Winamp Logo
Open Source Security Podcast Cover
Open Source Security Podcast Profile

Open Source Security Podcast

English, Technology, 329 seasons, 434 episodes, 3 days, 10 hours, 9 minutes
About
A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Episode Artwork

Episode 433 - Should OpenSSH block misbehaving clients?

Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future. Show Notes OpenSSH introduces options to penalize undesirable behavior Hacker News comments
6/17/202431 minutes, 40 seconds
Episode Artwork

Episode 432 - Flipper Zero with Alex Kulagin

Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation. Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok
6/10/202433 minutes, 8 seconds
Episode Artwork

Episode 431 - Redirecting HTTP to HTTPS

Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space as you'll hear in the discussion. There's no a simple solution, but this is certainly something to discuss. Show Notes Your API Shouldn't Redirect HTTP to HTTPS Hacker News discussion HSTS Section 5.1
6/3/202432 minutes, 52 seconds
Episode Artwork

Episode 430 - Frozen kernel security

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? Show Notes Kurt's strange coffee Why a 'frozen' distribution Linux kernel isn't the safest choice for security
5/27/202434 minutes, 18 seconds
Episode Artwork

Episode 429 - The autonomy of open source developers

Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there's some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell developers what to do. Developers don't like being told what to do. Show Notes pycurl issue Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away RSA ANIMATE: Drive: The surprising truth about what motivates us Sudo-rs dependencies: when less is better phishing webcomic Debian OpenSSL Bug (16 years)
5/20/202432 minutes, 6 seconds
Episode Artwork

Episode 428 - GitHub artifact attestation

Josh and Kurt talk about a new to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default. Show Notes GitHub artifact attestation
5/13/202437 minutes, 25 seconds
Episode Artwork

Episode 427 - Will run0 replace sudo?

Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. Show Notes Conan O'Brien on Hot Ones Lennart's Mastodon thread xkcd automation
5/6/202430 minutes, 12 seconds
Episode Artwork

Episode 426 - Automatically exploiting CVEs with AI

Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have, there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We really need to rethink how we handle vulnerabilities. Show Notes OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories paper: LLM Agents can Autonomously Exploit One-day Vulnerabilities Cisco Fixes RV320/RV325 Vulnerability by Banning “curl” in User-Agent Episode 219 – Chat with Larry Cashdollar Cory Doctorow: What Kind of Bubble is AI?
4/29/202437 minutes, 31 seconds
Episode Artwork

Episode 425 - Video game cheaters, also pretendo

Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical? Show Notes Hacker News searchable database Benford's law John Oliver Medicaid Mario64 invisible walls Pretendo Pretendo exploit
4/22/202430 minutes, 36 seconds
Episode Artwork

Episode 424 - The Notepad++ Parasite Website

Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice. Show Notes Help us to take down the parasite website Open Source is bigger than you can imagine Toronto Pearson International Airport heist
4/15/202435 minutes, 22 seconds
Episode Artwork

Episode 423 - FCC cybersecurity label for consumer devices

Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really weird and hard problem. Show Notes GrapheneOS FCC approves cybersecurity label for consumer devices Cyber Trust Mark Logo
4/8/202432 minutes, 9 seconds
Episode Artwork

XZ Bonus Spectacular Episode

Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can't fix this problem as it stands, we don't know where to start yet. But that's not a reason to lose hope. We can fix this if we want to, but it won't be flashy, it'll be hard work. Show Notes GossiTheDog's Blog Post fr0gger diagram OpenSSF Blog (archive) stb library
4/1/20241 hour, 1 minute, 4 seconds
Episode Artwork

Episode 422 - Do you have a security.txt file?

Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing. Show Notes RFC 9116
4/1/202430 minutes, 13 seconds
Episode Artwork

Episode 421 - CISA's new SSDF attestation form

Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come. Show Notes Secure Software Development Attestation Form The U.S. Military Is Missing Six Nuclear Weapons NIST 800-218
3/25/202441 minutes, 3 seconds
Episode Artwork

Episode 420 - What's going on at NVD

Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were. Show Notes Anchore's Blog Grype Josh's Cyphercon Talk Ecosyste.ms Episode 266 – The future of security scanning with Debricked
3/18/202439 minutes, 4 seconds
Episode Artwork

Episode 419 - Malicious GitHub repositories

Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of a massive ecosystem like GitHub. Show Notes GitHub besieged by millions of malicious repositories in ongoing attack
3/11/202434 minutes, 6 seconds
Episode Artwork

Episode 418 - Being right all the time is hard

Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that. Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto theft tech device ‘Flipper Zero’ Gmail and Yahoo’s 2024 inbox protections and what they mean for your email program Vending machine error reveals secret face image database of college students
3/4/202430 minutes, 17 seconds
Episode Artwork

Episode 417 - Linux Kernel security with Greg K-H

Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. Show Notes Greg K-H Linux Kernel is a CNA Machine learning and stable kernels Bug reporting for Linux
2/26/202442 minutes, 40 seconds
Episode Artwork

Episode 416 - Thomas Depierre on open source in Europe

Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible. Show Notes Thomas Depierre I am not a supplier Open Source In The European Legislative Landscape devroom Cyber Resilience Act The 2023 Tidelift state of the open source maintainer report
2/19/202442 minutes, 45 seconds
Episode Artwork

Episode 415 - Reducing attack surface for less security

Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it in. It's a weird topic, but probably pretty important. Show Notes How I reduced the size of my very first published docker image by 40% - A lesson in dockerizing shell scripts Hacker News Discussion Episode 293 – Scoring OpenSSF Security Scoring
2/12/202431 minutes, 8 seconds
Episode Artwork

Episode 414 - The exploited ecosystem of open source

Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands. Show Notes Open Source Doesn't Require Providing Builds The things nobody wants to pay for Audacity privacy policy update has caused an outcry The History of X11
2/5/202432 minutes, 26 seconds
Episode Artwork

Episode 413 - PyTorch and NPM get attacked, but it's OK

Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people are watching and it only takes one person to notice a problem and we all benefit. Show Notes Peanut Butter the dog plays Gyromite The Wizard movie PyTorch supply chain attack npm Package Found Delivering Sophisticated RAT Deceptive Deprecation: The Truth About npm Deprecated Packages Changing a lightbulb Spelunking the Bitcoin Blockchain with Josh Bressers | CypherCon 4.0 Operation Triangulation - What You Get When Attack iPhones of Researchers 9th Annual State of the Software Supply Chain
1/29/202435 minutes, 19 seconds
Episode Artwork

Episode 412 - Blame the users for bad passwords!

Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to. Show Notes Security leaders weigh in on 23andme hack Don't need a gun when you have a Donk - Crocodile Dundee 2 Hackers can infect network-connected wrenches to install ransomware My disappointment is immeasurable, and my day is ruined
1/22/202433 minutes, 3 seconds
Episode Artwork

Episode 411 - The security tools that started it all

Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Notes SELinux AppArmor SSH ModSecurity Snort Nmap Nessus What comes after open source
1/15/202429 minutes, 27 seconds
Episode Artwork

Episode 410 - Package identifiers are really hard

Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not. Show Notes OpenSSF CISA response purl CPE OmniBOR SWID
1/8/202431 minutes, 52 seconds
Episode Artwork

Episode 409 - You wouldn't hack a train?

Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It's sort of a dire conversation, but not all hope is lost. Show Notes Polish manufacturer accused of programming failures into its trains to gain more servicing business Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them Blender Conference Keynote Corey Doctorow Chicago has a problem until the year 2083 | Stand-up Maths Chicago Doesn’t Own Its Own Streets | Climate Town
1/1/202435 minutes, 35 seconds
Episode Artwork

Episode 408 - Does Kubernetes need long term support?

Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It's a lively discussion all about the past, present, and future of open source LTS. Show Notes Why Kubernetes needs an LTS Linux gives up on 6-year LTS kernels, says they’re too much work
12/25/202332 minutes, 15 seconds
Episode Artwork

Episode 407 - Should Santa use AI?

It's the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There's some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us in the near future (if it isn't already). While less fun than we had hoped for, it's an important conversation. Show Notes Sea Elf Ollama UnitedHealth uses faulty AI to deny elderly patients medically necessary coverage, lawsuit claims Stephen Fry on AI Lawyer who cited cases concocted by AI asks judge to spare sanctions Hugging Face
12/18/202336 minutes, 23 seconds
Episode Artwork

Episode 406 - The security of radio

Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in the macbooks. The common thread between all these stories is looking at the return on investment for security. Sometimes good enough security is fine, sometimes it's not worth fixing certain security problems because the risk vs reward doesn't work out. Show Notes TETRA:BURST GPS spoofing attack Apple MacBooks cellular radio Mossad vs Not Mossad
12/11/202334 minutes, 41 seconds
Episode Artwork

Episode 405 - Modding games isn't cheating and security isn't fair

Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details and focus on doing something that feels "right". Show Notes Why Capcom thinks PC game modding is akin to “cheating” Ben Heck
12/4/202331 minutes, 47 seconds
Episode Artwork

Episode 403 - Does the government banning apps work?

Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. But the government plays by a very different set of rules. Show Notes Canada bans WeChat, Kaspersky applications on government devices Fitness tracking app Strava gives away location of secret US army bases Phishing emails increase over 1,200 percent since ChatGPT launch FedRAMP Rev 5 FAIR Institute
11/27/202335 minutes, 4 seconds
Episode Artwork

Episode 402 - The EU's eIDAS regulation is a terrible idea

Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it's currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea. Show Notes Mozilla site Root CA mailing list UK eIDAS regulation EFF statement on eIDAS Fixed XKCD comic
11/20/202330 minutes, 29 seconds
Episode Artwork

Episode 401 - Security skills shortage - We've tried nothing and the same thing keeps happening

Josh and Kurt talk about security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there's not a lot of movement to fix many of them. Tech is weird and hard, and with the almost complete lack of regulation creates some of these challenges. In the world of security we need a better talent pipeline, but that takes actual efforts, not just complaining on the internet. Show Notes Schneier on security skill shortage British Airways flight smoke The Password Game Tesla accidents Lawn darts
11/13/202340 minutes, 9 seconds
Episode Artwork

Episode 400 - When can the government hack a victim?

Josh and Kurt talk about a proposed Dutch proposal that would allow the intelligence services to hack victims of adversaries they are in the process of infiltrating. The purpose of this discussion isn't to focus on the Dutch specifically, but rather to discuss the larger topic of government oversight. These are all very new concepts and nobody knows how things should work. Show Notes Dutch hacking proposal Give Me Toilet Paper! by Asuka424 in 9:54 - Summer Games Done Quick 2023 Flipper Zero Smart Meter Frequency Hopping Teri Kanfield
11/6/202332 minutes, 17 seconds
Episode Artwork

Episode 399 - Curl, Security, and Daniel Stenberg

Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, we chat with him about the security of curl. Daniel tells us how curl is kept secure, we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project. Show Notes Daniel's Mastodon account Curl The curl CVE blog Broken curl on PowerShell wolfSSL
10/30/202337 minutes, 53 seconds
Episode Artwork

Episode 398 - Is only 11% of open source maintained?

Josh and Kurt talk about Sonatype's 9th Annual State of the Software Supply Chain. There's a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that's true? Does it really matter? Show Notes Sonatype report ecosyste.ms GNOME libcue flaw Reality 2.0 supply chain episode
10/23/202336 minutes, 49 seconds
Episode Artwork

Episode 397 - The curl and glibc vulnerabilities

Josh and Kurt talk about a curl and glibc bug. The bugs themselves aren't super interesting, but there are other conversations around the bugs that are interesting. Why don't we just rewrite everything in Rust? Why can't we just train developers to stop writing insecure code. How can AI solve this problem? It's a marvelous conversation that ends on the very basic idea: we already have the security the market demands. Unless we change that demand, security won't change. Show Notes Curl vulnerability glibc vulnerability Josh's Badge Project Bob Lord's phishing message
10/16/202334 minutes, 25 seconds
Episode Artwork

Episode 396 - CLAs are bad, Mkay?

Josh and Kurt talk about contributor license agreements (CLAs). CLAs used to be seen as a necessary evil, but they're almost certainly bad now. We're seeing CLAs being abused, it's clear now anything controlled by a CLA won't be open source forever. Show Notes A Theory of Joint Authorship for Free and Open Source Software Projects Bruce Perens: What Comes After Open Source
10/9/202335 minutes, 26 seconds
Episode Artwork

Episode 395 - Uncertainty, trust, and security

Josh and Kurt talk about uncertainty. There are a bunch of stories in the news lately that really just boil down to uncertainty. Uncertainty is incredibly dangerous for everyone. We are afraid of uncertainty, and often don't really understand why it is. Trust is like a currency and uncertainty erodes trust faster than almost anything else. Show Notes Unity's license mess Godot Meta and Salesforce want to re-hire people they fired earlier this year U.S. Debt Credit Rating Downgraded, Only Second Time In Nation’s History
10/2/202333 minutes, 47 seconds
Episode Artwork

Episode 394 - The lie anyone can contribute to open source

Josh and Kurt talk about filing bugs for software. There's the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can't. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it's something that can be actionable. Show Notes Linux is a nightmare Lodash just declared issue bankruptcy and closed every issue and open PR Linux Kernel Faces Reduction in Long-Term Support Due to Maintenance Challenges Curl NULL pointer dereference
9/25/202335 minutes, 48 seconds
Episode Artwork

Episode 393 - Can you secure something you don't own?

Josh and Kurt talk about the weird world we live in how where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how can we decide what to trust and where. It's a very strange problem we experience now. Show Notes Boots theory MGM cybersecurity issue shuts down slot machines and ATMs in Las Vegas casinos New York Fire Department Forcible Entry Reference Guide Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization
9/18/202333 minutes, 47 seconds
Episode Artwork

Episode 392 - Curl and the calamity of CVE

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works. Show Notes Curl blog post Now it's PostgreSQL's turn to have a bogus CVE GitHub Advisory Database Josh's "CVE tried to get me fired" story
9/11/202346 minutes, 25 seconds
Episode Artwork

Episode 391 - The Wordpress 100 year disaster recovery problem

Josh and Kurt talk about wordpress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think about 100 years of disaster recovery. Show Notes WordPress is now selling 100-year domains Danish ransomware 15-Minute City The Year Without Pants
9/4/202339 minutes, 11 seconds
Episode Artwork

Episode 390 - Rust shipping binaries doesn't matter

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the class story of security vs usability. Security is never the primary goal. If a security requirement doesn't also enable other business goals it will fail. We also touch on the news of a Rust package containing binary files. It doesn't really have anything to do with security, it's all about convenience. Show Notes C and C++ Prioritize Performance over Correctness Nisha's toot Barry Marshall Rust devs push back as Serde project ships precompiled binaries Why DARPA Hopes To 'Distill' Old Binaries Into Readable Code Mario 64 decompilation
8/28/202339 minutes, 19 seconds
Episode Artwork

Episode 389 - What would HashiCorp do?

Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward. Show Notes Josh's BSidesLV talk Hacker News marked site as malware HashiCorp license change A Theory of Joint Authorship for Free and Open Source Software Projects
8/21/202342 minutes, 16 seconds
Episode Artwork

Episode 388 - Video game vulnerabilities

Josh and Kurt ask the question what is a vulnerability, but in the framing of video games. Security loves to categorize all bugs as security vulnerabilities or not security vulnerabilities. But the reality nothing is so simple. Everything is a question of risk, not vulnerability. The discussion about video games can help us to better have this discussion. Show Notes Colossus bug Minecraft Heist
8/14/202332 minutes, 40 seconds
Episode Artwork

Episode 387 - Enterprise open source is different

Josh and Kurt talk about the difference between what we think of as traditional open source, and enterprise software projects that have an open source license. They are both technically open source, but how the projects work is very very different. Show Notes CentOS Stream PR The Most Prolific Packager For Alpine Linux Is Stepping Away
8/7/202334 minutes, 4 seconds
Episode Artwork

Episode 386 - We are watching web 2.0 burn

Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad driven companies seem to be acting very strangely, there's probably a reason for this. The way ads used to pay for content is changing, but a lot of these giant companies don't know how to adapt. It's going to be very interesting times in the near future. Show Notes Web Environment Integrity Hacker News Thread Island Browser hunter2
7/31/202331 minutes, 41 seconds
Episode Artwork

Episode 385 - Is open source an insider threat?

Josh and Kurt talk about insider threats, but not quite in the way one would expect. The potential for insider threats is possibly higher than usual right now, but what about open source? Are open source developers insider threats for your organization? Have you ever thought about this before? Show Notes CISA insider threats hacks4pancakes toot Don’t Trust a Programmer Who Knows C++ CISA Insider Threat Mitigation
7/24/202333 minutes, 23 seconds
Episode Artwork

Episode 384 - What's next for open source?

Josh and Kurt talk about some of the efforts to measure and understand open source. There are projects like the OpenSSF Scorecard. We want to measure open source for some idea of quality. Is AI generated code better than a random open source project found on GitHub? Can we track the countries contributors are from? These are all interesting problems that everyone will have to deal with soon. Show Notes OpenSSF Scorecard
7/17/202341 minutes, 8 seconds
Episode Artwork

Episode 383 - Is open source dying?

Josh and Kurt talk about the notion that open source is somehow dying. What's actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great, probably better than ever. Show Notes Open Source isn't sustainable anymore VORON Design Video of the first lathe Plane Crazy Evernote layoffs
7/10/202336 minutes, 40 seconds
Episode Artwork

Episode 382 - Red Hat, you were the chosen one!

Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn't a show that bashes Red Hat, and it's not a show praising them. We take an honest look at the past, present, and future of Linux. There's a lot to talk about in this one. TL;DR, Red Hat was the chosen on, and we all feel betrayed. Show Notes Red Hat's first blog post Red Hat's honest post DeWitt clause
7/3/202337 minutes, 58 seconds
Episode Artwork

Episode 381 - WTF Reddit, APIs and risk

Josh and Kurt talk about the incredible Reddit debacle. At the center of it all is an API. What does it mean to be using an API and how does this relate itself back to our own risk. Many of us rely on APIs for countless things, and if a company decides to cut off that API somehow, it could create a mess. Show Notes Grimace's Birthday Reddit’s new API pricing will kill off Apollo on June 30 Cory Doctorow enshitification Wal Mart pickle story Elon Musk and Mark Zuckerberg agree to hold cage fight
6/26/202336 minutes, 55 seconds
Episode Artwork

Episode 380 - A new Sovereign Tech Fund program and the BBC on destroying hard drives

Josh and Kurt talk about a new program from the Sovereign Tech Fund to fund open source work. It's a great looking program with an acceptable amount of money behind the program. We also talk about a story claiming millions of perfectly good hard drives are destroyed per year. They're probably not OK at all. Show Notes Sovereign Tech Fund Challenges Why millions of usable hard drives are being destroyed LTT Buys Storage Array
6/19/202332 minutes, 50 seconds
Episode Artwork

Episode 379 - Will open source save the world, again?

Josh and Kurt talk about some new open source projects that aim to start taking back some of our privacy and rights. It's a huge hill to climb, but it seems like there is some hope. Open source doesn't care about growth, or numbers, or anything really, so it can't ever lose. Show Notes Codeberg Veilid Hawkins Cheezies Apollo's Reddit API costs
6/12/202334 minutes, 40 seconds
Episode Artwork

Episode 378 - Naming things is harder than security

Josh and Kurt talk about namespaces. They were a topic in the last podcast, and resulted in a much much larger discussion for us. We decided to hash out some of our thinking in an episode. This is a much harder problem than either of us expected. We don't have any great answers, but we do have a lot of questions. Show Notes Not Red Hat NPM hash package Episode 129 – The EU bug bounty program
6/5/202331 minutes, 33 seconds
Episode Artwork

Episode 377 - The world is changing too fast for humans to understand

Josh and Kurt talk about PyPI suspending new accounts and packages for a day, and a 60 minutes story about deepfakes. The problems are mostly the same, but for very different reasons. The world is changing faster than we can keep up, so what is a human to do? Show Notes PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted](https://thehackernews.com/2023/05/pypi-repository-under-attack-user-sign.html) 60 minutes reporter voice clone Cooridor Crew deepfakes Certificate bit flip Candy is delicious
5/29/202337 minutes, 42 seconds
Episode Artwork

Episode 376 - Open Source Summit, who built your open source, and AI

Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen. Show Notes SLSA FRSCA S2C2F MSI leak Intel microcode Tom Scott AI Video
5/22/202336 minutes, 17 seconds
Episode Artwork

Episode 375 - The market forces of left-pad, Episode 77 remaster part 2

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn't there. it may never be there. Rather than whine and complain, we need to work with our constraints. Show Notes Episode 77 – npm and the supply chain
5/15/202329 minutes, 35 seconds
Episode Artwork

Episode 374 - The event we called left-pad, Episode 77 remaster part 1

Josh and Kurt revisit Episode 77, which was named "npm and the supply chain" but was a discussion about the incident we all know now as "leftpad". We didn't understand what was happening at the time, but this would become an event we talk about for years to come. It's shocking how many of the things we discuss are still completely valid five years later. Show Notes Episode 77 – npm and the supply chain
5/8/202329 minutes, 24 seconds
Episode Artwork

Episode 373 – HHGG security, Episode 42 remaster part 2

This is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today. Show Notes Original Episode 42 Part 1
5/1/202334 minutes, 9 seconds
Episode Artwork

Episode 372 - HHGG security, Episode 42 remaster part 1

The podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools and talent has come a long way in the last few years). This is a remaster of Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today. Show Notes Original Episode 42
4/24/202330 minutes, 58 seconds
Episode Artwork

Episode 371 - pip install is the tool we deserve but not the tool we need

Josh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a few years ago, but our needs have changed. Show Notes One Does Not Simply 'pip install' Dag Wieers RPM Webfinger GitHub repo
4/17/202334 minutes, 52 seconds
Episode Artwork

Episode 370 - Open Source is bigger than you can imagine

Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it's mostly one person. It's hard to imagine how this all works sometimes and this lack of understanding can create challenges. Show Notes Josh's blog on the size of NPM One In Two New Npm Packages Is SEO Spam Right Now Linux Kernel power distribution graph
4/10/202334 minutes
Episode Artwork

Episode 369 - OpenAI broke ChatGPT then tried to blame open source

Josh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn't go very well. In this episode Josh and Kurt argue a lot, maybe someday we'll know who was the least wrong. Show Notes ChatGPT Tweet ChatGPT Blog redis bug
4/3/202330 minutes, 47 seconds
Episode Artwork

Episode 368 - The Sovereign Tech Fund with Fiona Krakenbürger

Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it's doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future. Show Notes Fiona on Mastodon Sovereign Tech Fund Sovereign Tech Fund Feasibility Study NJ Governor Requests Expertise of 6 People Who Still Know COBOL OpenSSF Criticality Score European critical open source software OSTIF critical open source projects Apply to the Sovereign Tech Fund
3/27/202339 minutes, 38 seconds
Episode Artwork

Episode 367 - Open source will never be the same

Josh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There's a lot to unpack in this one. There's a lot of happenings going on in the world of open source. We are seeing governments paying attention to open source like never before, change is coming and everything is going to change. Show Notes ipmitool Repository Archived, Developer Suspended By GitHub Elixir: Docker now charges open source orgs $300
3/20/202332 minutes, 56 seconds
Episode Artwork

Episode 366 - Software liability is coming

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it's normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it's coming to an end. Show Notes LTT millenial pause The perverse incentive of vulnerability counting National Cybersecurity Strategy
3/13/202334 minutes, 20 seconds
Episode Artwork

Episode 365 - "I am not your supplier" with Thomas Depierre

Josh and Kurt talk to Thomas Depierre about his "I am not a supplier" blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There's too many topics to even list. The whole episode is an epic adventure through modern open source. Show Notes Thomas on Mastodon I am not a supplier The Treachery of Images (Ceci n'est pas une pipe) Atlantic Council report The Field Guide to Understanding 'Human Error' Google wants new rules for developers working on 'critical' projects Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure Sovereign Tech Fund
3/6/202352 minutes, 3 seconds
Episode Artwork

Episode 364 - Using SBOMs is hard

Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell us different things depending on what we need to know. We also cover some of the community efforts happening around SBOMs. They're still not easy to use, but it's better better. Show Notes SBOM Types draft SBOM Drift OpenSSF SBOM Everywhere
2/27/202336 minutes, 17 seconds
Episode Artwork

Episode 363 - Joylynn Kirui from Microsoft on DevSecOps

Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe. Show Notes Joylynn Kirui Joylynn on DVT Tech Insights Episode 174 - a chat with GitHub about CodeQL S2C2F Azure Open Source Day
2/20/202331 minutes, 2 seconds
Episode Artwork

Episode 362 - A lesson in Rust from Carol Nichols

Josh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it's different. Why Rust doesn't have the same problems C and C++ have, and what the future of it all could look like. It's a really fun show with some great questions from Carol along the way. Show Notes Carol Nichols on Mastodon The Rust Programming Language, 2nd Edition Rust book online Netflix tech blog on Java performance Rust in the context of Railroad Brakes Kees Cook blog - Bounded Flexible Arrays in C Consumer Reports on memory safety OSS-Fuzz and Rust
2/13/202341 minutes, 15 seconds
Episode Artwork

Episode 361 - GitHub got pwnt, but it wasn't very exciting

Josh and Kurt talk about the recent GitHub breach. It wasn't terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. Show Notes GitHub blog post Hacker History Podcast episode with Robert Super Mario 64 decompile Mario 64 built without optimization Link to the Past source code
2/6/202333 minutes, 12 seconds
Episode Artwork

Episode 360 - Memory safety and the NSA

Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can't fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C. Show Notes NSA Releases Guidance on How to Protect Against Software Memory Safety Issues Drum memory and the story of Mel Netflix performance Discord Go vs Rust NVIDIA switch to Spark
1/30/202334 minutes, 58 seconds
Episode Artwork

Episode 359 - The NOTAM outage and other legacy technology

Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It's also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren't any great answers here, but we do ask a lot of questions about long running tech. Show Notes NOTAM outage AIX is not dead IBM Linux commercial Apple A/UX How NOT To Implement the POSIX Standard, Featuring Windows NT iSH Hand Made Vacuum Tubes
1/23/202334 minutes, 37 seconds
Episode Artwork

Episode 358 - Furby vs Alexa

Josh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what's changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like? Show Notes Furby source code Talking Toy Or Spy? Adam Ruins Everything - Why Jaywalking Is a Crime
1/16/202331 minutes, 33 seconds
Episode Artwork

Episode 357 - Is open source being overexploited?

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It's common to think of open source projects as delivered to us, but it's more like acquiring raw materials from the forest. The problem is we're harvesting the raw materials in an unsustainable manner at the moment. Show Notes I am not a supplier Josh's question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesome Games Done Quick GeoGuessr Awesome Games Done Quick 2023
1/9/202334 minutes
Episode Artwork

Episode 356 - LastPass ducked up, now what?

Josh and Kurt talk about the LastPass saga. There's a lot of great explanations about what happened, but there hasn't been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. The real problem is how LastPass is dealing with this, not the technical details. Show Notes Great writeup of LastPass Jeremi M Gosney Mastodon explanation Tavis writeup on password managers Use a Passphrase
1/2/202335 minutes, 12 seconds
Episode Artwork

Episode 355 - Security Boxing Day

Josh and Kurt talk about some security gifts for boxing day. We start out with the idea of the security poverty line and discuss a few ideas for how a low resource group can make their open source more secure. There are no simple answers unfortunately. Show Notes Wendy Nather Security Poverty Line Boots Theory
12/26/202231 minutes, 42 seconds
Episode Artwork

Episode 354 - Jerry Bell tells us why Mastodon is awesome and MFA is hard

Josh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale. Show Notes infosec.exchange MFA discussion Jerry's 2FA advice MalwareTech retracts Mastodon statements
12/19/202231 minutes, 49 seconds
Episode Artwork

Episode 353 - Jill Moné-Corallo on GitHub's bug bounty program

Josh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. Show Notes Jill's Twitter Jill's Mastodon GitHub Bug Bounty Bug bounty scope Eight years of the GitHub Security Bug Bounty program GitHub NPM bug bounty find
12/12/202226 minutes, 18 seconds
Episode Artwork

Episode 352 - Stylometry removes anonymity

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology. Show Notes Hacker News Stylometry Analyzer FBI Profiler on the Unabomber Impersonate Eli Lilly for $8 Shakespeare Stylometry
12/5/202232 minutes, 46 seconds
Episode Artwork

Episode 351 - Is security or usability a law of the universe?

Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic. Show Notes EFF on Mastodon DM privacy Towards End-to-End Encryption for Direct Messages in the Fediverse Pluralistic: 14 Nov 2022 Even if you're paying for the product, you're still the product
11/28/202233 minutes, 29 seconds
Episode Artwork

Episode 350 - Spam, Email, Content Moderation, and Infrastructure Oh My

Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated. Show Notes PowerDMARC Will Dormann GossiTheDog upgrades Exchange lcamtuf's blog I like Ice Cream
11/21/202231 minutes, 56 seconds
Episode Artwork

Episode 349 - The cyber is coming from inside the house - the UK is scanning itself

Josh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder. Show Notes NCSC Scanning information Motherboard podcast about NCIS
11/14/202231 minutes, 19 seconds
Episode Artwork

Episode 348 - OpenSSL is the new lead paint

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. Show Notes OpenSSL Blog Post OpenSSL pre-announcement Mark Cox Tweet 3.0 only affected GossiTheDog NDA Tweet Claims of a name and logo Rustls   Image Credit
11/7/202233 minutes, 55 seconds
Episode Artwork

Episode 347 - Airtags in luggage and weasel security - two peas in a suitcase

Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers. Show Notes Lufthansa bans airtags Airtag stalking problems Lufthansa unbans airtags Cult of the Dead Cow book TV Typewriter Andre the Giant on an airplane Poison Squad
10/31/202233 minutes, 3 seconds
Episode Artwork

Episode 346 - Security and working from home have terrible things in common

Josh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home. Show Notes Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs Business Insider 2 jobs story Ken Thompson lines of code
10/24/202232 minutes, 54 seconds
Episode Artwork

Episode 345 - Cheap hacking devices turn security upside down

Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security? Show Notes Cloning a Rare ISA Card to Use a Rare CD Drive Vintage Tech YouTubers Discussion Panel | VCFMW 17 (2022) Flipper Zero Lock camera HackRF One The history of Hash Reddit post-it notes in apartment
10/17/202230 minutes, 14 seconds
Episode Artwork

Episode 344 - Python tarfile - 2022 is nothing like 2007

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what's OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022. Show Notes CVE-2007-4559 Red Hat Bug Register story Response from upstream Upstream patch ZippSlip Current upstream bug CSURF
10/10/202234 minutes, 50 seconds
Episode Artwork

Episode 343 - Stop trying to fix the open source software supply chain

Josh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. Show Notes Iliana's Twitter There is no “software supply chain” Google supply chain blog GitHub ansi_term advisory PyPI 2FA Dashboard tarfile issue rediscovered in 2022
10/3/202232 minutes, 24 seconds
Episode Artwork

Episode 342 - Programming languages are the new operating system

Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes Kelsey Hightower tweet OSS-Fuzz
9/26/202229 minutes, 56 seconds
Episode Artwork

Episode 341 - Time till open source alternative

Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it. Show Notes Time Till Open Source Alternative GitHub Desktop issue 78 The Reddit Safe
9/19/202235 minutes, 40 seconds
Episode Artwork

Episode 340 - Let's chat about Let's Encrypt with Josh Aas

Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects. Show Notes Josh Aas Internet Security Research Group (ISRG) Let's Encrypt Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas New Major Funding from the Ford Foundation ISRG annual reports Peter Eckersley
9/12/202233 minutes, 54 seconds
Episode Artwork

Episode 339 - Is a network problem a security vulnerability

Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05
9/5/202238 minutes, 12 seconds
Episode Artwork

Episode 338 - The government didn't make vulnerabilities illegal. Yet.

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security. Show Notes The Hacker Mind The Untold Stories of Open Source H.R.7900 - National Defense Authorization Act for Fiscal Year 2023 Kurt's blog post
8/29/202236 minutes, 20 seconds
Episode Artwork

Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why

Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction. Show Notes Dustin Childs ZDI Sloppy Software Patches Are a ‘Disturbing Trend’ Zero Day Initiative launches new bug disclosure timelines ISO 28147
8/22/202231 minutes, 6 seconds
Episode Artwork

Episode 336 - We don't have data, we have security biases

Josh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey. Show Notes Tweet about data The 6 most common types of bias when working with data Syft and Grype stars graph John Snow, Cholera, the Broad Street Pump Bob Lord tweet
8/15/202233 minutes, 31 seconds
Episode Artwork

Episode 335 - Bull*&$% security ideas

Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can. Show Notes The tweet that started it all Mark Loveless Mark Manning Richard (Dick) Brooks @ImbecillicusRex What Train Have We Got? Dan Alejo 🏳️‍🌈 postmodern 🇺🇸 Robert C. Seacord 🇺🇦 Yip Wai Peng Sachin Shahi
8/8/202238 minutes, 47 seconds
Episode Artwork

Episode 334 - Leap seconds break everything

Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here. Show Notes How and why the leap second affected Cloudflare DNS Facebook wants to get rid of leap seconds Leap Smear Falsehoods programmers believe about time
8/1/202232 minutes, 31 seconds
Episode Artwork

Episode 333 - Open Source is unfair

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture. Show Notes Syft Grype Microsoft bans and unbans open source Tidelift survey Bruce Perens - What comes after open source
7/25/202234 minutes, 39 seconds
Episode Artwork

Episode 332 - PyPI: 2FA or not 2FA, that is the question

Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with. Show Notes PyPI announcement NPM expired domains Morten Linderud Tweet Congratulations: We Now Have Opinions on Your Open Source Contributions
7/18/202239 minutes, 1 second
Episode Artwork

Episode 331 - GPG, but nothing makes sense

Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter. Show Notes XKCD signed email Shire calendar Guardian editors destroy Snowden laptop
7/11/202235 minutes, 38 seconds
Episode Artwork

Episode 330 - The sliding scale of risk: seeing the forest for the trees

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. Show Notes gsd.id The Register OpenSSL story OpenSSL bug
7/4/202238 minutes, 22 seconds
Episode Artwork

Episode 328 - The Security of Jobs or Job Security

Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job? Show Notes Tesla Layoffs Coinbase layoffs
6/20/202229 minutes, 57 seconds
Episode Artwork

Episode 327 - The security of alert fatigue

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy open to discussing alert fatigue and why it's important to be very mindful of our communications. Show Notes GitHub 400K notifications Hacker News thread Reddit user TV Bluetooth
6/13/202234 minutes, 4 seconds
Episode Artwork

Episode 326 - Big fat containers

Josh and Kurt talk about containers. There are a lot of opinions around what type of containers is best. Back when it all started there were only huge distro sized containers. Now we have a world with many different container types and sizes. Is one better? Show Notes Programming in the Apocalypse Bob Diachenko Paranoids Podcast
6/6/202237 minutes, 13 seconds
Episode Artwork

Episode 325 - Is one open source maintainer enough?

Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that's "healthy"? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean? Show Notes OpenSSF TAC Issue 101
5/30/202235 minutes, 22 seconds
Episode Artwork

Episode 324 - WTF is up with WFH

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and have a chat about the topic. There's not much security in this one, but it is a fun discussion. Show Notes Boris Johnson blames cheese Apple and WFH
5/23/202235 minutes, 21 seconds
Episode Artwork

Episode 323 - The fake 7-Zip vulnerability and SBOM

Josh and Kurt talk about a fake 7-Zip security report. It's pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. Show Notes Probably fake 7-Zip
5/16/202238 minutes, 13 seconds
Episode Artwork

Episode 322 - Adam Shostack on the security of Star Wars

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book. Show Notes Adam Shostack Adam's Website The book
5/9/202233 minutes, 41 seconds
Episode Artwork

Episode 321 - Relativistic Security: Project Zero on 0day

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking. Show Notes Google Project Zero blog post Apple 0days Joint cyber advisory
5/2/202234 minutes, 11 seconds
Episode Artwork

Episode 320 - Security Twitter is not the real world

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important. Show Notes State of Enterprise Vulnerability Detection and Patch Management CISA Known Exploited Vulnerabilities Catalog Google 0days
4/25/202232 minutes, 4 seconds
Episode Artwork

Episode 319 - Patch Tuesday with a capital T

Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works best for you, not what someone tells you is best. Show Notes Patch Tuesday Git security update
4/18/202230 minutes, 41 seconds
Episode Artwork

Episode 318 - Social engineering and why zlib got a 2018 CVE ID

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. Show Notes Hackers using fake emergency data requests CVE-2018-25032 Global Security Database
4/11/202230 minutes, 10 seconds
Episode Artwork

Episode 317 - The lack of compromise in security

  Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess. Show Notes Josh's Twitter thread How to install week old npm packages
4/4/202232 minutes, 54 seconds
Episode Artwork

Episode 316 - You have to use open source

  Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs are shallow (they're not), the superpower is security bugs in open source can't be ignored. Show Notes node-ipc protestware
3/28/202230 minutes, 44 seconds
Episode Artwork

Episode 315 - Who even makes all these terrible decisions?

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do. Show Notes Ads in Windows Filemanager Russia running out of storage Russia threatens to nationalize industry Onagawa Nuclear Power Plant Cockcroft's Follies German government advises citizens to uninstall Kaspersky
3/21/202233 minutes, 22 seconds
Episode Artwork

Episode 314 - The Linux Dirty Pipe vulnerability

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source. Show Notes Dirty Pipe Writeup
3/14/202226 minutes, 4 seconds
Episode Artwork

Episode 313 - Insecurity at scale

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need to push security forward. Show Notes Stable Linux Kernel and Machine Learning
3/7/202231 minutes, 12 seconds
Episode Artwork

Episode 312 - The Legend of the SBOM

Josh and Kurt talk about SBOMs. Not what they are, there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question if we really need them. SBOMs are part of a future that's still being invented. Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism
2/28/202234 minutes, 17 seconds
Episode Artwork

Episode 311 - Did you scan the QR code?

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn't dangerous. What other security advice just won't go away? Show Notes Coinbase Ad Kurt's Twitter question QR code parking scam Mossad or not Mossad Kurt's talk
2/21/202232 minutes, 1 second
Episode Artwork

Episode 310 - Hayley Tsukayama from the EFF talks about privacy

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don't have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it's easy to see how the EFF became the jewel of the Internet. Show Notes Hayley's Twitter EFF How to Fix the Internet Episode 277 – Privacy and activism with Chris Weiland Washington State privacy bill Join the EFF (seriously, do this!)
2/14/202237 minutes, 18 seconds
Episode Artwork

Episode 309 - The bright future of open source security

Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes NPM requires 2FA OpenSSF Alpha and Omega David A. Wheeler episode Linux Foundation LFX Samba Advisory
2/7/202231 minutes, 56 seconds
Episode Artwork

Episode 308 - Welcome to the jungle - How to talk about open source security

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It's hard to talk about security sometimes. Show Notes Josh's computer vision code Twitter secrets Qualys pwnkit
1/31/202231 minutes, 19 seconds
Episode Artwork

Episode 307 - Got vulnerabilities? Introducing GSD

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers. Show Notes We rate dogs Racoons that heal your sadness Global Security Database Episode 261 – DWF is back! Welcome to community powered CVE GSD mailing list GSD Circle group GSD Database GSD Project Plan
1/24/202230 minutes, 34 seconds
Episode Artwork

Episode 306 - Open source isn't broken, it's an experience

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. Show Notes Developer corrupts colors and faker Will Wright Pee Internet Anonymity
1/17/202235 minutes, 19 seconds
Episode Artwork

Episode 305 - Norton, Ethereum, NFT, and Apes

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world of cryptocurrency is very confusing for normal people. None of this is new, there have always been con artists, there will always be con artists. Show Notes Norton Crypto FAQ Stolen Ape Smart contract to buy the constitution YEAR token
1/10/202231 minutes, 14 seconds
Episode Artwork

Episode 304 - Will we ever fix all the vulnerabilities?

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it is no is very complicated. Far more complicated than either of us thought it would be. Show Notes Will cyber security vulnerabilities ever "stop existing" ?
1/3/202234 minutes, 11 seconds
Episode Artwork

Episode 303 - Log4j Christmas Spectacular!

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event, I'm sure we'll be talking about it well into the future. Log before Christmas poem 'Twas the night before Christmas, when all through the stack Not a scanner was scanning, not even a rack, The SBOMs were uploaded to the portal with care, In hopes that next year would be boring and bare The interns were nestled all snug at their beds; While visions of dashboards danced in their heads; The CISO in their 'kerchief, and I in my cap, Had just slept our laptops for a long winter's nap, When all of a sudden the pager went ack ack I sprang to my laptop with worries of attack Away to the browser I flew like a flash, Tore open the window and cleared out the cache The red of the dashboard the glow of the screen Gave a lustre of disaster my eyes rarely seen When what to my wondering eyes did we appear, But a new advisory and eight vulnerabilities to fear, Like a little old hacker all ready to play, I knew in a moment it must be Log4j More rapid than gigabit its coursers they came, And it whistled, and shouted, and called them by name: "Now, Log4Shell! now CVE! now ASF and NVD! On, CISA! on, LunaSec! on, GossiTheDog! To the top of the HackerNews! to the top of the wall! Now hack away! hack away! hack away all!" Like the bits that before the wild CDN fly by When they meet with a firewall, they mount to the sky; So up to the cloud like bastards they flew With tweets full of vulns, and Log4j too— And then, in a twinkling, I read in the slack The wailing and screaming of each analyst called back As I drew in my head, and was turning around, Down the network Log4j came with a bound. It was dressed in a hoodie, black and zipped tight, The clothes were all swag from a conference one night A bundle of vulns it had checked in its git And it looked like a pedler just being a twit The changelog—how it twinkled! its features, how merry! Its versions were like roses, its logo like a cherry! Its droll little mouth was drawn up like an at, And the beard on its chin made it look stupid and fat The stump of a diff it held tight in its teeth, And the bits, they encircled the repo like a wreath; It had a flashy readme an annoying little fad That shook when it downloaded, like a disk drive gone bad It was chubby and plump, an annoying old package, And I laughed when I saw it, in spite of the hackage A wink of its bits and a twist of its head Soon gave me to know I had everything to dread It spoke not a word, but went straight to its work, And pwnt all the servers; then turned with a jerk, And laying its patches aside of its nose, And giving a nod, up the network it rose; It sprang to its packet, to its team gave them more, And away they all fled leaving behind a back door But I heard it exclaim, ere it drove out of sight— “Merry Christmas you nerds, Log4j won tonight!”
12/27/202134 minutes, 37 seconds
Episode Artwork

Episode 302 - Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then. Good luck to everyone dealign with this thing Show Notes Log4j GSD entry Minecraft server discussion Log4j GitHub issue 608
12/20/202133 minutes, 49 seconds
Episode Artwork

Episode 301 - You're holding it wrong: the importance of unlearning

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way to too good to ignore. Show Notes Lawfare Apple NSO podcast New way to play Tetris
12/13/202131 minutes, 52 seconds
Episode Artwork

Episode 300 - Apple vs NSO: What can copyright do for you?

the lawsuit is based on CFAA, not on copyright. We apologize for this enormous oversight. Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn't always make sense. Copyright has been used by open source to expand rights, and many companies to restrict rights. It's a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens. Show Notes Apple sues NSO group VMWare EULA
12/6/202131 minutes, 41 seconds
Episode Artwork

Episode 299 - Experts From A World That No Longer Exists

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of security and tech and disagree about how to best keep your skills up to date. Show Notes Experts From A World That No Longer Exists Neuroplasticity Scotty and the mouse Git 2.34 4H Public Speaking
11/29/202134 minutes, 54 seconds
Episode Artwork

Episode 298 - David A Wheeler discusses the OpenSSF

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects. Show Notes David A Wheeler Episode 14 – David A Wheeler: CII Badges Sigstore joins the OpenSSF OpenSSF Technical Working Groups NPM requires MFA LISH Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks
11/22/202138 minutes, 26 seconds
Episode Artwork

Episode 297 - 25 years of smashing stacks, fun, and profit

Josh and Kurt talk about the famous Phrack 49 article "Smashing the Stack for Fun and Profit" turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making exploiting stack overflows easier, to defenders creating technologies such as stack canaries are the direct result of this work. Show Notes Phrack 49 Kurt's Interview with Elias Levi aka Aleph One
11/15/202133 minutes, 35 seconds
Episode Artwork

Episode 296 - Is Trojan Source a vulnerability?

Josh and Kurt talk about the new Trojan Source bug. We don't always agree on if this is a vulnerability (it's not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don't live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one. Show Notes Trojan Source oss-security message GitHub example
11/8/202133 minutes, 58 seconds
Episode Artwork

Episode 295 - Open source security isn't free

Josh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. Show Notes UAParser.js CISA announcement
11/1/202133 minutes, 22 seconds
Episode Artwork

Episode 294 - Chris Wysopal on the state of security education

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security. Show Notes Chris Wysopal Veracode l0phtcrack
10/25/202132 minutes, 19 seconds
Episode Artwork

Episode 293 - Scoring OpenSSF Security Scoring

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no brainier activities. We go through the list of metrics being measured. There are only a few that we don't think are fantastic. Show Notes 4 of spades OpenSSF Chris Montgomery audio explanation Scorecard 3.0.0 Scoring criteria Python Skeleton
10/18/202134 minutes, 15 seconds
Episode Artwork

Episode 292 - Apache RCE and Twitch epic pwn

Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn't matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard. Show Notes Parasocial Relationship Twitch Hack Soviet B-29 Clone Apache CVE Apache Advisory GossiTheDog Tweet Hacker Fantastic exploit
10/11/202130 minutes, 5 seconds
Episode Artwork

Episode 291 - Everyone sucks at vulnerability disclosure

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you'll have some fun and learn a bit about the whole vulnerability disclosure process. Show Notes Apple 0days Microsoft Exchange flaw THIS IS HOW THEY TELL ME THE WORLD ENDS Linux Foundation Vulnerability Disclosure Timezone problem
10/4/202135 minutes, 26 seconds
Episode Artwork

Episode 290 - The security of the Matrix

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit. How a lot of the plot is a bit silly. It's a really fun episode. Show Notes Matrix 4 trailer nmap in the Matrix VFX Artists react to the Mandalorian Glasshouse Universal Paperclips
9/27/202135 minutes, 19 seconds
Episode Artwork

Episode 289 - Who left this 0day on the floor?

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It's certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal. Show Notes Matrix 4 trailer Travis CI issue Apple 0day patches Chrome 0day patches CGP Grey Where is the European Union
9/20/202133 minutes, 15 seconds
Episode Artwork

Episode 288 - Linux Kernel compiler warnings considered dangerous

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that goes against how GitHub works. They're also turning all compiler warnings into errors. It's really interesting to understand what these steps mean today, and what they could mean in the future. Show Notes The Register Linux story OpenSSL Release Notes
9/13/202136 minutes
Episode Artwork

Episode 287 - Is GitHub's Copilot the new Clippy?

Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came? Show Notes GitHub Copilot Copilot research paper
9/6/202131 minutes, 53 seconds
Episode Artwork

Episode 286 - Open source supply chain with Google's Dan Lorenc

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space and what sort of new thing scan we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more. Show Notes Dan's Twitter Sigstore SLSA Framework
8/30/202137 minutes, 32 seconds
Episode Artwork

Episode 285 - Open source owes you nothing!

