"Assume OSS is compromised" - that is a very very deep hole indeed

jerry@infosec.exchange

"Assume OSS is compromised" - that is a very very deep hole indeed

https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/defenders-guide-to-frontier-ai-checklist-for-cisos

krypt3ia@infosec.exchange

@jerry NOT THE OFFICE OF STRATEGIC SERVICES!

jerry@infosec.exchange

@krypt3ia I guess we knew about them already

exception@mastodon.savvy.ch

@jerry Assume you will never now just how deeply all closed source software is compromised.

epic_null@infosec.exchange

@jerry OSS can be audited. I think that scares these companies most of all.

fencepost@infosec.exchange

@jerry it's not entirely out of line to simply "assume compromise" for any software (or the hardware it controls, Palo Alto) but it is indeed a deep hole. AI tools may actually make problems in open source "shallow" in ways not visible or verifiable in closed systems - and while the open source projects may not be able to buy expensive tooling people looking for things to brag about may spend their own money on those tools anyway.

varx@defcon.social

@exception @jerry only way to be secure is to code it yourself using punch cards. Make sure to punch the holes yourself using a lot of force. Don't want a hanging chad to introduce a hidden vulnerability!

sempf@infosec.exchange

@jerry Whelp. Everyone convert those Linux AWS containers to Windows.

jerry@infosec.exchange

@Sempf it's the only choice

fennix@infosec.space

@jerry @Sempf

I'm going to be moving forward with my very own bespoke vibecoded OS. No way the hackers can plant anything in it if even I have no clue what's in there!

hamishthepiper@ioc.exchange

@jerry Let’s see how long anything lasts after ripping out curl, ffmpeg, etc b/c it _might_ be an attack surface.

sundew@beige.party

@jerry "See, if you can read the source code, you should just assume it's compromised, but if you _can't_ read the source code, that's how you know it's good." 🤪

darkuncle@infosec.exchange

@jerry @Sempf given how much commercial software (from Palo Alto and Microsoft, among others) depends on OSS somewhere in the dev toolchain, assume *all software* is compromised

it's the only way to be sure.

lee_holmes@infosec.exchange

@jerry I should be in marketing. "In this new world of frontier AI, <copy and paste the same generic security advice that's been given for decades like zero-trust and inventory your assets>"

paul_ipv6@infosec.exchange

@darkuncle @jerry @Sempf

"I say we take off and nuke the entire site from orbit. It's the only way to be sure."

darkuncle@infosec.exchange

@paul_ipv6 @jerry @Sempf precisely

sempf@infosec.exchange

@darkuncle @paul_ipv6 @jerry I'm pretty sure that's what the rocketbois have in mind.