Hello and welcome to the Wednesday, May 20th, 2006 edition of the Sands Inlet Storm Center's Stormcast. My name is Johannes Ulrich, recorded today from Jacksonville, Florida. And this episode is brought you by the Sands.edu bachelor's degree program in applied cyber security.

Today's podcast, if everything goes to plan, and it's not that I'm starting to writing down everything,

but I'm hoping to do something a little bit more focused because there are a couple real important things that I want to talk about.

And, well, with that, maybe spend a little bit less time on it. But we'll see how

it goes. So really, what is all about is Ken Hartman put together a real good summary of what

recently happened with the team PCP and all of these supply chain campaigns. I mentioned some

in podcasts over the last couple of weeks, for example,

checkmarks getting compromised a couple of times, and with that also some of their products.

I think this sort of has reached your new quality, and Kenpo also points that out is with the Tan Stack compromise. Now TanStack actually

had SLSA level three verified components. So what this means is the software they produced was

not only digitally signed, but also the systems being used to compile and basically run

the build process were verified and were audited. So that's what SLSA level three means.

And, well, it's sort of one of these software supply chain verification procedures.

It used to be that you could say, hey, you know, if software is really verified to that level,

well, you should probably trust it.

But I think, and that's sort of really where my soapbox today a little bit starts is,

you must assume compromise.

We're living sort of with that on the network security level for quite a while

that we try to encrypt all of our data even on internal networks

because we assume compromise.

That has been sort of introduced years ago.

But I think developers and when it comes to software components, we also at this

...