You’re right that this is definitely not “security mindset”. Iceman is distorting the point of the original post. But also, the reason Mozilla’s developers can do that and get public credit for it is partially because the infosec community has developed tens of thousands of catastrophic RCEs from very similar exploit primitives, and so there is loads of historical evidence that those particular kinds of crashes lead to exploitable bugs. Alignment researchers lack the same shared understanding—they’re mostly philosopher-mathematicians with no consensus even among themselves about what the real issues are, and so if one tries to claim credit for averting catastrophe in a similar situation it’s impossible to tell if they’re right.
This is exactly right. To put it more succinctly: Memory corruption is a known vector for exploitation, therefore any bug that potentially leads to memory corruption also has the potential to be a security vulnerability. Thus memory corruption should be treated with similar care as a security vulnerability.