Dailydave mailing list archives

Re: Defense ?


From: Conan Dooley via Dailydave <dailydave () lists aitelfoundation org>
Date: Sun, 16 Nov 2025 01:57:10 -0800

Reduce complexity, duplication, and scope in your infrastructure. Your
developers and infrastructure staff would need to agree on standardized
libraries, frameworks, etc, and you'd need skilled technical staff to
validate when people said doing something wasn't possible within that
scope, and make them accountable for making sure adding that level of
complexity led to business value that was greater than that overhead (vs,
say, just getting them promoted for rolling out *cool new framework*). Once
you have done that, you can then start evaluating infrastructure growth
rate vs security evaluation rate to consistently maintain your defensive bar.

Unfortunately, society's incentives broadly agree that reducing scope or
investing in security is unacceptable because it interferes with rocketship
growth. Please accept these 2 years of free credit monitoring in exchange.

As to fixing it by putting an LLM in as the intermediary for your software
development process - well, LLMs are complex and opaque and any security
practitioner should know that in complex and opaque systems there is always
interesting exploitable behavior. It also has the bonus of enabling people
with less expertise to commit more code faster, which probably interferes with
"improving your comprehension of what your infrastructure is doing" and
"reducing the scope of evaluation space you need to address". There's also
that little pesky question of "What value did that LLM intermediary
provide? Does it cost more to secure it than value it provides?". Most of
the industry seems to have a very tenuous grasp on the first one. The
second one? No one knows, and it's a sin to ask.

On Sat, Nov 15, 2025 at 11:56 PM Dave Aitel via Dailydave <
dailydave () lists aitelfoundation org> wrote:

How would one actually move the actual bar in defense? A big part of me
thinks that you're just not going to patch your way out of the problem. But
the number of organizations that you can rely on to actually make a
difference seems pretty small? Like even converting every Linux binary to
rust would only make sense if you could find a team that could actually
maintain and support that code base, which I don't know that you could.

Like in a sense, what you have to do is completely rebuild how you're
building software and have the large language model be the intermediary for
everything?

Dave
_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
