Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/dymaxion/statuses/113866188896227828">Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 21:27:06 JST</a><a href="https://infosec.exchange/@dymaxion" title="dymaxion@infosec.exchange"><img src="https://gnusocial.jp/avatar/92115-48-20240110063025.webp" width="48" height="48" alt="Eleanor Saitta" style="position: absolute; left: 0; top: 0;">Eleanor Saitta</a><div><a href="https://gnusocial.jp/notice/8641181" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://provably.online/@ktemkin">@ktemkin</a><br>We talk about these things because we have spent literally the last twenty years looking at threat models and at the failure of overworked dev teams to build good code with bad tools. It will be an amazing victory for the community when developers have to actually design the bugs that fuck them over. And no, the correct way to fix these issues has never been to write bad code and then try to audit it, obviously. </p><p>Yes, in the context of each individual program, the threat model wins. In the context of the entire industry, this is not how progress is made.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4409293#notice-8641182">In conversation</a><time datetime="2025-01-21T21:27:06+09:00" title="Tuesday, 21-Jan-2025 21:27:06 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@dymaxion/113866188896227828" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@dymaxion/113866188896227828">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 21:27:06 JSTEleanor Saitta
in reply to
- Kate Temkin
@ktemkin
We talk about these things because we have spent literally the last twenty years looking at threat models and at the failure of overworked dev teams to build good code with bad tools. It will be an amazing victory for the community when developers have to actually design the bugs that fuck them over. And no, the correct way to fix these issues has never been to write bad code and then try to audit it, obviously.
Yes, in the context of each individual program, the threat model wins. In the context of the entire industry, this is not how progress is made.
In conversationabout 2 months ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice