Back

Explore every episode of the podcast Open Source Security Podcast

Dive into the complete episode list for Open Source Security Podcast. Each episode is cataloged with detailed descriptions, making it easy to find and explore specific topics. Keep track of all episodes from your favorite podcast and never miss a moment of insightful content.

Rows per page:

1–50 of 454

TitlePub. DateDuration
Episode 453 - Software Liability04 Nov 202400:36:28

Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen.

Show Notes
Episode 452 - All about Meshtastic28 Oct 202400:39:29

Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source.

Show Notes
Episode 443 - The Supply Chain Security Crisis26 Aug 202400:34:23

Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems.

Show Notes
Episode 353 - Jill Moné-Corallo on GitHub's bug bounty program12 Dec 202200:26:18

Josh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today.

Show Notes
Episode 352 - Stylometry removes anonymity05 Dec 202200:32:46

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology.

Show Notes
Episode 351 - Is security or usability a law of the universe?28 Nov 202200:33:29

Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic.

Show Notes
Episode 350 - Spam, Email, Content Moderation, and Infrastructure Oh My21 Nov 202200:31:56

Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated.

Show Notes
Episode 349 - The cyber is coming from inside the house - the UK is scanning itself14 Nov 202200:31:19

Josh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder.

Show Notes
Episode 348 - OpenSSL is the new lead paint07 Nov 202200:33:55

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls.

Show Notes

 

Image Credit

Episode 347 - Airtags in luggage and weasel security - two peas in a suitcase31 Oct 202200:33:03

Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers.

Show Notes
Episode 346 - Security and working from home have terrible things in common24 Oct 202200:32:54

Josh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home.

Show Notes
Episode 345 - Cheap hacking devices turn security upside down17 Oct 202200:30:14

Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security?

Show Notes
Episode 344 - Python tarfile - 2022 is nothing like 200710 Oct 202200:34:50

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what's OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022.

Show Notes
Episode 442 - The foundation of society, TLS certificates are a mess19 Aug 202400:40:35

Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to Josh what's going on, because Josh doesn't want to care (and will continue to ignore all of this going forward).

Show Notes
Episode 343 - Stop trying to fix the open source software supply chain03 Oct 202200:32:24

Josh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong.

Show Notes
Episode 342 - Programming languages are the new operating system26 Sep 202200:29:56

Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems.

Show Notes
Episode 341 - Time till open source alternative19 Sep 202200:35:40

Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it.

Show Notes
Episode 340 - Let's chat about Let's Encrypt with Josh Aas12 Sep 202200:33:54

Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects.

Show Notes
Episode 339 - Is a network problem a security vulnerability05 Sep 202200:38:12

Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability?

Show Notes
Episode 338 - The government didn't make vulnerabilities illegal. Yet.29 Aug 202200:36:20

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security.

Show Notes
Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why22 Aug 202200:31:06

Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction.

Show Notes
Episode 336 - We don't have data, we have security biases15 Aug 202200:33:31

Josh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey.

Show Notes
Episode 335 - Bull*&$% security ideas08 Aug 202200:38:47

Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can.

Show Notes
Episode 334 - Leap seconds break everything01 Aug 202200:32:31

Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here.

Show Notes
Episode 441 - Is CWE useful?12 Aug 202400:33:23

Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities.

Show Notes
Episode 333 - Open Source is unfair25 Jul 202200:34:39

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture.

Show Notes
Episode 332 - PyPI: 2FA or not 2FA, that is the question18 Jul 202200:39:01

Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with.

Show Notes
Episode 331 - GPG, but nothing makes sense11 Jul 202200:35:38

Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter.

Show Notes
Episode 330 - The sliding scale of risk: seeing the forest for the trees04 Jul 202200:38:22

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale.

Show Notes
Episode 329 - Signing (What is it good for)27 Jun 202200:30:54

Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about!

Show Notes
Episode 328 - The Security of Jobs or Job Security20 Jun 202200:29:57

Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job?

Show Notes
Episode 327 - The security of alert fatigue13 Jun 202200:34:04

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy open to discussing alert fatigue and why it's important to be very mindful of our communications.

Show Notes
Episode 326 - Big fat containers06 Jun 202200:37:13

Josh and Kurt talk about containers. There are a lot of opinions around what type of containers is best. Back when it all started there were only huge distro sized containers. Now we have a world with many different container types and sizes. Is one better?

Show Notes
Episode 325 - Is one open source maintainer enough?30 May 202200:35:22

Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that's "healthy"? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean?

Show Notes
Episode 324 - WTF is up with WFH23 May 202200:35:21

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and have a chat about the topic. There's not much security in this one, but it is a fun discussion.

Show Notes
Episode 440 - "What is open source" talk Josh gave05 Aug 202400:34:36

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is, their primary goal is to help keep development secure.

Show Notes
Episode 323 - The fake 7-Zip vulnerability and SBOM16 May 202200:38:13

Josh and Kurt talk about a fake 7-Zip security report. It's pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them.

Show Notes
Episode 322 - Adam Shostack on the security of Star Wars09 May 202200:33:41

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book.

Show Notes
Episode 321 - Relativistic Security: Project Zero on 0day02 May 202200:34:11

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking.

Show Notes
Episode 320 - Security Twitter is not the real world25 Apr 202200:32:04

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important.

Show Notes
Episode 319 - Patch Tuesday with a capital T18 Apr 202200:30:41

Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works best for you, not what someone tells you is best.

Show Notes
Episode 318 - Social engineering and why zlib got a 2018 CVE ID11 Apr 202200:30:10

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.

Show Notes
Episode 317 - The lack of compromise in security04 Apr 202200:32:54
 

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess.

Show Notes
Episode 316 - You have to use open source28 Mar 202200:30:44
 

Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs are shallow (they're not), the superpower is security bugs in open source can't be ignored.

Show Notes
Episode 315 - Who even makes all these terrible decisions?21 Mar 202200:33:22

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do.

Show Notes
Episode 314 - The Linux Dirty Pipe vulnerability14 Mar 202200:26:04

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source.

Show Notes
Episode 439 - Where are all the youth in open source?29 Jul 202400:29:27

Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created.

Show Notes
Episode 313 - Insecurity at scale07 Mar 202200:31:12

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need to push security forward.

Show Notes
Episode 312 - The Legend of the SBOM28 Feb 202200:34:17

Josh and Kurt talk about SBOMs. Not what they are, there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question if we really need them. SBOMs are part of a future that's still being invented.

Show Notes
Episode 311 - Did you scan the QR code?21 Feb 202200:32:01

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn't dangerous. What other security advice just won't go away?

Show Notes
© My Podcast Data
Podcast Open Source Security Podcast by Josh Bressers & Kurt Seifried Episodes | My Podcast Data