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren't a help desk. Show Notes Emacs closes 45% of bugs UVI Tesla investigation UK COVID spreadsheet
8/23/202132 minutes, 5 seconds
Episode Artwork

Episode 284 - What happens when we DRM power tools?

Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this. What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don't have any real answers for. Show Notes Home Depot power tools Ray Ozzie's IoT board First-sale doctrine
8/16/202135 minutes, 4 seconds
Episode Artwork

Episode 283 - When vulnerability disclosure becomes dangerous

Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It's less simple than it sounds, many of the choices could end up harming victims. Show Notes Disclosure Dilemmas @evacide Bob Diachenko This Is How They Tell Me The World Ends
8/9/202134 minutes, 46 seconds
Episode Artwork

Episode 282 - The security of Rust: who left all this awesome in here?

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn't always obvious when you're in the middle of progress. Show Notes Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming Josh's devopsdays talk Microsoft moved font handling out of the kernel Atari 2600 emulator in Minecraft Rate of technology adoption
8/2/202130 minutes, 36 seconds
Episode Artwork

Episode 281 - If you spy on journalists, you're the bad guys

Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake up call for anyone creating devices and systems that could be attacked, it's time to segment services. There's not a lot individuals can do at this point, but we have some ideas at the end of the episode. Show Notes NSO Group spying Technical details Twitter thread Are we the Baddies?
7/26/202132 minutes, 56 seconds
Episode Artwork

Episode 280 - The perils of Single Sign On

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us, if we lose access to our SSO account we will lose access to many services. Show Notes Postbank
7/19/202130 minutes, 55 seconds
Episode Artwork

Episode 279 - The audacity of Audacity: When open source goes rogue

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it? Show Notes SGDQ Paper Mario Paper Mario Arbitrary Code Execution explained Freenode Audacity acquired by Muse Group Audacity fork
7/12/202131 minutes, 5 seconds
Episode Artwork

Episode 278 - Could SELinux have stopped SolarWinds?

Josh and Kurt talk about a listener provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it's very difficult to sandbox something like a build system. Show Notes Gone in 60 milliseconds
7/5/202130 minutes, 12 seconds
Episode Artwork

Episode 277 - Privacy and activism with Chris Weiland

Josh and Kurt talk to Chris Weiland from Restore the Fourth Minnesota. Restore The Fourth Minnesota is nonprofit dedicated to restoring the Fourth Amendment to the U.S. Constitution and ending unconstitutional mass government surveillance. Chris drops a ton of knowledge about how to be an effective tech activist, what his group is doing, and most importantly we get actionable advice! Show Notes Restore the Fourth Minnesota Restore the Fourth Minnesota on Twitter Writ of assistance Carpenter vs United States How many US federal laws are there? Restore the Fourth Episode 114 – Review of "Click Here to Kill Everybody" EFF EFA ACLU affiliates Glenn Greenwald TED talk
6/28/202131 minutes, 18 seconds
Episode Artwork

Episode 276 - Security, behavior, and the environment

Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what's happening around us when everything is related. Show Notes Judges more lenient after a break Dungeons and Data Poverty changes your DNA
6/21/202128 minutes, 12 seconds
Episode Artwork

Episode 275 - What in the @#$% is going on with ransomware?

Josh and Kurt talk about why it seems like the world of ransomware has gotten out of control in the last few weeks. Every day there's some new and more bizarre ransomware story than we had yesterday. Show Notes Spurious Correlations Ransom recovered Adam Shostack Ransomware is not the problem Latvian Woman charged for writing ransomware
6/14/202128 minutes, 1 second
Episode Artwork

Episode 274 - Mr. Amazon's Neighborhood

Josh and Kurt talk about Amazon sidewalk. There is a lot of attention, but how is this any different than the surveillance networks Apple and Google have built? Show Notes Amazon Sidewalk Ads and toothpaste Airtags and stalking
6/7/202128 minutes, 49 seconds
Episode Artwork

Episode 273 - Can we stop the coming artificial unintelligence deluge?

Josh and Kurt talk about AI driven comments. We live in a world of massive confusion and disruption where what is true and false, real and fake, are often widely debated. As AI grows and evolves what does it mean for this future? We don't really have any answers, but we ask a lot of questions. This isn't easy, nor will it be solved quickly, but solving it is not optional. Show Notes AIs and Fake Comments ACLU AMA Cloudflare Cryptographic Attestation of Personhood Evil bit Boris Johnson Painting Buses
5/31/202131 minutes, 4 seconds
Episode Artwork

Episode 272 - The Biden Cybersecurity Executive Order

Josh and Kurt talk about the Biden Administration new cybersecurity executive order. There are some good ideas in there, but at the end of the day it's an unfunded mandate. Unfunded mandates are difficult to implement. Show Notes Biden Executive Order Fact Sheet Obama's cyber EO
5/24/202131 minutes, 12 seconds
Episode Artwork

Episode 271 - Pipeline security: There is no problem humans can't make worse

Josh and Kurt talk about how people handle problems. We open with the story of the Colonial Pipeline hack, but then go into some of the ways people tend to make problems worse. Show Notes Male vs Female trees Pipeline hack XKCD Pipelines TSA Pipeline Security
5/17/202131 minutes, 22 seconds
Episode Artwork

Episode 270 - Hello dark patterns my old friend

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse a user into doing something they don't want to, like unknowingly purchasing a monthly subscription to something you don't need or want. The US Federal Trade Commission is starting to discuss dark patterns in webs sites and apps. Show Notes Dark Patterns Types of Dark Patterns FTC Bringing Dark Patterns to Light LTT Dell Warranty
5/10/202132 minutes, 27 seconds
Episode Artwork

Episode 269 - Do not experiment on the Linux Kernel

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There's a lot to unpack in this one, but the TL;DR is you probably don't want to experiment on the kernel. Show Notes Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research University of Minnesota security researchers apologize for deliberately buggy Linux patches The International Obfuscated C Code Contest
5/3/202129 minutes, 5 seconds
Episode Artwork

Episode 268 - Can we trust any 3rd parties?

Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust? Show Notes Europe and 5G Codecov Codecov Reuters story Red Hat OpenSSH advisory
4/26/202130 minutes, 4 seconds
Episode Artwork

Episode 267 - Does 0day still mean 0day?

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that's OK. Show Notes Hacker History Podcast Chrome 0day NTFS Documentation
4/19/202128 minutes, 28 seconds
Episode Artwork

Episode 266 - The future of security scanning with Debricked

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like. Show Notes Debricked Emil's Linkedin
4/12/202128 minutes, 49 seconds
Episode Artwork

Episode 265 - The lies closed source can tell, open source can't

Josh and Kurt talk about the PHP backdoor and the Ubiquity whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information. Show Notes PHP backdoor Ubiquity coverup 3D printed TSA keys LockPickingLaywer Determining Key Shape from Sound Lock camera
4/5/202131 minutes, 12 seconds
Episode Artwork

Episode 264 - DevSecOps with GitLab's Mark Loveless

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It's a great conversation. Show Notes Mark Loveless Twitter GitLab GitLab Handbook How we approach open source security PASTA threat modeling GitLab security features Tales from the Past - "You Tested Positive for TNT"
3/29/202133 minutes, 9 seconds
Episode Artwork

Episode 263 - GitHub pulls exploits, LinuxFoundation sign all the things

Josh and Kurt talk about how terrible daylight savings is. GitHub yanking some exploit code. And the Linux Foundation new project to sign all the things. Show Notes Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github GitHub content restrictions Reproducing the Microsoft Exchange Proxylogon Exploit Chain
3/22/202132 minutes, 23 seconds
Episode Artwork

Episode 262 - A discussion with Loris and Pop from Sysdig

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, they huge code donation to the CNCF and what securing a modern infrastructure looks like today. Show Notes Sysdig Falco Loris' Twitter Dan "Pop" Popandrea's Twitter Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF pdig Sysdig 2021 container security and usage report: Shifting left is not enough
3/15/202131 minutes, 19 seconds
Episode Artwork

Episode 261 - DWF is back! Welcome to community powered CVE

Josh and Kurt talk about DWF. It's back and the intention is to have real community driven security identifiers! Show Notes Committee vs Community dwflist repo dwf-request tooling repo dwf-workflow policy repo CVE plateua graph iwantacve.org
3/8/202132 minutes, 9 seconds
Episode Artwork

Episode 260 - Dave Jevans tells us what CipherTrace is up to

Josh and Kurt talk with Dave Jevans CEO of CipherTrace and chairman of the anti-phishing working group about the challenges of keeping track of cryptocurrency in the modern age. Show Notes Dave's Twitter CipherTrace Anti Phishing Working Group
3/1/202129 minutes, 20 seconds
Episode Artwork

Episode 259 - What even is open source anymore?

Josh and Kurt talk about the question "what is open source?" Why do we think it's broken today, and what sort of ideas about what should come next. Show Notes OSI Bruce Perens Post Open Source Josh's community blog post Corey Doctorow Uber Twitter thread
2/22/202133 minutes, 10 seconds
Episode Artwork

Episode 258 - Stop using C

Josh and Kurt talk about the Google Project Zero report titled "A Year in Review of 0-days Exploited In-The-Wild in 2020". It's a cool report but we don't agree on the conclusion. The answer isn't to security harder, it's to stop using C. Show Notes Google Project Zero Year of 0-days Kurt's CUPS tweet
2/15/202130 minutes, 21 seconds
Episode Artwork

Episode 257 - The sudo and libgcrypt vulnerabilities

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What's the deal with these buffer overflows and TOCTU bugs? Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow
2/8/202131 minutes, 42 seconds
Episode Artwork

Episode 256 - 9 bits of podcast, 8 bits of computing

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think. Show Notes Legend of Zelda Random Number Generation Green rocket flame SR71 leaked fuel How do Namibian Himbas see colour? Suptuple meter music
2/1/202131 minutes, 47 seconds
Episode Artwork

Episode 255 - What if security wasn't joyless?

Josh and Kurt talk about what we can stop doing. We take a position of asking "does it spark joy" for tools and infrastructure. Everyone is doing something they should stop. Show Notes Does it spark joy?
1/25/202130 minutes, 19 seconds
Episode Artwork

Episode 254 - Right to Repair Security

Josh and Kurt talk about the new right to repair rules in the EU. There's a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years. Show Notes EU right to repair repair.eu
1/18/202130 minutes, 56 seconds
Episode Artwork

Episode 253 - Defenders only need to be right once

Josh and Kurt talk about this idea that seems to exist in security of "attackers only need to be right once" which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But "defenders only need to be right once" isn't going to sell any products. Show Notes Richard Feynman and manhole covers Richard Feynman on Why He Can't Tell You How Magnets Work Israeli airport security FAA stolen sweater XKCD Is it worth the time CGP Grey The trouble with transporters
1/11/202132 minutes, 22 seconds
Episode Artwork

Episode 252 - Is open source dangerous? Open source won, who cares, shut up!

Josh and Kurt talk about a report on open source security from the Canadian Centre for Cyber Security. The title pretty much sums it up. Show Notes Security Considerations for Open Source Build an 8 bit computer from scratch
1/4/202128 minutes, 56 seconds
Episode Artwork

Episode 251 - Communication is hard, security communication is more hard

Josh and Kurt talk about communication. It's really hard to talk about a lot of what we do. How do we know if a device is secure? How do we know our knowledge is correct? Show Notes 90 percent of U.S. bills carry traces of cocaine Is the moon a star or planet? A mole of moles New homeowner 'freaked out' when stranger took control of her security system Coffee maker ransomware NIST Phish Scale The metric system Operation Paperclip
12/28/202031 minutes, 26 seconds
Episode Artwork

Episode 250 - Door 25: Why do we do the things we do? Question everything

Josh and Kurt talk about why we do the things we do. Sometimes we have to question everything. Links SLAM missile
12/25/20206 minutes, 54 seconds
Episode Artwork

Episode 249 - Door 24: Information wants to be free

Josh and Kurt talk about the idea of information wanting to be free. It's Christmas, we should give it what it wants! Links Hacker Manifesto
12/24/20205 minutes, 44 seconds
Episode Artwork

Episode 248 - Door 23: How to report 1000 security flaws

Josh and Kurt talk about how to file 1000 security flaws. One is easy, scale is hard.
12/23/20205 minutes, 25 seconds
Episode Artwork

Episode 247 - Door 22: How to report one security flaw

Josh and Kurt talk about how to report one security flaw
12/22/20205 minutes, 14 seconds
Episode Artwork

Episode 246 - Door 21: Bug bounties

Josh and Kurt talk about bug bounties
12/21/20205 minutes
Episode Artwork

Episode 245 - Door 20: Is SMS 2FA better than no 2FA?

Josh and Kurt talk about if SMS 2 factor auth is better than no 2FA Links Cyber deepfaked their host
12/20/20205 minutes, 8 seconds
Episode Artwork

Episode 244 - Door 19: TLS certificate trust

Josh and Kurt talk about modern TLS certificate trust
12/19/20205 minutes, 23 seconds
Episode Artwork

Episode 243 - Door 18: Don't roll your own crypto or auth

Josh and Kurt talk about why it's a horrible idea to roll your own crypto or auth
12/18/20205 minutes, 1 second
Episode Artwork

Episode 242 - Door 17: Vulnerability response

Josh and Kurt talk about vulnerability response. What is it, what does it mean, how does it work
12/17/20205 minutes
Episode Artwork

Episode 241 - Door 16: 16 bits of change

Josh and Kurt talk about the switch from 16 to 32 to 64 bit and even the changes from Intel to ARM
12/16/20205 minutes, 4 seconds
Episode Artwork

Episode 240 - Door 15: Supplier compliance

Josh and Kurt talk about supplier compliance Links Annex A.15.1 of ISO 27001:2013 Episode 162 – SBOM with Allan Friedman
12/15/20205 minutes, 10 seconds
Episode Artwork

Episode 239 - Door 14: Backdoors

Josh and Kurt talk about backdoors in open source software
12/14/20205 minutes, 6 seconds
Episode Artwork

Episode 238 - Door 13: Unlucky or survivor bias?

Josh and Kurt talk about the unluckiest man in the world and survivor bias Links Unluckiest man in the world
12/13/20204 minutes, 59 seconds
Episode Artwork

Episode 237 - Door 12: Video game hacking

Josh and Kurt talk about video game hacking. The speedrunners are doing the best security research today Links Super Mario World RCE
12/12/20204 minutes, 54 seconds
Episode Artwork

Episode 236 - Door 11: Should you get on a 737?

Josh and Kurt talk about the safety of a 737 Links FAA says 737 is safe
12/11/20205 minutes, 4 seconds
Episode Artwork

Episode 235 - Door 10: Deciding what information matters

Josh and Kurt talk about Apple leaking internal IP addresses. Sometimes we create our own emergencies over things that don't matter. Links Apple's internal IP addresses
12/10/20205 minutes, 10 seconds
Episode Artwork

Episode 234 - Door 09: public key cryptography

Josh and Kurt talk about public key cryptography
12/9/20205 minutes, 19 seconds
Episode Artwork

Episode 233 - Door 08: man 8 security

Josh and Kurt talk about the OpenBSD security(8) man page and the importance of automating security Links OpenBSD security(8) page
12/8/20205 minutes, 26 seconds
Episode Artwork

Episode 232 - Door 07: 7 is the best prime, 2 is the dumbest

Josh and Kurt talk about prime numbers
12/7/20205 minutes, 20 seconds
Episode Artwork

Episode 231 - Door 06: 6 wifi risks ... that don't actually matter

Josh and Kurt talk about the non problems with public wifi we love to pretend matter Links The Half Dozen Risks of Using Dirty Public Wi-Fi Networks
12/6/20205 minutes, 9 seconds
Episode Artwork

Episode 230 - Door 05: 5 reasons you need 24/7 robot monitoring

Josh and Kurt talk about why you need 24/7 monitoring of all the things Links Swiss air force office hours DC-10 cargo door
12/5/20204 minutes, 33 seconds
Episode Artwork

Episode 229 - Door 04: EFF's Cover Your Tracks

Josh and Kurt talk about how the EFF is helping us prevent Internet tracking Links EFF Cover Your Tracks
12/4/20205 minutes, 3 seconds
Episode Artwork

Episode 228 - Door 03: Do all vulnerabilities matter equally?

