I'm a little concerned about the general tech attitude towards the Mozilla bug findings.
-
I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.
People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.
If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
-
@cR0w modern browsers are too complex (literally more so than some entire operating systems) and are becoming essentially unmaintainable and unsafe as they are pushing more and more features over security. browsers are generally the biggest attack surface for the vast majority of users, so security should be the number 1 priority and it isn't and hasn't been for a while.
@cR0w we don't need browsers to be the everything application with 50 million features and they should stop trying to be that. we also don't need operating systems to be as bloated and buggy as they are getting but that's another conversation.
-
@cR0w Looking at *what* the LLM found, I think it shows they actually were on the right path already.
Many of these are memory corruption problems, which are eliminated by migrating to Rust, and can be mitigated by using established hardening techniques, both of which they have already been doing for a long time.
It's a codebase with a 30 year history and a limited set of people who dare understand it enough to do security audits. These LLMs are basically fresh eyes.
@cR0w Most old/large codebases will now get audits they didn't get before, resulting in a wave of bugs found by AI. But any codebase can only contain a limited number of bugs.
-
These LLMs are basically fresh eyes.
That's my point. LLMs are not inherently better. The problem is that the "best practices" have been ignored and that is the shortcoming here.
-
@cR0w Parts of the codebase are older than those best practices though, I wouldn't hold that against them.
-
@guenther I would. They've been working on the same project for how long? And they haven't kept up with best practices? Sounds to me like textbook tech debt and a security vulnerability by design.
-
@cR0w given Mozilla's state of funding, abysmal upper management and the sheer size of the project, it's a borderline miracle they actually built a browser capable of rendering most of the web.
-
@guenther Imagine if they still focused on that browser instead of all the shiny squirrels like AI.