One of my coworkers listened in and had some interesting takeaways:
1. The practicality of the Android team in tackling a problem: working incrementally right away without trying to solve for everything, and how that's almost always the right approach when you're doing big changes like this.
2. The shift away from being attacker focused: how that's applicable to more of security than just memory safety. I.e., don't focus on making the attacker's life harder by constraining yourself to their playing field, but rather focus on making the defender's life easier by focusing on the things that we control
3. It's more expensive to clean up a mess than to prevent the mess: It doesn't follow directly from the blogpost, but it's essentially the difference between "build something in a MSL" (developer-focused) or "build something in an unsafe language, and go and tack on a bunch of mitigations afterwards" (attacker-focused)
jeffvanderstoep
npub1aw…lz2wr
2024-10-17 15:10:28 UTC
in reply to nevent1q…md93
Author Public Key
npub1aw8l0s85w9mhef4kv7hxzkc9dcfuhc8526egseldka5hr72clm3qqlz2wrSeen on
wss://relay.momostr.pinkPublished at
2024-10-17 15:10:28 UTCEvent JSON
{
"id": "2e1822adac0c8751763e677d9ff32d9973651ce59dec84b5466899d94a9be096",
"pubkey": "eb8ff7c0f471777ca6b667ae615b056e13cbe0f456b28867edb76971f958fee2",
"created_at": 1729177828,
"kind": 1,
"tags": [
[
"p",
"81540706346e051fa2dd7bec0baf9a16d0c403595df00e64041ca7f18c88ca12"
],
[
"p",
"eb8ff7c0f471777ca6b667ae615b056e13cbe0f456b28867edb76971f958fee2"
],
[
"proxy",
"https://infosec.exchange/@jeffvanderstoep/113323398146460275",
"web"
],
[
"e",
"9846aa0a92cdad3d1d44991359776f2bfaba1a207d4c0919de3450db882cf040",
"",
"root",
"eb8ff7c0f471777ca6b667ae615b056e13cbe0f456b28867edb76971f958fee2"
],
[
"p",
"3d35aa8bf9af9992893d4eb46ad155a70ec2b907d7928bc54b5112efa8727566"
],
[
"proxy",
"https://infosec.exchange/users/jeffvanderstoep/statuses/113323398146460275",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/jeffvanderstoep/statuses/113323398146460275",
"pink.momostr"
],
[
"-"
]
],
"content": "One of my coworkers listened in and had some interesting takeaways:\n\n1. The practicality of the Android team in tackling a problem: working incrementally right away without trying to solve for everything, and how that's almost always the right approach when you're doing big changes like this.\n2. The shift away from being attacker focused: how that's applicable to more of security than just memory safety. I.e., don't focus on making the attacker's life harder by constraining yourself to their playing field, but rather focus on making the defender's life easier by focusing on the things that we control\n3. It's more expensive to clean up a mess than to prevent the mess: It doesn't follow directly from the blogpost, but it's essentially the difference between \"build something in a MSL\" (developer-focused) or \"build something in an unsafe language, and go and tack on a bunch of mitigations afterwards\" (attacker-focused)",
"sig": "ca0aded699baf7eb7c88b460ec5da4cca2d6d17e3b63c745c16d6bcbc997f6af2b7b5c99f677875c14c3a2bb4ea0f869fa93091212ce397f915038f17819569c"
}