HackerTrans
TopNewTrendsCommentsPastAskShowJobs

david_shaw

no profile record

comments

david_shaw
·17 gün önce·discuss
At risk of quoting too much of the article, it opens with this:

> A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation. You can accept it, ignore it, and use it partially or not at all.

> Except…

> For years, as lead of the Go Security team at the time, I’ve told new team members that it doesn’t apply to vulnerability reports. No, vulnerability reports are special. Security researchers are doing us a favor by reporting things confidentially instead of doing full disclosure, so we owe them something, which is not true of regular issues opened on the issue tracker.

[...]

> It’s 2026 and none of the premises are true anymore.


I respectfully disagree.

The premise is absolutely still true: if someone discovers a critical, exploitable vulnerability in your software, the impact and tradeoffs are exactly the same as they were before LLMs started finding bugs. There are just more of them now, so they're easier to come by.

But that won't last forever, either. As LLMs find increasingly difficult-to-find vulnerabilities, there will be fewer of them to report. This is just chugging through the backlog.

All of that said, I don't think finding vulnerabilities has really been the difficult security problem for most companies (or open source projects). The difficult problem is dedicating resources to fixing those vulnerabilities instead of building software, products, and/or infrastructure that people want. That problem is absolutely still here today, but I'm optimistic that agentic security developers will be able to take the burden off of development teams in the near future.

For tokens, of course.
david_shaw
·21 gün önce·discuss
I'm playing through the couch co-op game Split Fiction, and this is basically the premise (with more fun gameplay).
david_shaw
·geçen ay·discuss
> A nation that possesses powerful AI facing one without it—or even facing one that is behind in AI by 3 years—could be the equivalent of an army of World War II Marines facing an army of medieval swordsmen.

This is a somewhat ironic take from someone who very publicly feuded with the US government about whether their AI could be used for waging war.
david_shaw
·geçen ay·discuss
> we might have wished we prepared for more

Do you mean policy-wise (like Dario is talking about), or more broadly?

I wonder about broad preparedness, but unfortunately there's not a lot that we "normal" people can do to prepare. Hoard savings and food? Learn physical trades?
david_shaw
·geçen ay·discuss
> Members of the trusted coalition should freely share chips and semiconductor manufacturing equipment (SME) with each other, while working together to deny it to adversaries. US export controls on frontier chips and SME to China have been a major contributor to the US’s overall lead in AI, and these policies need to be expanded, tightened, and coordinated with other likeminded states.

I understand why Dario thinks this is crucial, but it's a very dystopian view of the medium-term future.

I'm not an optimist to the point that I believe that AI will lead to global Star Trek-style utopia (although it theoretically could), but ongoing disparity between "allied" and "enemy" powers relating to hardware technology and software models is both not really possible to enforce in the long term, and a pretty dismal state of global affairs even if successful.

I'd be interested in an expert geopolitical opinion on what the long tail of this would really look like in any sort of reasonable reality.
david_shaw
·geçen ay·discuss
The problem with Mythos and Glasswing related hype is that finding vulnerabilities isn't the problem for most organizations. It's great that Mythos and similar models can find vulnerabilities that remained undetected (and hopefully unexploited) for years. That's valuable, especially in open source projects, but it's never been the real challenge for software companies.

The real problem is balancing the need to fix vulnerabilities with the mandate of shipping new products and features. At every organization I've worked for or with, this has been the natural friction point. That's good: Product should make customers happy, and Security should keep the customers and their data safe.

Ultimately, the whole business should share these goals: everyone should strive for a resilient, useful product shipped quickly that delights customers. Easier said than done, but the friction should be tactical ("how do we spend engineering resources?") rather than strategic ("are security fixes important? do we care?").

Which is why I'm much more interested in automated (or semi-automated) PRs to actually fix discovered vulnerabilities rather than just identify them. But, as this project implies, it's not always that simple. It's easy to fix vulnerabilities if you don't care about breaking other functionality.

In my opinion, it's currently still necessary to have a human developer in the loop to make sure functionality in product is maintained, and potentially security in the loop to make sure the vulnerability is actually fixed and not just obfuscated.

Once this technology is sufficiently advanced -- and I think we're getting close -- my hope is that developer and security time will be spent thinking about resilient software design and architecture, not code-level vulnerabilities.

We'll see where it goes.
david_shaw
·2 ay önce·discuss
The Fallout games often exemplify this: nearly every decision you make is morally ambiguous, and often has far-reaching repercussions in the story and world.
david_shaw
·2 ay önce·discuss
> https://www.openbsd.org/images/PinkPuffy.png

> Apparel (t-shirts, so far): https://openbsdstore.com/


Interesting.

In the image you linked (PinkPuffy.png), the cat's hat says "security." In the OpenBSD store, the cat's hat reads "POLICE" on several of the shirts.
david_shaw
·2 ay önce·discuss
He certainly popularized it (maybe coined it), but I've seen a lot of organizations and developers repeat that mantra.

