joshbressers

jacob, 4 months ago to random

“We believe that open source should be sustainable and open source maintainers should get paid!”

Maintainer: introduces commercial features
“Not like that”

Maintainer: works for a large tech co
“Not like that”

Maintainer: takes investment
“Not like that”

joshbressers, 11 months ago to random

For anyone who lacks the advanced level of age I mean experience some of us have, you should read this Wikipedia page on Embrace, Extend, and Extinguish

I guarantee this is the goal of Meta joining the fediverse

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguish

joshbressers, 8 months ago to random

I fixed the XKCD open source cartoon to be more accurate

rolle, 4 months ago (edited 1 month ago) to Eurovision

Windows95man won UMK and will represent Finland at Eurovision 2024. Congrats.

#umk #umk2024 #umk24 #euroviisut #eurovision #eurovision2024 #Windows95Man

joshbressers, 1 year ago to random

Yes OneDrive, I know I'm not logged in

No, I don't want to

Yes, I'm sure

Very sure

...

I SEE YOU OVER THERE EDGE, DON'T EVEN THINK ABOUT IT

joshbressers, 5 months ago to github

I was in a meeting today and I realized something profound

We are currently in a post #CVE world

That probably don’t make sense to a lot of people, and I need to think about it more

But here’s the basics of it

The CVE data is so comically bad, nobody actually doing #vulnerability work can use it. The ID is all we use. We have to look in other databases and collect or own facts

Automated tools rely on sources like #GitHub, #GitLab, and #OSV. Other than the ID, CVE doesn’t really matter anymore

joshbressers, 6 months ago to random

A lot of folks are going to have a bad time with this

https://nvd.nist.gov/vuln/detail/CVE-2023-45853

It’s a critical #CVE in zlib

Except it’s not critical

And doesn’t affect zlib

The whole CVE system is too broken to fix

joshbressers, 4 months ago to random

Allowing '..' (dot dot) in a path was a mistake and removing it would solve more security problems than using memory safe languages

Now that I have your attention

In security we keep hearing about memory safety and how we just need to stop using C and how it fill fix a lot of problems

This is true, but next time read about getting rid of C, I want you to think about removing .. from being supported. It's an easier problem to wrap our heads around, possibly more useful, and probably easier to do

I'll explain why below
1/6

joshbressers, 4 months ago to random

I'm not sure anything will ever disappoint me more than learning there was no toothbrush botnet

joshbressers, 6 months ago to random

I’m starting to suspect 2024 will be the year we are introduced to the ten hour unskippable ad

joshbressers, 6 months ago to random

The fact that WhatsApp is considered one of the top secure messengers is all you need to know about the state of secure messaging apps

Please support @signalapp
It's important

joshbressers, 11 months ago to security

OK gang. I'm looking for some new #security #podcast

By new I don't mean "send me a list of the top 50 security podcasts you listen to"

I want NEW, like less than a year old type of new

It's nearly impossible to find new podcasts now, especially niche topics like security

#cybersecurity

joshbressers, 8 months ago to random

It’s now an almost certainty that 2023 will be the worst year for 0day vulnerabilities ever

Until 2024

joshbressers, 7 months ago to random

Something I think about a lot is how we deal with #vulnerabilities

If you're in this space, you understand the data is terrible, everyone is doing their best and we can't keep up

This week a site called !CVE popped up
https://notcve.org/

It's certainly a stunt, but it also shows one of the many problems our current data has, lots of things that should get IDs don't

I like to poke at data and I have a graph that I think helps how the state of things. This graph is the number of cumulative CVE IDs over time vs the number of PyPI packages over time

I picked PyPI because the scale is reasonable. If I use NPM you can't even see the CVE graph

The reality is the whole software universe (especially open source) is growing exponentially while our vulnerability data is not

If it was growing exponentially it would crush us all today because we already can't keep up because the data is terrible and unactionable

While I am fairly certain CVE can't be fixed, the solution isn't more IDs, it's better data. More IDs will be the result of better data

joshbressers, 9 months ago to random

I've been working on a response to the Whitehouse RFI on open source security, and I feel like there's a trend starting to emerge

There are foundations, companies, universities, governments, think tanks ... It feels like everyone is trying to do something to fix open source security

And it also feels like nobody is talking to the open source developers. The people who are actually doing the work

This goes back to @Di4na "I am not a supplier" blog post I think

I'm also starting to wonder if this is turning into "YOU SHOULD BE GRATEFUL FOR THE SCRAPS I'M GIVING YOU!"

joshbressers, 6 months ago to random

joshbressers, 1 year ago to random

There's been something bugging me about a lot of conference talks lately. They feel like research projects being dressed up as product ideas

I finally found a way to write this down without just using a very long string of obscenities

https://opensourcesecurity.io/2023/06/06/rocket-ships-and-radishes/

joshbressers, 7 months ago to random

This time on @CypherCon #HackerHistory we talk to @CmdrTaco about his early days

We hear about his college days that led up to the creation of Slashdot, and some awesome stories from those early days of tech

It was a very different time and an absolutely fantastic story!

https://hackerhistory.com/podcast/the-history-of-rob-cmdrtaco-malda/

joshbressers, 5 months ago to random

Only one more day until year of the linux desktop!!!

joshbressers, 8 months ago to Cybersecurity

This #cybersecurity awareness month you should buy everyone in your family a FIDO2 token

One is fine because they’re just going to put it in a drawer and never use it

But at least you can say you tried

joshbressers, 6 months ago to random

The word "Christmas" is said one time in the movie #Hackers

I think this qualifies it as a Christmas movie

joshbressers, 6 months ago to random

I'm pretty sure some of this supply chain security guidance is just a smart person making up a problem that doesn't exist then solving it in a the most out of touch way possible

joshbressers, 5 months ago to random

Did you ever wonder where all the young #hackers are?

They make video game videos on YouTube now. And they’re smarter than you can imagine

https://youtu.be/5HSjJU562e8?si=NzicPSCjmggPIPw-

kurtseifried, 5 months ago (edited 5 months ago) to random

Also I forgot the content warning, this holiday spectacular episode gets kind of real, especially around healthcare and houselessness/unhoused people and a bunch of other topics.

What happens when Santa uses AI to manage the naughty and nice list? As we all learned from "The good place" the points based system no longer works. Find out on the #osspodcast with @joshbressers at https://opensourcesecurity.io/2023/12/17/episode-407-should_santa-use-ai/ Also are elves people? What species are they? Are Santa's elves aquatic elves? Does everyone live on top of water? What about volcanoes? Also what's the maintenance cycle like for Santas sleigh? Is there a log book for this somewhere?