Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved. Trying to measure open source isn't producing anything actionable, but getting involved is very actionable, and very much how open source works. Show Notes CISA: Continued Progress Towards a Secure Open Source Ecosystem Whitehouse: Administration Cybersecurity Priorities for the FY 2026 Budget

Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important, we have to start to understand what's going on before we can plausibly discuss solutions. If you're an open source project that needs to put things on pause, or even walk way, that's OK. Show Notes CocoaPods Vulnerabilities Could Hit Apple, Microsoft, Facebook, TikTok, Snap and More The Expense of Unprotected Free Software Long-term maintenance of PCRE2 #426

Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we've ever seen. It's a weird conversation and we don't have good answers. Security in general is a collection of unsolvable problems. Show Notes Qualys security advisory Hacker News Discussion Security Cryptography Whatever Dev rejects CVE severity, makes his GitHub repo read-only

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here to stay. Show Notes Polyfill supply chain attack hits 100K+ sites OpenSSF Scorecard

Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there's some numbers for open source specifically. Show Notes The West Coast’s Fanciest Stolen Bikes Are Getting Trafficked by One Mastermind in Jalisco, Mexico $5 million worth of stolen tools recovered thanks to Apple's AirTag — 12 secret storage facilities had around 15,000 construction tools Vulnerability fixes in plain sight: How your scanners are missing hundreds of vulnerabilities

Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future. Show Notes OpenSSH introduces options to penalize undesirable behavior Hacker News comments

Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation. Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok

Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space as you'll hear in the discussion. There's no a simple solution, but this is certainly something to discuss. Show Notes Your API Shouldn't Redirect HTTP to HTTPS Hacker News discussion HSTS Section 5.1

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? Show Notes Kurt's strange coffee Why a 'frozen' distribution Linux kernel isn't the safest choice for security

Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there's some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell developers what to do. Developers don't like being told what to do. Show Notes pycurl issue Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away RSA ANIMATE: Drive: The surprising truth about what motivates us Sudo-rs dependencies: when less is better phishing webcomic Debian OpenSSL Bug (16 years)

Josh and Kurt talk about a new to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default. Show Notes GitHub artifact attestation

Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. Show Notes Conan O'Brien on Hot Ones Lennart's Mastodon thread xkcd automation

Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have, there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We really need to rethink how we handle vulnerabilities. Show Notes OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories paper: LLM Agents can Autonomously Exploit One-day Vulnerabilities Cisco Fixes RV320/RV325 Vulnerability by Banning “curl” in User-Agent Episode 219 – Chat with Larry Cashdollar Cory Doctorow: What Kind of Bubble is AI?

Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical? Show Notes Hacker News searchable database Benford's law John Oliver Medicaid Mario64 invisible walls Pretendo Pretendo exploit

Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice. Show Notes Help us to take down the parasite website Open Source is bigger than you can imagine Toronto Pearson International Airport heist

Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really weird and hard problem. Show Notes GrapheneOS FCC approves cybersecurity label for consumer devices Cyber Trust Mark Logo

Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can't fix this problem as it stands, we don't know where to start yet. But that's not a reason to lose hope. We can fix this if we want to, but it won't be flashy, it'll be hard work. Show Notes GossiTheDog's Blog Post fr0gger diagram OpenSSF Blog (archive) stb library

Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing. Show Notes RFC 9116

Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come. Show Notes Secure Software Development Attestation Form The U.S. Military Is Missing Six Nuclear Weapons NIST 800-218

Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were. Show Notes Anchore's Blog Grype Josh's Cyphercon Talk Ecosyste.ms Episode 266 – The future of security scanning with Debricked

Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of a massive ecosystem like GitHub. Show Notes GitHub besieged by millions of malicious repositories in ongoing attack

Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that. Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto theft tech device ‘Flipper Zero’ Gmail and Yahoo’s 2024 inbox protections and what they mean for your email program Vending machine error reveals secret face image database of college students

Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. Show Notes Greg K-H Linux Kernel is a CNA Machine learning and stable kernels Bug reporting for Linux

Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible. Show Notes Thomas Depierre I am not a supplier Open Source In The European Legislative Landscape devroom Cyber Resilience Act The 2023 Tidelift state of the open source maintainer report

Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it in. It's a weird topic, but probably pretty important. Show Notes How I reduced the size of my very first published docker image by 40% - A lesson in dockerizing shell scripts Hacker News Discussion Episode 293 – Scoring OpenSSF Security Scoring

Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands. Show Notes Open Source Doesn't Require Providing Builds The things nobody wants to pay for Audacity privacy policy update has caused an outcry The History of X11

Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people are watching and it only takes one person to notice a problem and we all benefit. Show Notes Peanut Butter the dog plays Gyromite The Wizard movie PyTorch supply chain attack npm Package Found Delivering Sophisticated RAT Deceptive Deprecation: The Truth About npm Deprecated Packages Changing a lightbulb Spelunking the Bitcoin Blockchain with Josh Bressers | CypherCon 4.0 Operation Triangulation - What You Get When Attack iPhones of Researchers 9th Annual State of the Software Supply Chain

Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to. Show Notes Security leaders weigh in on 23andme hack Don't need a gun when you have a Donk - Crocodile Dundee 2 Hackers can infect network-connected wrenches to install ransomware My disappointment is immeasurable, and my day is ruined

Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Notes SELinux AppArmor SSH ModSecurity Snort Nmap Nessus What comes after open source

Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not. Show Notes OpenSSF CISA response purl CPE OmniBOR SWID

Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It's sort of a dire conversation, but not all hope is lost. Show Notes Polish manufacturer accused of programming failures into its trains to gain more servicing business Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them Blender Conference Keynote Corey Doctorow Chicago has a problem until the year 2083 | Stand-up Maths Chicago Doesn’t Own Its Own Streets | Climate Town

Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It's a lively discussion all about the past, present, and future of open source LTS. Show Notes Why Kubernetes needs an LTS Linux gives up on 6-year LTS kernels, says they’re too much work

It's the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There's some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us in the near future (if it isn't already). While less fun than we had hoped for, it's an important conversation. Show Notes Sea Elf Ollama UnitedHealth uses faulty AI to deny elderly patients medically necessary coverage, lawsuit claims Stephen Fry on AI Lawyer who cited cases concocted by AI asks judge to spare sanctions Hugging Face

Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in the macbooks. The common thread between all these stories is looking at the return on investment for security. Sometimes good enough security is fine, sometimes it's not worth fixing certain security problems because the risk vs reward doesn't work out. Show Notes TETRA:BURST GPS spoofing attack Apple MacBooks cellular radio Mossad vs Not Mossad

Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details and focus on doing something that feels "right". Show Notes Why Capcom thinks PC game modding is akin to “cheating” Ben Heck

Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. But the government plays by a very different set of rules. Show Notes Canada bans WeChat, Kaspersky applications on government devices Fitness tracking app Strava gives away location of secret US army bases Phishing emails increase over 1,200 percent since ChatGPT launch FedRAMP Rev 5 FAIR Institute

Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it's currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea. Show Notes Mozilla site Root CA mailing list UK eIDAS regulation EFF statement on eIDAS Fixed XKCD comic

Josh and Kurt talk about security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there's not a lot of movement to fix many of them. Tech is weird and hard, and with the almost complete lack of regulation creates some of these challenges. In the world of security we need a better talent pipeline, but that takes actual efforts, not just complaining on the internet. Show Notes Schneier on security skill shortage British Airways flight smoke The Password Game Tesla accidents Lawn darts

Josh and Kurt talk about a proposed Dutch proposal that would allow the intelligence services to hack victims of adversaries they are in the process of infiltrating. The purpose of this discussion isn't to focus on the Dutch specifically, but rather to discuss the larger topic of government oversight. These are all very new concepts and nobody knows how things should work. Show Notes Dutch hacking proposal Give Me Toilet Paper! by Asuka424 in 9:54 - Summer Games Done Quick 2023 Flipper Zero Smart Meter Frequency Hopping Teri Kanfield

Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, we chat with him about the security of curl. Daniel tells us how curl is kept secure, we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project. Show Notes Daniel's Mastodon account Curl The curl CVE blog Broken curl on PowerShell wolfSSL

Josh and Kurt talk about Sonatype's 9th Annual State of the Software Supply Chain. There's a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that's true? Does it really matter? Show Notes Sonatype report ecosyste.ms GNOME libcue flaw Reality 2.0 supply chain episode

Josh and Kurt talk about a curl and glibc bug. The bugs themselves aren't super interesting, but there are other conversations around the bugs that are interesting. Why don't we just rewrite everything in Rust? Why can't we just train developers to stop writing insecure code. How can AI solve this problem? It's a marvelous conversation that ends on the very basic idea: we already have the security the market demands. Unless we change that demand, security won't change. Show Notes Curl vulnerability glibc vulnerability Josh's Badge Project Bob Lord's phishing message

