"Assume OSS is compromised" - that is a very very deep hole indeed

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 20:45:19 GMT

sempf@infosec.exchange — Fri, 24 Apr 2026 20:45:19 GMT

@darkuncle @paul_ipv6 @jerry I'm pretty sure that's what the rocketbois have in mind.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 20:03:42 GMT

darkuncle@infosec.exchange — Fri, 24 Apr 2026 20:03:42 GMT

@paul_ipv6 @jerry @Sempf precisely

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 20:00:48 GMT

paul_ipv6@infosec.exchange — Fri, 24 Apr 2026 20:00:48 GMT

@darkuncle @jerry @Sempf

"I say we take off and nuke the entire site from orbit. It's the only way to be sure."

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 20:00:36 GMT

lee_holmes@infosec.exchange — Fri, 24 Apr 2026 20:00:36 GMT

@jerry I should be in marketing. "In this new world of frontier AI, "

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:58:33 GMT

darkuncle@infosec.exchange — Fri, 24 Apr 2026 19:58:33 GMT

@jerry @Sempf given how much commercial software (from Palo Alto and Microsoft, among others) depends on OSS somewhere in the dev toolchain, assume *all software* is compromised

it's the only way to be sure.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:57:19 GMT

sundew@beige.party — Fri, 24 Apr 2026 19:57:19 GMT

@jerry "See, if you can read the source code, you should just assume it's compromised, but if you _can't_ read the source code, that's how you know it's good." 🤪

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:35:36 GMT

hamishthepiper@ioc.exchange — Fri, 24 Apr 2026 19:35:36 GMT

@jerry Let’s see how long anything lasts after ripping out curl, ffmpeg, etc b/c it _might_ be an attack surface.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:34:54 GMT

fennix@infosec.space — Fri, 24 Apr 2026 19:34:54 GMT

@jerry @Sempf

I'm going to be moving forward with my very own bespoke vibecoded OS. No way the hackers can plant anything in it if even I have no clue what's in there!

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:28:53 GMT

jerry@infosec.exchange — Fri, 24 Apr 2026 19:28:53 GMT

@Sempf it's the only choice

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:28:21 GMT

sempf@infosec.exchange — Fri, 24 Apr 2026 19:28:21 GMT

@jerry Whelp. Everyone convert those Linux AWS containers to Windows.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:11:55 GMT

varx@defcon.social — Fri, 24 Apr 2026 19:11:55 GMT

@exception @jerry only way to be secure is to code it yourself using punch cards. Make sure to punch the holes yourself using a lot of force. Don't want a hanging chad to introduce a hidden vulnerability!

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:11:02 GMT

fencepost@infosec.exchange — Fri, 24 Apr 2026 19:11:02 GMT

@jerry it's not entirely out of line to simply "assume compromise" for any software (or the hardware it controls, Palo Alto) but it is indeed a deep hole. AI tools may actually make problems in open source "shallow" in ways not visible or verifiable in closed systems - and while the open source projects may not be able to buy expensive tooling people looking for things to brag about may spend their own money on those tools anyway.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:10:06 GMT

epic_null@infosec.exchange — Fri, 24 Apr 2026 19:10:06 GMT

@jerry OSS can be audited. I think that scares these companies most of all.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:07:10 GMT

exception@mastodon.savvy.ch — Fri, 24 Apr 2026 19:07:10 GMT

@jerry Assume you will never now just how deeply all closed source software is compromised.

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:04:51 GMT

jerry@infosec.exchange — Fri, 24 Apr 2026 19:04:51 GMT

@krypt3ia I guess we knew about them already

Reply to "Assume OSS is compromised" - that is a very very deep hole indeed on Fri, 24 Apr 2026 19:04:23 GMT

krypt3ia@infosec.exchange — Fri, 24 Apr 2026 19:04:23 GMT

@jerry NOT THE OFFICE OF STRATEGIC SERVICES!