Security Eng here.
The whole thing is an absolute mess.
I’ve been (and still am) on both sides of the fence.
I currently have two reports (one RCE on a famous OSS ML platform, one cluster take over on a k8s related projects), both are more than 2 months old without as much as an “F you, get lost”. Just got ignored and ghosted, which hurts a lot, because I spent a lot of time finding, and verifying these (all reports with poc and patch).
BUT I understand why it’s happening, because I’m also on the receiving end.
security@ and VDPs have always received BS reports and beg-bounties, but boy oh boy, these days we have two people spending 3-4 days a week sifting through this constant flood of garbage compared to 2-3 tears ago where 1 person could triage the inbox and VDP in a day’s work max, which would’ve been considered very busy. Unfortunately we can’t just shutdown the programs or the mailbox because 1. We do occasionally get important and great stuff that actually matters, and 2. We’re a critical infra company and can’t ignore anything really.
The signal to noise ratio is almost zero, but the “what if” is keeping us swimming through this unending river of garbage and burning us out.
Overall, chaotic mess on both sides.
Ending on a doom-and-gloom note: there will be a reckoning.
(Don’t take the note too seriously though, I’m a SecEng, so I have a built-in doom multiplier lol)
So it's essentially saying we can train models that put your jobs at risk (not saying it's correct or not), but you're not allowed to threaten our perceived moat?
> The flow of data was so hard to follow, it seemed like someone was trying to cover up a murder.
> Just getting the code to run on your laptop took a week.
I always thought I’m the only one having problem understanding the data flow, or setting up a proper dev environment. Impostor syndrome (and sometimes toxic environments that pushed for “velocity”) didn’t help either.
I've seen it make the codebase vulnerable by changing the source, then claiming it found a vuln, or finding a well-defended and secure exec function, write a unit test that shows what exec does (which is running commands), then claiming a critical finding.
I wasn’t paying for the code tbh, I could always self-host (VaultWarden) at home behind Tailscale, it was all about the management, uptime, and most importantly, supporting a good software I used and loved for years.
Sad, really.
I’ll either move to self-hosting it at home behind TS, or going back to keepass tbh, anyway, I’m not staying on a sinking ship.
P.S: VaultWarden had a few bad CVEs this year (like an Auth Bypass), but when I looked deeper, it wouldn’t have much of a negative effect on me as a self-hosted home user that shares everything with family.
> The concept itself doesn’t even make sense if you fully understand the intersectional scope of technology and society
Societies demands are the things that are unsafe not the technologies themselves
It's a good test, however, I wouldn't ask it in a public setting lol, you have to ask them in a more private chat - at least for me, I'm not gonna talk bad about a massive org (ISC2) knowing that tons of managers and execs swear by them, but if you ask for my personal opinion in a more relaxed setting (and I do trust you to some extent), then you'll get a more nuanced and different answer.
Same test works for CEH. If they felt insulted and angry, they get an A+ (joking...?).
A bit crude, maybe a bit hurt and angry, but has some truth in it.
A few things help a lot (for BOTH sides - which is weird to say as the two sides should be US vs Threat Actors, but anyway):
1. Detach your identity from your ideas or work. You're not your work. An idea is just a passerby thought that you grabbed out of thin air, you can let it go the same way you grabbed it.
2. Always look for opportunities to create a dialogue. Learn from anyone and anything. Elevate everyone around you.
3. Instead of constantly looking for reasons why you're right, go with "why am I wrong?", It breaks tunnel vision faster than anything else.
Asking questions isn't an attack. Criticizing a design or implementation isn't criticizing you.
It started with agreeable cases, then ended up on a holier than thou attitude.