I'm going to say something that's been festering in my mind for a while now.

39 Posts 21 Posters 61 Views

#1 da_667@infosec.exchange wrote:

I'm going to say something that's been festering in my mind for a while now. In my two decades of practice in information security, I have yet to see responsible disclosure result in measurably better security posture.

Code quality hasn't improved, patch management hasn't improved, minimum viable product hasn't improved, automated security updates, especially for IoT devices... Jesus Fucking Christ, haven't improved. The cost of failure for organizations losing your data due to gross negligence has in no way improved; why should responsibility be the domain of the security researcher when nobody else is willing to share in that responsibility?

I'm half-tempted to say if you have 0-days you might as well get paid for them rather than be responsible. Because even with a tilted playing field, nothing has measurably improved since I've been here, and I would argue with "vibe coding" and the tech industry's view of "Let the AI handle it" that software quality is the worst it has been since the 90s. I lived through Windows Millennium Edition. I've seen shit you wouldn't believe.

"Hardware's fucked because we can't buy any, software is fucked because the LLMs trained by reddit and stack overflow are in charge now. You might as well fucking guess at this point."

#2 da_667@infosec.exchange wrote, replying to #1:

Is what I said right? Am I a fucking loon for having said it? I don't care. I haven't seen any improvements over the past 20 years I've been here, and I'm fresh out of fucks to give when so-called professionals tell me that the way we've been doing things for so long, which has produced nothing positive so far as I have seen, should be maintained, and to stop questioning it.

#3 da_667@infosec.exchange wrote, replying to #2:

Nobody is held liable when breaches occur and your PII gets stolen for the fifth time in a single year.

And then we read the inevitable report that it was a third-party managed system that was 6 months behind in patches that got popped. Or it was a risk assessment result that they said "they would get to that eventually" and never did.

You start throwing executives in cuffs for failing to do their duty and sure as shit things would start changing.

#4 da_667@infosec.exchange wrote, replying to #3:

It has always been the privilege of the corporations and the rich to define what responsibility is. I'm here to tell you don't give them what they aren't willing to give us.

#5 fxchip@hachyderm.io wrote, replying to #3:

@da_667 This right here, actually, is the thing that really pisses me off. Having everybody on a system where one set of 9 numbers that is effectively (1) immutable and (2) 100% dictates your financial life so therefore (3) must be kept secret, and yet nothing serious happens to anyone who is trusted to safeguard this information and completely fails in their duty to do so. I get shit happens but when the consequences are that dire for those harmed, maybe the consequences should also be dire for those that allowed and even arguably facilitated that harm after a certain point of negligence?

And then more and more businesses start to treat it as a requirement for doing business while *still* failing to secure it in any meaningful, reasonable way. It's fuckin' disgusting. The credit reporting bureaus should have lost all credibility the first ***Two*** fucking times.

#6 fxchip@hachyderm.io wrote, replying to #5:

@da_667 "congratulations on your free year of credit monitoring!" the fuck does *monitoring* do when I can't fucking *stop* what's happening

#7 da_667@infosec.exchange wrote, replying to #5:

@fxchip don't fucking get me started about the Equifax breach and credit scores. Man, credit scores never existed before the 80s. Just another case of the boomers having fucked us all yet again.

#8 da_667@infosec.exchange wrote, replying to #6:

@fxchip Every time I see that "Credit monitoring" mail come into my inbox, I know that somebody, somewhere, suffered an extreme dereliction of their duty to protect sensitive data, and that this letter is the equivalent of the "We're sorry" commercial.

https://www.youtube.com/shorts/g2Sppn4dZVs

#9 fxchip@hachyderm.io wrote, replying to #7:

@da_667 isn't the whole fucking reason credit scores even exist to circumvent anti-discrimination laws and rules by using arbitrary numbers that just so happen to "correlate well" with race?

#10 munin@infosec.exchange wrote, replying to #4:

@da_667

At this point, given the LLM situation, I don't think there's much value in coordinated disclosure.

But from a different angle.

'cuz given Anthropic and other LLM hawkers' attitudes, plus the way in which LLM spam has basically killed off the bug bounty platforms' usefulness?

given how security departments are being gutted in favor of LLM-driven shit?

given how engaging with the companies is going to entail arguing with their pre-primed-as-defensive LLM instances?

There's no way to approach this with a healthy state of mind; all the avenues that we've worked to implement for the past couple decades have been systemically dismantled.

So fuck it. Do whatever.

#11 tati@eldritch.cafe wrote, replying to #1:

@da_667 which is most likely?

1. you are the only person on the planet to have ever seen this vuln. after fighting the corpo's reporting system for a week, you finally manage to get the report in. the company gives you its thanks, and months later, you get a check for $2.53
2. the nsa is using this vuln, discovers that it's being patched, and moves on to other vulns
3. as 2) above except is told it's being patched

#12 da_667@infosec.exchange wrote, replying to #10:

@munin I faced burnout a long time ago. The only thing I can be is a professional by measure of my peers. I do the best I can with the power I'm given. And if others choose to do nothing with it? I don't care anymore. Which is awful to say, but here we are.

#13 munin@infosec.exchange wrote, replying to #12:

@da_667

I mean, what else can you do? systemic problems require systemic solutions, which requires widespread adoption of the attitude that the systemic problem can be fixed and motivation towards fixing it.

so chill out in the meantime, let things collapse, and then hang out with those of us who remember how to build things after, and try to stay grounded in the meantime.

#14 munin@infosec.exchange wrote, replying to #13:

@da_667

don't mean you can't complain about it tho. 's necessary as a way -to- stay grounded that "this shit is Not Helping".

#15 da_667@infosec.exchange wrote, replying to #14:

@munin if nothing else, the catharsis is nice, and it's great to know that I'm not alone.

#16 munin@infosec.exchange wrote, replying to #15:

@da_667

lately when I've been realizing that I'm getting angry, I go climbing.

because if this shit's driving me up the wall, I may as well make that metaphor literal.

I'm getting kinda ripped actually.

#17 da_667@infosec.exchange wrote, replying to #16:

@munin since I've started getting my health in order, my cardio sessions have gotten longer and longer. I'm up to 60 minutes of cardio six days a week now, and I'm starting to add handweights to my workouts to get a bit of resistance training in with the cardio as well.

while still in awful shape, I'm the healthiest I've been in six years.

#18 munin@infosec.exchange wrote, replying to #17:

@da_667

tbh I'm probably the healthiest I've ever been at this point.

I don't really care for the treadmill thing, and weights don't do anything for me, but "get to the top of this wall by any means necessary, only touching that one color" is -incredibly fucking fun- for my brain and keeps me going until I literally cannot move.

it's pretty awesome.

#19 da_667@infosec.exchange wrote, replying to #18:

@munin I'm doing cardio walking. slightly different from the treadmill. Not quite so intense, but it involves a lot more parts of the body, and by the end of it, I've worked up a healthy sweat.

I'm glad you're thriving or at least getting healthier

#20 muddobbers@infosec.exchange wrote, replying to #15:

@da_667 @munin

You are absolutely not alone