Nostr notes by Josh Bressers

It's the movie Ground Day Except with a penguin

2026-05-07T21:31:37Z

It's the movie Ground Day

Except with a penguin

This post got into my head. I think you're right, the days of ...

2026-05-03T00:58:51Z

In reply to nevent1q…tc83
_________________________

This post got into my head. I think you're right, the days of coordination are over

So I wrote it down
https://opensourcesecurity.io/2026/05-vulnerability-economics/

every AI vulnerability company wants to find something juicy, and ...

2026-05-01T01:43:00Z

In reply to nevent1q…8dx5
_________________________

every AI vulnerability company wants to find something juicy, and have no idea how to coordinate the findings

Remember Linus's Law? While it was never really true, there ...

2026-04-29T12:27:39Z

Remember Linus's Law? While it was never really true, there are now A LOT of people looking for vulnerabilities with LLMs, and they're finding vulnerabilities EVERYWHERE

While Linus's Law was clearly nonsense, this is creating an increase in vulnerabilities the world is completely unprepared to deal with

What happens if we have a million CVEs every year?

https://opensourcesecurity.io/2026/04-linus-law-vulns/

I wrote a blog post Open source was never about trust ...

2026-04-11T16:02:04Z

I wrote a blog post

Open source was never about trust

https://opensourcesecurity.io/2026/04-never-about-trust/

There's been a lot of really crazy events happening around open source for the last few months. But it's probably all going to be OK

Looks like all the cybersecurity stocks have recovered since the ...

2026-03-05T15:52:34Z

Looks like all the cybersecurity stocks have recovered since the "Claude is going to destroy every security company ever" news

Feels like an investing strategy :)

I had a chat with Frank Karlitschek from @npub1rk6…hv4q about ...

2026-02-09T15:43:55Z

I had a chat with Frank Karlitschek from Nextcloud 📱☁️💻 (npub1rk6…hv4q) about digital sovereignty

There's a lot of attention lately around digital sovereignty and often that conversation also includes Nextcloud. Frank tells us all about how Nextcloud works, how it can be used to free your data, and has some great insight into what decentralization already looks like and what it could look like soon

https://opensourcesecurity.io/2026/2026-02-nextcloud-frank-karlitschek/

It's always been hard for humans to find security bugs in ...

2026-02-06T21:31:25Z

In reply to nevent1q…snu0
_________________________

It's always been hard for humans to find security bugs in code, generally we had to focus on one specific area at a time

But the real challenge has always been writing and testing the patches, this is even harder than finding the vulns in many cases

We will of course see claims to "just use an LLM to write the patch", but I've not seen any evidence showing that's realistic yet (there might be something I've missed, goodness knows this space is hard to follow everything)

Thanks!

2026-01-12T15:32:31Z

In reply to nevent1q…9m48
_________________________

Thanks!

This week on #OpenSourceSecurity I have a chat with ...

2026-01-12T15:30:04Z

This week on #OpenSourceSecurity I have a chat with [@algernon](https://come-from.mad-scientist.club/@algernon ) about [@iocaine](https://come-from.mad-scientist.club/@iocaine )

Iocaine creates a maze of garbage to trap scraping bots. I love this idea, it has amazing chaotic good energy!

I learn all about how Iocaine works, and even got to see some dashboards showing off the size of the problem and how Iocaine handles it all.

https://opensourcesecurity.io/2026/2026-01-iocaine-algernon/

This week on #OpenSourceSecurity I have a chat with ...

2026-01-05T14:29:47Z

This week on #OpenSourceSecurity I have a chat with Xe :verified: (npub17mj…0mhx) about #Anubis, the tool that stops web AI scrapers

The scale of web scraping is way worse than I expected, and blocking things is also a lot harder than I expected

This is one of those conversations where I learned how little I know

https://opensourcesecurity.io/2026/2026-01-anubis-xe/

#OpenSourceSecurity has a chat with @npub1klc…sud3 about ...

2025-11-24T15:58:53Z

#OpenSourceSecurity has a chat with Seth Larson (npub1klc…sud3) about Python Software Foundation (npub1vv8…6fhk) security

Seth has a new whitepaper, there's a CFP open (which you should submit a paper to), and some discussion about the PSF grant situation

It's always fun to chat with Seth, I learn a ton every time!

https://opensourcesecurity.io/2025/2025-11-python-security-seth-larson/

I started using @npub1zq5…dlp2 as my search engine The biggest ...

2025-11-04T15:43:43Z

I started using Kagi HQ (npub1zq5…dlp2) as my search engine

The biggest surprise has been how jarring seeing a search page that isn't full of shit

I didn't realize my brain has come to expect a page of garbage when I search for things, and it doesn't know what to do now

This week on #OpenSourceSecurity I talk to @npub1uy3…kphj about ...

2025-11-03T15:11:58Z

This week on #OpenSourceSecurity I talk to Otto (npub1uy3…kphj) about his blog post about detecting an attack like xz in Debian

It's a fascinating conversation about a very complicated topic

There are things that could be detected, but this one would have been very very difficult

https://opensourcesecurity.io/2025/2025-11-xz-debian-otto/

New project idea Scream-o-pedia It's a clone of wikipedia, ...

