From YouTube: End Users Working Group (January 5, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
B
So, first week of the year and we already got a breach reported publicly. Is that the case? What is that, with CircleCI?
A
As per usual, if people could go in there and update themselves on the Rusty dock, I appreciate it.

Just keep the same doc, I guess, because then we can have some sort of follow-up from the previous meeting. Singers, hey Brian.

We're coming in now, so yep. If my Lego game... oh wow, wow, that's Lego!

Everyone, so if people can jump into the notes and update themselves, that'd be great. Let me just forward it to everyone, and we have a hat if normality has been restored.
A
All right, so the agenda is fairly light today, as we're just starting out, but I think it's good to pick up from a lot of the things that we've been talking about last year, because I want to make some pretty... I think we can make some expedited progress now; it's been a lot of getting things set up.

All right, so anyone, any offers on a scribe? Phenomenal, Van, as always, appreciate that, very cool. Any new people joining this week?
A
Nope, so let's move right on. So the main update for me on the agenda, there is the updating of the proposals. We have two. If we remember from last time, I'd had a conversation with a number of people at the TAC to ensure that we could formally propose them.

We are on the agenda for the 10th, which is the next TAC, which is next week, Wednesday I think, so we should be good to go, and at the TAC I'll join and represent and go through the proposals. I think we've gone through them enough times, I think they're in good shape. Certainly socialized it enough. Would welcome other support if people would like to join the TAC and also contribute.

That would be fantastic, but I think that's kind of the pivot point where hopefully we get some traction there, and then we can go off and implement those proposals we put together as a group. So looking forward to that. Any feedback on that? Anyone want to come... I think we need to add additional things?
A
Next one was an action that I think I took. Unfortunately, I think with the end of the year, I wasn't sure if someone else was taking those, or differently, but either way it hasn't been set up. So I'll take the blame for that, but we're going to set up a call with different groups to discuss the repository of threats that we've been discussing.

I'd raised it I think two meetings ago, and the idea, just to refresh people's memories, was basically a repository where we collate threats that have been in the supply chain, attacks that have been identified, collect any material we can, whether that's source code, binaries, metadata and such, and then provide that as a way of analyzing what we're experiencing in the industry. We can then feed that into validating our taxonomy and our threat models and also do some additional analysis as well.

It turned out multiple different groups had already thought about that, I think, the prime one being the Securing Software Repositories group, and, correct, yep, yep, and I think Jacques you'd also talked to a couple of other people there and elsewhere. We were interested in this group.
H
I'm not aware of a specific purpose reading for it. At the last Securing Software Repos call, we talked about it again. I sort of brought back that End Users is thinking about it, as well as I think Identifying Security Threats is thinking about it in a different form, and I think Zach Newman suggested... we had some academics on the call, I think from North Carolina, and he sort of, you know, hint hint, said this would be, like, setting the infrastructure up would be a great project for a grad student, because, you know, then they get the credit for creating the data set and they can be very citable, so a good way to get some cheap labor.
A
Cool, all right, so action on John to really do it this time and set up a meeting. I think I'll go for the next week or the week after to get people together, because I think we've talked about this a couple of different ways. I really do think there's some benefit in doing that. All right, I will do that. Next point we had was the suggested deliverables from the last meeting. I just want to validate those, just so we kind of set ourselves up.

Maybe for this group, and I think we should have an open conversation about what are the deliverables we think we should progress with, if there's ones that we didn't think through last year, right, but the ones that I believe I noted down was: finish the architectures work.

And this refers to the work... was really our proposal, which was to set aside multiple architectures for, not really small, medium and large, but multiple; I could just maybe one regulatory end user, one end user that doesn't actually create software; define an architecture for what that looks like, threat model that architecture and then align that to our taxonomy. So we need to continue with our work, and I think at the moment, I think it's fair to say...
G
Yeah, just to say that I didn't make any progress in the last months, also due to vacation, but yeah, I will be happy continuing this work and would welcome anybody joining this, of course.
A
Absolutely, same, right, so that's that one. I think that, as the proposal gets agreed, we can really put a foot down on that one. The other one was an idea around a space for others to share experiences and how they're securing their supply chain, leveraging SBOMs, or how they're thinking about this problem. I think Jacques you proposed that one, if I...
H
Possibly, I'm just waiting for the fog of the holiday to clear and tell me whether or not I did that. Yes, oh yes, yes, now I remember. It was by analogy to the CNCF End User working group, where one thing they do very regularly is folks will share their experiences of using CNCF technology, so people will come in and do a talk about Prometheus and how they use it.

You know, their experiences with this and that, so that would be useful for end users to come in and say we tried using SLSA provenance attestations and we had these obstacles, and people can ask questions or say: oh, it worked really well. I see that it's easier than I thought, we should try it.
A
Maybe we can reach out to a couple of industries or enterprises that we know are focusing on this and see if they'll give a presentation back to this group. I know a couple. Dan, you've got your hand up, you know, further ideas?
E
Effectively, you know, where somebody can come in and talk about their... I don't... is it? Are we interested in that level of sharing, or are we more interested in the sharing from enterprises to this group, or what, yeah.

Them, to what level of public are... you know, like I always try and err towards things being more public, but I know in some cases there could be sensitivity, where some enterprises may not feel... some people in enterprises may not feel empowered, or may not be empowered, to speak publicly, whereas they may be empowered to speak, you know, to a smaller group.
A
Yep, it's got my vote. Andrew, one thing I was thinking was check marks, you're right, I think they're doing some great innovation, but also getting industry, literally an end user, to come and present and say look, this is what we've done to suppliers, this is how we're using SBOMs, and see if we can collect some data on that. I like the idea of the office hours, I guess it's...

If we get the best practices and we understand how we as a group recommend people address supply chain issues, as we mature I guess we could suddenly provide some more of that data, even as it stands to be, I think. Certainly, we've got a lot of experts on this group that could provide some feedback to those individuals as it stands. Right, can I ask how people got participation in that sort of office hours in the other group? Does anyone know? I could take an action to go talk to Marta, I think she's heading up some of the efforts.
A
That'd be cool, because I think we also mentioned outreach. Part of the work we wanted to do was outreach, and I think this nicely fits into that, right.

All right, pretty cool, just flipping the order around a little bit. The other piece of outreach I think we had discussed was a feedback loop with auditors. I think the word auditor was used.
H
Was me, because I'd heard an anecdote that auditors were already starting to ask questions about SBOMs, and so, yeah, like it would be good if we talked to auditors, rather than the feedback loop with auditors being: it takes a while for the auditors to pick up on the stuff, and then they show up, and it turns out we had a very different idea of how the technologies were meant to be applied, right.
A
Yep, I think this, so again, more outreach. Does anyone have any connections with the auditor community, or the communities you were thinking about, Jacques?
D
Auditors, are we including commercial third-party certifications? Because those folks are always happy to find new things to tell everyone else to certify, but I'm not sure we want them until we know exactly what we're looking for, yeah.
H
It was more so... my concern was that, like the anecdote, and it's been a little while since I heard it so it's fuzzy, but the anecdote was that some auditors had already started showing up at places and saying, well, where are your SBOMs? And this sort of suggests, it suggests the possibility that the things that we're concerned about and the technologies we want to promote, we want to make sure that we have a common understanding with the folks who will be relied on to set the standard.

We don't want them to sort of fly off in a direction where it's very onerous but not effective, right, like we've all seen that.
D
As the guy who's busy working with the FAR team, you're very much on the same team, but oh gosh, yeah, you're wrong very quickly. Thanks.
E
Yeah, just to say, I have heard this in the context of PCI compliance, where some company that is doing the PCI, you know, like working to establish whether or not somebody is PCI compliant, sends them a bunch of questionnaires, or, you know, questions, and one of them being, you know, I haven't... either, that's SBOMs, right, and so that raised a red flag to me, because... not necessarily a red flag.

