is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues

tef@mastodon.social

@fugueish @joe this was true of fuzzing before but i admit it is far more subsidized now

tef@mastodon.social

@fugueish @joe i'm not saying "it doesn't work" but "beware the low hanging fruit giving you false estimates about success rate"

sayrer@mastodon.social

@joe https://gist.github.com/sayrer/659bd4098045164ad9a003df449b6a81

fugueish@wandering.shop

@tef @joe I get you, and it's a reasonable note! But also, fuzzers do keep working (and we keep getting surprised all over again when someone makes a fuzzer that can reach a previously unreachable area).

tef@mastodon.social

@fugueish @joe alas "they only have to get lucky once, we have to get lucky every time" is as true as it ever was

fugueish@wandering.shop

@tef @joe Which is: not fully true! Defenders get to define the territory, including audit and observability. Finding a vuln, developing an exploit — way too easy. Making it operational and maintaining the capability over time: somewhat to substantially more fraught. (Still way, way too easy, of course)

fay59@tech.lgbt

@joe it’s finding real issues. Anything that finds real issues and costs money will feel like an “engage with us Or Else” situation

pozorvlak@mathstodon.xyz

@tef @joe sure, but *every* new analysis technique finds a whole bunch of bugs at first and then levels off after a while. That said, I'm genuinely impressed at some of the things they've found - a 27yo 0day in OpenBSD? Wild.

tef@mastodon.social

@pozorvlak @joe alas, "secure programing in C" turns out to be more than just yelling at linux developers

tef@mastodon.social

@pozorvlak @joe

to be clear, if you believe openbsd has a lower defect rather than any other of the bsds, you're absolutely being taken for a ride