Posts by joshbressers@infosec.exchange
(DIR) Post #Asr5eFdd5QiQPJ1UnY by joshbressers@infosec.exchange
2025-04-07T13:37:46Z
0 likes, 1 repeats
This episode of #OpenSourceSecurity talks to @predrag about cargo-semver-checks
it's a #Rust tool that can help you figure out if you broke #semver, it's pretty awesome
We also touch on the difficulty of detecting breaking changes, sustainable open source, and what's to come for semver checking
It's a fun chat and you'll learn a lot
https://opensourcesecurity.io/2025/2025-04-cargo-semver-checks-predrag-gruevski/
(DIR) Post #At8n7CThVvVMiikS36 by joshbressers@infosec.exchange
2025-04-15T19:17:14Z
0 likes, 1 repeats
There's a discord server a bunch of vulnerability nerds hang out in I run. We'll be talking about what's happening with #CVE for the foreseeable future (good, bad, and ugly)
Everyone is welcome to join, feel free to lurk, ask questions, or suggest ideas
https://discord.gg/gSCrXxMuPx
(DIR) Post #AwaoMp7JaghuPwjpdg by joshbressers@infosec.exchange
2025-07-28T12:52:11Z
0 likes, 0 repeats
I'm starting to think any random number generator that doesn't generate cryptographically secure values is a security vulnerability
(DIR) Post #AwauQQcLDlFlJhLvXs by joshbressers@infosec.exchange
2025-07-28T14:06:26Z
0 likes, 0 repeats
@simplenomad Yeah, I get that, but there's also a difference between the current default RNG vs "this isn't the worst thing we could think of" :)
(DIR) Post #AxTSswRWIT75kkzNuS by joshbressers@infosec.exchange
2025-08-23T20:38:10Z
0 likes, 0 repeats
While thinking about a C programming problem this morning, my brain filled in
Chekhov's Footgun
I feel like there are many layers to this one
(DIR) Post #AxcRPc7gPpvanonksy by joshbressers@infosec.exchange
2025-08-28T01:38:32Z
1 likes, 1 repeats
The Register wrote a story about a single maintainer open source project, I think it's shameful and upsetting. So I wrote a blog post about it
An absolutely ridiculous amount of open source is one person projects. I have the data to prove it
https://opensourcesecurity.io/2025/08-oss-one-person/
(DIR) Post #AzFxrdTijyfmG6wrXU by joshbressers@infosec.exchange
2025-10-08T23:44:08Z
2 likes, 1 repeats
OK open source security nerds, I need your help
I have a podcast youtube show thing called Open Source Security
https://opensourcesecurity.io/
I'm always looking for guests. Back when I changed formats in January I had a pretty large list of people sent to me as suggestions. I've made it through the list (it took me 10 months)
If you know someone (or are someone) doing open source security work I would love a suggestion. DMs are open and there are other contact things on the website
I especially like guests who are unsung heroes
(DIR) Post #AznpT8jPJDNQousyUy by joshbressers@infosec.exchange
2025-11-01T13:18:21Z
0 likes, 0 repeats
@kyle @whack My folks used to have a cabin in the woods. I would buy tons of extra things "just in case" and return whatever was unused
I still always ended up making at least 2 extra trips :)
(DIR) Post #B1JFZi8HLBVzcHCQKG by joshbressers@infosec.exchange
2025-12-16T14:53:13Z
0 likes, 0 repeats
If there was an editor called "vimacs" how would it work?