Josh and Kurt talk about how many security vulnerabilities matter enough to fix? Links A Third of Known Computer Security Flaws Have No Solution Episode 162 – SBOM with Allan Friedman
12/3/20205 minutes
Episode Artwork

Episode 227 - Door 02: Marketing department or selection bias?

Josh and Kurt talk about cybersecurity statistics and the value of the data we have. Links 24 Cybersecurity Statistics That Matter In 2020
12/2/20204 minutes, 26 seconds
Episode Artwork

Episode 226 - Door 01: Advent calendars

Josh and Kurt talk about advent calendars. We are publishing 25 5 minute episodes in 25 days. Also portable X-ray machines.
12/1/20204 minutes, 58 seconds
Episode Artwork

Episode 225 - Who is responsible if IoT burns down your house?

Josh and Kurt talk about the safety and liability of new devices. What happens when your doorbell can burn down your house? What if it's your fault the doorbell burned down your house? There isn't really any prior art for where our devices are taking us, who knows what the future will look like. Show Notes Ring Doorbell recall Ring incorrect screw diagram Punctured battery Episode 145 – What do security and fire have in common? Phillips vs Robertson screws wendy knox everette Wendy's presentation on legal liability Tim Burners-Lee privacy company
11/23/202030 minutes, 40 seconds
Episode Artwork

Episode 224 - Are old Android devices dangerous?

Josh and Kurt talk about what happens when important root certificates expire on old Android devices? Who should be responsible? How can we fix this? Is this even something we can or should fix? How devices should age is a really hard problem that needs a lot of discussion. Show Notes Unboxing coins Old Android devices certificate store Steve1989MREInfo
11/16/202031 minutes, 38 seconds
Episode Artwork

Episode 223 - Full disclosure won, deal with it

Josh and Kurt talk about the idea behind the full disclosure of security vulnerability details. There have been discussions about this topic for decades with many people on all sides of the issue. The reality is however, if you look at the current state of things, this discussion is settled, full disclosure won. Show Notes Hacker One 100 million payout Project Zero bug Remington gun trigger class action lawsuit Square windows on a plane
11/9/202030 minutes, 49 seconds
Episode Artwork

Episode 222 - HashiCorp Boundary with Jeff Mitchell

Josh and Kurt talk to Jeff Mitchell about the new HashiCorp project Boundary. We discuss what Boundary is, why it's cooler than a VPN, and how you can get involved. Show Notes Jeff Mitchell HashiCorp Boundary announcement Discuss forum Boundary Project Boundary GitHub
11/2/202029 minutes, 54 seconds
Episode Artwork

Episode 221 - Security, magic, and FaceID

Josh and Kurt talk about how to get started in security. It's like the hero's journey, but with security instead of magic. We then talk about what Webkit bringing Face ID and Touch ID to the browsers will mean. Show Notes Hero's Journey Mudge's Tweet L0pht at Congress Bob Ross Webkit Face ID and Touch ID for the Web
10/26/202030 minutes, 43 seconds
Episode Artwork

Episode 220 - Securing network time and IoT

Josh and Kurt talk about Network Time Security (NTS) how it works and what it means for the world (probably not very much). We also talk about Singapore's Cybersecurity Labelling Scheme (CLS). It probably won't do a lot in the short term, but we hope it's a beacon of hope for the future. Show Notes Network Time Security NTP and the University of Wisconsin Cybersecurity Labelling Scheme (CLS)
10/19/202030 minutes, 48 seconds
Episode Artwork

Episode 219 - Chat with Larry Cashdollar

Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it! Show Notes Akamai Larry's website Larry's First CVE
10/12/202032 minutes, 14 seconds
Episode Artwork

Episode 218 - The past was a terrible place

Josh and Kurt talk about change. Specifically we discuss how the past was a terrible place. Never believe anyone who tells you it was better. Part of a career now is learning how to learn. The things you learn today won't be useful skills in a few years. The future is is always better than the past. Even in 2020. Show Notes I no longer build software Temple OS Top Gear electric car 1959 Bel Air crash test
10/5/202029 minutes, 35 seconds
Episode Artwork

Episode 217 - How to tell your story with Travis Murdock

Josh and Kurt talk to Travis Murdock about how to tell your story. Travis explains how to talk to the press and how to tell our story in a way that helps get our message across and lets the reporter do their job better. Show Notes Ruder Finn CVE-2009-3555 Heartbleed
9/28/202029 minutes, 53 seconds
Episode Artwork

Episode 216 - Security didn't find life on Venus

Josh and Kurt talk about how we talk about what we do in the context of life on Venus. We didn't really discover life on Venus, we discovered a gas that could be created by life on Venus. The world didn't hear that though. We have a similar communication problem in security. How often are your words misunderstood? Show Notes Phosphine on Venus GPS and relativity
9/21/202031 minutes, 33 seconds
Episode Artwork

Episode 215 - Real security is boring

Josh and Kurt talk about attacking open source. How serious is the threat of developers being targeted or a git repo being watched for secret security fixes? The reality of it all is there are many layers in a security journey, the most important things you can do are also the least exciting. Show Notes Targeting developers XKCD Infrastructure comic Hiding security flaws in git Mossad vs Not-Mossad (PDF warning)
9/14/202030 minutes, 8 seconds
Episode Artwork

Episode 213 - Security Signals: What are you telling the world

Josh and Kurt talk about how your actions can tell the world if you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously. Show Notes Reddit carbon monoxide Part 1 Part 2 GCP Grey minus infinity Josh's blog post
9/7/202032 minutes, 29 seconds
Episode Artwork

Episode 212 - Grab Bag: The Security We Deserve Edition

Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas. Show Notes Blanket rack Chromium DNS traffic Ubuntu MOTD Microsoft telemetry YAM coin implodes Panda Cubs
8/31/202029 minutes, 35 seconds
Episode Artwork

Episode 211 - The only thing harder than signing files is managing users

Josh and Kurt talk about the Microsoft 2 year old signature bug and Github no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks
8/24/202029 minutes, 58 seconds
Episode Artwork

Episode 210 - Cult of Information Security

Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It's not all bad though, there are some things we can do to help move things forward. This episode shouldn't be taken too seriously. Show Notes "cult of information security" How to start a cult
8/17/202028 minutes, 27 seconds
Episode Artwork

Episode 209 - Secure Boot isn't Secure

Josh and Kurt talk about Secure Boot. The conversation uses the recent "Boot Hole" vulnerability to frame a conversation about what Secure Boot is and isn't. Why the Boot Hole flaw doesn't really matter, and why Secure Boot was very scary for Linux users back when it came out. Show Notes Boot Hole
8/10/202033 minutes, 54 seconds
Episode Artwork

Episode 208 - Passwords are pollution

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it's we don't have metrics. Can you measure not getting hacked? Show Notes Clearing checks FAIR Institute Factorio
8/3/202032 minutes, 28 seconds
Episode Artwork

Episode 207 - Weaponized attention

Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text. How we create, and how social media is doing everything it can to weaponize our attention. It's not a fight humanity is winning. Show Notes GPT-3 AI Blipverts
7/27/202033 minutes, 2 seconds
Episode Artwork

Episode 206 - Confidential Virtual Machines; The future of cloud computing

Josh and Kurt talk about Google's new confidential VMs. The AMD Secure Encrypted Virtualization is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud. Show Notes Google confidential VMs AMD SEV SEV vs SGX
7/20/202031 minutes, 9 seconds
Episode Artwork

Episode 205 - The State of Open Source Security with Alyssa Miller from Snyk

Josh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we're seeing in open source security. Some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It's a great conversation! Show Notes The State of Open Source Security 2020 Alyssa's Twitter
7/13/202031 minutes, 37 seconds
Episode Artwork

Episode 204 - What Would Apple Do?

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables
7/6/202032 minutes, 53 seconds
Episode Artwork

Episode 203 - Humans, conferences, and security: let me think and get back to you in a bit

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren't what they used to be, but things like BSides are great experiences. Show Notes Security and Human Behaviour Josh's blog post Mudge's Twitter thread
6/29/202032 minutes, 37 seconds
Episode Artwork

Episode 202 - The convergence of application security

Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution? Show Notes Picture of Kurt's security check-up Dragon controls
6/22/202029 minutes, 18 seconds
Episode Artwork

Episode 201 - We broke CVSSv3, now how do we fix it?

Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? Show Notes Josh's blog post NVD Red Hat security data Josh's CVE data project Microsoft security ratings scale
6/15/202031 minutes, 20 seconds
Episode Artwork

Episode 200 - Talking Container Security with Liz Rice

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future? Show Notes Container Security download Pictures of elephants Kubernetes Security book Starboard project Dynamic threat analysis
6/8/202028 minutes, 44 seconds
Episode Artwork

Episode 199 - Special cases are special: DNS, Websockets, and CSV

Josh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes always, not even that one time. Show Notes Bind advisory Robustness Principal eBay port scanning localhost OWASP CSV injection
6/1/202029 minutes, 16 seconds
Episode Artwork

Episode 198 - Good advice or bad advice? Hang up, look up, and call back

Josh and Kurt talk about the Krebs blog post titled "When in Doubt: Hang Up, Look Up, & Call Back". In the world of security there isn't a lot of actionable advice, it's worth discussing if something like this will work, or ever if it's the right way to handle these situations. Show notes When in Doubt: Hang Up, Look Up, & Call Back Tech Support Scam podcast: Part 1, Part 2 STIR/SHAKEN Drill the wrong safe deposit box 2009 Bank of Ireland robbery
5/25/202033 minutes, 32 seconds
Episode Artwork

Episode 197 - Beer, security, and consistency; the newer, better, triad

Josh and Kurt talk about what beer and reproducible builds have in common. It's a lot more than you think, and it mostly comes down to quality control. If you can't reproduce what you do, you're not a mature organization and you need maturity to have quality. Show Notes Reinheitsgebot Josh's Blog Post Ken Thompson's reflections on trusting trust Tor Browser Deterministic Builds One line package broke npm create Donkey Kong 64 memory leak
5/17/202029 minutes, 47 seconds
Episode Artwork

Episode 196 - Pounding square solutions into round holes: forced updates from Ubuntu

Josh and Kurt talk about automatic updates. Specifically we discuss a recent decision by Ubuntu to enable forced automatic updates. There are lessons here for the security community. We have a history of jumping to solutions rather than defining and understanding problems. Sometimes our solutions aren't the best. Also murder bees. Show Notes The Oatmeal giant bee comic Honeybees cook giant hornet Ubuntu 20.04 LTS’ snap obsession has snapped me off of it Forum discussion
5/11/202032 minutes, 24 seconds
Episode Artwork

Episode 195 - Is BGP actually insecure?

Josh and Kurt talk about the uproar around Cloudflare's "Is BGP safe yet" site. It's always interesting watching how much people will push back on new things, even if the new things is probably a step in the right direction. The clever thing Cloudflare is doing in this instance is they are making the BGP problem something anyone can understand. Also send us your funny dog stories. Show Notes Is BGP safe yet? Reddit BGP conversation Hacker News BGP conversation Stealing cryptocurrency with BGP
5/4/202031 minutes, 3 seconds
Episode Artwork

Episode 194 - Working from home security: resistance is futile

Josh and Kurt talk about the new normal that's working away from an office. It's not exactly working from home as there are some unforeseen challenges that we just took for granted in the past. There are a lot of new and strange security problems we have to adapt to, everyone is doing amazing work with very little right now. Show Notes Microsoft buys corp.com Hijack computer network traffic with a Pi Zero
4/27/202031 minutes
Episode Artwork

Episode 193 - Security lessons from space: Apollo 13 edition

Josh and Kurt talk about space. We intended to focus on Apollo 13 but as usual we have no ability to stay on topic. There is a lot of fun space discussions in this one though. Do you think you can hack Voyager 1? Only if you have a big enough satellite dish. Show Notes Eavesdropping on Apollo 11 Apollo 11 classified weather satellite The pen that saved Apollo 11
4/20/202035 minutes, 8 seconds
Episode Artwork

Episode 192 - Work without progress - what Infosec can learn from treadmills

Josh and Kurt talk about Kurt's recent treadmill purchase and the lessons we can lean in security from the consumer market. The consumer market has learned a lot about how to interact with their customers in the last few decades, the security industry is certainly behind in this space today. Once again we display our ability to tie even the seemingly mundane things back to a discussion about security. Show Notes Eating goldfish off the treadmill
4/13/202033 minutes, 16 seconds
Episode Artwork

Episode 191 - Security scanners are all terrible

Josh and Kurt talk about security scanners. They're all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you're running the scanner and what the reports mean? Show Notes Edmonton freeze thaw cycles Josh's security scanner blog series
4/6/202035 minutes, 18 seconds
Episode Artwork

Episode 190 - Building a talent "ecosystem"

Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada's entertainment industry and Unit 8200 are good examples of this. Show Notes SCTV Red Team Project Moon Shot book  AvE channel  Turning a tree root into a bowl  Mailing the Hope Diamond The Ecosystem
4/5/202032 minutes, 3 seconds
Episode Artwork

Episode 189 - Video game hackers - speedrunning

Josh and Kurt talk about video games and hacking. Specifically how speed runners are really just video game hackers. Show Notes Developer speedrun commentary Super Mario World end credits glitch explained Mario 3 RCE Breath of the Wild speedrun Super Metroid reverse boss order TMR beats every NES game
3/30/202033 minutes, 43 seconds
Episode Artwork

Episode 188 - Depressing news sucks, we're talking about cheating in video games

Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There's a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun. Show Notes Penny Arcade Banned from Fortnite Apollo Robbins, world's best pickpocket
3/23/202031 minutes, 1 second
Episode Artwork

Episode 187 - Wireguard vs IPsec: the OK Boomer of security

Josh and Kurt talk about Wireguard. There have been a lot of recent conversations about it and if it's better or worse than other VPN solutions. It's safe to say in our modern age, less is usually more, especially when it comes to security. Wireguard has a lot going for it, it can't be ignored. Show Notes Replacing a Nintendo Switch fan WireGuard Hacker News discussion
3/15/202030 minutes, 7 seconds
Episode Artwork

Episode 186 - Endpoint security with Tony Meehan

Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics. Show Notes Tony Meehan  Rob Joyce on Disrupting Nation State Hackers Bobby Filar living off the land blog Dwell time graph  Snowboarder vs Tree
3/8/202030 minutes, 23 seconds
Episode Artwork

Episode 185 - Is it even possible to fix open source security?

Josh and Kurt talk about the Linux Foundation Census 2. There is a lot of talk around how to fix open source security, but the reality is we can't fix it. We need to stop trying to fix what isn't broken and engineering around the system we have, not the system we want. Show Notes Linux Foundation Census 2 Core Infrastructure Initiative
3/2/202031 minutes, 55 seconds
Episode Artwork

Episode 184 - It’s DNS. It's always DNS

Josh and Kurt talk about the sale of the corp.com domain. Is it going to be the end of the world, or a non event? We disagree on what should happen with it. Josh hopes an evildoer buys it, Kurt hopes for Microsoft. We also briefly discuss the CIA owning Crypto AG. Show Notes corp.com is for sale CIA owned Crypto AG
2/24/202033 minutes, 3 seconds
Episode Artwork

Episode 183 - The great working from home experiment

Josh and Kurt talk about a huge working from home experiment because of the the Coronavirus. We also discuss some of the advice going on around the outbreak, as well as how humans are incredibly good at ignoring good advice, often to their own peril. Also an airplane wheel falls off. Show Notes Work from home Hacker News discussion CDC advice How to wash your hands Air Canada flight without running wather Airplane wheel falling off
2/17/202032 minutes, 32 seconds
Episode Artwork

Episode 182 - Does open source owe us anything?

