I'm a little concerned about the general tech attitude towards the Mozilla bug findings.

71 Posts 28 Posters 69 Views
  • tock@corteximplant.com

    @cR0w Usual Disclaimer: IANAP (Programming hobbyist at best, not a pro or an expert)

    1.) Stands to reason that if the prior technique of "fuzzing" (another automated way of discovering bugs) has false positives, so will AI. In fact, I'd be surprised that it isn't a statistically significant number of false positives.

    2.) Since Mozilla is all-in for AI and no longer interested in customers (except as cattle), Firefox's days are likely longer behind it than ahead before it becomes an AI client for them. The brand is all they care about, not the users.

    cr0w@infosec.exchange
    #41

    @Tock Fuzzing is deterministic, predictable, and reproducible. But yeah, I think there is a lot in tech (and elsewhere) that's about to come crumbling down.

    • viss@mastodon.social

      @cR0w and burning down the engineering folks for the benefit of the sales and marketing folks.

      In 2002, when I worked at Websense, the sales department would often sell shit that didn't exist, and tech support got stuck being the folks to tell the people they were lied to, when they went searching for the features that didn't exist.

      This is exactly the same thing, but on a larger scale.

      tock@corteximplant.com
      #42

      @Viss @cR0w OMG so much this.

      Sales people will claim a tech product will piss rainbows and make you immortal. Tech support wastes so many hours bringing customers back down to Earth, and yet this goes on cause "Make Cash Masheen Go BRRRRR."

        tock@corteximplant.com
        #43

        @cR0w I'll testify.

          cr0w@infosec.exchange
          #44

          @Tock I saw the URL and thought you were a chukar for a second. Treasure Valley Community College in OR uses the same acronym.

            tock@corteximplant.com
            #45

            @cR0w I wish. I'd love to be in Oregon.

              cr0w@infosec.exchange
              #46

              @Tock Ontario isn't that different from Texas though. It's right on the ID border from Boise.

                tock@corteximplant.com
                #47

                @cR0w Ah, good point. I'd be trading mosquitoes for "insert local pest here", but because of Idaho, same MAGA neighbors, I'd take it?

                  cr0w@infosec.exchange
                  #48

                  @Tock That's the spirit. It's also home to Ore-Ida potatoes.

                    • cr0w@infosec.exchange

                    @troed The fact that they're tricky bugs to find supports my point that they should be using the findings to adjust engineering and dev efforts, not just bragging about their fancy new safety net.

                    troed@swecyb.com
                    #49

                    @cR0w The only way to write software without security holes is to do formal proofs. When we design software that way, human coders will also be completely out of the loop.

                    I believe some industries will need to go in that direction, likely forced by laws, but the costs will be staggering compared to today.

                      • cr0w@infosec.exchange

                      I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.

                      People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:

                      Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog (hacks.mozilla.org)

                      New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.

                      However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.

                      If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.

                      starkrg@myside-yourside.net
                      #50

                      @cR0w And, of course, don't forget that bad actors have exactly the same access to exactly the same tools. To be secure, the devs need to find and patch every single bug. To perform bad actions, a blackhat only needs to discover one or two bugs. I consider the ability to quickly find a lot of bugs to be a net negative since patching them takes a lot longer than exploiting them.

                        huitema@social.secret-wg.org
                        #51

                        @cR0w I see the analogy with road networks, and the cycle of building freeways to ease traffic followed by building far away developments causing more traffic. There is always a pressure to develop more software faster, tempered by the need to fix bugs and avoid catastrophic issues. If it becomes easier to root out bugs, more software gets done faster, for an increased supply of bugs. Quasi-equilibrium.

                          cr0w@infosec.exchange
                          #52

                          @huitema Just like the road infra in the US, we're reaching the point where a lot of software is nearing a disaster in the near term.

                            • fritzadalis@infosec.exchange

                            @en3py @cR0w
                            Had a user just yesterday get all mad because we asked a few governance questions about turning on MCP in Salesforce. "We have a policy!" "If you don't see the value of this then go fuck yourselves!" (rephrased).

                            taffer@mastodon.gamedev.place
                            #53

                            @FritzAdalis @cR0w @en3py I can’t use Thunderbird (or any IMAP client) for email at work because Security hasn’t done an eval. But we can enable every MCP in sight.

                              fritzadalis@infosec.exchange
                              #54

                              @Taffer @cR0w @en3py
                              Is there an MCP-to-IMAP adapter? (I was going to look, there probably is, but only despair lies that way.)

                                taffer@mastodon.gamedev.place
                                #55

                                @FritzAdalis @cR0w @en3py I love it, that’s terrible

                                  • crowbriarhexe@tech.lgbt

                                  @mahryekuh @cR0w this is also the canonical “trans women are so resilient!” picture btw

                                  snowless@defcon.social
                                  #56

                                  @crowbriarhexe @mahryekuh @cR0w Damn, this hit me hard.

                                    hsza@social.tudbut.de
                                    #57

                                    @cR0w LLM chatbots are not fit for this purpose, or any purpose; if this was being done with purpose-built ML tools that'd be a different story, but all I see is an overblowing of hype around a horribly unethical “tool” that ensnares developers that have no ethics and additionally voids their qualifications to use their brains

                                      david_chisnall@infosec.exchange
                                      #58

                                      @cR0w Browsers are a bit interesting in terms of defining what actually is a security vulnerability. A modern browser's job is to download untrusted code from probably malicious people, run it, and not let them gain access to the host system. As a result, browsers (Firefox was late to the party by a very long time here, but they've done some very interesting work recently in this space) are some of the most aggressively compartmentalised software that exists. This means that most vulnerabilities in a browser are not exploitable by themselves, you need to chain a bunch of them together.

                                      I suspect there's some psychological effect here, that when you're writing code that you know runs sandboxed, you aren't quite as careful as you would normally be. But there's also a real effect that a lot of the vulnerabilities matter only as step 1 in a chain of several to get to any real kind of compromise that a user would care about.

                                        cr0w@infosec.exchange
                                        #59

                                        @david_chisnall That's fair, but to my point, it seems like if there is awareness of that whole idea that the main issue is dev attitude, finding out that a bunch of vulns made it to prod seems like the perfect opportunity to address that rather than just be happy there's a new bug finder that will very quickly hit a wall in its effectiveness.

                                          david_chisnall@infosec.exchange
                                          #60

                                          @cR0w For comparison, Chromium averages one vulnerability every 1.5 days. The Linux kernel is similar.

                                          So, yes, I think this is a problem, but it's far from specific to Firefox. Most programming practices came from a time when most software never operated on untrusted data. People are still taught to program as if that were true today.
