HackerTrans
トップ新着トレンドコメント過去質問紹介求人

salsakran

no profile record

投稿

Welcome to the Strip Mining Era of OSS Security

metabase.com
132 ポイント·投稿者 salsakran·2 か月前·90 コメント

コメント

salsakran
·2 か月前·議論
Stated differently -- the way OSS software is currently maintained and users are conditioned to behave, there is a capacity problem if the rate of discovery surges too sharply.

And if the capacity is overshot (which I believe is happening as we speak), users end up in extended states of being insecure.

I'm also one of the unwashed rabble who believes there is a large practical difference between a vulnerability that exists but isn't found and one that is widely known and exploitable.
salsakran
·2 か月前·議論
Yeah ... this gets into the question of what exactly an OSS creator's responsibility is towards users that don't pay them.

In theory, nothing.

In practice, it's in our long term interest that bad things don't happen to them.

How sustainable all of this is, I have my doubts?
salsakran
·2 か月前·議論
Thankfully we've historically had a fair amount of attention (and investment in our security) by both customers, our oss users and people our ecosystem.

The interesting thing is that the business model seems to have changed. Why collect a 10k bounty when you can advertise a 3k/month scanner?
salsakran
·2 か月前·議論
In theory, the vulnerability was always there, and it's better to find out than not find out.

In practice, how much effort it is to find vulnerabilities matters a lot. We're in a time where things that used to be quite hard are now easy and the rate of discovery will change.

This rate of discovery matters a lot -- for OSS maintainer burnout if nothing else.
salsakran
·2 か月前·議論
I dunno man ... I produced a few things that got a few github stars over the years.

At the risk of repeating myself -- this is targeted at other OSS maintainers, not random people who might have done a git pull of some random project a couple years ago.
salsakran
·2 か月前·議論
If you're using unmaintained OSS projects in this day and age, I'm sorry to say you might deserve what happens next.
salsakran
·2 か月前·議論
Perhaps -- but I think for most people, the vast majority of proprietary software they consume is over the network.

But yeah, if you're distributing binaries publicly, then you're going to have very similar problems.
salsakran
·2 か月前·議論
With all respect to the Anthropic folks, that's just marketing. (If they're reading this: let us into the program so I can be proven wrong here.)

I'm sure what they have is awesome, but it's clear that there are people out there with some decent prompts that are getting results out of widely available models as well.

The big thing we're sharing is: bulk scanning by random people in random geographies got a _lot_ better around January, it's widely distributed, and it's going to get a lot better regardless of whether that specific version of Mythos becomes widely available or not.
salsakran
·2 か月前·議論
That line was aimed at other OSS maintainers.

These alerts are absolutely not being shared publicly before we have a fix for them.
salsakran
·2 か月前·議論
Side conversation -- This is all stuff we're seeing in white/grey hat land. What's going on in blackhat land?
salsakran
·2 か月前·議論
That was true last year -- things changes.

Ignore (admittedly low-effort LLM generated) reports at your own peril.
salsakran
·2 か月前·議論
I'm not sure that the benefit of many eyes helps here. So much of this bulk scanning is low-effort, and if you're a smart person developing closed source software you get the benefits of bulk scanning, but _at the time of your choosing_ .

OSS has always had tradeoffs and I sadly think this one is going straight to the "Cons" column. We still think the Pros outweigh the Cons, but this is NotGreat.