From YouTube: OSS-SIRT SIG - Part of BEST WG (March 7, 2023)

A
Those worms, yep.

B
Hell of a drive. Well, you know, it's one of those things that I like: when I give instructions, like I specifically made it so that it all wouldn't fall back on one person, and guess what happened. Everyone went back and reassigned it all to Fuzzy. So now it all falls back on one person, and then I'm like, bro, why do you accept? And he's like, I can do it, I can do it. I'm like, you're gonna pull off two presentations in eight hours, we'll see what happens. Heart.

A
Yeah, unfortunately, my day job commands that I have something to do.

B
No, no worries. And for the record, at some point in the education state, we might want to sit down and look at it. What we're doing is we're getting all of Glenn's presentations, which are currently about 70 to 80 presentations, and we're completely revamping them. So, yeah.

A
All right, well, I don't see any additional people clamoring to get in, so let's get started, gents.

A
So as a reminder to you two, we are holding TAC elections. In order to vote in the TAC election, you need to fill out a brief survey. So far, out of the whole Foundation, you want to guess how many people have registered to vote? So spread the word. Have folks, if they want to participate in voting, either for the TAC or for the community individual representative, please fill out that short form. And if either of you are interested in running for the TAC, there is a nomination process for that. That's a little bit longer than 30 seconds.

A
You'll need to have, like, a little speech: you know, what I want to do on the TAC to make things better. But that is another option.

A
To be on the TAC, yeah, it is... I feel a lot of responsibility. It is not a ton of extra work, I would say, like an hour or two a week. Okay, so not too, too much. Is the voting form easy to find? Well, if you look at the agenda, Art, there's a link right to it. So you register, and then they will send you a mail with the... they're using some kind of tool for the actual voting.

B
For what it's worth, I... I was... so, something I was interested in, but we then... we kind of, as a team, agreed that it would just be better for me to show up to TAC meetings, because my superiors feel like it would be too much responsibility and too much work. And it's like, but someone has to do it. And yeah.

A
So everyone's welcome to show up to the TAC and express your opinion as we have our conversations. So when you get to a computer, Art, or even if you can look at the agenda on your phone, there is a link to a Google form. The voter registration is like 30 seconds; you have to put your GitHub ID in, basically. The self-nomination for either the individual representative or the TAC is a little longer, a couple minutes.

A
So right now the representative is Ian Coldwater, and they help speak on behalf of maintainers and upstream. So that's... that's kind of the perspective we want to have in the room as often as possible. Fair. Okay, and that job is a little more work, because you actually have to go to governing board meetings and stuff, and TAC meetings. Well...

A
Right, well, you're not an independent representative. So, like, back in days of yore, that could have been something that Jonathan might have been able to do, because he was a security researcher kind of out there in the wild. No, Jonathan's here, but now Jonathan's also an employee, so he is no longer an independent representative. So I have been asked not, or...

A
Speaking of the TAC, any questions about the election? No, I'm good. Speaking about the TAC, I have some news about the open source CERT mobilization plan proposal.

A
So it has done such, and I am currently in conversations with the LF and OpenSSF people on what else we need to prepare for that presentation.

A
So at some point in the very near future, we'll probably need to make, like, a two or three slide deck to kind of TL;DR the plan and show, like, the numbers and timelines and stuff.

A
And then, but once I get a template, I'll be glad to delegate that. And then we'll need to present to the governing board, and if they feel it is worthy, people will propose, will potentially provide money to fund such an effort, or resources like people or tools.

A
Well, speaking about the plan, since we don't have any tangible direction at this time, would we like to actually start working on some of the things we can do that are low-cost and low-risk? If we don't get funded, it's still, I think, valuable information to have around and share. So I put a suggestion for three possible areas we could collaborate on. First off, we have... we were thinking about making two questionnaires. The first questionnaire would be to kind of upstream maintainers and security teams: what do you want?

A
We could make our walking-around deck at some point. If we get funded, we will need to be able to articulate to people in two slides or less what the hell we're doing and what we want to... what services we are going to provide. So we could work on that recruiting deck, or we could work on processes and workflow.

B
There are lots of computers, yep. I'll find it and I'll... I'll put it in Slack. Okay.

A
That sounds great. While Randall does this, do we have anything we would like to chat about?