2025-10-30T13:14:26Z

New project idea

Scream-o-pedia

It's a clone of wikipedia, but filled with endless screaming

OK open source security nerds, I need your help I have a podcast ...

2025-10-08T23:44:08Z

OK open source security nerds, I need your help

I have a podcast youtube show thing called Open Source Security

https://opensourcesecurity.io/

I'm always looking for guests. Back when I changed formats in January I had a pretty large list of people sent to me as suggestions. I've made it through the list (it took me 10 months)

If you know someone (or are someone) doing open source security work I would love a suggestion. DMs are open and there are other contact things on the website

I especially like guests who are unsung heroes

The Register wrote a story about a single maintainer open source ...

2025-08-28T01:38:32Z

The Register wrote a story about a single maintainer open source project, I think it's shameful and upsetting. So I wrote a blog post about it

An absolutely ridiculous amount of open source is one person projects. I have the data to prove it

https://opensourcesecurity.io/2025/08-oss-one-person/

Nostr event nevent1qqsyv0zx2ughfkj5dhx5tp2mcgkydapz09gnnfqe0zc3v8fjdf07dyszyrfrtrvjy8l57vr2r5xm023aek02q2v5ulslcsg6rf2gtt7gj37zg30wjxs

2025-08-18T01:16:01Z

A bunch of vulnerability nerds are collecting in a discord server ...

2025-04-15T21:08:51Z

In reply to nevent1q…x6kt
_________________________

A bunch of vulnerability nerds are collecting in a discord server to coordinate whatever will need coordinating for this

https://discord.gg/gSCrXxMuPx

All are welcome, even if it's just to lurk

Now imagine how much value it would be if they were using AI!!!!! ...

2025-04-08T14:00:34Z

In reply to nevent1q…tepn
_________________________

Now imagine how much value it would be if they were using AI!!!!!

It would be at least NaN dollars!!!!!!!!

Is there a web browser that won’t try to shiv me in my sleep? ...

2025-02-27T02:21:15Z

Is there a web browser that won’t try to shiv me in my sleep?

#askingforafriend

This episode #OpenSourceSecurity talks to @npub1frk…5a27 about ...

2025-02-24T15:33:34Z

This episode #OpenSourceSecurity talks to Sheogorath (npub1frk…5a27) about forking open source projects

It's a lot more complicated than you think it is, and Sheogorath has some first hand experience from one of the most complicated forks I've ever seen in HedgeDoc

It's a fun chat filled with lessons

https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/

Now that 2025 is here, it's time to wind down the #osspodcast ...

2025-01-01T14:34:03Z

Now that 2025 is here, it's time to wind down the #osspodcast

It was a fun run, but it was time to be done.

I have a new project I'm calling "Open Source Security" (the domain is too good to not do something with it)

I want to chat with people securing the use and creating of open source. I explain a lot more in the blog post (which also has audio)

If you're one of these people, let me know! There are a lot of lessons for us all, and the people doing the best work aren't being listened to

https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/

Looks like #NVD has stopped enriching #CVE again. So that's ...

2024-11-12T16:07:13Z

Looks like #NVD has stopped enriching #CVE again. So that's neat

Hungry for McRib!!!

2024-10-15T13:18:04Z

In reply to nevent1q…xcew
_________________________

Hungry for McRib!!!

I wrote a blog post about the #SBOM complaining that seems to pop ...

2024-10-15T12:51:21Z

I wrote a blog post about the #SBOM complaining that seems to pop up every few months

https://opensourcesecurity.io/2024/10/15/the-useful-uselessness-of-sboms/

SBOMs are used all over the place, they're just not always called SBOMs

[@jwildeboer](https://social.wildeboer.net/@jwildeboer ) I ...

2024-10-07T15:47:33Z

[@jwildeboer](https://social.wildeboer.net/@jwildeboer ) I printed the meshtastic case you've been showing off here, HOLY COW it's awesome. I can fit a massive battery in it that gets me over 25 hours of life, and it still fits in my pocket

OK #meshtastic nerds I've been working on a Meshtastic BBS ...

2024-10-05T01:02:54Z

OK #meshtastic nerds

I've been working on a Meshtastic BBS that communicates through a meshtastic node (I took the TC2-BBS code and change it ... a lot)

https://github.com/joshbressers/meshbbs

The goal here is to make something that's REALLY easy to hack on (this was my complaint about TC2-BBS, it was hard to change)

It's still very much a prototype, but I think I'm at a point where feedback and ideas would be good

And of course patches :)

Nostr event nevent1qqs0rh9fxmrl4tyxyka9zd80657fugfl2h4qdauukgesp6pn5fqas0qzyrfrtrvjy8l57vr2r5xm023aek02q2v5ulslcsg6rf2gtt7gj37zg02sssf

2024-09-26T18:29:27Z

Bambu built on top of all the open work the community. I’m glad ...

2024-09-14T12:29:17Z

In reply to nevent1q…szc6
_________________________

Bambu built on top of all the open work the community. I’m glad something easy to use exists, but I think the work of the community is a very important part of the story

You almost certainly don’t intend to come off that way, but it reads like it