Maybe it is the right thing, no, but it struck me that the question that came to mind was obviously: is this being asked out of the knowledge of what's going on, because there was an executive order about it, because SBOMs are hot, right, basically, so I do think this is important.
A
Jason, can you go on mute, I think there's background noise coming from you.

Thank you. What are we already... leaving that as a placeholder for now, or does someone want to take the lead on trying to address that one? It seems to me we've got leads for the others; at the moment we haven't really got, and you want to go after that one, which I think could be fine.

Maybe I'll just leave it on the list for now and come back. We also had an end user guide for SBOM creation and usage. Alan, with you on the call, is there an end user SBOM guide in the works from one of the groups that you're working with, or do you need assistance?
D
This is an NSA-driven public-private partnership that has done some work on SBOM from a downstream consumer perspective, but it's very high level and really focuses on the things that NSA corporate partners spend their time thinking about. I'll paste the link in the chat, because, while I nominally signed off on it for my agency, it's not great. The high-level challenge around SBOM consumption discussions is, today, no one has piles of SBOMs sitting around for their organization, with a few exceptions, and so we don't really have lots and lots of tools, or indeed standard operating procedures. So I think anyone who wants to start that and say, here's a broad space, we're going to focus on this chunk, would be very, very helpful, and I can sort of loop you in on different pieces. So I put further down on the agenda, if we have time to talk about it: if you were a consumer of a cloud application, what do you want from your service provider? And, right, the difference between saying I need an SBOM versus I need you to show... I need you to attest to me who have an SBOM, things like that. So all of that is to say, we don't have anything immediate, but we should be.

It is tricky if we set out a very ambitious plan, because it is my firm hope that in 18 months SBOMs will be integrated into standard vuln management software. Today it isn't, and so what kind of guidance do we want to write if we're hoping that the world looks different in their new tools? So that's... oh, I'll pause there.
I
But I know that I helped them stage a diagram of, like, the universe of SBOM tools that they were going to kind of go through. So this may be a use case they're interested in working on, or have something possibly, and who knows.
A
I think, maybe anecdotally, within the group we can probably start to collate experience on what people are doing with SBOMs and how they're leveraging it for vulnerability management, or what are the other use cases. I mean, it kind of seems to me that that's the tool and some of the usages we're getting out of that capability, and we also have the major problem for a supply chain, and that's how we're looking at the threat model, the different attacks, the taxonomy, and then you can connect: well, this is what's going on, this is what we're getting attacked with, and this particular area is where we're using our SBOMs to mitigate some of those controls, and maybe it gets connected that way, but I think, yeah, as part of documentation and evidence. That's something I'm sure we can look at. Any other major pieces of work we think, as a group, any deliverables for the next short time? I've added one in the chat, but I don't wanna take all the air.

All right, in the absence of anything else, I will take on one, and then I'll start to, you know, please chip in, but one of the things that I wanted to do was really raise the awareness from an end user perspective on this, the increasing supply chain threat and the increasing amount of malicious packages and software that we're seeing out there now, and raising awareness that, as end users, we can and should do something about it.

Now, you know, we're talking about how we can secure our CI/CD pipelines, which is fantastic; we're talking about how we can distribute SBOMs and understand the components within other vendor software, which is fantastic; and how we do vulnerability management, which is also fantastic; but we're getting hammered with malicious software now, or it's really starting to step up, and I don't see many people literally looking at ingestion and preventing it from getting into different enterprises. Anyone seen that? I mean, that's something that I've got a bit of a bug in my ear on, that I'm going to focus on, or I'd like to suggest we focus on.
E
What do you mean by looking at? I mean, because this is kind of like one of the areas that Snyk has, like, you know, lots of product space in. I don't know, I'm not advertising, but you know, like, definitely that scenario, like, I...
A
Right, so it's more raising awareness that it's not just the vulnerable software, it's literally the malicious software that's coming in, and there's a difference between malicious and vulnerable.
H
I have a diagram that I used when we were standing up our strategy at Shopify, where I basically showed, you know, like three boxes, and there's production, and then there's, like, software that's accidentally vulnerable and software that's deliberately vulnerable, and I said all of our systems are currently tuned to the accidentally vulnerable, but the deliberately vulnerable is something we need to think about.

