
Technical Debt Reckoning

The current crisis is framed as the accumulated consequences of the "move fast and break things" paradigm, over-connected systems, and decades of prioritizing convenience over security.

← Back to AI is breaking two vulnerability cultures

11 comments tagged with this topic

So what materializes now is basically tech debt returns on the "move fast and break things" paradigm?
You’re obviously one of the most knowledgeable people on this topic around here. What would the best solution be? And where do you believe the industry is headed (which may very well be something other than the best solution)? I can’t think of anything other than improving operations, but given the state of the industry, this seems like a pipe dream.
You have moved from "We know" to "We have an educated guess", which is the right way to couch things. However, I wanted to also point out that relying only on educated guesses can lead us into a position where we are "papering over the cracks" or "addressing the symptoms", not the "underlying cause". Yes, sometimes that's all that can be done, but also, sometimes it can be more damaging than the cause itself (thinking in terms of the cause continuing to fester away whilst we think it's 'solved').
Downplaying security now has real consequences for everyone.
Bulk rewrites of everything into Rust with AI assistance?
I am looking at the results of a mass vulnerability scan as I type this. Half of the bugs in one case are in fact (binary) parser errors for hand-written parsers. These really should not exist in any language - but in C it's particularly bad. Kaitai Struct or something similar would broadly have prevented these. Rust would help here, but less than a parser generator (because it could automate error checking insertion for things that aren't just out of bound access). However, half of the vulnerabilities are logic errors in terms of what I would call RBAC enforcement, incorrect access permissions, and so on. Rust won't help at all with any of these.
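To make the parser point above concrete, here is an added example (written for this page, not code from the commenter, the scanned product, or Kaitai Struct): a hand-written binary record parser in C in its naive form and its bounds-checked form. The wire format (1-byte type, 2-byte big-endian length, payload) and the sample inputs are constructed for illustration and are not any real protocol. The naive version shows the two checks that typically go missing; the checked version rejects a record whose declared length runs past the input or past the destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format (an assumption for this example, not a real protocol):
 *   type    : 1 byte
 *   length  : 2 bytes, big-endian, number of payload bytes that follow
 *   payload : `length` bytes
 */
#define MAX_NAME 32

struct record {
    uint8_t  type;
    uint16_t len;
    char     name[MAX_NAME];   /* NUL-terminated copy of the payload */
};

/* VULNERABLE: trusts the length field. A length > MAX_NAME-1 overflows
 * out->name; a length past the end of the input reads beyond the buffer.
 * Kept only to show the missing checks; never call it on untrusted data. */
static int parse_record_naive(const uint8_t *in, size_t in_len,
                              struct record *out, size_t *consumed)
{
    (void)in_len;                               /* bug 1: remaining input is ignored */
    out->type = in[0];
    out->len  = (uint16_t)((in[1] << 8) | in[2]);
    memcpy(out->name, in + 3, out->len);        /* bug 2: no destination capacity check */
    out->name[out->len] = '\0';
    *consumed = 3 + (size_t)out->len;
    return 0;
}

/* HARDENED: every read is checked against the bytes actually remaining and
 * every write against the destination's capacity. 0 on success, -1 on
 * truncated, oversized or otherwise malformed input. */
static int parse_record_checked(const uint8_t *in, size_t in_len,
                                struct record *out, size_t *consumed)
{
    if (in == NULL || out == NULL || consumed == NULL) return -1;
    if (in_len < 3) return -1;                               /* header must fit */
    uint16_t len = (uint16_t)(((uint16_t)in[1] << 8) | in[2]);
    if (len > in_len - 3) return -1;                         /* payload must fit in input */
    if (len > MAX_NAME - 1) return -1;                       /* payload + NUL must fit in dest */
    out->type = in[0];
    out->len  = len;
    memcpy(out->name, in + 3, len);
    out->name[len] = '\0';
    *consumed = 3 + (size_t)len;
    return 0;
}

/* Parse a whole stream into `out` (at most max_out records).
 * Returns the record count, or -1 at the first bad record. */
static int parse_stream_checked(const uint8_t *in, size_t in_len,
                                struct record *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < in_len) {
        if (n == max_out) return -1;
        size_t used = 0;
        if (parse_record_checked(in + off, in_len - off, &out[n], &used) != 0)
            return -1;
        off += used;
        n++;
    }
    return (int)n;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_STREAM[] = {
    0x01, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e',
    0x02, 0x00, 0x03, 'b', 'o', 'b',
};
/* Declares 300 payload bytes but carries 2: the naive parser would read 298 bytes past the end. */
static const uint8_t TRUNCATED[] = { 0x01, 0x01, 0x2c, 'x', 'y' };

/* Returns 2 when both well-formed records parse with the expected contents, else -1. */
int demo_good_stream(void)
{
    struct record recs[4];
    int n = parse_stream_checked(GOOD_STREAM, sizeof GOOD_STREAM, recs, 4);
    if (n != 2) return -1;
    if (recs[0].type != 1 || strcmp(recs[0].name, "alice") != 0) return -1;
    if (recs[1].type != 2 || strcmp(recs[1].name, "bob") != 0) return -1;
    return n;
}

/* Returns the checked parser's verdict on the truncated record (-1 expected). */
int demo_truncated(void)
{
    struct record r; size_t used = 0;
    return parse_record_checked(TRUNCATED, sizeof TRUNCATED, &r, &used);
}

/* A record that is consistent on the wire but carries 40 payload bytes,
 * more than `name` can hold: the checked parser must reject it (-1). */
int demo_oversized(void)
{
    uint8_t buf[3 + 40];
    buf[0] = 0x03; buf[1] = 0x00; buf[2] = 40;
    memset(buf + 3, 'A', 40);
    struct record r; size_t used = 0;
    return parse_record_checked(buf, sizeof buf, &r, &used);
}

/* The naive parser on a well-formed first record: returns bytes consumed (8). */
int demo_naive_on_good(void)
{
    struct record r; size_t used = 0;
    if (parse_record_naive(GOOD_STREAM, sizeof GOOD_STREAM, &r, &used) != 0) return -1;
    return (int)used;
}

int main(void)
{
    printf("good stream: %d records\n", demo_good_stream());
    printf("truncated:   %d\n", demo_truncated());
    printf("oversized:   %d\n", demo_oversized());
    return 0;
}
```

The two rejected inputs are exactly the classes a parser generator inserts checks for automatically: a length that exceeds the remaining input and a length that exceeds the destination. The naive parser accepts the well-formed record just as the checked one does, which is why hand-written parsers pass functional tests and only fail under fuzzing or a scan.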
I was just working on a system best thought of as a “dinosaur”: written almost entirely in C (and a bit of Perl) and running on an appliance with BSD as the kernel. It’s full of bugs and has had a string of RCE vulnerabilities published recently, probably because of Mythos. Working with it day to day I get this feeling that the tech stack used results in a system that’s… clumsy and constrained. Little things give me that impression, and I can’t quite put it in words, but it’s thirty years of experience working with dozens of languages and platforms speaking here. Using C makes you clumsy. It makes you trip over things other languages don’t. It makes it obscenely difficult to do even simple things. It’s like trying to put a delicate ship into a bottle while wearing oven mitts. Switching to a better language isn’t just about the specific capabilities of its compiler; it’s also about what it enables in the humans using it.
I don't disagree with that, but my point is that Rust will not really solve vulnerabilities.
Rust is overly complex and difficult; Go is simpler and easier, and has the memory protection people are obsessed with.
I must admit I'm rather enjoying this particular form of shit show, mostly because it was a prediction I made in 2023 in the early days of LLMs. It wasn't really a problem related to LLMs but a glaring hole in the thinking of current computing, which is the "frustratingly over-connected" and "over-trust" approach to everything. After reading Liu Cixin's "The Three-Body Problem" and noting the Dark Forest, I applied that to risk vectors and came to the conclusion that our over-connected nature plus some form of acceleration plus some form of negative impact will fuck us big time. Turns out it did. Thus we should probably start treating our thinking model of computing as a Dark Forest, not a friendly community. That mitigates these risks to some degree.
We are now paying for the sins of our fathers (well, and mostly ourselves). We've just kept building more complex things with more exposure with no recognition that the day of reckoning was coming. And now we are in an untenable situation. With governments spending billions on AI with the big providers, it's likely they've found many of these already.