| GitHub | https://github.com/omkhar |
| Homepage | https://omkhar.net |
Mee-thos? Meye-thos? Mi-thos?
A month in, I still couldn't tell you.
The loudest opinions on AI vulnerability research almost never come from the people actually using it or contributing to making the world more secure.
Since Anthropic shipped Mythos and OpenAI Codex Cyber, my feed has been wall-to-wall thought leadership. Sage wisdom. Whitepapers. Panels. Frameworks for "AI-augmented vulnerability discovery." Panels about the frameworks. And one framework about panels.
Meanwhile, the engineers I know, the ones helping secure the internet, have gone quiet. There's usually a reason for that.
The actual work is unglamorous. You read code. You read more code. You look upstream at the open source the whole world depends on. You find things. You report them carefully. You wait. And hopefully you've made the world a little more secure.
That's what our team at LinkedIn has been doing, inside our own stack and across the dependencies we all share. I'll share more when I can.
One thing I won't wait to say:
To the open source maintainers who've fielded our reports, triaged with patience, and shipped fixes through what has genuinely been an unprecedented stretch, thank you. I owe you many coffees/beers/waters. Much love.
Wu-Tang said it in '93: protect ya neck. You've been doing it for the rest of us ever since. No royalties, no panels, no merch.
Just the work.
Back to research and helping fix upstream.
“I went from negative to positive.” - Biggie Smalls, BedStuy Motivational Speaker
That came up near the end of my conversation with Cameron on The Defender’s Journal, and it probably says more about my career than any title ever has.
I started in factory work, DJing, and ThinkPad tech support. I somehow ended up working on security, software, and systems at global scale.
Over a long enough story arc, I’m not sure any of the “dead ends” were actually dead ends.
A few things we got into:
* Humans have context windows too. At billions-with-a-B scale, you can’t keep making people the load-bearing control.
* The industry will continue to underestimate fundamentals. We’ll talk about nation-state actors on panels and still get burned by sketchy remote-control software on a work laptop.
* Coding agents are not autocomplete with a better haircut. They are creative, persistent, and occasionally behave like mini red teams. Correctness, provenance, test harnesses, and mutation testing matter more now, not less.
* Mentorship is not doing someone’s job for them. It’s giving enough scaffolding that they can pick up the hard thing themselves.
The thread through all of it: I’m still happiest building things at scale, with smart people, where security, software engineering, and productivity are treated as one system.
The correct step is a step. When you come to a fork in the road, take it.
Thanks Cameron for the conversation. Link below.
What did your “dead end” teach you later?

Most careers don’t go to plan. Some don’t follow a plan at all… In Episode 35 of The Defender’s Journal, Omkhar Arasaratnam shares how he went from factory work and DJ’ing to shaping security at LinkedIn, Google, JPMorgan and more! We cover:
* Why careers aren’t ladders
* Why operators build what advisors only analyse
* Why “just take the step” beats analysis paralysis
Links in the comment section below 👇 …
"Do you know the ledge?" Rakim - Long Island 0-day Researcher
The last 10 days, everyone's had an opinion on Mythos and GPT 5.4-Cyber.
Having spent time with both, I can tell you the biggest security vulnerability they've exposed isn't technical.
It's people who haven't touched either one confidently telling you what it all means.
Unsurprisingly, the best defense right now for most people is the same as it's always been: patch your stuff, and keep it up to date.
The basics aren't sexy, but they work.
Know the ledge before you step to it. Some things never change.
Most security tools slow you down. Most fast tools ignore security.
We wanted both. So we built Workcell.
It started with a few co-conspirators asking:
"How do we vibe code at yolo speed and not get owned?"
It works. But it's not done yet, and I'd rather build what YOU need than guess.
The roadmap is open. Go add to it:
github.com/omkhar/workcell/blob/main/ROADMAP.md
What would make Workcell indispensable for you?
Pull requests are welcome!

Coding agents are powerful. They’re also one bad boundary away from self-compromising your machine.
I wanted the speed of “YOLO mode” without giving up isolation, so I built Workcell.
With a lot of help from Codex, Claude, Gemini, and Rick, it’s now out:
https://github.com/omkhar/workcell
Try it. Break it. Tell me what holds up.
Patches welcome.