So, yes, I think that's a useful distinction. That's what's sort of led to all the work that we've been doing focused in the Ruby ecosystem, obviously, because that's our bread and butter. Yeah, I think I want to sort of, like, grasp at what, or try to understand where you're driving at, Jonathan, like: is it that you're thinking about the problem of raising awareness that this can happen and that you need to prepare for it, or is it around specific countermeasures?
A
It's definitely, well, it's both obviously, but I think raising awareness to start with, because when I talk to other end users, whether I talk to, even if within the OpenSSF or different conferences, people just don't seem to be that aware of that as a problem. People are more looking at hardening a CI, or asking people for SBOMs, or looking at vulnerabilities in software; they're not looking at the malicious software that you and I are looking at, Jacques, and perhaps people in school are looking at.

It really isn't on it, surprisingly; not... but doesn't seem to be on as many, right, or as I thought it would be, and I'm seeing, you know, with some of the reports, I mean from the Sonatype report, you can see the increase in the amount of malicious software, but I'm just concerned that it's not being discussed, for some reason. Might get there for you. It's not been discussed as widely as it should be.
H
So yeah, that's interesting, because, I'm sorry, I'll just quickly finish, it's interesting. I think, yes, I obviously have a biased view and I hadn't thought of it from that perspective. You know, everyone in my universe knows about it, but I'm in a universe. That's why we have an end users group, right.
B
So John, on that note, right, I mean that's the part of awareness, and then the other part would be kind of like towards a procurement process, right, and how that actually is consistently implemented across the company, right, because at the end of the day, some people would just bypass it, and yeah.
A
Yeah, absolutely, absolutely, but I think exactly your point. I know a lot of us know about that, and a lot of people I talk to in supply chain know that's the case, but when I talk to people, accidentally, I haven't looked at supply chain yet, they really don't see. Again, I might be in a different bubble, but they don't seem to notice it. Yeah, yeah, CRob, I think you were next.
I
Yeah, so I have four points, and I'll start with the one Daniel just echoed. First and foremost, we have a platform through the OpenSSF blog, that if we wanted to put something together, we have a great panel of experts here that have a lot of insight, both from the end user and the commercial tooling space; we potentially could put together a really nice kind of kickstart blog talking about the topic. Point 2, which relates to one of the items I put on the agenda: there is the OpenSSF North America conference call for papers that's open, another opportunity to raise awareness and get out and engage with the developer and consumer community would be going to conferences, so we might want to think about putting together a panel or education sessions for that conference. It'll be in Vancouver, British Columbia, in May, and I expect we'll get the Europe and Japan or APAC dates probably some time in the spring.

So if we do something for North America, we could essentially reuse that around the globe, potentially. A tactic I've used in other working groups is: this feels like something that would be a very useful best practices guide. So maybe we also, in concert with the blog and these other activities, put together a guide as a work product of this group, so maybe an initiative that this working group might want to adopt. And then, lastly, you know, once we have some actual guidance, the Education SIG is working on putting together a plan to kind of address developer and cyber security concerns. So this very definitely could be a module, or maybe it gets baked into part of the formal training. Maybe it becomes a podcast or a webinar that the Education SIG helps put out, so I think you have a lot of outputs.
K
Yeah, thanks, I wanted just to share a bit of reflection on this topic of the malware detection, malware packages. I think, at least from a scientific point of view, there started being a bit of interest on this topic, and people started proposing very cool and interesting works on these, and proposals about approaches, and I was wondering about the capabilities that we have so far, of what we have as malicious samples, because it could be just an impression, but I tend to see often malware samples or malicious packages that have somehow the same shape: somehow low-effort attacks with just basic obfuscation.

