HackerTrans
TopNewTrendsCommentsPastAskShowJobs

salsakran

no profile record

Submissions

Welcome to the Strip Mining Era of OSS Security

metabase.com
132 points·by salsakran·hace 2 meses·90 comments

comments

salsakran
·hace 2 meses·discuss
Stated differently -- the way OSS software is currently maintained and users are conditioned to behave, there is a capacity problem if the rate of discovery surges too sharply.

And if the capacity is overshot (which I believe is happening as we speak), users end up in extended states of being insecure.

I'm also one of the unwashed rabble who believes there is a large practical difference between a vulnerability that exists but isn't found and one that is widely known and exploitable.
salsakran
·hace 2 meses·discuss
Yeah ... this gets into the question of what exactly an OSS creator's responsibility is towards users that don't pay them.

In theory, nothing.

In practice, it's in our long term interest that bad things don't happen to them.

How sustainable all of this is, I have my doubts?
salsakran
·hace 2 meses·discuss
Thankfully we've historically had a fair amount of attention (and investment in our security) by both customers, our oss users and people our ecosystem.

The interesting thing is that the business model seems to have changed. Why collect a 10k bounty when you can advertise a 3k/month scanner?
salsakran
·hace 2 meses·discuss
In theory, the vulnerability was always there, and it's better to find out than not find out.

In practice, how much effort it is to find vulnerabilities matters a lot. We're in a time where things that used to be quite hard are now easy and the rate of discovery will change.

This rate of discovery matters a lot -- for OSS maintainer burnout if nothing else.
salsakran
·hace 2 meses·discuss
I dunno man ... I produced a few things that got a few github stars over the years.

At the risk of repeating myself -- this is targeted at other OSS maintainers, not random people who might have done a git pull of some random project a couple years ago.
salsakran
·hace 2 meses·discuss
If you're using unmaintained OSS projects in this day and age, I'm sorry to say you might deserve what happens next.
salsakran
·hace 2 meses·discuss
Perhaps -- but I think for most people, the vast majority of proprietary software they consume is over the network.

But yeah, if you're distributing binaries publicly, then you're going to have very similar problems.
salsakran
·hace 2 meses·discuss
With all respect to the Anthropic folks, that's just marketing. (If they're reading this: let us into the program so I can be proven wrong here.)

I'm sure what they have is awesome, but it's clear that there are people out there with some decent prompts that are getting results out of widely available models as well.

The big thing we're sharing is: bulk scanning by random people in random geographies got a _lot_ better around January, it's widely distributed, and it's going to get a lot better regardless of whether that specific version of Mythos becomes widely available or not.
salsakran
·hace 2 meses·discuss
That line was aimed at other OSS maintainers.

These alerts are absolutely not being shared publicly before we have a fix for them.
salsakran
·hace 2 meses·discuss
Side conversation -- This is all stuff we're seeing in white/grey hat land. What's going on in blackhat land?
salsakran
·hace 2 meses·discuss
That was true last year -- things changes.

Ignore (admittedly low-effort LLM generated) reports at your own peril.
salsakran
·hace 2 meses·discuss
I'm not sure that the benefit of many eyes helps here. So much of this bulk scanning is low-effort, and if you're a smart person developing closed source software you get the benefits of bulk scanning, but _at the time of your choosing_ .

OSS has always had tradeoffs and I sadly think this one is going straight to the "Cons" column. We still think the Pros outweigh the Cons, but this is NotGreat.