> The concept itself doesn’t even make sense if you fully understand the intersectional scope of technology and society
Societies demands are the things that are unsafe not the technologies themselves
Always look at conferences and associated workshops. You can start with NeurIPs and ICML. From there, you will figure out some papers on safety. Then, you can see some patterns of labs which work on it full time.
It's a good test, however, I wouldn't ask it in a public setting lol, you have to ask them in a more private chat - at least for me, I'm not gonna talk bad about a massive org (ISC2) knowing that tons of managers and execs swear by them, but if you ask for my personal opinion in a more relaxed setting (and I do trust you to some extent), then you'll get a more nuanced and different answer.
Same test works for CEH. If they felt insulted and angry, they get an A+ (joking...?).
A bit crude, maybe a bit hurt and angry, but has some truth in it.
A few things help a lot (for BOTH sides - which is weird to say as the two sides should be US vs Threat Actors, but anyway):
1. Detach your identity from your ideas or work. You're not your work. An idea is just a passerby thought that you grabbed out of thin air, you can let it go the same way you grabbed it.
2. Always look for opportunities to create a dialogue. Learn from anyone and anything. Elevate everyone around you.
3. Instead of constantly looking for reasons why you're right, go with "why am I wrong?", It breaks tunnel vision faster than anything else.
Asking questions isn't an attack. Criticizing a design or implementation isn't criticizing you.
A simple HN-like web app that indexes security (and security adjacent) write-ups.
Imagine you, as a security researcher (or any other persona in the security field), wanted to see what prior works are available around bypassing v8 sandbox using webasm, or if what’s been done or found targeting deserialization in Go.
Using this web app, you can search the indexed and tagged write ups.
Also adding MCP support to it so your agents can search too.
Hopefully going live soon.
P.S: I said HN-like, but tbh it’s just the UI that looks a bit like HN (I’m not a good designer, so got heavy inspiration from HN listing style), otherwise there’s no other overlap in functionality yet.
Amazing idea - absolutely loving vouch.
However, as a security person, this comment immediately caught my attention.
A few things come to mind (it's late here, so apologies in advance if they're trivial and not thought through):
- Threat Actors compromising an account and use it to Vouch for another account. I have a "hunch" it could fly under the radar, though admittedly I can't see how it would be different from another rogue commit by the compromised account (hence the hunch).
- Threat actors creating fake chains of trust, working the human factor by creating fake personas and inflating stats on Github to create (fake) credibility (like how number of likes on a video can cause other people to like or not, I've noticed I may not like a video if it has a low count which I would've if it had millions - could this be applied here somehow with the threat actor's inflated repo stats?)
- Can I use this to perform a Contribution-DDOS against a specific person?
The idea is sound, and we definitely need something to address the surge in low-effort PRs, especially in the post-LLM era.
Regarding your points:
"Threat Actors compromising an account..." You're spot on. A vouch-based system inevitably puts a huge target on high-reputation accounts. They become high-value assets for account takeovers.
"Threat actors creating fake chains of trust..." This is already prevalent in the crypto landscape... we saw similar dynamics play out recently with OpenClaw. If there is a metric for trust, it will be gamed.
From my experience, you cannot successfully layer a centralized reputation system over a decentralized (open contribution) ecosystem. The reputation mechanism itself needs to be decentralized, evolving, and heuristics-based rather than static.
I actually proposed a similar heuristic approach (on a smaller scale) for the expressjs repo a few months back when they were the first to get hit by mass low-quality PRs: https://gist.github.com/freakynit/c351872e4e8f2d73e3f21c4678... (sorry, couldn;t link to original comment due to some github UI issue.. was not showing me the link)
This is a strange comment because, this is literally the world that we live in now? We just assume that everyone is vouched by someone (perhaps Github/Gitlab). Adding this layer of vouching will basically cull all of that very cheap and meaningless vouches. Now you have to work to earn the trust. And if you lose that trust, you actually lose something.
I belong to a community that uses a chain of trust like this with regards to inviting new people. The process for avoiding the bad actor chain problem is pretty trivial: If someone catches a ban, everyone downstream of them loses access pending review, and everyone upstream of them loses invite permissions, pending review. Typically, some or most of the downstream people end up quickly getting vouched for by existing members of the community, and it tends to be pretty easy to find who messed up with a poorly-vetted invite (most often, it was the person who got banned's inviter). Person with poor judgement loses their invite permissions for a bit, everyone upstream from them gets their invite permissions back.
Same thoughts here.
I gave it the benefit of the doubt, thought it might be an adoption for a specific field, or an extension of thought, or maybe a fun twist or something.
reply