We are really capable to detect that, and so I think it's a pity to lose a bit of the big picture on that, and start the reasoning on the possible evasion techniques that attackers can exploit to evade the current approaches that have been proposed, or the current proposed solutions. Just that.
F
That last point I think you're right, and for that reason, when we built a model at Sonatype to detect these things, we took the approach not of trying to recognize the existing known malware, because it's constantly changing, but to try to build a model that could predict what is normal for projects, and we took a page from credit card fraud detection, in that, you know, where you can't always know where somebody's gonna shop, but you can tell it's not normal for Brian to be on a different continent and buy a bunch of TVs, like normal would be going to hotels.

You know, those kinds of things, and so we've pretty successfully built the model, understanding what's normal and then flagging the things that are abnormal. That's how we've chosen to do it, and the best use case that happened: we were launching this live, I didn't know how well it was going to work. We launched it at the same time that, I forget his name, the guy that was doing the dependency confusion research, the white hat stuff. In the summer he launched... he announced it like in February, March, something like that; the summer preceding that he was doing the work, and our system was flagging every single one of his white hat attacks before the world knew that that was a new type of attack, which was pretty awesome. So that's the approach that we've taken to do that. It's unfortunately not easy and requires massive amounts of data set to train the model on to be able to do so. I just figured I'd throw that out there.
K
Just a question on this point, because I mean it's also true that we also see, I think, two types of malicious packages: the one that only contains the malicious code, and the other one that, let's say, is a pure clone of an existing project and they have just a one-liner inside, and so to what extent, for example, then trying to track what is normal will detect, you know, just this needle in the haystack inside a big amount of code?
F
That required higher than normal version numbers. The system was ultimately recognizing, again before we knew a heuristic made sense here: projects don't start out publishing things with super high version numbers as their first release. That turns out that's an abnormal behavior, but now in 2023 it's easy to write a heuristic for that, because we recognize it. Why I think it's interesting is because the ML/AI told us this was interesting, you know, almost six months, nine months before that guy published his research.

Pretty infrequently are they the first ones to use a very unpopular dependency; turns out things like that tend to be hallmark works of somebody that buried their malware in a dependency and then somehow slipped it into a tree somewhere else, like that PyTorch thing, right; it's exactly those kinds of things, and so the problem is there's so many different ways that this cat and mouse game will play out; it's hard to know what the new thing they're going to do, but normal mature projects tend to have similar behaviors when they release, and so, if you use that as the baseline, then these things pop out. But to your point, that many of these projects are just like one-liners with the payload, I use that as evidence of why what Jonathan is talking about needs to happen: that the attacks are low sophistication because we're so terrible at blocking them as an industry, right.

They literally just win a typosquat, get it downloaded and run their back door, and, you know, when I talk about this with prospects, I remind them that, like okay, if you've built an application security portfolio around scanning things before you put it into production or you release it, you miss that this happened, and I like to relate it back to the 90s, when browsers were inherently vulnerable, because back then you go to a website, you get hacked, nobody paid attention and they just go whoops, that's not the site I meant, and they'd go to the right one, and in these instances that's exactly what's happening. The developers get the wrong thing, their build blows up, they figure out, oh, it's an underscore, not a dash, and they move on, and then the supply chain tools that weren't looking at what was happening in ingestion never see that this fact happened, because that bad component never got checked into source control, never ran through CI, so they're completely blind to it.
A
Yeah, look, this is great. I think there's the two parts, right: there's the one, which is let's raise awareness, and there's the two, which is figure out how to get even better at mitigating and identifying it, and, you know, I think the landscape's gonna... we can see the landscape changing a lot, actually quite quickly, where people are moving to different attack paths and attack approaches. At the moment, for the majority, perhaps thankfully, it's fairly basic low-level attacks, but, you know, as people get more aware of them, they will change and move. So I think there's a two-pronged approach there, but it sounds like there's a lot of interest in raising awareness on that, so that's definitely something I want to see as a group if we really push forwards on. So, great, it sounds like we've got the right people involved in that one, very good. So any other major deliverables? I mean there's quite a few that we've got up front at the moment. Should we leave it there? There's a couple... just want to take out a couple of actions from that already, right. So one action is for me to set up the group looking at the repository of threats, I'll take that one. Two is I'm going to take on the raising awareness of the different malicious attacks.

