nobody confident in their own abilities is panicking

viss@mastodon.social

@krypt3ia @acdha i refer to it as 'the bureaucratic plumbing', but yep

krypt3ia@infosec.exchange

@Viss @acdha It burns for those who got into this as an avocation.

jackryder@infosec.exchange

@cR0w @Viss @da_667

"The requirements.txt is 1267 lines?"

We want to be sure...

cr0w@infosec.exchange

@jackryder @Viss @da_667 Even the fact that everything runs on GPOSs like Windows because it's easy is bad. Keep it fucking simple. Why should orgs have to mitigate so many vulns in services they don't want and don't need? Because it's easier for "engineers?" GTFO.

jackryder@infosec.exchange

@cR0w @Viss @da_667 I've had that convo!

"We don't have resources to do it safely" is such a strange take for an organization that exists in the real world.

Timelines suck, vendors are charming, shareholders have crazy requests. It's a terrible cycle.

But cheating the cycle is lazy and just erodes the efforts of others.

hal_pomeranz@infosec.exchange

@cR0w @jackryder @Viss @da_667 Because it’s easier to support if everything is installed and turned on by default. You don’t get pesky users calling saying, “Why isn’t this working?” Fewer support calls saves money.

We were fighting this battle in the OS during my Center for Internet Security days back in the early 2000s and made some progress as far as default installs. But entropy is gonna entropy.

rrb@infosec.exchange

@Viss What I am not confident in is the ability of tech CEOs to prioritize delivering products that are not pure shit.

Delivering quality vs. delivering pure crap at a much lower cost?

drahardja@sfba.social

@Viss The real victims here are the juniors and people recently entering a new field. LLMs teach you nothing (you have to do the learning yourself, like you always do), yet they give the illusion of productivity. The game is rigged so that junior devs are rewarded for pretending to gain understanding, when all they do is lean on the LLMs and hope they don’t fuck up.

deedasmi@mastodon.online

@Viss Hey now, Claude found an SQL injection in my code and I like to think I have a pretty good practice of secure coding.

It thinks the statically typed i32 is an injection vulnerability and wants to fix it with more than a hundred lines of crud because it doesn’t understand how to make parameterized statements in my SQL library. It also made all of that crud public API in ways it could easily be called out of order and make new state issues. But that’s exactly the point.

thomasareed@infosec.exchange

@Viss When I got into security something like 15 years ago, it was so different. At that time, in the Mac community, I could make a difference, and do meaningful things. That’s so much harder to do now, with so many stupid, bureaucratic roadblocks, and I’m glad I’m looking at a career in the security industry in the rear view mirror.

theorangetheme@en.osm.town

@Viss @cR0w @da_667 People who have contempt for everything outside of their overengineered virtual machine really grind my gears, because when their abstraction inevitably leaks, this sclerotic industry will prevent them from suffering the consequences of their actions. But I ran into people like this ten years ago. LLMs just kicked the dilettantism into hyperdrive.

catsalad@infosec.exchange

@Viss "Oh you know IOS? Which one–the fruit or the trash fire?"

jackeric@beige.party

@catsalad @Viss @jackryder
obligatory https://www.youtube.com/watch?v=LWFrgjFb56E

rayendumeldust@sueden.social

@catsalad @Viss what's my uptime again?

neurovagrant@masto.deoan.org

@Viss getting supremely annoyed at that headline and how much bullshit it's carrying

pseudonym@mastodon.online

@Viss

Don't hold back Viss. Tell us how you really feel.

But seriously, to the point of the original article, yeah, no.

If I'm being very generous and allow that a "spicy linter" might be a halfway decent SAST (static application security testing) tool, that best case scenario would still be overwhelmed by the new and interesting security bugs introduced by their code generating brethren, "spicy autocomplete."

Full agree with Viss on the main point about folks with deep technical view.

spinnyspinlock@infosec.exchange

@Viss on but I will panic, just not for the reasons they think.

kevingranade@mastodon.gamedev.place

@Viss the people who might be panicking for good reason are software maintainers at companies where thes agents are going to be given free range to fix usually inconsequential yellow flags by inserting reams of unreviewed code.

shafik@hachyderm.io

@Viss

apropos

Shafik Yaghmour (@shafik@hachyderm.io)

@carnage4life@mas.to What does it mean to modernize COBOL? The problem of why we have COBOL has nothing to do w/ COBOL itself. It is because there is zero cost incentive to port these core but totally working systems. Changing any of these systems would create way more systematic risk than any value you would gain by replacing the systems themselves. It is the same reason why any legacy system is hard to replace. Same goes for FORTRAN in the science community. Could you replace, yes of course you could. Can you be sure it will replicate all the decades of papers that were written using that software ¯\_(ツ)_/¯ Does anyone have the incentive or money to figure it out, NO! Why are we listening to any of these people, they are talking nonsense.

Hachyderm.io (hachyderm.io)

viss@mastodon.social

@kevingranade then the leadership of those companies are going to suffer quite largely when all their engieers quit, and their product catches fire, and all their customers leave.