HackerTrans
TopNewTrendsCommentsPastAskShowJobs

salsakran

no profile record

Submissions

Welcome to the Strip Mining Era of OSS Security

metabase.com
132 points·by salsakran·2 месяца назад·90 comments

comments

salsakran
·2 месяца назад·discuss
Stated differently -- the way OSS software is currently maintained and users are conditioned to behave, there is a capacity problem if the rate of discovery surges too sharply.

And if the capacity is overshot (which I believe is happening as we speak), users end up in extended states of being insecure.

I'm also one of the unwashed rabble who believes there is a large practical difference between a vulnerability that exists but isn't found and one that is widely known and exploitable.
salsakran
·2 месяца назад·discuss
Yeah ... this gets into the question of what exactly an OSS creator's responsibility is towards users that don't pay them.

In theory, nothing.

In practice, it's in our long term interest that bad things don't happen to them.

How sustainable all of this is, I have my doubts?
salsakran
·2 месяца назад·discuss
Thankfully we've historically had a fair amount of attention (and investment in our security) by both customers, our oss users and people our ecosystem.

The interesting thing is that the business model seems to have changed. Why collect a 10k bounty when you can advertise a 3k/month scanner?
salsakran
·2 месяца назад·discuss
In theory, the vulnerability was always there, and it's better to find out than not find out.

In practice, how much effort it is to find vulnerabilities matters a lot. We're in a time where things that used to be quite hard are now easy and the rate of discovery will change.

This rate of discovery matters a lot -- for OSS maintainer burnout if nothing else.
salsakran
·2 месяца назад·discuss
I dunno man ... I produced a few things that got a few github stars over the years.

At the risk of repeating myself -- this is targeted at other OSS maintainers, not random people who might have done a git pull of some random project a couple years ago.
salsakran
·2 месяца назад·discuss
If you're using unmaintained OSS projects in this day and age, I'm sorry to say you might deserve what happens next.
salsakran
·2 месяца назад·discuss
Perhaps -- but I think for most people, the vast majority of proprietary software they consume is over the network.

But yeah, if you're distributing binaries publicly, then you're going to have very similar problems.
salsakran
·2 месяца назад·discuss
With all respect to the Anthropic folks, that's just marketing. (If they're reading this: let us into the program so I can be proven wrong here.)

I'm sure what they have is awesome, but it's clear that there are people out there with some decent prompts that are getting results out of widely available models as well.

The big thing we're sharing is: bulk scanning by random people in random geographies got a _lot_ better around January, it's widely distributed, and it's going to get a lot better regardless of whether that specific version of Mythos becomes widely available or not.
salsakran
·2 месяца назад·discuss
That line was aimed at other OSS maintainers.

These alerts are absolutely not being shared publicly before we have a fix for them.
salsakran
·2 месяца назад·discuss
Side conversation -- This is all stuff we're seeing in white/grey hat land. What's going on in blackhat land?
salsakran
·2 месяца назад·discuss
That was true last year -- things changes.

Ignore (admittedly low-effort LLM generated) reports at your own peril.
salsakran
·2 месяца назад·discuss
I'm not sure that the benefit of many eyes helps here. So much of this bulk scanning is low-effort, and if you're a smart person developing closed source software you get the benefits of bulk scanning, but _at the time of your choosing_ .

OSS has always had tradeoffs and I sadly think this one is going straight to the "Cons" column. We still think the Pros outweigh the Cons, but this is NotGreat.
salsakran
·4 года назад·discuss
Metabase | https://metabase.com | REMOTE | Full-time | Backend, Frontend, Full Stack, and DevOps engineers

Metabase is open source analytics software that lets anyone in your company rummage around in the databases you have. It connects to a number of databases / data warehouses (BigQuery, Redshift, Snowflake, Postgres, MySQL, etc).

People kinda like the product (metabase.com/love). We're a remote team full of people who care about user experience, making complicated things as simple as possible and building things. We have a deeply pragmatic engineering culture and value building things that people actually use vs whatever closes a deal or makes for a good press release.

Tech stack: Clojure, Javascript, React, Redux, AWS

Roles: Data Analysts, Frontend/DevOps/Backend Engineering, Success Engineer, and more.

See https://www.metabase.com/jobs/
salsakran
·4 года назад·discuss
Metabase | https://metabase.com | REMOTE | Full-time | Backend, Frontend, Full Stack, and DevOps engineers

We're hiring for multiple positions across the Engineering team (and in many other non-engineering roles).

Metabase is open source analytics software that makes it easy to ask questions of your data. It interfaces with a number of databases / data warehouses (BigQuery, Redshift, Snowflake, Postgres, MySQL, etc) and has a simple and powerful UI and UX that sits on top of it.

Tech stack: Clojure, Javascript, React, Redux, AWS (ECS, Autoscaling, Aurora, RDS, SecretsManager, S3)

Roles: Data Analyst, DevOps, Frontend and Backend Engineers, Growth, and many more roles.

See https://www.metabase.com/jobs/