Ancestors

Written by Thomas Depierre on 2024-08-14 at 11:12

I think I finally found out why it feels like CISA lives on Alpha Centauri.

“It’s a myth,” she declared, “that software vulnerability is an inevitability. … It’s the same classes of defects we’ve known about for decades and known how to fix for years.”

This is both true and utterly wrong. It is true, we have known how to detect and fix them for decades. In research.

But you know what we do not have? Industry tools that can be used in industry based on this knowledge.

https://insideaipolicy.com/share/16704


Written by Thomas Depierre on 2024-08-14 at 11:14

The only one we have is Rust. It took more than a decade to make it industry level for a niche. It will take another decade or two to reach industry-level use. And it was written in large part by interns, and the whole team was fired the moment it seemed to work.

And it took decades to get one of these tools through.

It works though. Really well.

But when you say we know how to fix it. Fuck off and come back when you support building these tools with actions.


Written by Thomas Depierre on 2024-08-14 at 11:16

I want these tools. I have tried building some. I keep trying to get some support to build some. There is a whole community of people that have tried, burned out and fallen into depression trying for decades.

But what you tell us is that it is our fault that we failed. While spending billions on useless Infosec crap that we need to fight every day to keep you all safe and the digital infrastructure of this world running.

Well. That. That is why we don't listen to Infosec people.


Written by Thomas Depierre on 2024-08-14 at 11:19

Come spend that money on us. Where are the CISA sponsored Rust Devs? Where are the CISA sponsored people writing tools fit for the software engineering process that detect and provide information to fix path traversal?

Where is the CISA money to build better error messages for gcc?

Or to make llvm easier to use so that people can write programming languages using this knowledge?

Or maybe spending money on serde?

Oh. None. And Infosec money? Oh sorry, the OSSF can't find projects.


Toot

Written by Thomas Depierre on 2024-08-14 at 11:21

So yeah. I am pissed. Pissed that we keep trying and failing alone. And still getting results as a community. Being spit on while we worked to make Rust a thing. Countless people supported Rust. Grew it. Fought for it to spread. <3 to my fellow RESF members.

All of that against the infosec community. And the result is to be told that we did not try hard enough, so now we will be taken to court for not trying hard enough, while DefCon visitors party and drink like they defended the world.


Descendants

Written by Thomas Depierre on 2024-08-14 at 11:24

So kindly. Fuck off and come back when you want to help us fix it. I cannot stop you from making us liable.

Heck I want us to be liable.

But telling us we did not try hard enough? Maybe instead of dunking us deeper you could come chop some wood. Carry some water. And help.

But who am I kidding. You all did everything right. We are the ones creating defects and not even trying. After all, only you care about users' safety. That is known.


Written by melanie ensign (she/her) on 2024-08-14 at 11:51

@Di4na but they have a PLEDGE, Thomas. ;)


Written by Thomas Depierre on 2024-08-14 at 11:53

@Wednesday Ah yes. I feel so much better now. Definitely going to help me sleep at night. I mean, I knew I was searching for path traversal wrong. I should have pledged to some kind of deity my soul, and that would have given me the powers I needed.

I obviously did not sacrifice enough yet to be worthy of the job of developer.


Written by Josh Bressers on 2024-08-14 at 11:56

@Di4na @Wednesday Maybe if the pledge doesn't work they could try a pinky swear


Original URL
gemini://mastogem.picasoft.net/thread/112960110136729501