On Sun, Nov 16, 2025 at 10:16 AM Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org wrote:
How would one actually move the actual bar in defense? A big part of me thinks that you're just not going to patch your way out of the problem. But the number of organizations that you can rely on to actually make a difference seems pretty small? Like even converting every Linux binary to rust would only make sense if you could find a team that could actually maintain and support that code base, which I don't know that you could.
Like in a sense, what you have to do is completely rebuild how you're building software and have the large language model be the intermediary for everything?
Imbalances in the skills and workforce are real. The gap remains hard to bridge even in the presence of the greater degrees of automation that AI buys us, because, at this stage, we want humans to be in the loop – and for good reasons – and, also, because we are not going to grow the skillset faster than the attack surface, I am afraid.
I hate to sound like a broken record, but I will take a bite regardless: those imbalances are a byproduct of the information asymmetries that, from a historical point of view, have been favouring offense. To actually move the bar in defense, devising clever tech is not enough. Rather, it entails aligning the incentives – here we are, I said it again.
Now, those of you who know me may be familiar with the market approaches I had attempted in my past life. But, more substantially today, the bar is being moved by the regulatory framework that is eventually maturing. First we rethink the accountability and liability model in place, then the technical work can be sorted out. To be clear, it is not going to be free. But vulnerabilities have been inflicting a price on us, and for a long time now. Hence, it is time that the question of which stakeholders will bear 'the real cost of insecure software' in the future becomes a matter of concern.
-- Alfonso