Were there any other actions that we pulled out of that sort of media? Oh, architectures, we need another working session on architectures as well.
J
Just a note on malicious packages, Feross has got... what's the name of his company? Do you, Brian, do you remember the name of Feross's company that he started to detect this sort of stuff?

All right, give me a second and I'll pull out his Twitter profile. So he's got a company that he's started around this basic idea of, like, flagging this on, you know, developer machines, that also flagging... it is checking that, like hey, this is probably a typosquat, or hey, this package is doing this weird thing in their pre-install script, or whatever, so, and, yeah, there we go. He is, oh, Socket Security, socket.dev.
A
Cool, so definitely two prongs, right. One is the raising awareness into the "how", and, if that's in the "how" section, nowhere that one particularly... oh well, I'll dig into that. Thanks a lot. Any other actions we had from the little session there? There's the architectures. We need a session on that. I'm looking like the next week or two to start moving forward with this stuff.
I
As a contributor to this group and as a TAC member, looking at the End Users git repo, I don't know what this group is about. So it might be awesome to start to complete this and get this in order, so that members and prospective members can see what we're doing and potentially get collaborating on some of these awesome ideas.
A
Great, cool, CRob, we actually had Mitch who's doing that for us. Mitch doesn't seem to be on the call right now. I will reach back out to him and see if he can.
J
I think this is in relation to CRob's question: what is the scope of the end users? Like, I guess end users is a very large term. Is it end users of software, or is it end users of, like, the software when it gets shipped and delivered to, like, your, you know, true end users that are, like, you know, normal people that don't know anything about software at all?
A
Yeah, I think we do have a charter that's on the top of our Slack group, with the missions and goals, and the missions and goals, I think, does speak to that from a scope perspective, Jonathan, but I think, to try and recall what it's at: it's basically not the end user in terms of someone actually holding a phone that has software within it, but, you know, kind of at the sort of enterprise level, or someone creating something and selling something, like a hospital maybe, or a company building things.

Okay, now down to any other notes from working groups. This is the standing entry we have that we go through each time. Now, the reality is I think most people are going to have been away about the Christmas vacation, but is there any... I think from the notes that looks like it was, you know, I copied from the previous one, but any additional notes from any user groups since we last met?
I
I added a couple things in addition to the call for papers, which I strongly encourage this group to put some things together for. On the Vulnerability Disclosures working group: it is working on a CVD guide for OSS consumers. We've mentioned it here before, but I'll be setting up a Doodle to try to find a time to collaborate. So if anyone's interested, I will also tag this working group's mailing list when I get the Doodle set up, so please feel free to contribute to that.

The Vulnerability Disclosures working group also put forth an open source security incident response team plan. It is now sitting with the TAC for review. This is creating a dedicated group of upstream security people that help open source maintainers on coordinating vulnerabilities. So if this group has any requirements of how they think end users would like to benefit from such a team, you can get that information to me or put a comment on that issue.

So if anyone's interested in either contributing or ingesting the output of those things, you know, keep an eye on those issues. And then finally, the Diagrammer Society has created several pictures of how the foundation is laid out and all the different activities. Most recently we've been working with a mind map format, and there's actually the issue... one actually has the attachment to the mind map file. So if anyone's curious, you can open that up and kind of see the breadth of activities that are currently going on throughout the foundation.