C
I know a little bit about the initial report, and then, without my... out of my view at that point, there was a small personal amount of personal contact to get that to a good place, which I may have had something to do with, but I didn't have the details. I was just sort of making introductions, yeah. That's a doozy, though. I think it's in the spec, if I read that correctly, yeah.

C
Yeah, I... I get it. I read pretty carefully, but I... I'm still a little bit struggling with the... the spec was detailed enough that the buffer, the memory corruption issues were in the spec. I'm gonna have to read that part again, but yeah, anyway. It's great when we have, I don't know, Crub knows stuff about your boot and UEFI, and it's an interesting environment.

C
You know, you have a computer in your computer, and it has all the problems your computer has. And did we... I don't even know if we need UEFI still to this day. I mean, Secure Boot, I understand the need, the desire for...

C
Yada yada, complexity, security benefits, trade-offs, just an interesting, messy world overall. But I got to figure out if the spec literally says that the buffer must be this long and don't check it, or something like that. Yeah.

C
Again, I... it's very, very common to spec but have some problem, but it's rarely, like, you know, a C implementation problem.

B
For the record, for the record, the article read DP DPM cannot be trusted, or...

C
Some... well, okay, of course, right, yeah, I mean, I was... yeah. DJ... I was reading, I'm gonna read Quarkslab, says... Yvonne R says OG ball researcher, and DJ at CERT wrote the CERT one, and I... I pretty much trust him. So I'll read more carefully, but yeah, curious stuff.

A
Yeah, I have had the great opportunity, as part of my day job, to actually do some work on UEFI. We did a couple podcasts with the binary folks, oh yeah, and some of our Intel folks, talking about UEFI.

C
See, I like all three of your ideas, Krobe, even... even the process one, but it could be a bit early for that. But yeah, maybe not, maybe not for some parts, or, you know, some rough, some more rough block process charts. I don't have any strong preference. I'll... I'll help with whatever pops up.

C
Yeah, that was it. It tickled me there, but I stole my resist a bit, and see, anyway. Yeah, all looks good. I have no strong preference.

A
I agree, and that's also... we want to try to schedule, potentially, internet... go talk to the Kubernetes security team: you know, what works well for you all, where would you... yeah, like, assistance. Talk to Solar Designer. A lot of different opportunities there to... to interview people that are doing the work today and kind of absorb those best practices.

A
I made a mistake and plugged my Google Drive into my photo stream, so now I'm out of Google Drive space. Oh, because apparently I can't, like, mass delete everything.

A
So would we be interested in doing some homework for the next two weeks, to kind of poke at that survey and then come back and actually make corrections and plans on who to start reaching out to? Yeah.

A
Great, so that'll be our homework over the next two weeks. Look at the document that Randall's going to share in a little bit, and we will start to strategize on how we want to get those rolled out.

C
Great, I am tracking that one. I've run into the OpenVEX presentation in at least four other places, probably like four, which is awesome. And I... so, roger that, all. I'm planning on being here.

A
Yeah, I think there's great potential for collaboration on that, and I think if we were able to figure out a solution to automatically generate those advisories as part of a GitHub Action or something similar, yeah, yep, I think there could be a substantial amount of value to... oh, you know, give that to upstream developers, and then downstream could start to benefit from that analysis.

C
Yes, I will say, despite a wide variety of ideas as to what VEX is and what it can or can't do...

C
It does not tell you what your status is. You've got to go figure that out. You might be able to automate that, you might not. That is not VEX's job. So we, if we can at least just standardize on: this thing is affected, that thing is not, this thing... is this part of this thing? That's not a bad idea, and I'm trying to head off a discussion about...

C
When should you issue one? The answer is: anytime you're talking about the vulnerability and you're going to publish whatever on OSV, a CVE, CSAF, your own personal advisory flavor. If you have a mind towards automation, please put this: please provide the status in VEX format. The end of story. We don't need to write a paper, for instance. That's it. So, sorry, other... other work, work stream issues. OpenVEX can do this. Two thumbs up, great, I'm sold. So, yeah.

A
And then, depending on how this work stream goes, if we actually get funded, that's something we can integrate into the CERT practices. We had talked about the Siren service that potentially is a stream to provide some of that information.

B
I actually was exploring this before, yeah. I have some ideas later on that I'll show you guys, because I was exploring this like a couple weeks ago.

A
All right, we will adjourn. Thank you for your time. The TAC call is in an hour and a half. If you want to watch bureaucracy in exciting action, pop in there.