I'm a little concerned about the general tech attitude towards the Mozilla bug findings.
-
@Viss Yeah, that's definitely an ongoing thing in plenty of security orgs even. Some of them you may have heard of. In fact, they may even be on Mastodon right meow.

-
@FuturisticRobert @cR0w yes - they post on twitter, and the content here is one-way. they post here, but are unconcerned with replies or any audience here
-
@cR0w This reminds me of the story about the plane that returned with bullet holes in a war, and survivorship bias.
Edit: To my surprise, this example features prominently on the related Wikipedia page:
@mahryekuh @cR0w trying this on someone who's never seen it before is an eye opener for sure.
-
I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.
People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.
If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
@cR0w tbf some of those bugs seem to be really tricky to find. Impressive.
-
@troed The fact that they're tricky bugs to find supports my point that they should be using the findings to adjust engineering and dev efforts, not just bragging about their fancy new safety net.
-
@cR0w you being an AI hater is an admirable trait
all these chatbots pretending to be Artificial General Intelligence to milk us for profit are a blight on our lives
-
@mahryekuh @cR0w this is also the canonical “trans women are so resilient!” picture btw
-
@cR0w that doesn't even address the elephant in the room that they didn't test firefox. They tested a javascript engine harness with no security hardening features enabled whatsoever, and that out of the hundreds of bugs found, like 99% of them used the same two exploit primitives. I'm so fucking tired of AI.
-
@da_667 You're correct. I avoided that whole line of thought this time because I think that my point was valid for AI lovers and haters alike so I didn't want people to ignore it as just more hate or something.
-
@crowbriarhexe @cR0w I didn’t know that

-
@cR0w because people don't fact check. people are lazy. if someone popular says a thing, people don't think twice, they just write that shit to disk in their brain and it becomes fact to them.
and it's fucking horrible. and I've seen it before, on a bunch of topics.
@Viss @cR0w But finding bugs is like 1% of the job right? turning them into something you can use on the other hand... Did they do any of that? I've yet to see it. I'll bet not. Surely if there was even one decent one we'd be sick by now of hearing about it. I honestly don't think it is bias. It's that learned gut feeling you got from reading IRC logs: PoC||GTFO right?
I'm sure the mozdevs are delighted about the "make work day" shit rolling down their hill.
-
@cR0w well said.
-
@cR0w everyone should be an 'AI' hater.
-
My hunch is that most of the bugs are/were only possible via specially crafted HTML that confused the parser.
-
@cR0w The same thing is happening in the non-code space, with documents at work. People are generating reams of text and throwing it at colleagues, and a lot of it is wrong, but it takes more time to mark it wrong than it did to conjure up.
...and a lot of people are having trouble seeing why it's a problem.
It's allowing some people to pour champagne on themselves while externalizing the hard work to others.
-
@DarcMoughty Yes! That's so maddening.
-
@cR0w Usual Disclaimer: IANAP (Programming hobbyist at best, not a pro or an expert)
1.) Stands to reason that if the prior technique of "fuzzing" (another automated way of discovering bugs) has false positives, so will AI. In fact, I'd be surprised that it isn't a statistically significant number of false positives.
2.) Since Mozilla is all-in for AI and no longer interested in customers (except as cattle), Firefox's days are likely longer behind it than ahead before it becomes an AI client for them. The brand is all they care about, not the users.
-
@Tock Fuzzing is deterministic, predictable, and reproducible. But yeah, I think there is a lot in tech ( and elsewhere ) that's about to come crumbling down.