We're going to be sharing that with the TAC and starting to, you know, help make some strategic choices for the foundation based off of some of this output. So that's a nice group to keep an eye on. Any questions on those topics?
I
Especially with the international constituents we have participating, that, like the Diagrammers group, we have some people... we ended up with a California-friendly time, but I'm setting up calls with all my working groups to do, like, APAC-friendly times, and we're going to try to shove the actual standing calls to a more European-friendly time, just so we can kind of capture more contributions. But you'll see that across the foundation, folks trying to adjust, but it's challenging when you're a global organization.
A
D
I think I already touched off of it, yeah. Cloud side of things, we don't really know or have a good global vision of what SBOM means for services or cloud, defined broadly. If that's on anyone's radar, would love your thoughts and input.
D
We have a few end users from the healthcare space, but having some folks from here would be helpful, and John, I'll follow up with you about getting some votes from FS-ISAC involved as well. Great.
D
Yes, the challenge is, of course, those organizations are very complicated in how they approach U.S. government level things. That's one, two. We're trying to draw three distinctions.
D
One is just software dependencies, right? Here's a component, it's in there. How do we think about that? And even that's hard, because you've got infrastructure as code, you've got microservices, you've got dynamically generated code. So we want to start out by at least saying: this part is easy, this part is tricky. Two.
D
Then we have a desire to have greater transparency in the full stack, and this, of course, is going to raise a lot of red flags for the people that are delivering all of the infrastructure. And by the way, if anyone has had to sit through the true hell that is FedRAMP, that's something that is slightly worked on as well.
D
The last piece that may be of interest is the idea that, hey, if it's a service, I may worry not just about the component dependencies but third-party services that my service is using, or that some of the contracts are, so, right: I use Chrome service, Chrome service in turn uses Brian's service. Can I get visibility about that? Because it might be sensitive data. I may worry about the political jurisdiction that Brian's in, right? There's a lot of things, to the best of my knowledge.
D
So that's going to be one of the bigger picture things that we're gonna be trying to tackle, but I don't know of anyone who's got anything that looks remotely like a scalable solution today. So didn't mean to take up too much time, but those are the different moving pieces. I want to start with a, and that's the plan for this year, is to sort of start with a five-pager saying: what does SBOM mean? This is the stuff that ports easily.
D
This is the stuff that we need to sort of think through, and, but we don't know. We all agree that we don't know how to do this today.
D
Is the Wednesday meeting at three to four Eastern? I'll paste a link to a Google Doc that has the notes from it, and if anyone wants to learn more, please, I will, SBOM at ciso.dhs.gov is the easiest to make sure you're on my mailing lists. Oops! Sorry, thank you.
A
E
Yeah, it's just something that came across my desk, so to speak, over the holidays, and I just thought it would be interesting to raise here. I've included two links. One is a link to a post which links to a blog post, which is from an open source maintainer who's talking about "I'm not a supplier", and how they don't really see themselves as a supplier. They don't really like, and they don't really agree with, that nomenclature. The whole, the whole.
E
You know, framework of ideas that's around the idea of software supply chain, and by extension SBOMs. Like, we built a kind of conceptual framework around the idea of software supply chain. SBOM is one example where we're using the terminology of economics and supply chain as a way to communicate how software dependencies work to people that may not be familiar with how open source software dependencies work, and it's great, and it really does. We've all latched onto it. It's really great. Here's.
E
E
Upstream, who's using my thing? There's no contractual arrangement here. So, like, and then that twigged a memory, right, from earlier this year when Daniel Stenberg, who's somebody who is the maintainer of a very well-known package, the curl open source package, got hit by letters from the procurement team of some Fortune 500 company that said, you know, like: can you immediately tell me within the next 24 hours if your code has log4j in it, and blah blah blah. It's all documented in the blog post that he wrote in January, which is great.
E
It's actually like a question of how enterprises deal with open source suppliers or open source dependencies, and it struck me that maybe it could be an outcome of this group, or an output of this group, kind of guidance for procurement teams, like: don't do that, or here's how to engage with the open source community or with open source community developers, or here are the different types of open source projects, some of which do fit into more of a supplier mentality and some of which do not fit into a supplier mentality.
