Open Source Security Podcast – Details, episodes & analysis

Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen.

• Request for Comment on Product Security Bad Practices Guidance
• FY2025-2026 CISA International Strategic Plan
• EU brings product liability rules in line with digital age and circular economy
• CSA Cloud Controls Matrix

Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source.

• Meshtastic
• Heltec LoRa 32(V3) Radio
• 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous
• Meshtastic Routing Issues & Deployment Scenarios
• TC2-BBS-mesh
• The Comms Channel
• Josh's BBS
• Heltec T114 bug

Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems.

• Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event
• The Reason Train Design Changed After 1948

Josh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today.

• Jill's Twitter
• Jill's Mastodon
• GitHub Bug Bounty
• Bug bounty scope
• Eight years of the GitHub Security Bug Bounty program
• GitHub NPM bug bounty find

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology.

• Hacker News Stylometry Analyzer
• FBI Profiler on the Unabomber
• Impersonate Eli Lilly for $8
• Shakespeare Stylometry

Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic.

• EFF on Mastodon DM privacy
• Towards End-to-End Encryption for Direct Messages in the Fediverse
• Pluralistic: 14 Nov 2022 Even if you're paying for the product, you're still the product

Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated.

• PowerDMARC
• Will Dormann
• GossiTheDog upgrades Exchange
• lcamtuf's blog
• I like Ice Cream

Josh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder.

• NCSC Scanning information
• Motherboard podcast about NCIS

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls.

• OpenSSL Blog Post
• OpenSSL pre-announcement
• Mark Cox Tweet 3.0 only affected
• GossiTheDog NDA Tweet
• Claims of a name and logo
• Rustls

Image Credit

Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers.

• Lufthansa bans airtags
• Airtag stalking problems
• Lufthansa unbans airtags
• Cult of the Dead Cow book
• TV Typewriter
• Andre the Giant on an airplane
• Poison Squad