upvote

points

by 0xbadcafebee13 hours ago |
comments
upvoteby Gigachad11 hours ago|
next
[-]
On the other hand, automated fast rollouts leads to a crowdstrike type situation where you brick all the computers of the world immediately.

Imo we are going to have to rely on more layers of security. Systems that are designed to be secure even in the presence of individual vulnerabilities. This has already been happening for a while on mobile platforms and game consoles. Even physical hardware designed to keep particular secrets /keys even from the kernel.

reply
upvoteby 0xbadcafebee8 hours ago|
parent|
next
[-]
The crowdstrike situation wasn't due to fast rollouts, it was due to a total lack of testing. You can do fast rollouts, with testing, and a mandatory QA signoff. It's called 'continuous delivery' rather than 'continuous deployment'.

I actually don't think more layers of security will fix this. It would be nice if our systems were more secure... but people are, if nothing else, lazy af. Even when adding security isn't a lot of work, people resist it if it "sounds complicated". So I think we're stuck with the status quo. But the big issue now isn't novel bug types, it's the speed in which they're found. Therefore we need to speed up our response.

reply
upvoteby Gigachad7 hours ago|
parent|
[-]
Lack of care, slip ups, and bugs are basically a constant that will always exist. But we can architect systems which are secure even in the face of bugs. Multiple layers of security mean that even the most critical kernel bug in iOS can never extract your faceid data or encryption key because the hardware physically isn’t capable of it. OSs like Qubes utilise multiple VMs so any kernel bugs have limited reach.

When you look at consoles, they have built software that is resistant to outright glitching the CPU.

reply
upvoteby 8 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby jfk1312 hours ago|
prev|
next
[-]
Sounds like you're expecting the AI-based tools that are finding bugs to also provide fixes.

I've been dealing with a bunch of AI-generated (or at least -assisted) vulnerability reports lately. In many cases the reports include proposed patches to fix the issues.

It's been..... interesting. In many cases, the analysis provided in the report has been accurate and helpful. In some cases, the proposed patches have also been good, and we've accepted them with minimal or no changes.

In other cases, despite finding a valid issue, and even providing a good analysis of the problem, the AI tool's suggested patch has been, quite simply, wrong.

Careful review from somebody who really _understands_ the code -- and the wider context in which it is operating -- is still absolutely necessary. That's not always going to happen in an hour.

reply
upvoteby 0xbadcafebee8 hours ago|
parent|
[-]
Yes, that's why I specified "patched product ready for QA testing". It speeds up the development cycle by making a first pass and ensuring it basically works before passing it to a developer for manual review and a QA tester to ensure the fix doesn't break anything else. Both dev and QA are still in the feedback loop and can make changes until it's ready for release
reply
upvoteby lofaszvanitt1 hours ago|
prev|
[-]
what could go wrong? :DDD

imagine patching everything up automatically and it's a malware

everything cooked

reply