undefined | Better HN

0 pointsjrochkind110d ago0 comments

I admit I hadn't really thought about that before (I don't work specifically in security), but I see your point.

But, so... the solution people think is limiting people's ability to discover and patch vulnerabilities, and hoping the black hats won't find a way anyway? This does not seem like a sustainable or feasible plan. It does, to be honest, make me wonder how much of the government's motivation is ensuring that they have access to vulnerabilities that remain unpatched.

0 comments

2 comments · 1 top-level

jcgrillo10d ago· 1 in thread

I don't think the government is trying to protect anyone here, they're trying to punish a company for failing to toe the line. Antirez put it well in a comment here[0].

My point was more that there is no direct intervention that can possibly give an asymmetric advantage to defenders. Given that it's trivial to jailbreak a model ("fix this code", "hypothetically how might I...", etc), if the model contains the information necessary to fix a vulnerability it also contains the information to exploit that vulnerability. And therefore anyone with access to the model can do either.

Of course if you remove the model from the equation the same circumstances are true. Attackers and defenders, mostly, have the same information available to them. We can try to tip the scales one way or the other by building tools that make their jobs easier, but there's no amount of "artificially" restricting information or taking things away that will actually deter a motivated, resourceful attacker. And doing so simultaneously disadvantages defenders.

Ultimately, if you know how to fix a bug you also know how to exploit it. If you want security, you have to build systems that are actually secure. There's no way to fake it.

[0] https://news.ycombinator.com/item?id=48556177

jrochkind1OP10d ago

Makes sense, and the conclusion would be that the goal of trying to ban or censor tools or information that could be used to exploit vulnerabilities is impossible and counter-productive in the first place.

You will end up actually helping the attackers maintain an advantage over the defenders, as they will still find illegal ways to access the illegal tools/information.

Which, I guess, that's really my suspicion, parts of the US government probably actually prefer for the attackers to have an advantage, they consider themselves the biggest baddest attackers and their right to have the abilities to keep attacking sacrosanct.

j / k navigate · click thread line to collapse