Explore every episode of the podcast Open Source Security Podcast
| Title | Pub. Date | Duration | |
|---|---|---|---|
| Episode 453 - Software Liability | 04 Nov 2024 | 00:36:28 | |
Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen. Show Notes | |||
| Episode 452 - All about Meshtastic | 28 Oct 2024 | 00:39:29 | |
| Episode 443 - The Supply Chain Security Crisis | 26 Aug 2024 | 00:34:23 | |
Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. Show Notes | |||
| Episode 353 - Jill Moné-Corallo on GitHub's bug bounty program | 12 Dec 2022 | 00:26:18 | |
| Episode 352 - Stylometry removes anonymity | 05 Dec 2022 | 00:32:46 | |
Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology. Show Notes | |||
| Episode 351 - Is security or usability a law of the universe? | 28 Nov 2022 | 00:33:29 | |
Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic. Show Notes | |||
| Episode 350 - Spam, Email, Content Moderation, and Infrastructure Oh My | 21 Nov 2022 | 00:31:56 | |
Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated. Show Notes | |||
| Episode 349 - The cyber is coming from inside the house - the UK is scanning itself | 14 Nov 2022 | 00:31:19 | |
Josh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder. Show Notes | |||
| Episode 348 - OpenSSL is the new lead paint | 07 Nov 2022 | 00:33:55 | |
Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. Show Notes
| |||
| Episode 347 - Airtags in luggage and weasel security - two peas in a suitcase | 31 Oct 2022 | 00:33:03 | |
Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers. Show Notes | |||
| Episode 346 - Security and working from home have terrible things in common | 24 Oct 2022 | 00:32:54 | |
| Episode 345 - Cheap hacking devices turn security upside down | 17 Oct 2022 | 00:30:14 | |
Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security? Show Notes | |||
| Episode 344 - Python tarfile - 2022 is nothing like 2007 | 10 Oct 2022 | 00:34:50 | |
| Episode 442 - The foundation of society, TLS certificates are a mess | 19 Aug 2024 | 00:40:35 | |
Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to Josh what's going on, because Josh doesn't want to care (and will continue to ignore all of this going forward). Show Notes | |||
| Episode 343 - Stop trying to fix the open source software supply chain | 03 Oct 2022 | 00:32:24 | |
| Episode 342 - Programming languages are the new operating system | 26 Sep 2022 | 00:29:56 | |
| Episode 341 - Time till open source alternative | 19 Sep 2022 | 00:35:40 | |
Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it. Show Notes | |||
| Episode 340 - Let's chat about Let's Encrypt with Josh Aas | 12 Sep 2022 | 00:33:54 | |
| Episode 339 - Is a network problem a security vulnerability | 05 Sep 2022 | 00:38:12 | |
| Episode 338 - The government didn't make vulnerabilities illegal. Yet. | 29 Aug 2022 | 00:36:20 | |
Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security. Show Notes | |||
| Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why | 22 Aug 2022 | 00:31:06 | |
Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction. Show Notes | |||
| Episode 336 - We don't have data, we have security biases | 15 Aug 2022 | 00:33:31 | |
| Episode 335 - Bull*&$% security ideas | 08 Aug 2022 | 00:38:47 | |
Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can. Show Notes | |||
| Episode 334 - Leap seconds break everything | 01 Aug 2022 | 00:32:31 | |
Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here. Show Notes | |||
| Episode 441 - Is CWE useful? | 12 Aug 2024 | 00:33:23 | |
Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. Show Notes | |||
| Episode 333 - Open Source is unfair | 25 Jul 2022 | 00:34:39 | |
Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture. Show Notes | |||
| Episode 332 - PyPI: 2FA or not 2FA, that is the question | 18 Jul 2022 | 00:39:01 | |
Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with. Show Notes | |||
| Episode 331 - GPG, but nothing makes sense | 11 Jul 2022 | 00:35:38 | |
Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter. Show Notes | |||
| Episode 330 - The sliding scale of risk: seeing the forest for the trees | 04 Jul 2022 | 00:38:22 | |
Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. Show Notes | |||
| Episode 329 - Signing (What is it good for) | 27 Jun 2022 | 00:30:54 | |
Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about! Show Notes | |||
| Episode 328 - The Security of Jobs or Job Security | 20 Jun 2022 | 00:29:57 | |
| Episode 327 - The security of alert fatigue | 13 Jun 2022 | 00:34:04 | |
| Episode 326 - Big fat containers | 06 Jun 2022 | 00:37:13 | |
| Episode 325 - Is one open source maintainer enough? | 30 May 2022 | 00:35:22 | |
| Episode 324 - WTF is up with WFH | 23 May 2022 | 00:35:21 | |
Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and have a chat about the topic. There's not much security in this one, but it is a fun discussion. Show Notes | |||
| Episode 440 - "What is open source" talk Josh gave | 05 Aug 2024 | 00:34:36 | |
Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is, their primary goal is to help keep development secure. Show Notes | |||
| Episode 323 - The fake 7-Zip vulnerability and SBOM | 16 May 2022 | 00:38:13 | |
| Episode 322 - Adam Shostack on the security of Star Wars | 09 May 2022 | 00:33:41 | |
Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book. Show Notes | |||
| Episode 321 - Relativistic Security: Project Zero on 0day | 02 May 2022 | 00:34:11 | |
Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking. Show Notes | |||
| Episode 320 - Security Twitter is not the real world | 25 Apr 2022 | 00:32:04 | |
Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important. Show Notes | |||
| Episode 319 - Patch Tuesday with a capital T | 18 Apr 2022 | 00:30:41 | |
Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works best for you, not what someone tells you is best. Show Notes | |||
| Episode 318 - Social engineering and why zlib got a 2018 CVE ID | 11 Apr 2022 | 00:30:10 | |
Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. Show Notes | |||
| Episode 317 - The lack of compromise in security | 04 Apr 2022 | 00:32:54 | |
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess. Show Notes | |||
| Episode 316 - You have to use open source | 28 Mar 2022 | 00:30:44 | |
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs are shallow (they're not), the superpower is security bugs in open source can't be ignored. Show Notes | |||
| Episode 315 - Who even makes all these terrible decisions? | 21 Mar 2022 | 00:33:22 | |
| Episode 314 - The Linux Dirty Pipe vulnerability | 14 Mar 2022 | 00:26:04 | |
Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source. Show Notes | |||
| Episode 439 - Where are all the youth in open source? | 29 Jul 2024 | 00:29:27 | |
Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created. Show Notes | |||
| Episode 313 - Insecurity at scale | 07 Mar 2022 | 00:31:12 | |
| Episode 312 - The Legend of the SBOM | 28 Feb 2022 | 00:34:17 | |
| Episode 311 - Did you scan the QR code? | 21 Feb 2022 | 00:32:01 | |