Dr. Anton Chuvakin

After almost twenty years on the platform, EFF is logging off of X. This isn’t a decision we made lightly, but it might be overdue. 🧵(1/5)

I love hearing about how the security field has changed from folks who’ve been in it forever. Hearing about how somethings were such a concern back then compared to what their concern is now is cool to see how things have evolved.

I would probably rant less if I didn't have to deal with "The sky is falling what should our strategy be for all this impending 0day..." Well you might want to finish rolling out MFA and finish that EDR deployment first...

Soon, every piece of software in the world will have their vulnerabilities exposed. And then shortly after, no software will have vulnerabilities.

The market is still underrating the gap between finding bugs and actually proving exploitability. A lot of companies argue that vulnerability discovery is becoming commoditized, that multiple models can now spot bug patterns, and that results like Anthropic Mythos are reproducible. That misses the real technical bottleneck. Finding the bug is not the hard part anymore. In many cases, that’s close to a solved problem. What matters is whether a model can turn that finding into a real exploit: chaining primitives, building a working test case, and demonstrating that the issue is actually exploitable without a human carrying it across the finish line. That capability matters on both sides: - offensively, because exploitability is what separates signal from noise - defensively, because you need a credible proof case to build the right fix We’re probably heading into another market correction where a lot of “AI companies” that are really just UI wrappers get washed out. The next winners won’t be the ones with the nicest interface. They’ll be the ones with real underlying capability.

Y'all know there is a middle ground between people saying it's still BS, and people who are pilled and thinking everything is cooked overnight...