ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

I understand why the "security industry" which feeds off the CVE register is upset about its potential demise.

But let's face it: MITRE's CVE register was a prototype, built in a world where there were (only!) 231 known security vulnerabilities in total.

We have learned a lot from that prototype.

It has shown us how big the problem is, that the IT-industry will not and can not solve the problem, and how to accidentally create fertile ground for organized crime with good intentions.

1/2

Now is the time to throw away the prototype and implement changes which will work.

1. Full and unconditional product liability for all software.
2. Mandatory recalls of unsafe software products.
3. Mandatory open sourcing of all systemically important software. ("OS", not "FOSS")
4. Mandatory independent 3rd party review of all systemically important software.
5. Mandatory reporting to independent accident investigation authority, with law-given full access to all aspects.

2/2

@bsdphk The first one alone would be great. My worry about the second is that it could be misused and twisted in an anti-consumer way.
For instance, a plausibility shield for companies to remove non-enshittified software from the market. 'All software must have a kill switch'

@philpem

I think all connected software/hardware needs to have a timer and detach itself from the net if it is not reset by periodic software updates.

Mind you: "Detach from the net" not "stop functioning".
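As an added example, not code from the thread or any of its participants, here is one way the timer bsdphk describes could look. The device keeps a countdown that only an authentic, fresher-than-last update resets; when it expires the device refuses network traffic but its local functions keep working. The grace period, the HMAC-based update authentication with a provisioned shared key (a real device would use a public-key signature so the verifier cannot forge updates), and the clock-skew allowance are all assumptions of this example, not something the post specifies.

```python
"""Added example: a "detach from the net" freshness timer.

Assumptions not in the original post:
- updates carry an HMAC-SHA256 over (version, issued_at) under a key
  provisioned at manufacture (stand-in for a public-key signature);
- 90 days is the grace period before the device detaches;
- an update issued more than 5 minutes in the future is rejected as clock skew.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

GRACE_SECONDS = 90 * 24 * 3600   # assumed policy: 90 days without an update
MAX_CLOCK_SKEW = 300             # assumed: tolerate 5 minutes of skew


@dataclass
class Update:
    version: str
    issued_at: float   # seconds since epoch, set by the vendor when signing
    mac: str           # hex HMAC over (version, issued_at)


def _update_message(version: str, issued_at: float) -> bytes:
    # Canonical encoding so signer and verifier MAC exactly the same bytes.
    return json.dumps([version, issued_at], separators=(",", ":")).encode()


def sign_update(key: bytes, version: str, issued_at: float) -> Update:
    """Vendor side: produce an authenticated update record."""
    mac = hmac.new(key, _update_message(version, issued_at), hashlib.sha256).hexdigest()
    return Update(version, issued_at, mac)


class NetworkGate:
    """Device side: network access is allowed only while the timer is fresh."""

    def __init__(self, key: bytes, last_update_at: float, grace: float = GRACE_SECONDS):
        self._key = key
        self.last_update_at = last_update_at   # timestamp of the last accepted update
        self.grace = grace
        self.version = None

    def apply_update(self, upd: Update, now: float) -> bool:
        """Reset the timer only for an authentic, newer, plausibly dated update."""
        expected = hmac.new(self._key, _update_message(upd.version, upd.issued_at),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, upd.mac):
            return False                      # forged or corrupted: timer untouched
        if upd.issued_at <= self.last_update_at:
            return False                      # replay of an old update: timer untouched
        if upd.issued_at > now + MAX_CLOCK_SKEW:
            return False                      # dated in the future: likely a bogus clock
        # Reset to the update's issue time, not to "now", so a stale update
        # found on a shelf cannot buy a full new grace period.
        self.last_update_at = upd.issued_at
        self.version = upd.version
        return True

    def network_allowed(self, now: float) -> bool:
        return now - self.last_update_at < self.grace

    def status(self, now: float) -> str:
        return "online" if self.network_allowed(now) else "detached"

    def send(self, payload: bytes, now: float) -> bool:
        """Returns True if the packet would be sent, False if the gate is closed."""
        if not self.network_allowed(now):
            return False                      # detached: drop, do not transmit
        return True

    def local_function(self, x: int) -> int:
        """Local behaviour is unaffected by the gate: 'detach', not 'stop functioning'."""
        return x * 2


if __name__ == "__main__":
    key = b"provisioned-at-manufacture"      # constructed sample key
    gate = NetworkGate(key, last_update_at=0.0, grace=100)
    print(gate.status(50), gate.status(150))
    gate.apply_update(sign_update(key, "1.1", 140.0), now=150)
    print(gate.status(150), gate.local_function(21))
```

The replay check matters as much as the MAC: without it an attacker who captured a legitimate old update could keep a long-abandoned device on the network indefinitely, which is exactly the situation the timer is meant to end.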

Andrew Zonenberg

@bsdphk @philpem That's like Signal's kill switch which I strongly disagree with.

Software should be patched because someone found a bug, not to create change for change's sake. This sort of thing encourages a constant flood of unnecessary updates where they have to reset the kill switch and then add more stuff too.

All software should aspire to the level of stability of e.g. GNU coreutils, where the "stat" command has received eight commits in the past year including two that only changed comments and several that were code refactorings that renamed things to be more internally consistent without any binary modifications.

It should be possible for a piece of code to be *finished*. Last planned release has happened, it's feature complete and in active use, bugs will be fixed if found, but otherwise there's no reason to change it.