Josh and Kurt talk about contributor license agreements (CLAs). CLAs used to be seen as a necessary evil, but they're almost certainly bad now. We're seeing CLAs being abused, it's clear now anything controlled by a CLA won't be open source forever. Show Notes A Theory of Joint Authorship for Free and Open Source Software Projects Bruce Perens: What Comes After Open Source

Josh and Kurt talk about uncertainty. There are a bunch of stories in the news lately that really just boil down to uncertainty. Uncertainty is incredibly dangerous for everyone. We are afraid of uncertainty, and often don't really understand why it is. Trust is like a currency and uncertainty erodes trust faster than almost anything else. Show Notes Unity's license mess Godot Meta and Salesforce want to re-hire people they fired earlier this year U.S. Debt Credit Rating Downgraded, Only Second Time In Nation’s History

Josh and Kurt talk about filing bugs for software. There's the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can't. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it's something that can be actionable. Show Notes Linux is a nightmare Lodash just declared issue bankruptcy and closed every issue and open PR Linux Kernel Faces Reduction in Long-Term Support Due to Maintenance Challenges Curl NULL pointer dereference

Josh and Kurt talk about the weird world we live in how where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how can we decide what to trust and where. It's a very strange problem we experience now. Show Notes Boots theory MGM cybersecurity issue shuts down slot machines and ATMs in Las Vegas casinos New York Fire Department Forcible Entry Reference Guide Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works. Show Notes Curl blog post Now it's PostgreSQL's turn to have a bogus CVE GitHub Advisory Database Josh's "CVE tried to get me fired" story

Josh and Kurt talk about wordpress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think about 100 years of disaster recovery. Show Notes WordPress is now selling 100-year domains Danish ransomware 15-Minute City The Year Without Pants

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the class story of security vs usability. Security is never the primary goal. If a security requirement doesn't also enable other business goals it will fail. We also touch on the news of a Rust package containing binary files. It doesn't really have anything to do with security, it's all about convenience. Show Notes C and C++ Prioritize Performance over Correctness Nisha's toot Barry Marshall Rust devs push back as Serde project ships precompiled binaries Why DARPA Hopes To 'Distill' Old Binaries Into Readable Code Mario 64 decompilation

Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward. Show Notes Josh's BSidesLV talk Hacker News marked site as malware HashiCorp license change A Theory of Joint Authorship for Free and Open Source Software Projects

Josh and Kurt ask the question what is a vulnerability, but in the framing of video games. Security loves to categorize all bugs as security vulnerabilities or not security vulnerabilities. But the reality nothing is so simple. Everything is a question of risk, not vulnerability. The discussion about video games can help us to better have this discussion. Show Notes Colossus bug Minecraft Heist

Josh and Kurt talk about the difference between what we think of as traditional open source, and enterprise software projects that have an open source license. They are both technically open source, but how the projects work is very very different. Show Notes CentOS Stream PR The Most Prolific Packager For Alpine Linux Is Stepping Away

Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad driven companies seem to be acting very strangely, there's probably a reason for this. The way ads used to pay for content is changing, but a lot of these giant companies don't know how to adapt. It's going to be very interesting times in the near future. Show Notes Web Environment Integrity Hacker News Thread Island Browser hunter2

Josh and Kurt talk about insider threats, but not quite in the way one would expect. The potential for insider threats is possibly higher than usual right now, but what about open source? Are open source developers insider threats for your organization? Have you ever thought about this before? Show Notes CISA insider threats hacks4pancakes toot Don’t Trust a Programmer Who Knows C++ CISA Insider Threat Mitigation

Josh and Kurt talk about some of the efforts to measure and understand open source. There are projects like the OpenSSF Scorecard. We want to measure open source for some idea of quality. Is AI generated code better than a random open source project found on GitHub? Can we track the countries contributors are from? These are all interesting problems that everyone will have to deal with soon. Show Notes OpenSSF Scorecard

Josh and Kurt talk about the notion that open source is somehow dying. What's actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great, probably better than ever. Show Notes Open Source isn't sustainable anymore VORON Design Video of the first lathe Plane Crazy Evernote layoffs

Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn't a show that bashes Red Hat, and it's not a show praising them. We take an honest look at the past, present, and future of Linux. There's a lot to talk about in this one. TL;DR, Red Hat was the chosen on, and we all feel betrayed. Show Notes Red Hat's first blog post Red Hat's honest post DeWitt clause

