by Bender 2 hours ago
If AI can do mass exploitation then it can also do mass patching. Some malware in the past has been used to mass patch machines.

Get to it. Give the teams doing this presidential pardons and full immunity. Apply patches and mitigations on all the things. Impress us all. One big downtime, get 'er done.

3 comments

That's pretty much the plot for one of the latter Terminator movies, right?

https://en.wikipedia.org/wiki/Terminator_3:_Rise_of_the_Mach...

Do you trust the AI to build perfect patches? Do you trust it to not leave backdoors in the process?

If it's smart enough to do the first, I don't trust it to do the second.

I don't even believe that AI is real. To me it's just a predictive chatbot using an LLM with big data shoved up its backside. As for trust, I do not trust anyone or anything, but if our choices are mass exploitation and mass patching, I will take the latter if people are not patching their own stuff, especially if AI can gain access to it already. If AI can get to it, so can spooks right now. There is a lot of hardware with state-operated unofficial remote access, and some of their companies are listed on In-Q-Tel's website. Worst case, the USA gets more control of the backdoors, lawful intercepts and such. I guess I will support that over other countries having control.

If there is a third option where companies drop everything, all hands on deck to patch all the things, I would take that, but it's just never been a priority. That's why I was always a big fan of ransomware separating customer data away from companies that should not have had it in the first place.

How could some worm-imposed patching work? If a piece of software is insecure and you switch the binary to a secure one, the insecure version would be uploaded in the next update, and the secure version would likely be treated like malware itself.

Turtles all the way down, right? Well, the way malware was used by the feds in the past was to get rid of the existing RAT and fix the vulnerability that the malware used in the first place, so the machine could not be re-infected by the same vectors. These were not all-inclusive patch processes, just enough to kill the RAT and its attack vectors to shut down a specific crime network so that another criminal group could not just move in and take over in its place.

It would be simpler to require critical software to focus on security and quickly shift to secure approaches. I mean, there was an article about how small water districts are short on funds and so choose to allow remote access to water treatment machinery so their engineers can work weekends at home. Imposing regulation that stops such d--- f--- tradeoffs seems obvious. HOWEVER, the paradigm of cost reduction via breakneck (and so insecure) development and lack of regulation on critical processes is very, very entrenched. The proponents of "go fast and break things" would prefer powerful bug finders be treated like demons to be exorcised rather than start requiring sane security practices.

Fundamentally I agree with everything you said, but I think you also explained in your own response why this will not happen. If they don't have the funds to do it right, then it will be done wrong. It's a pattern that never ends, and it's why it's so easy to shut down utilities.