[insanitybit]

A lot of social engineering attacks die the second you have domain bound 2FA. Not everything, but a lot.

But the idea that we'll squash all of the critical vulns is simply nonsense, despite the weird Firefox blog posts that indicate otherwise.

[MostlyStable]

We don't need to squash all of them, we need to squash all of them that are practically findable by current and very near term frontier models.

[insanitybit]

Also impossible imo so it's moot.

[MostlyStable]

Because you think that current models can, in a practical sense, find an infinite number of vulnerabilities, or you think that they can find so many that it isn't possible to fix them?

In other words: do you think that the impossibility lines in exhausting the number finds or does the impossibility lie in fixing them?

In either case, do you think that this was also true pre-AI? That is to say: it was not possible to, given some set of practical resource constraints, find and fix all the vulnerabilities that a similarly-resourced group would find?

If so, then would you say that you just fundamentally don't believe in secure software and the only defense is lack of attention?

[insanitybit]

I think that there are, practically, infinite vulnerabilities in common and critical software - browsers, operating systems, etc. So discovering all of them is not tractable, and even if we 100x our rate of discovery it won't matter.

> In either case, do you think that this was also true pre-AI? That is to say: it was not possible to, given some set of practical resource constraints, find and fix all the vulnerabilities that a similarly-resourced group would find?

Yes.

> If so, then would you say that you just fundamentally don't believe in secure software and the only defense is lack of attention?

I believe in security software, few people are building it though and the majority of relevant attack surface is dogshit for security.

Squashing vulns via discovery is irrelevant to security. If we want safer software it has to be built to be safer.