Josh and Kurt talk about open source maintainers and building communities. While an open source maintainer doesn't owe anyone anything, there are some difficult conversations around holding back a community rather than letting it flourish. Show Notes Actix-web story Lodash Possible Lodash security issue  Javascript libraries are almost never updated Ularn
2/10/202028 minutes, 42 seconds
Episode Artwork

Episode 181 - The security of SIM swapping

Josh and Kurt talk about SIM swapping. What is it, how does it work. Why should you care? There's not a ton you can do to protect yourself, but we go over some of the basic concepts and what to watch out for. It's unfortunate this is still a problem. Show Notes Five Major US Wireless Carriers Are Vulnerable to SIM Swapping Edmonton Police SIM swap website
2/3/202032 minutes, 28 seconds
Episode Artwork

Episode 180 - A Tale of Two Vulnerabilities

Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard. Show Notes Microsoft flaw CVE-2020-0601 Citrix flaw CVE-2019-19781 Citrix mitigation instructions
1/27/202031 minutes, 7 seconds
Episode Artwork

Episode 179 - Google Project Zero and the 90 day clock

Josh and Kurt talk about the updated Google Project Zero disclosure policy. What's the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won't drastically change much. Show Notes Google and 90 day patch disclosure Upgrading all Windows versions
1/20/202031 minutes, 25 seconds
Episode Artwork

Episode 178 - Are CVEs important and will ransomware put you out of business?

Josh and Kurt talk about a discussion on Twitter about if discovering CVE IDs is important for a resume? We don't think it is. We also discuss the idea of ransomware putting a company out of business. Did it really? Possibly but it probably won't create any substantial change in the industry. Show Notes Games Done Quick  Ransomware puts company out of business 1 in 5 companies shut down due to ransomware  Laura Shin SIM Swap Podcast
1/13/202032 minutes, 36 seconds
Episode Artwork

Episode 177 - Fake or real? The security of counterfeit goods

Josh and Kurt talk about marketplace safety and security. Will we ever see an end to the constant flow of counterfeit goods? The security industry has the same problem the marketplace industry has, without substantial injury we don't see movement towards meaningful change. Show Notes BrickLink Cars in Canada lighting on fire  President Roosevelt used Al Capone's Limo Dangerous car seats Fake external hard drive
1/6/202029 minutes, 58 seconds
Episode Artwork

Episode 176 - The 'predictions are stupid' prediction episode

Josh and Kurt talk about security predictions for 2020. None of the predictions are even a bit controversial or unexpected. We're in a state of slow change, without disruptive technology next year will look a lot like this year. Show Notes The Rising Speed of Technological Adoption Slack Certified GDPR Fines and Notices
12/30/201932 minutes, 13 seconds
Episode Artwork

Episode 175 - Defenders will always be one step behind

Josh and Kurt talk about the opportunistic nature of crime. Defenders have to defend, which means the adversaries are by definition always a step ahead. We use the context of automobile crimes to frame the discussion. Show Notes Stealing cars with radio relays RTL Software Defined Radio Canada most stolen car
12/23/201930 minutes, 27 seconds
Episode Artwork

Episode 174 - GitHub turns security up to 11; A discussion with Rob Schultheis

Josh and Kurt talk to Rob Schultheis from GitHub about some of the amazing projects GitHub is working on. We discuss GitHub security advisories, getting a CVE from GitHub, and what the new GitHub Security Lab is doing. It's a great conversation about how GitHub is working to make security better for all of us. Show Notes GitHub Security Advisories GitHub CVE requests GitHub Security Lab GitHub Security Lab Slack GitHub Security Lab Twitter
12/16/201929 minutes, 41 seconds
Episode Artwork

Episode 173 - Ho Ho Homeland Security

Josh Santa and Kurt talk the border nightmare Santa Clause has to deal with as he traverses the globe. Questions we explore include: Are the reindeer farm animals? Is the North Pole a farm? Is Santa an intellectual property thief? Does Krampus eat politicians? Does Santa have a passport? Does Santa have an emergency radio? Show Notes Pirate Joes
12/9/201934 minutes, 52 seconds
Episode Artwork

Episode 172 - The security of planned obsolescence

Josh and Kurt talk about the security implications of planned obsolescence. We use Intel's recent decision to remove old drivers from their website as the start of the conversation. By the end we realize this is more of a decision society needs to understand and make more than anything. Is constantly throwing out technology OK? Show Notes Intel removes old drivers Upgrading all versions of Windows Sniffing your Smart TV
12/2/201932 minutes, 8 seconds
Episode Artwork

Episode 171 - Measuring cybersecurity with Kathryn Waldron

  Josh and Kurt talk to Kathryn Waldron of the R Street Institute about a paper she recently published that collects a number of cybersecurity measuring devices in one place. Show Notes Kathryn Waldron Kathryn's Twitter account Resources for Measuring Cybersecurity There are 14 standards
11/25/201930 minutes, 52 seconds
Episode Artwork

Episode 170 - Until that quantum computer is cracking RSA keys, go sit back down!

Josh and Kurt talk about banking and privacy. It's very likely nothing will get better anytime soon, humans will continue to be terrible at understanding certain risks. We also discuss what quantum supremacy means (or doesn't  mean) for security. Show Notes National Bank Privacy Issues Quantum Supremecy Claims Hype Cycle Scottish person talking to Siri SMBC Quantum Comic
11/17/201931 minutes, 57 seconds
Episode Artwork

Episode 169 - What happens when leadership doesn't care about security?

Josh and Kurt talk about government security incidents. The security concerns at the government level often have real life and death consequences. What happens when the leadership knowingly disregards security policy? Show Notes Breaking into a SCIF Whitehouse cybersecurity team Bugged typewriter
11/11/201931 minutes, 20 seconds
Episode Artwork

Episode 168 - The draconian draconians of DRM

Josh and Kurt talk about the social norms of security. We also discuss security coprocessors and the reasons behind adding them to hardware. Is DRM a draconian security measure or do we need it to secure the future? We also touch on the story of NordVPN getting hacked. The real story isn't they got hacked, the story is they responded like clowns. The actual problem was one of leadership, there are certain leadership skills you can't be taught, you can only learn. Show Notes Before Windows boots protections
11/3/201930 minutes, 55 seconds
Episode Artwork

Episode 167 - Security is terrible because digital literacy is terrible

Josh and Kurt talk about the horrid state of digital literacy in the US. We start out talking about broken Phillips Hue light bulbs, then discuss research from Pew on the digital literacy of Americans. We may have accidentally discovered a use for all the cookie warnings every web site has. Show Notes Pew Research on American's Digitcal Literacy
10/28/201935 minutes, 19 seconds
Episode Artwork

Episode 166 - Every day should be cybersecurity awareness month!

Josh and Kurt about cybersecurity awareness month. What's our actionable advice we can give out? There isn't much which is a fundamental part of the problem. Show Notes Cybersecurity awareness month Polar bear sized pigs
10/21/201924 minutes, 39 seconds
Episode Artwork

Episode 165 - Grab Bag of Microsoft Security News

Josh and Kurt about a number of Microsoft security news items. They've changed how they are handling encrypted disks and are now forcing cloud logins on Windows users. Show Notes Microsoft KB 4516071 A Security Market for Lemons Kurt's file wiping advisory Lock Picking Lawyer vs Consumer Reports Sun Ray Linux Gamers: 20% of auto reported crashes
10/13/201927 minutes, 45 seconds
Episode Artwork

Episode 164 - DNS over HTTPS: Probably not the end of the world

Josh and Kurt about DNS over HTTPS and how it may or may not destroy civilization. We also discuss the disruption of cloud in the context of security and touch on the news that GitHub is now a CVE CNA! Show Notes DNS over HTTPS California Privacy Law Defensive Security Podcast GitHub is a CNA
10/7/201930 minutes, 3 seconds
Episode Artwork

Episode 163 - Death to Python 2

Josh and Kurt about the upcoming Python 2 EOL. What does it mean, why does it matter, and what you can you do? Show Notes Python Clock Python's statement about sunsetting Python 2 wifi 6
9/30/201933 minutes, 22 seconds
Episode Artwork

Episode 162 - SBOM with Allan Friedman

Josh and Kurt speak with Allan Friedman of the US National Telecommunications and Information Administration about Software Bill of Materials. Where are we today, where are things going, and how you can help.  Show Notes Allan Friedman NTIA NTIA Software Component Transparency 
9/23/201930 minutes, 35 seconds
Episode Artwork

Episode 161 - Human nature and ad powered open source

Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source? Show Notes thegrugq secure android DoD JEDI program Firefox privacy settings Standard ads Max Headroom
9/16/201929 minutes, 19 seconds
Episode Artwork

Episode 160 - Disclosing security issues is insanely complicated: Part 2

Josh and Kurt talk about disclosing security flaws in open source. This is part two of a discussion around how to disclose security issues. This episode focuses on some expectations and behaviors for open source projects as well as researchers trying to disclose a problem to a project. Show Notes webmin backdoor Github security advisories
9/9/201931 minutes, 11 seconds
Episode Artwork

Episode 159 - Disclosing security issues is insanely complicated: Part 1

Josh and Kurt talk about disclosing security flaws. It's a topic that's come up a few times in the last few weeks and it's more complicated than it's ever been. We certainly ask more questions than we answer in this episode, there will be a part 2 that focuses on open source disclosure. Show Notes Lock Picking Lawyer Tavis' Windows flaw 
9/2/201929 minutes, 23 seconds
Episode Artwork

Episode 158 - The mess that we call credit agencies in the US

Josh and Kurt talk about the current state of credit security freezes in the US. We recount a thrilling tale of all the things Josh had to do to get new Internet service. It was all quite silly really. Show Notes Weak security freeze pins 'null' license plate
8/26/201927 minutes, 48 seconds
Episode Artwork

Episode 157 - Backdoors and snake oil in our cryptography

Josh and Kurt talk about snakeoil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it's the right thing to do. Show Notes Time AI video  Kurt's Tweet about technical explanations  Josh's blog post about bug training Schneier on Barr's encryption discussion
8/19/201930 minutes, 58 seconds
Episode Artwork

Episode 156 - What if we MitM a whole country?

Josh and Kurt talk about Kazakhstan requiring citizens to place a government controlled root CA certificate on their computers. How does this work. What does it mean for the citizens of Kazakhstan, and why we all should be paying attention. Show Notes Kazakhstan MitM all TLS traffic Mozilla bug
7/29/201929 minutes, 57 seconds
Episode Artwork

Episode 155 - Stealing cars and ransomware

Josh and Kurt talk about a new way to steal cars because a service didn't do proper background checks. We also discuss how this relates to working with criminals, such as ransomware, and what it means for the future of the ransomware industry. Show Notes Car2go theft Alberta driver's license security Albertosaurus  Las Vegas won't pay a ransom
7/22/201927 minutes, 22 seconds
Episode Artwork

Episode 154 - Chat with the authors of the book "The Fifth Domain"

Josh and Kurt talk to the authors of a new book The Fifth Domain. Dick Clarke and Rob Knake join us to discuss the book, cybersecurity, US policy, how we got where we are today and what the future holds for cybersecurity. Show Notes The Fifth Domain Dick Clarke Rob Knake Future State Podcast
7/16/201931 minutes, 17 seconds
Episode Artwork

Episode 153 - The unexpected security of AI, photographs, and VPN

Josh and Kurt talk about user expectations around Facebook's AI. Normal people are starting to see the capabilities and potential risk with all these services. We also cover the topic of China owning a number of VPN services.
7/8/201934 minutes, 33 seconds
Episode Artwork

Episode 152 - Tavis breaks the world ... again

Josh and Kurt talk about the disclosure of security vulnerabilities. It's still not a settled topic, we frame the conversation around a recent disclosure from Tavis Ormandy of Google Project Zero.
7/1/201930 minutes, 40 seconds
Episode Artwork

Episode 151 - The DARPA Cyber Grand Challenge with David Brumley

Josh and Kurt talk to David Brumley. The CEO of ForAllSecure and professor at CMU. We discuss when David's team won the Cyber Grand Challenge, what the future of automated security looks like, and what ForAllSecure is doing. It's a fascinating window into the future of the industry.
6/24/201930 minutes, 12 seconds
Episode Artwork

Episode 150 - Our ad funded dystopian present

Josh and Kurt talk about the future Chrome and ad blockers. There is a lot of nuance to unpack around this one. There are two versions of the Internet today. One with an ad blocker and one without. The Internet without an ad blocker is a dystopian nightmare. The actionable advice at the end of this one is to use Firefox.
6/17/201930 minutes, 9 seconds
Episode Artwork

Episode 149 - Chat with Michael Coates about data security

Josh and Kurt have a chat with Michael Coates from Altitude Networks. We cover what Altitude is up to as well as general trends we're seeing around data security in the cloud. Michael lays out his vision for "data first security".
6/10/201926 minutes, 27 seconds
Episode Artwork

Episode 148 - You just got pwnt, what now?

Josh and Kurt talk about public disclosure. We start out with a story about Canva, then discuss what do you do if you have a security incident? Who do you tell, what do you tell them. How do you tell your story? It's a really hard problem even if it's something you've done many times in the past.
6/3/201929 minutes, 21 seconds
Episode Artwork

Episode 147 - Scams and operations as part of the supply chain

Josh and Kurt talk about a new type of lockbox scams. We also discuss Slack being a target for nation state attacks. Do you consider your operations part of your supply chain?It's totally part of your supply chain.
5/27/201930 minutes, 27 seconds
Episode Artwork

Episode 146 - What the @#$% happened to Microsoft?

Josh and Kurt talk about Microsoft. They're probably not the bad guys anymore, which is pretty wild. They're adding a Linux kernel to Window. Can we declare open source the unquestionable winner now?
5/20/201932 minutes, 24 seconds
Episode Artwork

Episode 145 - What do security and fire have in common?

Josh and Kurt talk about fire. We discuss the history of fire prevention and how it mirrors many of things we see in security. There are lessons there for us, we just hope it doesn't take 2000 years like it did for proper fire prevention to catch on.
5/13/201934 minutes, 20 seconds
Episode Artwork

Episode 144 - The security of money, which one is best?

Josh and Kurt talk about the security of money. Not how to keep it secure, but the security issues around using cash, credit, and bitcoin. We also talk about Banksy's clever method for proving something is original.
5/6/201933 minutes, 34 seconds
Episode Artwork

Episode 143 - Security lessons from the phone book

Josh and Kurt talk about the phone book (yeah, the big paper book people used to use). Kurt got one in the mail. While it's certainly a relic from another time, there were security tips in it among other wild things.
4/29/201934 minutes, 40 seconds
Episode Artwork

Episode 142 - Hypothetical security: what if you find a USB flash drive?

Josh and Kurt talk about what one could do if you find a USB drive. The context is based on the story where the Secret Service was rumored to have plugged a malicious USB drive into a computer. The purpose of discussion is to explore how to handle a situation like this in the real world. We end the episode with a fantastic comparison of swim safety and security.
4/21/201931 minutes, 27 seconds
Episode Artwork

Episode 141 - Timezones are hard, security is harder

Josh and Kurt talk about the difficulty of security. We look at the difficulty of the EU not observing daylight savings time, which is probably magnitudes easier than getting security right. We also hit on a discussion on Reddit about U2F that shows the difficulty. Security today is too hard, even for the experts.
4/15/201936 minutes, 14 seconds
Episode Artwork

Episode 140 - Good enough security is a pretty high bar

Josh and Kurt talk about identity. It's a nice example we can generally understand in the context of how much security is enough security? When we deal with identity the idea of good enough is often acceptable for the vast majority of uses. Perfect identity tracking isn't really a thing nor is it practical.
4/8/201934 minutes, 20 seconds
Episode Artwork

Episode 139 - Secure voting, firefox send, and toxic comments on the internet

Josh and Kurt talk about Brexit, voting, Firefox send, and toxic comments. Is there anything we can do to slow the current trend of conversation on the Internet always seeming to spiral out of control? The answer is maybe with a lot of asterisks.
4/1/201930 minutes, 57 seconds
Episode Artwork

Episode 138 - Information wants to be free

Josh and Kurt talk about a prank gone wrong, the reality of when your data ends up public. Once it's public you can't ever put it back. We also discuss Notepad++ no longer signing releases and what signing releases means for the world in general.
3/25/201932 minutes, 19 seconds
Episode Artwork

Episode 137.5 - Holy cow Beto was in the cDc, this is awesome!

