I don't know enough about the distribution side of the world to understand why, but there are books (sometimes not particularly niche books!) that my local bookstore doesn't seem to know exist and can't order but are in print.
Is this because Amazon is hooked up to more distribution networks?
Posts by Lea Kissner
I mean, I've gotten down to rice, salt, water, and distilled vinegar before. My kid calls it scurvy-core
I almost got to the point of trying the prescription version of basically this and it sounds so handy. And *portable*, though honestly I spend enough time explaining to airport security that the bags of white powder are potato, I swear
... If this works for you, I know you're having A Lot but it would be amazing if you could pass that knowledge on. No one's the same, but still...
This is covering the general sorts of things like security, privacy, trust&safety, AI safety, etc. Would love a better title if you have an idea.
A few of us are (finally!) in the last stages of editing a new book and the tentative title is "Creating Safety: How to build with new technologies without shooting yourself (and others) in the foot"
Good title? Have a better one?
I grew up with a tech exec parent and "owns a boat and an island" is not middle class to me, either.
Did you ask some agents to break out yet?
Yep. But "chaff" doesn't need to be functional.
I don't *like* this plan for multiple reasons; it may just be *less bad* in some cases
Yep. So maybe we need to break (on the public side) good software engineering practice by adding chaff and flattening the release.
I'm not thrilled with it for a number of reasons (if nothing else because I've spent a bunch of time debugging low-level infra) but it's worth considering.
I've been joking that this is the full-employment act for security engineers. We're talking about the patches, but this is also showing we need the type of security protections we always did, plus some more.
Yep. It's going to be a rough few years getting there, though.
Add a bunch of chaff in the form of non-functional but potentially-interesting changes to slow things down and hopefully people have more time to, say, update iOS or Linux before the exploits are out there.
Just a thought.
Security folks: have we considered *not* releasing security patches for the avalanche of bugs we're about to deal with? Hear me out.
Given how much faster it's getting to reverse engineer an exploit from a patch and that we're expecting to fix *so* many bugs at once, maybe do a full release.
Oh sorry one more thing: it's common to introduce *new* bugs when you fix the old bugs. I expect this to happen even with the new scanner improvements because so many things will be patched at the same time and security holes often appear where multiple systems interact. So that's fun.
Sorry for the long threads; I'm trying to be clear and not get too far into the details.
There is a *lot* of software out there. So much. It's basically all vulnerable. For example, do you know who's terrible at patching even when patches exist? Hospitals. Medical devices are even worse. Cars have been notoriously insecure.
The most ironic part is what's going to happen once these patches are available: the attackers look at the patches, figure out what security hole they're patching, and then exploit it. So everyone is effectively in a race to apply the patches before the attackers get you.
But we're facing a situation where we don't even *have* patches to apply. LLMs can suggest patches as well, but they have to be evaluated. A selected group of people are starting to work on this, but that will only address the very start of the problem.
Trying to patch a zillion things at once is even harder; there's only so much time in the day and changing a lot of things at once has an unfortunate tendency to cause unexpected breakage.
However, this is going to be very, very nasty. One of the hardest issues for security folks is actually getting a security patch applied once you have it. It's annoyingly hard when you own the systems, but it's exponentially harder when there are end users involved.
Security is always a struggle between the attackers and the defenders. This is a very significant shift in power for the attackers, which is why this model isn't public; they're trying to let the defenders get ahead.
2. This model is also particularly good at exploiting these vulnerabilities. You can say "find a security vulnerability in X web browser that would let me Y" and it builds the whole chain itself.
It's just not about this model -- I've been expecting this shift in capabilities. Mythos is just first.
There are two things which are scary -- esp. the implications:
1. This particular model is coming up with a very large number of real, critical security vulnerabilities in widely-used code. Many of these vulnerabilities have been there for a long time and are in code that we've looked at a *lot*.
Now I'm going to go back to worrying both about this and that the agent someone's using to code is going to do something stupid. Again.
We're always trying to outrun the Internet. This is the latest and scariest form, but security isn't going to just *stop* after this. If we're lucky we will end up in a better place in a few years and will need to do less by hand... but we're still going to have things to do.
The whole security profession is in the middle of a research problem and that's not something you can handle without people. It shifts what skills are important -- dealing with research problems requires flexibility and comfort with a *lot* of ambiguity -- but I promise you we are very busy.
Hi! I am a security engineer.
a) yes, this is very scary and very real. I've been expecting it and planning for it and it's still scary.
b) all this AI stuff makes security engineers more, not less important. This is an important tool, but it's a *tool*.
Are you saying I should blame you for this because I think that's maybe what you're saying here
It has code! I want to use the code! I swear I'll use it for good!