Even without the specific words, look to product teams debating tradeoffs of going to market vs. waiting for better security controls. They're pushing for faster product release every time, at pretty much every org.
david_shaw
·2 ay önce·discuss
It's easy to be cynical because, yes, both the problems and solutions seem dead obvious in hindsight. But for a long time (and maybe even still), a hacker creed was "move fast and break things."

It's great that there's so much momentum in fixing the glaring problems with supply chain systems like npm, but I'm concerned that we're entering a new era of security-related problems caused in large part by agentic development.

I'm not just talking about Mythos/Glasswing surfacing vulnerabilities in pretty much everything it touches; I think the way we're developing software, pulling in dependencies, and potentially losing human thought modeling of complex systems is going to lead to a lot of hacked together software and infrastructure that humans won't fully understand.

I hope in a few years we don't look back at today and wonder how we could have been so naive -- how we failed to actually plan for the long-tail of AI development in a way that doesn't solve problems by attempting to just use AI to rebuild complex systems.

But the article was funny.
david_shaw
·2 ay önce·discuss
We'll see more of this, but this particular review is driven by marketing narrative. I'll explain what I mean:

Back in 2010, as a security engineer, I also looked at OpenEMR. It was an absolute disaster, and was (and is) somewhat well-known as such. I found and published vulnerabilities very similar to these sixteen years ago. This is not exactly the Fort Knox of software.

It makes sense for AISLE to demonstrate that they're able to find vulnerabilities here, but I'd love to see a side-by-side comparison of modern SAST and DAST reviews. I bet we'd find similar vulnerabilities.
david_shaw
·2 ay önce·discuss
I think the idea is that if you're given an improperly configured restricted shell/command access, you can use any of the listed tools to gain access to some subset of what that user would normally have access to in an unrestricted environment.

A very simple version of this would be if you set a user's default shell to "rbash" but the user can just run "bash" to get a real shell.
david_shaw
·3 ay önce·discuss
I don't have a subscription to The Economist, but I was interested in the concept of these organizations as "neo-primes."

I found an article on The Cipher Brief describing them: https://www.thecipherbrief.com/defense-neoprime-innovation

Specifically, the idea here is that companies like Anduril, Palantir, and SpaceX are rapidly delivering cutting-edge technology (including software) as opposed to the traditional defense contractor process of long, drawn out, super expensive projects mostly focused on hardware (such as building a new type of jet).

It makes sense: this is basically what happened in civilian tech, too. Delivering high-tech solutions quickly -- dare I say with agility -- is usually the superior approach.
david_shaw
·3 ay önce·discuss
> If it were secure, it would only notify that there is a message, with no details included.

You're right. This is configurable via settings, but is not the default state.

That said: if I can get friends and family to use Signal instead of iMessage, that gives me the opportunity to disable those notifications and experience more security benefits.

But I agree with your point: most people think that Signal is bulletproof out of the box, and it's clearly not.
david_shaw
·4 ay önce·discuss
I think the title should read "RunAnywhere," not "RunAnwhere."
david_shaw
·4 ay önce·discuss
It would be an interesting and potentially useful project to combine these camera locations with Maps routing -- similar to "avoid toll roads," we could "avoid surveillance cameras."
david_shaw
·4 ay önce·discuss
It's wild that all other comments in this thread (so far) seem to completely miss this nuance. There are lots of services that, in their terms, require users to be adults.

This type of age "identification" is a lot different than age verification, submission of ID, etc.
david_shaw
·4 ay önce·discuss
I'd prefer to see board (or executive) level signatories over lay employees -- the people who can enforce enterprise policy rather than just voice their opinions -- but this is encouraging to see nonetheless.

I can't help but notice that Grok/X is not part of this initiative, though. I realize that frontier models are really coming from Anthropic, OpenAI, and Google, but it feels like someone is going to give in to these demands.

It's incredible how quickly we've devolved into full-blown sci-fi dystopia.
david_shaw
·5 ay önce·discuss
> What does "solving" coding mean?

Maybe this was sarcasm, but it's a good point:

"Coding" is solved in the same way that "writing English language" is solved by LLMs. Given ideas, AI can generate acceptable output. It's not writing the next "Ulysses," though, and it's definitely not coming up with authentically creative ideas.

But the days of needing to learn esoteric syntax in order to write code are probably numbered.
david_shaw
·5 ay önce·discuss
This is for sure an inspirational project, but I wish the barrier to entry was lower.

I've noticed e-ink/paper displays having somewhat of a moment right now (especially very small "phone-like" form factors as portable ereaders), and I hope this trend continues.

I'm very far from a meaningful reduction in "screen time," but looking at e-ink displays instead of OLEDs feels like a nice step in that direction.