this post was submitted on 21 Sep 2024
73 points (97.4% liked)
Cybersecurity
5687 readers
49 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
That seems like a myopic view. Service misconfiguration is not always a vendor's fault, and demanding software vendors to patch their products is not going to fix OSS vulnerabilities. In fact, we've seen examples this year of increased pressure to fix "issues" leading to developers unwittingly accepting malicious commits.
Mind you, I'm not contesting that some vendors produce dogshit products (looking at you, CrowdStrike), but calling all vendors villains is a bit of a stretch.
In addition, a lot of cybercrime involves social engineering as part of the attack vector. You can't roll out a security patch for Karen from HR.
I'm not sure I fully agree with you, partly because she's not talking about OSS alone. Let's look at a recent but important example.
Yubikeys manufactured before firmware version 5.7 (before May 2024), are vulnerable to a specific type of attack that is not novel, due to a faulty IC via its code. It's something that should have been caught during QA. Who is to blame?
Yubikey didn't make the faulty IC, so obviously the IC maker should bear at least a good chunk of it, but I think it's Yubikey's responsibility to verify their work, especially since they're the ones making the ultimate promise of cryptographic suitability that businesses and governments rely upon.
I don't know if it's right to call companies like this "villains," but I think "lazy or lax" might be appropriate. Additionally, I like the idea of calling cybercrime groups funny names.