(DIR) Post #B2aR0PNiHUQLWKo6Wu by joshbressers@infosec.exchange
2026-01-20T00:48:56Z
1 likes, 0 repeats
I am a prompt engineer
I almost never show up late to things
(DIR) Post #B2s0djkkzRTrObwHMe by joshbressers@infosec.exchange
2026-02-01T00:35:52Z
1 likes, 0 repeats
Everything you’re hearing about AI is completely true and not at all made up by sycophants
The only thing that is real is your FOMO
Also ducks. Ducks are real
(DIR) Post #B33krmIR42gPy4stO4 by joshbressers@infosec.exchange
2026-02-06T21:31:25Z
0 likes, 0 repeats
@briankrebs It's always been hard for humans to find security bugs in code, generally we had to focus on one specific area at a time
But the real challenge has always been writing and testing the patches, this is even harder than finding the vulns in many cases
We will of course see claims to "just use an LLM to write the patch", but I've not seen any evidence showing that's realistic yet (there might be something I've missed, goodness knows this space is hard to follow everything)
(DIR) Post #B3BJhm87gVdz3gkJbk by joshbressers@infosec.exchange
2026-02-10T13:36:13Z
0 likes, 0 repeats
I keep seeing stories about LLMs finding vulnerabilities. Finding vulnerabilities was never the hard part, the hard part is coordinating the disclosure
It looks like LLMs can find vulnerabilities at an alarming pace. Humans aren't great at this sort of thing, it's hard to wade through huge codebases, but there are people who have a talent for vulnerability hunting.
This sort of reminds me of the early days of fuzzing. I remember fuzzing libraries and just giving up because they found too many things to actually handle. Eventually things got better and fuzzing became a lot harder. This will probably happen here too, but it will take years.
What about this coordinating thing?
When you find a security vulnerability, you don't open a bug and move on. You're expected to handle it differently. Even before you report it, you need at a minimum a good reproducer and explanation of the problem. It's also polite to write a patch. These steps are difficult, maybe LLMs can help, we shall see.
Then you contact a project, every project will have a slightly different way they like to have security vulnerabilities reported. You present your evidence and see what happens. It's very common for some discussion to ensue and patch ideas to evolve. This can take days or even weeks. Per vulnerability.
So when you hear about some service finding hundreds of vulnerabilities with their super new AI security tool, that's impressive, but the actually impressive part is if they are coordinating the findings. Because the tool probably took an hour or two but the coordination is going to take 10 to 100 times that much time.
(DIR) Post #B4UdlilyviDMPgRhNQ by joshbressers@infosec.exchange
2026-03-21T20:28:19Z
0 likes, 0 repeats
@simplenomad @jerry I just make all my prompts end with “and be sure you make it secure” and everything is fine
(DIR) Post #B4WM7UKtsOg19Nvbm4 by joshbressers@infosec.exchange
2026-03-22T16:19:58Z
0 likes, 0 repeats
@simplenomad @jerry it’s amusing to me that LLMs are better than the average security bug hunter
But they also can’t write secure code
(DIR) Post #B5BoCCw8l2QUpgk6RE by joshbressers@infosec.exchange
2026-04-11T16:02:04Z
0 likes, 0 repeats
I wrote a blog post
Open source was never about trust
https://opensourcesecurity.io/2026/04-never-about-trust/
There's been a lot of really crazy events happening around open source for the last few months. But it's probably all going to be OK
(DIR) Post #B5CEAR5vkHsCyJ8b8C by joshbressers@infosec.exchange
2026-04-11T21:08:43Z
0 likes, 0 repeats
@kyle I'm not very optimistic the existing foundations want to do this
What you describe is a very new and different model from how any foundations work today. I don't think any of them have the fortitude or foresight
(DIR) Post #B5ZXfaYuxjf74oLJtg by joshbressers@infosec.exchange
2026-04-22T17:50:16Z
2 likes, 0 repeats
The year is 2050. The Onion is the only news company left
They have been printing true stories for over ten years, but everyone thinks it's still parody
(DIR) Post #B5rP2IWUnNsn31F5Qe by joshbressers@infosec.exchange
2026-05-01T01:43:00Z
0 likes, 0 repeats
@Viss @wdormann every AI vulnerability company wants to find something juicy, and have no idea how to coordinate the findings
(DIR) Post #B5ul478MtMX4ln6keO by joshbressers@infosec.exchange
2026-05-03T00:58:51Z
0 likes, 0 repeats
@gregkh @wdormann @Viss This post got into my head. I think you're right, the days of coordination are over
So I wrote it down
https://opensourcesecurity.io/2026/05-vulnerability-economics/