by _alternator_ 35 days ago
To address this framing directly: "a bug exists" is a different truth/state of the world than "the bug is known to exist", and that's also very different from "this bug exists and an exploit is readily available". So the transmission of information about the bugs does change the state of the world, and requires action.
3 comments

There are actually three states:

- A bug exists and nobody knows

- A bug exists and some people know

- A bug exists and everyone knows

As an outside observer, there is no way for you to determine if a bug is in state one or two; you only know once it's in the third state.

Which is the entire problem here. Having the bug be known to everyone is a vastly improved state over being known to a few. Yes, the bug being completely unknown is better than being known to a few, but there is no way to ever know if that's the case.

From the outside, known to none and known to a few are indistinguishable, and thus both states are the worst possible case. The only remedy is to make the bug known to everyone such that it cannot be covertly exploited.

That's not the whole picture though. Bugs exist anyway. The only practical concern is which of all these bugs, which yes exist and are included in production, are most likely to actually be used.
You've described states one and two as outlined above.

Whether a bug is exploitable is an entirely separate category of unknowable, because seemingly-innocuous bugs quite often have very deep and very subtle implications that when combined with another innocuous bug, result in an RCE or PE.

Therefore, it's sensible to treat all bugs as potential threat vectors unless and until proven otherwise. Which brings us full circle: state 3, all bugs being public, is probably the safest thing because nobody can know if a bug is in state 1 or 2.

It's sensible, just as it's sensible to have an invulnerable immune system.

Sure, who wouldn't like to have that? Such a thing is impossible to reach, starting with the same reason Gödel's incompleteness theorem is a thing, plus a gazillion more practical constraints.

A bug existing or not for a person is a statement about that person's knowledge of the bug.

Is your assertion that, since you specifically didn't know about the bugs, nobody, not in Russia or anywhere else, did?

Obviously if bugs are out there existing in software and you don't know about them, or the CVE system doesn't know about them, or whatever ... this does not preclude bad guys from knowing about them. In the era of agents, knowing the bug exists is equivalent to having a PoC, so the distinction completely collapses.

Arguably, the transition goes from "this bug exists but vendors ignore it because only criminals and intelligence agencies know about it" to "this bug is publicly embarrassing, let's fix it right away."

Sweeping things under the rug is how we get insecurity. Sunshine is the best disinfectant.