E
That I don't know. I don't have anything more sophisticated in my mind, or well thought through in my mind, other than what I've just said, other than I'm probably going to write a blog post about this at some point. But I just kind of wanted to raise it here and get the bug in people's ear. I see some nodding from grub and others, so maybe this is a good thing to think about.
D
It's pretty short, but the takeaway, and I don't think it'll be new to anyone in the open source world, but basically it just says your software is given to you as is, and it's exactly the sort of thing that I, in my role of thinking about it from a, you know, public policy perspective, we need to read it and take it seriously, even if we disagree with it, right? Even if we, because what he doesn't do is say, well, what?
D
Now, because the status quo is unsustainable, and so are we just going to find alternatives? Are we going to create a new license that says no more "as is", right? But it's not his job to find the solution.
E
Or, or maybe we need to think about things as a spectrum, right? Because there are some, like I said, there are some open source projects that do fit into the more, like. Then there are also open source projects that are produced by organizations that have an SLA around them and where there is a contractual agreement, and then there's a whole risk assessment where you can say: okay, well, this particular open source project is not, I.
E
Do not have a contractual agreement with them, however they're so well used and they have such a strong track record, and you know that all these other factors are in place. So therefore it's a low risk, you know, or I mean, I don't know what, and it kind of goes beyond the security aspects a little bit.
E
H
It, yeah, I think one thing that stirred up a lot of the mud in the water here was the introduction of mandatory MFA by npm, PyPI and RubyGems for top maintainers. There was a line of argument, which I'm not sympathetic to, that since the software is as is, then the package repositories can't impose these kinds of terms, that you are stealing their work somehow. I'm of the view that the package repository is providing a free service.
H
Thank you very much, it's private property and they can do whatever they like with it, or not do with it whatever they like. And if you don't like it, you can host it on your own website under any rules you like. But I think it's that event that started people down the road of, like, what are the obligations on package maintainers?
H
In this case, the obligations are not imposed by end users, they are imposed by the package repositories acting as custodians of the interests of the end users as well as the package maintainers, and that's the argument I made when we were doing it for RubyGems, which is that, yes, it imposes drag and inconvenience on the package maintainers, but for a package maintainer a compromise is embarrassing and distressing; for end users it is potentially catastrophic, and there are far more of them.
H
So, just on a very brutal, you know, a brutalist, concrete-poured-into-place kind of utilitarian calculus, it just comes out for the users. I'm sorry, we have to do it. So I think that's where some of this came from, like that's how it got to be in the air. That was the meteorite that impacted, got all the dust up, and it's going to get much bigger this year because of GitHub imposing 2FA on everybody.
H
I think this group could provide guidance on how consumers can manage the risk of using third-party components. I am extremely sympathetic to the maintainer developer. That's most of my work in the OpenSSF, is focused on providing services for those communities, but we can do things, provide education and support, and, you know, things like the great MFA distribution where a couple, two years ago, the foundation gave away multi-factor tokens to maintainers to help prevent some of these supply chain things. So we can.
H
Sorry, I think the place where we can give the input there is the S2C2F, which should have been called Saba, I'm still grumpy about that, but that seems like a good place for that input.
A
Yeah, excellent. Well, I'm going to close a little bit early. Any other business, anything anyone else wants to raise before we close the call? No? Okay, so good discussion as always, good to get back to the table. I think there's a lot of actions as always, and I think really, you know, one of the things I was thinking about was this.
A
This meeting isn't just, let's report back on how we're getting things done. We're doing a lot of work within this meeting, and I think there's a lot of work and a lot of working standing meetings we're trying to do outside of it, because I think there's just so much work going on.
A
We can't just concertina the whole thing into one hour. So apologies if there's like actions coming out of this thing and it sounds all sort of formal, but the reality is this: we're doing more work, I think, as a group than one hour every two weeks, which I think is really beneficial. So great work, great work everyone. I'm looking forward to a pretty awesome 2023 and, you know, we'll work from the group. Thanks very much everyone, talk to everyone soon, bye.