Josh and Kurt talk about Beto being in the Cult of the Dead Cow (cDc). This is a pretty big deal in a very good way. We hit on some history, why it's a great thing, what we can probably expect from opponents. There's even some advice at the end how we can all help. We need more politicians with backgrounds like this.
3/18/201935 minutes, 17 seconds
Episode Artwork

Episode 137 - When the IoT attacks!

Josh and Kurt talk about when devices attack! It's not quite that exciting, but there have been a slew of news about physical devices causing problems for humans. We end on the note that we're getting closer to a point when lawyers and regulators will start to pay attention. We're not there yet, so we still have a horrible insecure future on the horizon.
3/11/201930 minutes, 34 seconds
Episode Artwork

Episode 136 - How people feel is more important than being right

Josh and Kurt talk about github blocking the Deepfakes repository. There's a far bigger discussion about how people feel, and sometimes security fails to understand that making people feel happy or safer is more important than being right.
3/4/201931 minutes, 35 seconds
Episode Artwork

Episode 135 - Passwords, AI, and cloud strategy

Josh and Kurt talk about change your password day (what a terrible day). Google's password checkup (not a terrible idea), an AI finding new spice flavors we expect will one day take over the world, and we finish up on a new DoD cloud strategy. Also Josh burnt his finger, but is going to be OK.
2/25/201930 minutes, 38 seconds
Episode Artwork

Episode 134 - What's up with the container runc security flaw?

Josh and Kurt talk about the new runc container security flaw. How does the flaw work, what can you do about it, what should you do about it, and what the future of container security may look like.
2/18/201928 minutes, 58 seconds
Episode Artwork

Episode 133 - Smart locks and the government hacking devices

Josh and Kurt talk about the fiasco hacks4pancakes described on Twitter and what the future of smart locks will look like. We then discuss what it means if the Japanese government starts hacking consumer IoT gear, is it ethical? Will it make anything better?
2/11/201931 minutes, 10 seconds
Episode Artwork

Episode 132 - Bird Scooter: 0, Cory Doctorow: 1

Josh and Kurt talk about the Bird Scooter vs Corey Doctorow incident. We then get into some of the social norms around new technology and what lessons the security industry can take from something new like shared scooters.
2/4/201930 minutes, 11 seconds
Episode Artwork

Episode 131 - Windows micropatches, Google's privacy fine, and Mastercard fixes trial abuse

Josh and Kurt talk about non-Microsoft Windows micropatches. The days of pretending closed source matters are long gone. Google gets hit with a privacy fine, that probably won't matter. And Mastercard makes it easier for consumers to not accidentally sign up for services they don't want.
1/28/201933 minutes, 26 seconds
Episode Artwork

Episode 130 - Chat with Snyk co-founder Danny Grander

Josh and Kurt talk to Danny Grander one of the co-founders of Snyk about Zip Slip, what it is, how to fix it, and how they disclosed everything. We also touch on plenty of other open source security topics as Danny is involved in many aspects of open source security.
1/21/201934 minutes, 3 seconds
Episode Artwork

Episode 129 - The EU bug bounty program

Josh and Kurt talk about the EU bug bounty program. There have been a fair number of people complaining it's solving the wrong problem, but it's the only way the EU has to spend money on open source today. If that doesn't change this program will fail.
1/14/201933 minutes, 15 seconds
Episode Artwork

Episode 128 - Australia's encryption backdoor bill

Josh and Kurt talk about Australia's recently passed encryption bill. What is the law that was passed, what does it mean, and what are the possible outcomes? The show notes contain a flow chart of possible outcomes.
1/7/201932 minutes, 59 seconds
Episode Artwork

2018 Christmas Special - Is Santa GDPR compliant?

Josh and Kurt talk about which articles of the GDPR apply to Santa, and if he's following the rules the way he should be (spoiler, he's probably not). Should Santa be on his own naughty list? We also create a new holiday character - George the DPO Elf!
12/24/201837 minutes, 37 seconds
Episode Artwork

Episode 127 - Walled gardens, appstores, and more

Josh and Kurt talk about Mozilla pulling a paywall bypassing extension. We then turn our attention to talking about walled gardens. Are they good, are they bad? Something in the middle? There is a lot of prior art to draw on here, everything from Windows, Android, iOS, even Linux distributions.
12/17/201835 minutes
Episode Artwork

Episode 126 - The not so dire future of supply chain security

Josh and Kurt continue the discussion from episode 125. We look at the possible future of software supply chains. It's far less dire than previously expected. It's likely there will be some change in the
12/10/201833 minutes, 13 seconds
Episode Artwork

Episode 125 - Open Source, supply chains, npm, and you

Josh and Kurt talk about how open source deals with malicious events. It's probably impossible to stop these from happening, but the open source universe deals with it in its own unique way. We start to discuss what you can do, since everyone is using open source everywhere now. There will be a second part to this episode where we discuss what the future holds for these sort of problems.
12/3/201831 minutes, 4 seconds
Episode Artwork

Episode 124 - Cloudflare's service workers and the economics of security

Josh and Kurt talk about Cloudflare's new Workers service. We spend a lot of time discussing how economics drives technology, not security. It's quite likely this new service is less secure than existing alternatives, but it will be cheaper and faster which will matter more than security.
11/26/201834 minutes, 4 seconds
Episode Artwork

Episode 123 - Talking about Kubernetes and container security with Liz Rice

Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what's new and exciting today, and where do we think things are going.
11/19/201827 minutes, 52 seconds
Episode Artwork

Episode 122 - What will Apple's T2 chip mean for the rest of us?

Josh and Kurt talk about Apple's new T2 security chip. It's not open source but we expect it to change the security landscape in the coming years.
11/12/201833 minutes, 4 seconds
Episode Artwork

Episode 121 - All about the security of voting

Josh and Kurt talk about voting security. What does it mean, how does it work. What works, what doesn't work, and most importantly why we may not see secure electronic voting anytime soon.
11/5/201836 minutes, 48 seconds
Episode Artwork

Episode 120 - Bloomberg and hardware backdoors - it's already happening

Josh and Kurt talk about Bloomberg's story about backdoors and motherboards. The story is probably false, but this is almost certainly happening already with hardware. What does it mean if your hardware is already backdoored by one or more countries?
10/29/201830 minutes, 56 seconds
Episode Artwork

Episode 119 - The Google+ and Facebook incidents, it's not your data anymore

Josh and Kurt talk about the Google+ and Facebook data incidents. We don't have any control over this data anymore. The incidents didn't really affect the users because we have no idea who has access to it. We also touch on GDPR and what it could mean in this context.
10/22/201831 minutes, 38 seconds
Episode Artwork

Episode 118 - Cloudflare's IPFS and onion service

Josh and Kurt talk about Cloudflare's new IPFS and Onion services. One brings distributed blockchain files to the masses, the other lets you host your site on tor easily.
10/15/201830 minutes, 49 seconds
Episode Artwork

Episode 117 - Will security follow Linus' lead on being nice?

Josh and Kurt talk about Linus' effort to work on his attitude. What will this mean for security and IT in general?
10/8/201831 minutes, 2 seconds
Episode Artwork

Episode 116 - The future of the CISO with Michael Piacente

Josh and Kurt talk to Michael Piacente from Hitch Partners about the past, present, and future role of the CISO in the industry.
10/1/201830 minutes, 31 seconds
Episode Artwork

Episode 115 - Discussion with Brian Hajost from SteelCloud

Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it's not that bad when it's explained by someone with experience.
9/24/201830 minutes, 16 seconds
Episode Artwork

Episode 114 - Review of "Click Here to Kill Everybody"

Josh and Kurt review Bruce Schneier's new book Click Here to Kill Everybody. It's a book everyone could benefit from reading. It does a nice job explaining many existing security problems in a simple manner.
9/17/201830 minutes, 50 seconds
Episode Artwork

Episode 113 - Actual real security advice

Josh and Kurt talk about actual real world advice. Based on a story about trying to secure political campaigns, if we had to give some security help what should it look like, who should we give it to?
9/10/201830 minutes, 38 seconds
Episode Artwork

Episode 112 - Google's Titan Key and the latest Struts issue

Josh and Kurt talk about the new Google Titan security key. There are some in the industry uneasy about the supply chain for the devices. We also discuss the latest Struts security issue. Struts is old and scary now, stop using it.
9/3/201829 minutes, 6 seconds
Episode Artwork

Episode 111 - The TLS 1.3 and DNS episode

Josh and Kurt talk about TLS 1.3 and DNS. What can we expect from the future for these, how are they related (or not related). We touch on DNSSEC and why it probably won't matter. DNS over TLS is looking pretty great though. There is also a guest appearance from quantum crypto.
8/27/201832 minutes, 39 seconds
Episode Artwork

Episode 110 - Review of Black Hat, Defcon, and the effect of security policies

Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can't foresee. We end with important information about pizzza, bananas, and can openers.
8/19/201834 minutes, 49 seconds
Episode Artwork

Episode 109 - OSCon and actionable advice

Josh and Kurt talk about phishing training and how it doesn't really matter. Josh spoke at OSCon and comes back with some fun observations and advice. People want practical actionable advice and we're not good at that.
8/13/201834 minutes, 18 seconds
Episode Artwork

Episode 108 - Bluetooth, phishing, airgaps, and eating soup off the floor

Josh and Kurt talk about the latest attack on bluetooth and discuss phishing in the modern world. U2F is a great way to stop phishing, training is not. We also discuss airgaps in response to attacks on airgapped power utilities.
8/6/201830 minutes, 35 seconds
Episode Artwork

Episode 107 - The year of the Linux Desktop and other hardware stories

Josh and Kurt talk about modern hardware, how security relates to devices and actions. Everything from secure devices, to the cables we use, to thermal cameras and coat hangers. We end the conversation discussing the words we use and how they affect the way people see us and themselves.
7/30/201829 minutes, 4 seconds
Episode Artwork

Episode 106 - Data isn't oil, it's nuclear waste

Josh and Kurt talk about Cory Doctorow's piece on Facebook data privacy. It's common to call data the new oil but it's more like nuclear waste. How we fix the data problem in the future is going to require solutions we can't yet imagine as well as new ways of thinking about the problems.
7/23/201829 minutes, 54 seconds
Episode Artwork

Episode 105 - More backdoors in open source

Josh and Kurt talk about some recent backdoor problems in open source packages. We touch on is open source secure, how that security works, and what it should look like in the future. This problem is never going to go away or get better, and that's probably OK.
7/16/201831 minutes, 45 seconds
Episode Artwork

Episode 104 - The Gentoo security incident

Josh and Kurt talk about the Gentoo security incident. Gentoo did a really good job being open and dealing with the incident quickly. The basic takeaway from all this is make sure your organization is forcing users to use 2 factor authentication. The long term solution is going to be all identity providers forcing everyone to use 2FA.
7/9/201833 minutes, 14 seconds
Episode Artwork

Episode 103 - The Seven Properties of Highly Secure Devices

Josh and Kurt talk about a Microsoft Research paper titled "The Seven Properties of Highly Secure Devices". We take a real world view into how to secure our devices. What works, what doesn't work, and why this list is actually really good.
7/2/201833 minutes, 23 seconds
Episode Artwork

Episode 102 - Michael Feiertag from tCell

Josh and Kurt talk to Michael Feiertag, the CEO of tCell. We talk about what a Web Application Firewall is, what it does and doesn't do, and what the future of this technology looks like. We touch on how this affects a DevOps environment. Security has to fit into the existing model, not try to change it. 
6/25/201830 minutes, 50 seconds
Episode Artwork

Episode 101 - Our unregulated future is here to stay

Josh and Kurt talk about Bird scooters. The implications of the scooters on the city, segways, bicycles. The topic of how these vehicles interact with pedestrians on the road and trails. It's an example of humans not wanting to follow the rules and generally making the situation annoying for everyone. It's the old security story of new technology without clear rules. The show ends with some horrifying numbers behind how bad things can get before people really care.
6/17/201832 minutes, 46 seconds
Episode Artwork

Episode 100 - You're bad at buying security, we can help!

Josh and Kurt talk about how to be a smart security buyer. We have guest Steve Mayzak walk us through how a the buying process works as well as giving out a ton of great advice. Even if you're experienced with how to buy security technology you should give this a listen.
6/11/201835 minutes, 54 seconds
Episode Artwork

Episode 99 - Consumer security is too broken to fix, and it doesn't matter

Josh and Kurt talk about a number of consumer security issues. The FBI told everyone to reboot their routers which they won't do. The .app top level domain is a cesspool of malware. Everyone has a cell phone and won't update them properly. None of this probably matters though. Unless there are real measurable tragedies caused by this tech, people tend not to really care.
6/4/201834 minutes, 20 seconds
Episode Artwork

Episode 98 - When IT decisions kill people

Josh and Kurt talk about the NTSB report from the fatal Uber crash and what happened with Amazon's Alexa recording then emailing a private conversation. IT decisions now have real world consequences like never before.
5/28/201834 minutes, 24 seconds
Episode Artwork

Episode 97 - Automation: Humans are slow and dumb

Josh and Kurt talk about the security of automation as well as automating security. The only way automation will really work long term is full automation. Humans can't be trusted enough to rely on them to do things right.
5/20/201833 minutes, 8 seconds
Episode Artwork

Episode 96 - Are legal backdoors a good idea?

Josh and Kurt talk about backdoors in code and products that have been put there on purpose. We talk about unlocking phones. Encryption backdoors with a focus on why they won't work.
5/11/201832 minutes, 54 seconds
Episode Artwork

Episode 95 - Twitter passwords and npm backdoors

Josh and Kurt talk about Twitter doing the right thing when they logged a lot of passwords and the npm malicious getcookies package and how backdoors work in code.
5/7/201829 minutes, 32 seconds
Episode Artwork

Episode 94 - DNSSEC, BGP, and reality

Josh and Kurt talk about the Amazon Route 53 incident and what it really means for the modern infrastructure. Complaining nobody is using DNSSEC or securing BGP aren't the right conversations to be having. Reality must be considered in any honest conversation about these topics.
4/30/201828 minutes, 18 seconds
Episode Artwork

Episode 93 - Security flaws in beep and patch, how did we get here?

Josh and Kurt talk about security flaws in beep and patch. How on earth were there security flaws in beep and patch?
4/15/201836 minutes, 4 seconds
Episode Artwork

Episode 92 - Chat with Rami Saas the CEO of WhiteSource

Josh and Kurt talk to Rami Saas, the CEO of WhiteSource about 3rd party open source security as well as open source licensing.
4/15/201833 minutes, 34 seconds
Episode Artwork

Episode 91 - Security lessons from a 7 year old

Josh and Kurt talk to a 7 year old about security. We cover Minecraft security, passwords, hacking, and many many other nuggets of wisdom.
4/8/201819 minutes, 4 seconds
Episode Artwork

Episode 90 - Humans and misinformation

Josh and Kurt talk about all the current misinformation, how humans react to it, and what it means for security.
4/2/201836 minutes, 26 seconds
Episode Artwork

Episode 89 - Short selling AMD security flaws

Josh and Kurt talk about the recent AMD flaws and the events surrounding the disclosure.
3/25/201834 minutes
Episode Artwork

Episode 88 - Chat with Chris Rosen from IBM about Container Security

Josh and Kurt talk about container security with IBM's Chris Rosen.
3/18/201832 minutes, 59 seconds
Episode Artwork

Episode 87 - Chat with Let's Encrypt co-founder Josh Aas

Josh and Kurt talk about Let's Encrypt with co-founder Josh Aas. We discuss the past, present, and future of the project.
3/11/201838 minutes, 33 seconds
Episode Artwork

Episode 86 - What happens when 23 thousand certificates leak?

