The naked truth of #cybersecurity

@beyondmachines1 only 30 years ago the concept of firewalls was introduced.

The saying back then was that it was a temporary complexity, needed only until the software got fixed.

@LeoBistmans

Considering that firewalls these days are only marginally useful at stopping cyberattacks, we can agree that software has evolved past firewalls.

Not in the direction we hoped for, but hey... 🤷‍♂️

@LeoBistmans @beyondmachines1
That was a good one.

Considering that, we know from theoretical computer science that we cannot even prove whether an algorithm will terminate or not.

So how exactly are we supposed to make sure that software is “bullet-proof” against attacks? Especially as what was benign yesterday can be considered an attack tomorrow.

@LeoBistmans @beyondmachines1 And then there is OWASP LLM. LLM01 reads perfectly.

Prompt injection might make you think SQL injection.

But the story is way sadder: they basically admit that presently they do not expect that this will ever be fully solvable, as LLMs fundamentally cannot recognize code/data as different things; thus, there is no solution like “quote your data correctly, problem solved.”

I'm more optimistic as there are ways to make LLMs learn code/data distinction, but still.
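As an added illustration of the SQL half of that comparison (example code written for this page, not from the commenter or from OWASP): the "quote your data correctly, problem solved" remedy works for SQL precisely because SQL has a grammar in which a quoted literal, or a bound parameter, is data by definition. The table, the rows and the payload below are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two fake rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Code and data are concatenated into one string.

    The SQL parser cannot tell where the attacker's input ends, so a
    crafted name rewrites the WHERE clause and every row comes back.
    """
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, name):
    """'Quote your data correctly': double every single quote.

    This is the remedy the comment alludes to. It works for SQL because
    the grammar defines exactly how a quote inside a literal is written.
    """
    escaped = name.replace("'", "''")
    sql = f"SELECT name, secret FROM users WHERE name = '{escaped}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The preferred fix: the statement is compiled first and the value is
    bound afterwards, so it can never become part of the query structure."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload, constructed for the demonstration.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD))      # both rows leak
    print("escaped:       ", lookup_escaped(db, PAYLOAD))        # []
    print("parameterized: ", lookup_parameterized(db, PAYLOAD))  # []
```

The contrast with LLM01 is the point of the comment: there is no `?` placeholder for a prompt. Wrapping user text in delimiters produces one undifferentiated string that the model reads as a whole, so the escaping trick that closes the SQL hole has no defined counterpart there.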

@beyondmachines1 Unfortunately, there's also "who'll install a vendor solution which ticks various boxes but in actuality reduces overall security within the organisation?"

I've seen a lot of "install vendor X $$$$$ virtual platform solution which ticks off boxes A, B and C in our consultant supplied checklist of buzzword compliance" followed by "we don't have money to do basics such as setting up certificate management or enabling HTTPS on our website".

@psa @beyondmachines1
But LEGALLY you are more secure.

Sadly, the legal department has not yet grasped that the bad guys don't honour contracts.

So yes, you might have a great contract with a 3rd party to keep you secure, but it's irrelevant if the 3rd party is incapable of keeping itself secure. (And having 100 Fortune 500 customers depend on them for their IT security puts basically targets on their backs for state backed bad boys. Oops.)

@yacc143 @psa here's the pinnacle of useless legalism:

Australian law firm HWL Ebsworth obtained a court injunction to stop anyone touching the stolen client and employee data.

The criminals don't really care whether there's an injunction or not - they have already committed to being criminals.

The legal injunction just hampered the investigation of the event and transparency of learning more about it.

But, the lawyers did the lawyering!

@beyondmachines1 In a previous life where I was the SaaS boss I have indeed hired pentesters _only_ because I had a potential customer that needed that box ticked.

No money for continuous security work or training up our own competence. Or making sure the pentesters actually had what they needed to do a good job.

Nowadays I'm the one trying to get others to pay me to do real evaluations, not just for box ticking ...

@troed @beyondmachines1 it's so much fun when you can actually do real testing.
@krupo @troed you can always do real testing. Are they willing to do real fixing?
@beyondmachines1 oh, they will eagerly pay for the newest security snake oil

@me

I am talking about the cybersecurity equivalent of Skoda - reasonable, broadly applicable, useful, sensible, not terribly comfortable but good quality.

I'm not talking about cybersecurity equivalent of Ferrari - shiny, expensive and in essence useless for anything except one very specific use case.

@beyondmachines1 this actually applies to so many things, not just tech.
@William_Robison Absolutely.
Just each of us feels a different pain...

@William_Robison @beyondmachines1
Actually, it's easy to nail down:

Sensible measures that imply pain when implemented. Especially permanent changes. Triggers instant NIMBYism.

E.g. climate measures. Most of the Western population is for climate protection measures. It's just that it would be so much better if they were applied first in other countries. What, you wanted to make petrol 1% pricier? Climate terrorist!!!

@beyondmachines1 Who trusts Meta & Alphabet will do cybersecurity for all of us & for free? 🙌
@gimulnautti the same people that post declarations on Facebook that they do not consent with their data being processed/sold/abused.
@beyondmachines1 Who is able to pay for cybersecurity?
@why_not
apparently fëw and fÀr between
@beyondmachines1 @leyrer “And who’s okay with less functionality and complexity to gain security?” 

@beyondmachines1 The truth about nearly everything.

@schoenix probably, but each one of us rants about their specific pain.

Hence...

@beyondmachines1
Unfortunately I don't have money!
@why_not even people with boatloads of money don't have the money.
Because cybersecurity is about personal discipline and a little less comfort. Not about money.
@beyondmachines1 I've been asked a few times at work now if I was interested in being the go-to person for security related development and I refused with the reason that it's basically a career dead end. No business wants to pay for proper security.

@withoutclass the go-to person is not a formal function, you get all the blame and no authority (however marginal) to drive change.

And in the long run chasing features will always trump any security concerns.

@beyondmachines1 We will all pay for cybersecurity.
@rrb @beyondmachines1
You mean to say "we all will "pay" "for" the "cyber""non security" and not the real security behind it / underlying security.
@fbinin @beyondmachines1 we are all paying now for the lack.
@rrb @beyondmachines1
Very true. It is very expensive as well & growing.
@fbinin @beyondmachines1 Individuals are being forced to adapt to systems built negligently, because the laws in place shield tech companies from the consequences of their actions
@rrb @beyondmachines1
Unfortunately, the cycle of this greed and their species is becoming unstoppable. The time abound lost to greedy vultures with deserts created in turn.

@fbinin @beyondmachines1 It will collapse eventually. After about 8 centuries of dark ages, we may recover.

I am an incurable optimist.