Although I’d spin the issue about host vs network security differently. I’ve found that engineering teams prioritize security a lot more if they don’t feel like they’re safe in a cocoon of local network bliss behind network firewalls. I love “beyond corp” or “zero trust” precisely because you’re making it explicit that they’re on the internet and they’re a target.
I don't know; I haven't really seen most of these things in the wild for a long time.
For "#4) Hacking is Cool" the zeitgeist has moved in the exact opposite direction with "white hat", bug bounties, etc. I think that section in particular is a pretty outdated view of things.
"#6) Action is Better Than Inaction" is probably the only one that still broadly applies today, and is actually a special case of the "X exists, therefore we must use it ASAP, and any possible negativities are not our problem and inevitable anyway" attitude that seems to be prevalent among certain types of people.
#1. This is still prolific absolutely everywhere. There's a good chance it is happening on your computer right now. It happens in mobile app stores (application releases go through a very rudimentary set of checks and only end up thoroughly analysed by security researchers when the application becomes flagged). It's very common within internal networks and even more so when it comes to outgoing traffic.
#2. This is still sold by security consultancy firms as a service; it's, again, incredibly prolific in a lot of places.
#3. Likewise, still a very popular service sold by security consultancy firms.
#5. Still common to this day, services such as vishing/phishing assessments test for user education.
Please tell me you have already thrown Firefox, Chrome, old Microsoft Edge and whatever browser out of the window and are posting to HN with your rewritten-in-Rust lynx.
Not being able to rewrite the world or convincing people to stop using memory unsafe languages is entirely unrelated to what security researchers do.
I'd love to stop having to build a complicated lifetime model in my mind to figure out whether there are hidden code paths for a UAF, but at the same time this is the best thing I can do to secure what we have today; now it's on you to rewrite the world.
Well, I'm unfortunately not in a place where doing so makes sense. Unless you mean only auditing Rust code.
> nag managers
I already do so. This doesn't change much. There are still too many must-be-evolved C++ projects (no easy incremental rewrite path forward); it is impractical to have engs put significant effort into rewriting in Rust. It's really difficult to convince someone to fix something that ain't broken.
People coding in C++ are just as desperate as you; that's why someone brought up Carbon [1], a half-baked experimental project, to the world last year, instead of just using Rust. Sure, they would like to use a memory safe language if possible. No, they still have to get their job done.
> refuse to buy hardware that only supports C
If it supports C, we can make it support Rust, it's a very fun weekend project to bring-up some nostd Rust code on it.
Except there are at least 12 previous posts of this article. It was only posted once the year it came out, but it had a real renaissance about 6 years ago for some reason.