Josh and Kurt talk about the Trustico certificate incident and Let's Encrypt.  
3/3/201834 minutes, 24 seconds
Episode Artwork

Episode 85 - NPM ate my files

Josh and Kurt talk about the npm 5.7.0 debacle.
2/23/201832 minutes, 17 seconds
Episode Artwork

Episode 84 - Have I been pwned?

Josh and Kurt talk about the new password data dump from Have I been pwned?
2/23/201831 minutes, 55 seconds
Episode Artwork

Episode 83 - XKCD + CVE = XKCVE

Josh and Kurt talk about the XKCD CVE comic and a flight simulator stealing credentials.
2/21/201831 minutes, 12 seconds
Episode Artwork

Episode 82 - RSA, TLS, Chrome HTTP, and PCI

Josh and Kurt talk about problems of textbook RSA implementations, the upcoming TLS changes in TLS, and the insecurity of http in Chrome.
2/13/201829 minutes, 53 seconds
Episode Artwork

Episode 81 - Autosploit, bug bounties, and the future of security

Josh and Kurt talk about AutoSploit, bug bounties and fixing flaws, market forces in security, future expectations, and how humans perceive threats.
2/7/201831 minutes, 37 seconds
Episode Artwork

Episode 80 - GPS tracking and jamming

Josh and Kurt talk about GPS metadata giving away military bases and GPS jamming as part of testing.
1/31/201833 minutes, 42 seconds
Episode Artwork

Episode 79 - Skyfall: please don't yell 'fire'

Josh and Kurt talk about Skyfall, fake reports, risk, logging, and how a civilized society functions.
1/24/201855 minutes, 46 seconds
Episode Artwork

Episode 78 - Risk lessons from Hawaii

Josh and Kurt talk about the accidental missile warning in Hawaii. We also discuss general preparedness and risk.
1/16/201852 minutes, 59 seconds
Episode Artwork

Episode 77 - npm and the supply chain

Josh and Kurt talk about the recent npm happenings. What it means for the supply chain, and we end with some thoughts on how maybe none of this matters.
1/10/20181 hour, 10 seconds
Episode Artwork

Episode 76 - Meltdown aftermath

Josh and Kurt talk about the aftermath of Meltdown. The details of the flaw are probably less interesting than what happens now.
1/7/201850 minutes, 34 seconds
Episode Artwork

Episode 75 - Security Planner review

Josh and Kurt talk about the Security Planner website. It's pretty good all things considered.
12/19/20171 hour, 3 minutes, 9 seconds
Episode Artwork

Episode 74 - Facial recognition and physical security

Josh and Kurt talk about facial recognition, physical security, banking, and Amazon Alexa.
12/13/201742 minutes, 56 seconds
Episode Artwork

Episode 73 - Security from Santa

Josh and Kurt talk about basic security metrics and security from Santa. Is Santa GDPR compliant?
12/6/20171 hour, 49 seconds
Episode Artwork

Episode 72 - Bitcoin: It's over 9000

Josh and Kurt talk about Bitcoin, blockchain, and other cryptocurrencies.
11/28/201752 minutes, 40 seconds
Episode Artwork

Episode 71 - GitHub's Security Scanner

Josh and Kurt talk about GitHub's security scanner and Linus' security email. We clarify the esoteric difference between security bugs and non security bugs. 
11/21/201746 minutes, 37 seconds
Episode Artwork

Episode 70 - The security of Intel ME

Josh and Kurt talk about Intel ME, Equifax salary history, and IoT.
11/14/201749 minutes, 19 seconds
Episode Artwork

Episode 69 - Actionable security advice

Josh and Kurt talk about Amazon Key and actionable advice.
11/7/201746 minutes, 52 seconds
Episode Artwork

Episode 68 - Ruining the Internet

Josh and Kurt talk about Facebook listening to your microphone, Google Chrome certificate pinning, CAs, 152 ways to stay safe, and Kubernetes.
11/1/201751 minutes, 47 seconds
Episode Artwork

Episode 67 - Cyber won

Josh and Kurt talk about hacking back, passwords, honeypots, and conspiracies.
10/24/201738 minutes, 4 seconds
Episode Artwork

Episode 66 - Objects in mirror are less terrible than they appear

Josh and Kurt talk about Equifax again, Kaspersky, TLS CAs, coming change, social security numbers, and Minecraft.
10/15/201745 minutes, 14 seconds
Episode Artwork

Episode 65 - Will aliens overthrow us before AI?

Josh and Kurt talk about Apple, Equifax, passwords, AI, and aliens.
10/9/201749 minutes, 39 seconds
Episode Artwork

Episode 64 - Networks and Dnsmasq and IoT oh my

Josh and Kurt talk about networks, Dnsmasq, IoT, and our coming security dystopian future.
10/3/201752 minutes, 3 seconds
Episode Artwork

Episode 63 - Shoot, Shovel, and Bury

Josh and Kurt talk about the Equifax breach (again) and what it will mean for all of us. Blueborne comes up, as well as #TrevorForget.
9/26/201758 minutes, 58 seconds
Episode Artwork

Episode 62 - All about the Equifax hack

Josh and Kurt talk about the Equifax breach and what it will mean for all of us.
9/11/20171 hour, 5 minutes, 34 seconds
Episode Artwork

Episode 61 - Market driven security

Josh and Kurt talk about our lack of progress in security, economics, and how to interact with peers.
9/5/201751 minutes, 47 seconds
Episode Artwork

Episode 60 - The official blockchain episode

Josh and Kurt talk about the eclipse and blockchain.
8/30/201746 minutes, 20 seconds
Episode Artwork

Episode 59 - The VPN Episode

Josh and Kurt talk about VPNs and the upcoming eclipse.
8/15/201756 minutes, 12 seconds
Episode Artwork

Episode 58 - Backwards compatibility to the point of insanity

Josh and Kurt talk about MalwareTech, Debian killing off TLS 1.0 and 1.1, auto safety, HBO, and npm not typo squatting.
8/9/201755 minutes, 27 seconds
Episode Artwork

Episode 57 - We may never see amazing security research ever again

Josh and Kurt talk about Black Hat and Defcon, safes, banks, voting machines, SMBv1 DoS attack, Flash, liability, and password masking.
8/1/201753 minutes, 12 seconds
Episode Artwork

Episode 56 - Devil's Advocate and other fuzzy topics

Josh and Kurt talk about forest fires, fuzzing, old time Internet, and Net Neutrality. Listen to Kurt play the Devil's Advocate and manage to change Josh's mind about net neutrality.
7/18/201758 minutes, 57 seconds
Episode Artwork

Episode 55 - Good Docs Ruin My Story

Josh and Kurt talk about Let's Encrypt, certificates, Kaspersky, A/V, code signing, Not Petya, self driving cars, and failures that become security problems.
7/12/201750 minutes, 51 seconds
Episode Artwork

Episode 54 - Turning Into An Old Person

Josh and Kurt talk about Canada Day, Not Petya, Interac goes down, Minecraft, airport security and books, then GDPR.
7/4/201756 minutes, 31 seconds
Episode Artwork

Episode 53 - A Plane Isn't Like A Car

Josh and Kurt talk about security through obscurity, airplanes, the FAA, the Windows source code leak, and chicken sandwiches.
6/28/201748 minutes, 59 seconds
Episode Artwork

Episode 52 - You Could Have Done It Right, But You Didn't

Josh and Kurt talk about the new StackClash flaw, Grenfell Tower, risk management, and backwards compatibility.
6/20/201752 minutes, 23 seconds
Episode Artwork

Episode 51 - All About CVE

Josh and Kurt talk to Dan Adinolfi about CVE. Most anything you ever wanted to know about CVE is discussed.
6/12/201754 minutes, 14 seconds
Episode Artwork

Episode 50 - This Is A Security Podcast After All

Josh and Kurt discuss Futurama, tornadoes, sudo, encryption, hacking back, and something called an ombudsman. Also episode 50!
6/6/201749 minutes, 1 second
Episode Artwork

Episode 49 - Testing Software Is Impossible

Josh and Kurt discuss Samba, FTP sites, MSDOS, regulation, and the airplane laptop travel ban.
5/30/201743 minutes, 5 seconds
Episode Artwork

Episode 48 - Machine Learning: Not Actually Magic

Josh and Kurt have a guest! Mike Paquette from Elastic discusses the fundamentals and basics of Machine Learning. We also discuss how ML could have helped with WannaCry.
5/21/201747 minutes, 37 seconds
Episode Artwork

Episode 47 - WannaCry: Everything Is Basically Broken

Josh and Kurt discuss the WannaCry worm.
5/14/201748 minutes, 10 seconds
Episode Artwork

Episode 46 - Turns Out I'm Not A Bad Guy

Josh and Kurt discuss the recent Google phish attack.
5/4/201749 minutes, 12 seconds
Episode Artwork

Episode 45 - Trust Is More Important Now Than The Truth

Josh and Kurt discuss not-counterfeit MTG cards, antivirus, squirrelmail, unroll.me, grsecurity, baby monitors, and trust.
5/2/201752 minutes, 20 seconds
Episode Artwork

Episode 44 - Bug Bounties Vs Pen Testing

Josh and Kurt discuss Lego, bug bounties, pen testing, thought leadership, cars, lemons, entropy, and CVE.
4/25/201750 minutes, 3 seconds
Episode Artwork

Episode 43 - We Are Totally Immature

Josh and Kurt discuss Shadow Brokers, pronouncing GIF, Atlanta's road problems, browser phishing, warning sirens, IoT, and fake Magic the Gathering cards.
4/19/20171 hour, 35 seconds
Episode Artwork

Episode 42 - Hitchhiker's Guide To Security

Josh and Kurt discuss the security themes and events in the context of the HHGG movie.
4/13/20171 hour, 7 minutes, 1 second
Episode Artwork

Episode 41 - All Your Money Are Belong To Us

Josh and Kurt discuss airplane laptop bans, ATM hacking, pointing at things, and Certificate Authorities.
4/10/201756 minutes, 4 seconds
Episode Artwork

Episode 40 - Let's Fork Bitcoin, Again

Josh and Kurt discuss Verizon spyware, FCC privacy, Smart TVs, Tor's rewrite, Google's new operating system, bitcoin, and NanoCore.
4/2/20171 hour, 28 seconds
Episode Artwork

Episode 39 - Flash On Your Dishwasher

Josh and Kurt discuss certificates, OpenSSL, dishwashers, Flash, and laptop travel bans.
3/28/201758 minutes, 30 seconds
Episode Artwork

Episode 38 - We Ruin Everything

Josh and Kurt discuss disclosing your password, pwn2own, wikileaks, Back Orifice, HTTPS inspection, and antivirus.
3/22/201758 minutes, 19 seconds
Episode Artwork

Episode 37 - Your Bathtub Is More Dangerous Than A Shark

Josh and Kurt discuss how the Vault 7 leaks shows we live in the Neuromancer world, and this is likely the new normal.
3/9/201752 minutes, 16 seconds
Episode Artwork

Episode 36 - A Good Enough Podcast

Josh and Kurt discuss an IoT bear, Alexa and Siri, Google's E2Email and S/MIME.
3/5/201747 minutes, 45 seconds
Episode Artwork

Episode 35 - Crazy Cosmic Accident

Josh and Kurt discuss SHA-1 and cloudbleed. Bug bounties come up, and we compare security to the Higgs boson. We also discuss IPv6 at the end.
2/28/201750 minutes, 3 seconds
Episode Artwork

Episode 34 - Bathing In Ebola Virus

Josh and Kurt discuss RSA, the cryptographer's panel and of course, AI.
2/22/201754 minutes
Episode Artwork

Episode 33 - Everybody Who Went To The Circus Is In The Circus (RSA 2017)

Josh and Kurt are at the same place at the same time! We discuss our RSA sessions and how things went. Talk of CVE IDs, open source libraries, Wordpress, and early morning sessions.
2/15/201736 minutes, 11 seconds
Episode Artwork

Episode 32 - Gambling As A Service

Josh and Kurt discuss random numbers, a lot. Also slot machines, gambling, and dice.
2/8/201751 minutes, 24 seconds
Episode Artwork

Episode 31 - XML Is Never The Solution

Josh and Kurt discuss door locks, Ikea, chair testing sounds, electrical safety, autonomous cars, and XML vs JSON.
2/1/201753 minutes, 28 seconds
Episode Artwork

Episode 30 - I'm Not An Expert But I've Been Yelled At By Experts

Josh and Kurt discuss security automation. Machine learning, AI, and a bunch of moral and philosophical boundaries that new future will bring. You've been warned.
1/25/201758 minutes, 45 seconds
Episode Artwork

Episode 29 - The Security Of Rogue One

Josh and Kurt discuss the security of the movie Rogue One! Spoiler: Security in the Star Wars universe is worse than security in our universe.
1/22/20171 hour, 2 minutes, 16 seconds
Episode Artwork

Episode 28 - RSA Conference 2017

Josh and Kurt discuss their involvement in the upcoming 2017 RSA conference: Open Source, CVEs, and Open Source CVE. Of course IoT and encryption manage to come up as topics.
1/19/201755 minutes, 47 seconds
Episode Artwork

Episode 27 - Prove To Me You Are Human

Josh and Kurt discuss NTP, authentication issues, network security, airplane security, AI, and Minecraft.
1/16/201755 minutes, 4 seconds
Episode Artwork

Episode 26 - Tell Your Sister, Stallman Was Right

Josh and Kurt end up discussing video game speed running, which is really just hacking. We also end up discussing the pitfalls of the modern world, you don't own your software or services. Stallman was right!
1/12/201754 minutes, 14 seconds
Episode Artwork

Episode 25 - The Future Is Now

Josh and Kurt end up discussing CES, IoT, WiFi everywhere, and the future.
1/9/201755 minutes, 15 seconds
Episode Artwork

Episode 24 - The 2016 Prediction Edition

Josh and Kurt discuss 2016 predictions in 2017, what they got right, what they got wrong, and a bunch of other random things.
1/3/201756 minutes, 22 seconds
Episode Artwork

Episode 23 - We Can't Patch People

Josh and Kurt talk about scareware, malware, and how hard this stuff is to stop, and how the answer isn't fixing people.
12/28/201653 minutes, 7 seconds
Episode Artwork

Episode 22 - IoT Wild West

Josh and Kurt talk about planned obsolescence and IoT devices. Should manufacturers brick devices? We also have a crazy discussion about the ethics of hacking back.
12/24/201646 minutes, 46 seconds
Episode Artwork

Episode 21 - CVE 10K Extravaganza

Josh and Kurt talk about CVE 10K. CVE IDs have finally crossed the line, we need 5 digits to display them. This has never happened before now.
12/21/201646 minutes, 25 seconds
Episode Artwork

Episode 20 - The Death Of PGP

Josh and Kurt talk about the death of PGP, and how it's not actually dead at all. It's still really hard to use though.
12/19/201649 minutes, 45 seconds
Episode Artwork

Episode 19 - A Field Full Of Razor Blades And Monsters

Josh and Kurt talk about the bricking devices (on purpose).
12/13/201651 minutes, 56 seconds
Episode Artwork

Episode 18 - The Security Of Santa

Josh and Kurt talk about the security concerns and logistics of Santa, elves, and the North Pole.
12/9/201648 minutes, 5 seconds
Episode Artwork

Episode 17 - Cyphercon Interview With Korgo

Josh and Kurt talk to Michael Goetzman about Cyphercon
12/6/201655 minutes, 46 seconds
Episode Artwork

Episode 16 - Cat And Mouse

Josh and Kurt talk about cybercrime and regulation.