I'm a little concerned about the general tech attitude towards the Mozilla bug findings.
-
I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.
People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.
If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
@cR0w I think it's a problem deeply rooted in the industry. In a corporate environment security is an obstacle. SolarWinds was a massive red flag for everyone: gone with the wind. I've seen applications deployed near banking systems and abandoned, unpatched, nothing. "Data scientists" collecting data without consideration of security: "nobody will notice among C-levels". Self inflicted wounds, willingly.
-
@Viss But even away from Firefox or any other specific project, the idea that only impacts future work rather than understanding that it's pointing out flaws in the existing engineering processes to begin with is going to lead to so many bad vulns. It's just going to exacerbate the existing issues that maintainers may not even realize they have.
@cR0w and burning down the engineering folks for the benefit of the sales and marketing folks.
in 2002 when i worked at websense, the sales department would often sell shit that didnt exist, and tech support got stuck being the folks to tell the people they were lied to, when they went searching for the features that didnt exist.
this is exactly the same thing, but a larger scale
-
@cR0w and burning down the engineering folks for the benefit of the sales and marketing folks.
in 2002 when i worked at websense, the sales department would often sell shit that didnt exist, and tech support got stuck being the folks to tell the people they were lied to, when they went searching for the features that didnt exist.
this is exactly the same thing, but a larger scale
@Viss Yeah, that's definitely an ongoing thing in plenty of security orgs even. Some of them you may have heard of. In fact, they may even be on Mastodon right meow.
-
I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.
People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.
If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
@cR0w creating 10x the amount of bugs with AI to farm AI found CVEs or something
I don't like the future of software ;_; -
@cR0w creating 10x the amount of bugs with AI to farm AI found CVEs or something
I don't like the future of software ;_;@sharkfie Software was a mistake.
-
@cR0w turning off all the defensive measures in the browser and its sandbox so that mythos could rack up a bunch of wins seems deeply disingenuous to me.
and mozilla going all ai-pilled, this survey that ddg did: https://voteyesornoai.com/ and a mountain of public sentiment all saying 'stop horking ai shit into browsers', then the browsers all just ignoring them gives me reason to believe that this is all smoke and mirror bullshit to hammer ai shit into more places people dont want it
@Viss @cR0w that's exactly what it is. DDG's search results now PRIORITIZE LLM-generated slop sites above all others. And they refuse to remove any of them. Apparently every report that it's a slop site gets it moved UP in the rankings so that now if you search an error message, all you get is slop-generated nonsense for 3+ pages of results.
-
@Viss @cR0w that's exactly what it is. DDG's search results now PRIORITIZE LLM-generated slop sites above all others. And they refuse to remove any of them. Apparently every report that it's a slop site gets it moved UP in the rankings so that now if you search an error message, all you get is slop-generated nonsense for 3+ pages of results.
-
@cR0w I think it's a problem deeply rooted in the industry. In a corporate environment security is an obstacle. SolarWinds was a massive red flag for everyone: gone with the wind. I've seen applications deployed near banking systems and abandoned, unpatched, nothing. "Data scientists" collecting data without consideration of security: "nobody will notice among C-levels". Self inflicted wounds, willingly.
-
@cR0w and burning down the engineering folks for the benefit of the sales and marketing folks.
in 2002 when i worked at websense, the sales department would often sell shit that didnt exist, and tech support got stuck being the folks to tell the people they were lied to, when they went searching for the features that didnt exist.
this is exactly the same thing, but a larger scale
-
I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.
People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.
If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
@cR0w This reminds me of the story about the plane that returned with bullet holes in a war, and survivorship bias.
Edit: To my surprise, this example features prominently on the related Wikipedia page:
-
@FritzAdalis @cR0w sure but having lived through it several times makes it easier to spot the next time it comes around
-
@cR0w and burning down the engineering folks for the benefit of the sales and marketing folks.
in 2002 when i worked at websense, the sales department would often sell shit that didnt exist, and tech support got stuck being the folks to tell the people they were lied to, when they went searching for the features that didnt exist.
this is exactly the same thing, but a larger scale
-
@JessTheUnstill @cR0w this all seems to me like ai propoganda to try to sell ai to people who dont want it, and despite people saying 'fuck this, no', they ignore people and just do their thing
-
@JessTheUnstill @cR0w this all seems to me like ai propoganda to try to sell ai to people who dont want it, and despite people saying 'fuck this, no', they ignore people and just do their thing
-
@JessTheUnstill @cR0w im pretty sure thats intentional. everyone recently learned about the 'flood the zone' tactic and is now just buttonmashing it and rubberstamping it everywhere
-
@JessTheUnstill @cR0w im pretty sure thats intentional. everyone recently learned about the 'flood the zone' tactic and is now just buttonmashing it and rubberstamping it everywhere
-
@Viss Yeah, that's definitely an ongoing thing in plenty of security orgs even. Some of them you may have heard of. In fact, they may even be on Mastodon right meow.
-
@FuturisticRobert @cR0w yes - they post on twitter, and the content here is one-way. they post here, but are unconcerned with replies or any audience here
-
@cR0w This reminds me of the story about the plane that returned with bullet holes in a war, and survivorship bias.
Edit: To my surprise, this example features prominently on the related Wikipedia page:
@mahryekuh @cR0w trying this one someone who's never seen it before is an eye opener for sure.
-
@FuturisticRobert @cR0w yes - they post on twitter, and the content here is one-way. they post here, but are unconcerned with replies or any audience here
