly. Which means using LLMs to report issues for human review and validation, not letting an agent loose on a code base with the ability to automatically file security reports for anything it finds. (I have little confidence that the tool will actually be used sensibly in most cases.)
@diazona you should be aware that i am actively working on research that intends to measure just how often llms lie about shit, even when using skills and mcp servers, because at the end of the day, no matter what layers you put on top of an llm, it still fucking lies and hallucinates - even when its told to use skills and mcp servers
so.. your sentiment, while optimistic, makes the assumption "that this shit works"
but .. it doesnt.
at least not with enough precision to be relied upon -
