open source and cybersecurity news

May 1, 2023

TACOS, ChatGPT Outperforms Doctors, End to End Encryption

Episode Transcription:

Pokie Huang: 

Hey, it’s 5:05 on Monday, May 1st, 2023. From The Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Trac Bannon in San Francisco, California, Katy Craig in San Diego, California, Edwin Kwan in Sydney, Australia and Marcel Brown in St. Louis, Missouri. Let’s get to it.

Tracy Bannon: 

Hey, it’s Trac Bannon coming to you from RSAC. Actually, I’m here with my friend, Matthew Arnow. He’s from Tidelift, and we’ve been talking about a couple of different things that we’ve noticed on the expo floor and in a number of the sessions.

Hey Matthew, you brought up to me that there’s a new open source effort that you’re actually a part of. Can you tell me a little bit about it? 

Matthew Arnow: 

Yeah, sure. Thanks, Tracy. There’s a lot of discussion these days around open source attestation. Basically, as an organization, the liability is shifting from the consumer, the end customer, being liable for the software they’re using, to the producers of the software.

Part of the National Cybersecurity Strategy, along with the OMB M-22-18 guidance, talks a lot about attestations, and that’s great. Attesting, to the extent possible, to where this stuff comes from is very important. One of the things we noticed is that there’s not a really great framework out there for businesses to follow to be able to attest to that extent possible.

Tracy Bannon: 

Is that for the generation of the attestation? Is that what the framework is about, for me as a firm being able to generate that attestation?

Matthew Arnow: 

Correct, yeah. It is what inputs you would need to essentially self-attest to that “extent possible”: that you’ve done the due diligence around understanding not only where this stuff’s coming from, but does it have certain CVEs open? Does it have licensing requirements? Is there maintenance? Is there ongoing support happening for those projects? Those are all the things that the SSDF framework from NIST lays out.

But again, there hasn’t been a framework that we’ve seen that businesses can quickly fall into, so we’ve released something called TACOS, which, as the name suggests, falls in line with some of the other open source projects out there, one known as SLSA and another one from Google called GUAC.

We’ve themed it in the Tex-Mex style, and TACOS stands for Trusted Attestation and Compliance for Open Source Software.

Tracy Bannon: 

Fantastic. And so folks can go out and look that up. They can join in, they can participate in this, right? This is absolutely an open source effort.

Matthew Arnow: 

This is an open source effort. It’s brand new, so we don’t know if it’s going to work. We just had some ideas and saw kind of a gap in the ecosystem here with all of this discussion. We just put it out on GitHub about two weeks ago, so if you go to GitHub and search TACOS, as it’s spelled, you should find the framework. We’re looking for people to give us feedback and to help us evangelize perhaps the use of it, or perhaps give us feedback that this isn’t a good idea, or tell us that there’s already a framework out there that we don’t know about.

But our product team saw a gap here and thought it would be helpful to the community to start having this conversation more broadly.

Tracy Bannon: 

This is the perfect time for people to get involved because this is at its infancy. This is when things will either succeed or fail as it starts out, so let’s get as many people involved as we can, as early on as possible.

Hey, I appreciate you taking a couple of minutes today. Thank you. 

Matthew Arnow: 

Yeah, thanks Tracy.

Katy Craig: 

A new study published in the journal JAMA Internal Medicine put the spotlight on ChatGPT’s abilities to respond to patient questions with both quality and empathy.

This is Katy Craig in San Diego, California. 

Independent licensed healthcare professionals evaluated the AI’s responses alongside those of actual doctors. And here’s the fantastic part: ChatGPT’s responses were preferred nearly 80% of the time. This breakthrough in AI showcases the potential of ChatGPT to positively impact the healthcare industry. 

While it’s important to remember that AI will never replace human doctors, the results of this study indicate that ChatGPT can be a valuable tool in assisting healthcare professionals, streamlining processes and improving patient experiences.

It’s worth noting that ChatGPT’s strong performance in the study doesn’t diminish the importance of human doctors. Rather, it highlights the potential for collaboration between AI and healthcare professionals to enhance the overall quality of care. So let’s stay optimistic about the incredible advancements AI is making in healthcare, including diagnosing cancer, and look forward to a future where technology and human expertise join forces to create better experiences for patients and medical staff alike.

This is Katy Craig. Stay safe out there.

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia.

Is end-to-end encryption good or bad? There was the recent event where the new synchronization feature for Google Authenticator was criticized by security researchers as not secure for use due to its lack of end-to-end encryption. Google responded the very next day, saying that they have heard users’ concerns and will add the feature in a future release.

This has got me thinking about end-to-end encryption and whether it is good or bad, and I found that the ABC’s Big Ideas had recently investigated this dilemma. They say that it depends on what is more important to you: that authorities can monitor online messages for crime and child abuse, or that your messages are always completely private.

It provides both privacy and secrecy, and whether that’s a good thing or a bad thing, very much depends on your perspective. 

Any parent of a child in a democratic country under the rule of law may understandably want their child’s safety to be prioritized above all else. But a journalist who risked their life to report the truth under a repressive regime may depend on the privacy and security of their application to survive. Because end-to-end encryption is either on for everyone or off for everyone. It’s not possible for companies to decide that they may want to turn it on for journalists but off for criminals.

You can’t have it both ways, and that’s the problem with end-to-end encryption. 

Marcel Brown: 

This is Marcel Brown, the most trusted name in technology with your technology history for April 30th and May 1st. 

April 30th, 1993. At the urging of Tim Berners-Lee, the creator of the World Wide Web protocols, the directors of CERN release the source code of the World Wide Web into the public domain, making it freely available to anyone without licensing fees.

The decision to make the World Wide Web software and protocols freely available is considered by some as possibly the single most important moment in the history of the internet. In fact, some historians mark this day as the birth of the web.

May 1st, 2000. The US government removes Selective Availability from its Global Positioning System, improving the accuracy of civilian GPS devices from 100 meters to 20 meters. Originally created to impede hostile forces from taking advantage of the GPS system, pressure mounted from many areas to make GPS more accurate for civilian purposes. Initially set to be disabled in 2006, it happened earlier, in 2000, when the US military developed a new method of denying GPS to hostile forces in specific areas without affecting the rest of the world or its own systems.

This action paved the way for the proliferation of GPS usage for accurate navigation functions, such as the turn-by-turn apps we use today on our smartphones.

That’s your tech history for today. For more, tune in tomorrow and visit my website

Pokie Huang: 

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Trac Bannon, Katy Craig, Edwin Kwan and Marcel Brown for today’s contributions.

The Executive Producer is Mark Miller. The editor and the sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by This is Pokie Huang. See you tomorrow… at 5:05.




  • Julie Chatman

    This was a great episode. I am looking forward to more

    • A
      Senior Storyteller

      Thanks, Julie. We’re proud to have over 130 episodes without missing a day! All credit goes to the contributors. A great bunch to work with. — Mark
