upvote

points

by mayneack22 hours ago |
comments
upvoteby 3kahg22 hours ago|
[-]
It is the opposite. Security people focus on curl, sudo because they are code bases that contained a lot of features and unused code from the 1990s.

They don't focus on projects where they find nothing. They certainly don't advertise when they find nothing.

Getting a lot of scrutiny is not the recommendation that it appears to be. What is the new standard? Projects that never have bugs are deemed to be suspect because they "have not been scrutinized" (they have, but null results never go public)?

So Mythos only finding one issue after other tools have found 300 this year is embarrassing. Mythos was supposed to be better and novel.

reply
upvoteby tptacek21 hours ago|
parent|
[-]
It is definitely not the case that curl has been or is now a marquee vulnerability research target. It's a CLI HTTP fetcher. It's the same with sudo. It's a big deal if a sudo vulnerability gets found, because it's an extremely load-bearing piece of software, but sudo is itself not a prime target, because it doesn't do much.
reply
upvoteby 43ahg21 hours ago|
parent|
[-]
There is no claim that it is a "vulnerability research target". It is a bug finding magnet, and bugs can be found by anything from gcc warnings to AI tools.

No, it didn't attract a bluepill exploit research.

The fact that 300 bugs found in a year is not a recommendation as the pro-AI mafia suddenly claims ("because it has been analyzed!") still stands. Maybe the AI-mafia should sell "analyzed by Mythos" labels to impress people who don't write public software or find bugs for that matter.

reply
upvoteby tptacek21 hours ago|
parent|
[-]
What’s a “bluepill exploit”?
reply
upvoteby aSJH121 hours ago|
parent|
[-]
[flagged]
reply
upvoteby tptacek19 hours ago|
parent|
next
[-]
You are linking to a Wikipedia page in which I am literally cited (I presented a hypervisor malware detection scheme at the Black Hat conference where Joanna Rutkowska presented this; it was a whole thing). I'm telling you that the term makes no sense in this thread. I think you meant to use a different term.
reply
upvoteby hqt12418 hours ago|
parent|
next
[-]
[flagged]
reply
upvoteby junon8 hours ago|
parent|
next
[-]
Stop abusing the system with new accounts. You're not cool like that.
reply
upvoteby slater18 hours ago|
parent|
prev|
[-]
What's with the nonstop new accounts...?
reply
upvoteby 301quH18 hours ago|
parent|
prev|
[-]
[flagged]
reply
upvoteby enraged_camel20 hours ago|
parent|
prev|
[-]
Did you... create a new account just to be able to respond to Thomas?

Btw, he's a security researcher. You should be more respectful.

reply
upvoteby tptacek17 hours ago|
parent|
next
[-]
I don't care if they're respectful, but they should try to be less confusing. "Blue Pill" isn't a kind of exploit. I assumed they meant "blue hat".
reply
upvoteby 1248wu20 hours ago|
parent|
prev|
[-]
[flagged]
reply
upvoteby achierius19 hours ago|
parent|
[-]
What am I?
reply