upvote

points

by ceejayoz8 hours ago |
comments
upvoteby brookst7 hours ago|
next
[-]
Can we retire the “seatbelts are useless because they can’t prevent every loss of life” approach to risk mitigation please?

If the acceptance criteria is “would prevent every single past instance and every imaginable future instance”, then yes, no mitigation is every sufficient to address any problem in the world, so we might as well give up.

But I don’t think that’s the right lens to use.

reply
upvoteby pjc506 hours ago|
parent|
next
[-]
That depends on whether it's a issue of accidents or a "you have to get lucky every time, we only have to get lucky once" issue.
reply
upvoteby ceejayoz7 hours ago|
parent|
prev|
[-]
I'm onboard with this! I just object to the term "fixable".
reply
upvoteby dist-epoch8 hours ago|
prev|
[-]
sure. how many cases like these we had so far? 1, 2? and how long did they work to get commit access?
reply
upvoteby ceejayoz8 hours ago|
parent|
next
[-]
> how many cases like these we had so far?

As with clever, careful serial killers, it's tough to count the ones we haven't caught.

reply
upvoteby applfanboysbgon5 hours ago|
parent|
[-]
It's not that tough. You can get an idea by how many people are being murdered. A successful serial killer results in dead people, and a successful infiltration results in malware being executed. If there are no murdered people with unattributed causes of death, or there are no open-source projects with unattributed causes of malware being shipped, you can conclude there are roughly 0 active serial killers / infiltrators.

It's possible there are infiltrators who are still working on long-term infiltration and haven't yet attempted to add any malicious code anywhere, but the point is that in terms of actual attempts, we've seen a single one and it wasn't even successful despite years of prep.

reply
upvoteby ceejayoz5 hours ago|
parent|
[-]
> You can get an idea by how many people are being murdered.

No, we can't, as that happens a lot via non-serial killers.

A truly successful serial killer is likely one who hides in that noise. No taunting the cops, distributed geographic locations, random methods, avoiding calling cards, and careful not to leave too many traces.

It seems likely that some of the 350k unsolved homicides in the US can be explained this way.

> It's possible there are infiltrators who are still working on long-term infiltration and haven't yet attempted to add any malicious code anywhere…

Or the code's already there, latent, as it would've been in the XZ case, which got discovered by chance and someone very dedicated to looking into a performance glitch.

reply
upvoteby 5 hours ago|
parent|
[-]
deleted
reply
upvoteby virtualritz7 hours ago|
parent|
prev|
[-]
We only know how many were discovered.

Since we do not know the ratio to undiscovered this "1-2" is meaningless to assess the risk of this sort of attack.

reply