joshbressers

@joshbressers@infosec.exchange

VP of Security at Anchore - Podcaster (http://opensourcesecuritypodcast.com http://hackerhistory.com) - Blogger (http://opensourcesecurity.io) - He/Him


jacob, to random
@jacob@jacobian.org avatar

“We believe that open source should be sustainable and open source maintainers should get paid!”

Maintainer: introduces commercial features
“Not like that”

Maintainer: works for a large tech co
“Not like that”

Maintainer: takes investment
“Not like that”

joshbressers,

@jacob while I understand this is a bit tongue in cheek, you should keep an eye on @sovtechfund

I have a suspicion they’re on the right path

rolle, (edited) to Eurovision
@rolle@mementomori.social avatar

Windows95man won UMK and will represent Finland at Eurovision 2024. Congrats.

joshbressers,

@rolle I'm pretty sure this is the video

https://www.youtube.com/watch?v=byI2jM_xcjU

it's better than I could have imagined :)

joshbressers, to random

I'm not sure anything will ever disappoint me more than learning there was no toothbrush botnet

luis_in_brief, to random
@luis_in_brief@social.coop avatar

Speaker #1: every major interoperability initiative has failed
Speaker #2: we should do interoperability for AI

🤔

joshbressers,

@Di4na @luis_in_brief This is why all the current attempts to "score" open source projects amuses me

Even if your project scored a 0, it's not really going to go away

If there are multiple options, it's not like you can just change a few lines of code

joshbressers,

@Di4na @luis_in_brief Hahahahaha, that's true

I imagine the solution will end up being change the scoring system

goodness knows actually fixing any of this isn't going to be something the very serious people consider

joshbressers,

@Di4na @luis_in_brief If you really want to cook your brain

That report is from the ASCE, which appears to have about $4 million in yearly revenue

The Linux Foundation has $243 million in 2022 revenue according to their yearly report

joshbressers,

@boblord @federicomena @luis_in_brief @sethmlarson @Di4na

I would love to see some research about this (hey students - if you're looking for a thesis idea, you could probably build an amazing career on this topic)

Even if developers don't move faster with the newer environments ...

Removing all the safety equipment from the factory could let the workers go faster too, except we tried that already, it didn't go great

joshbressers,

@Di4na @federicomena @boblord @luis_in_brief @sethmlarson Yes!

I’ll send you a DM in my morning and we can figure something out

joshbressers,

@Di4na @federicomena @boblord @luis_in_brief @sethmlarson @gnome

While I would love to read this, I don't think it will change much as facts rarely change human behavior

A huge amount of the guidance is rooted in standards and policy documents, which take years to change, if they even want to change (which I bet a lot don't)

I'm unsure there is a good way to incite change in the application security space right now, I think there's too much friction

I wonder how and if other industries had similar challenges to overcome in the past

I fear it was mostly personal injury in the courts, which we don't really have today because we're not yet killing and maiming enough people for anyone to notice

hacks4pancakes, to random

Everyone keeps sending me that news article about the German railway trying to hire a DOS and Windows 3.1 expert. You don’t understand- that is my whole job. That’s literally my normal day to day cybersecurity career.

joshbressers,

@hacks4pancakes But according to all the comments on hacker news everyone but me has a fully patched environment!!!

jerry, to random

There is a noticeable decline in the number of active users on Infosec.exchange lately. Where are the cool kids hanging out these days?

joshbressers,

@jerry @eljefedsecurit your work is amazing and appreciated

You just need to build an outrage bot to maximize engagement and synergy ;)

postmodern, to random

Me: trying to convince InfoSec celebrities who apparently do not fully understand CS, language design, or certain programming language ecosystems, from going down the same predictable HackerNews arguments that have been thoroughly debunked a dozen times.
https://youtu.be/AFj0qmBMBa4?t=81

joshbressers,

@postmodern maybe the skills needed to become a “celebrity” and actual security skills are very different ;)

securingdev, to random

@jerry not sure if you’re aware but it appears that maybe Bookmarks are broken..??

joshbressers,

@jerry @securingdev Bookmarks work for me

That's two rocks to one scissors

bagder, to random
@bagder@mastodon.social avatar

Another bogus is now in the wild: https://www.cve.org/CVERecord?id=CVE-2023-52071

joshbressers,

@bagder @hanno I thought the purpose of becoming a CNA was so they would send these requests to you instead of blindly filing them

joshbressers, to random

Allowing '..' (dot dot) in a path was a mistake and removing it would solve more security problems than using memory safe languages

Now that I have your attention

In security we keep hearing about memory safety and how we just need to stop using C and how it will fix a lot of problems

This is true, but next time you read about getting rid of C, I want you to think about removing .. from being supported. It's an easier problem to wrap our heads around, possibly more useful, and probably easier to do

I'll explain why below
1/6

joshbressers,

If you've ever spoken with a red teamer, they're going to tell you about a time they used path traversal to break into or out of something. Path traversal bugs can affect anything working with a path on the filesystem and we tend to not treat them as being high priority, so they don't get fixed quickly

Red teamers (and attackers) know this
2/6

joshbressers,

So let's say one day the filesystems stop supporting .. what happens? Anything that relies on using .. would break, seems simple enough, use the absolute path, no big deal!

How many times do you type 'cd ..' in a day? There's probably plenty of other times we rely on .. but we don't think about it.

And best of all, as soon as an idea like this would be officially suggested the "don't break backwards compatibility" people will come out of the woodwork.
3/6

joshbressers,

The conversation will go something like this

A: "If you stop supporting .. I'm going to have to rewrite all my software!"

B: "I'm happy to help, where are you doing path traversal in this code?"

A: "That's not the point, THIS WILL BREAK EVERYTHING!!!"

B: "Do you know if you're even using path traversal at all?"

A: "DOOOOOOMMMMMMMMMM"
4/6

joshbressers,

There's another aspect of path traversal that mirrors memory safety problems.

Let's say you write your application to only ever use absolute paths. Due to the nature of how paths work, if an adversary can insert .. into your absolute paths, you have a vulnerability.

Memory safety bugs work like this also. You can do everything 100% right, and still end up with a buffer overflow in the code.
5/6

joshbressers,

So what's the point of all this? I think there's value in thinking about some of these problems differently. I don't think we'll get rid of path traversal or memory safety bugs anytime soon. There's just too much infrastructure that relies on these outdated systems.

That statement doesn't give anyone a free pass, what I really mean is assuming we can't easily or quickly get rid of memory safety bugs, or path traversal, what other things can we do? How can we discuss and think about these problems?

Shouting "STOP USING C" isn't a solution
6/6
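The point made in part 5 of the thread, that an absolute base path does not protect you once an attacker can get `..` into the joined path, is easy to see in code. The following is an added example, not code from the thread or from any project it mentions; the base directory `/srv/app/uploads` and the request paths are constructed for illustration. It shows the naive "prefix an absolute directory" approach escaping the directory, and the check a practitioner would actually want: normalise, then verify containment, rather than trying to ban the `..` string (which would also reject harmless internal uses like `reports/../other.txt`).

```python
import posixpath

# Assumed application document root (constructed for this example).
BASE_DIR = "/srv/app/uploads"


def naive_path(user_path: str) -> str:
    """Vulnerable: joins user input onto an absolute base directory.

    Using an absolute base is not a defence by itself: '..' segments in the
    user-controlled part are resolved by the filesystem and climb out of it.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def is_inside_base(path: str, base: str = BASE_DIR) -> bool:
    """True if 'path' is 'base' itself or lives underneath it.

    The trailing '/' matters: without it, '/srv/app/uploads-old/x' would
    wrongly pass a plain startswith() check against '/srv/app/uploads'.
    """
    return path == base or path.startswith(base + "/")


def safe_path(user_path: str) -> str:
    """Hardened: normalise first, then enforce containment.

    Rejecting absolute input up front stops posixpath.join() from discarding
    the base entirely (join('/a', '/etc/passwd') == '/etc/passwd').
    Internal '..' that stays inside BASE_DIR is allowed, so the check is on
    the resulting location, not on the presence of the string '..'.
    """
    if user_path.startswith("/"):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if not is_inside_base(candidate):
        raise ValueError(f"path traversal rejected: {user_path!r}")
    return candidate


def classify(requests: list[str]) -> dict[str, str]:
    """Run a batch of request paths through safe_path() and record the verdict."""
    verdicts = {}
    for req in requests:
        try:
            verdicts[req] = "allowed -> " + safe_path(req)
        except ValueError as exc:
            verdicts[req] = "blocked: " + str(exc)
    return verdicts


if __name__ == "__main__":
    # Constructed sample requests, as an attacker or a legitimate client might send them.
    samples = [
        "reports/2024/q1.pdf",
        "reports/../other.txt",
        "../../../etc/passwd",
        "/etc/passwd",
    ]
    for req, verdict in classify(samples).items():
        print(f"naive={naive_path(req):35} {verdict}")
```

Note that `posixpath.normpath()` is purely lexical; it does not follow symlinks. If `BASE_DIR` can contain symlinks that point elsewhere, resolve both sides with `os.path.realpath()` against the live filesystem before the containment check, otherwise a link inside the directory is another way out of it.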

joshbressers,

@mjg59 Holy cow epic!

joshbressers, to random

I can't tell if it's already Wednesday, or only Wednesday

kurtseifried, to random

Do you know who is to blame for bad passwords in the 23andme hack? Find out with @joshbressers and me on the #osspodcast https://opensourcesecurity.io/2024/01/21/episode-412-blame-the-users-for-bad-passwords/ TL;DR: It's complicated.

joshbressers,

@carol @kurtseifried It did seem like a word not safe for work :)

I imagine all the Australians working on Crocodile Dundee 2 knew about this and were like "nobody tell them!"

joshbressers,

@conductiveinsulation @kurtseifried Agreed!

I wish my car would just turn on the light anytime the car is on
