"Assume OSS is compromised" - that is a very very deep hole indeed
-
@jerry NOT THE OFFICE OF STRATEGIC SERVICES!
@krypt3ia I guess we knew about them already
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry Assume you will never now just how deeply all closed source software is compromised.
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry OSS can be audited. I think that scares these companies most of all.
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry it's not entirely out of line to simply "assume compromise" for any software (or the hardware it controls, Palo Alto) but it is indeed a deep hole. AI tools may actually make problems in open source "shallow" in ways not visible or verifiable in closed systems - and while the open source projects may not be able to buy expensive tooling people looking for things to brag about may spend their own money on those tools anyway.
-
@jerry Assume you will never now just how deeply all closed source software is compromised.
@exception @jerry only way to be secure is to code it yourself using punch cards. Make sure to punch the holes yourself using a lot of force. Don't want a hanging chad to introduce a hidden vulnerability!
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry Whelp. Everyone convert those Linux AWS containers to Windows.
-
@jerry Whelp. Everyone convert those Linux AWS containers to Windows.
@Sempf it's the only choice
-
@Sempf it's the only choice
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry Let’s see how long anything lasts after ripping out curl, ffmpeg, etc b/c it _might_ be an attack surface.
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry "See, if you can read the source code, you should just assume it's compromised, but if you _can't_ read the source code, that's how you know it's good." 🤪
-
@Sempf it's the only choice
-
"Assume OSS is compromised" - that is a very very deep hole indeed
@jerry I should be in marketing. "In this new world of frontier AI, <copy and paste the same generic security advice that's been given for decades like zero-trust and inventory your assets>"
-
"I say we take off and nuke the entire site from orbit. It's the only way to be sure."
-
"I say we take off and nuke the entire site from orbit. It's the only way to be sure."
@paul_ipv6 @jerry @Sempf precisely
-
@paul_ipv6 @jerry @Sempf precisely
@darkuncle @paul_ipv6 @jerry I'm pretty sure that's what the rocketbois have in mind.
-
R relay@relay.infosec.exchange shared this topic
