"Assume OSS is compromised" - that is a very very deep hole indeed

sempf@infosec.exchange

@jerry Whelp. Everyone convert those Linux AWS containers to Windows.

jerry@infosec.exchange

@Sempf it's the only choice

fennix@infosec.space

@jerry @Sempf

I'm going to be moving forward with my very own bespoke vibecoded OS. No way the hackers can plant anything in it if even I have no clue what's in there!

hamishthepiper@ioc.exchange

@jerry Let’s see how long anything lasts after ripping out curl, ffmpeg, etc b/c it _might_ be an attack surface.

sundew@beige.party

@jerry "See, if you can read the source code, you should just assume it's compromised, but if you _can't_ read the source code, that's how you know it's good." 🤪

darkuncle@infosec.exchange

@jerry @Sempf given how much commercial software (from Palo Alto and Microsoft, among others) depends on OSS somewhere in the dev toolchain, assume *all software* is compromised

it's the only way to be sure.

lee_holmes@infosec.exchange

@jerry I should be in marketing. "In this new world of frontier AI, <copy and paste the same generic security advice that's been given for decades like zero-trust and inventory your assets>"

paul_ipv6@infosec.exchange

@darkuncle @jerry @Sempf

"I say we take off and nuke the entire site from orbit. It's the only way to be sure."

darkuncle@infosec.exchange

@paul_ipv6 @jerry @Sempf precisely

sempf@infosec.exchange

@darkuncle @paul_ipv6 @jerry I'm pretty sure that's what the rocketbois have in mind.