Josh and Kurt talk about the incredible Reddit debacle. At the center of it all is an API. What does it mean to be using an API and how does this relate itself back to our own risk. Many of us rely on APIs for countless things, and if a company decides to cut off that API somehow, it could create a mess. Show Notes Grimace's Birthday Reddit’s new API pricing will kill off Apollo on June 30 Cory Doctorow enshitification Wal Mart pickle story Elon Musk and Mark Zuckerberg agree to hold cage fight

Josh and Kurt talk about a new program from the Sovereign Tech Fund to fund open source work. It's a great looking program with an acceptable amount of money behind the program. We also talk about a story claiming millions of perfectly good hard drives are destroyed per year. They're probably not OK at all. Show Notes Sovereign Tech Fund Challenges Why millions of usable hard drives are being destroyed LTT Buys Storage Array

Josh and Kurt talk about some new open source projects that aim to start taking back some of our privacy and rights. It's a huge hill to climb, but it seems like there is some hope. Open source doesn't care about growth, or numbers, or anything really, so it can't ever lose. Show Notes Codeberg Veilid Hawkins Cheezies Apollo's Reddit API costs

Josh and Kurt talk about namespaces. They were a topic in the last podcast, and resulted in a much much larger discussion for us. We decided to hash out some of our thinking in an episode. This is a much harder problem than either of us expected. We don't have any great answers, but we do have a lot of questions. Show Notes Not Red Hat NPM hash package Episode 129 – The EU bug bounty program

Josh and Kurt talk about PyPI suspending new accounts and packages for a day, and a 60 minutes story about deepfakes. The problems are mostly the same, but for very different reasons. The world is changing faster than we can keep up, so what is a human to do? Show Notes PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted](https://thehackernews.com/2023/05/pypi-repository-under-attack-user-sign.html) 60 minutes reporter voice clone Cooridor Crew deepfakes Certificate bit flip Candy is delicious

Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen. Show Notes SLSA FRSCA S2C2F MSI leak Intel microcode Tom Scott AI Video

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn't there. it may never be there. Rather than whine and complain, we need to work with our constraints. Show Notes Episode 77 – npm and the supply chain

Josh and Kurt revisit Episode 77, which was named "npm and the supply chain" but was a discussion about the incident we all know now as "leftpad". We didn't understand what was happening at the time, but this would become an event we talk about for years to come. It's shocking how many of the things we discuss are still completely valid five years later. Show Notes Episode 77 – npm and the supply chain

This is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today. Show Notes Original Episode 42 Part 1

The podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools and talent has come a long way in the last few years). This is a remaster of Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today. Show Notes Original Episode 42

Josh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a few years ago, but our needs have changed. Show Notes One Does Not Simply 'pip install' Dag Wieers RPM Webfinger GitHub repo

Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it's mostly one person. It's hard to imagine how this all works sometimes and this lack of understanding can create challenges. Show Notes Josh's blog on the size of NPM One In Two New Npm Packages Is SEO Spam Right Now Linux Kernel power distribution graph

Josh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn't go very well. In this episode Josh and Kurt argue a lot, maybe someday we'll know who was the least wrong. Show Notes ChatGPT Tweet ChatGPT Blog redis bug

Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it's doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future. Show Notes Fiona on Mastodon Sovereign Tech Fund Sovereign Tech Fund Feasibility Study NJ Governor Requests Expertise of 6 People Who Still Know COBOL OpenSSF Criticality Score European critical open source software OSTIF critical open source projects Apply to the Sovereign Tech Fund

Josh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There's a lot to unpack in this one. There's a lot of happenings going on in the world of open source. We are seeing governments paying attention to open source like never before, change is coming and everything is going to change. Show Notes ipmitool Repository Archived, Developer Suspended By GitHub Elixir: Docker now charges open source orgs $300

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it's normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it's coming to an end. Show Notes LTT millenial pause The perverse incentive of vulnerability counting National Cybersecurity Strategy

Josh and Kurt talk to Thomas Depierre about his "I am not a supplier" blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There's too many topics to even list. The whole episode is an epic adventure through modern open source. Show Notes Thomas on Mastodon I am not a supplier The Treachery of Images (Ceci n'est pas une pipe) Atlantic Council report The Field Guide to Understanding 'Human Error' Google wants new rules for developers working on 'critical' projects Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure Sovereign Tech Fund

Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell us different things depending on what we need to know. We also cover some of the community efforts happening around SBOMs. They're still not easy to use, but it's better better. Show Notes SBOM Types draft SBOM Drift OpenSSF SBOM Everywhere

Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe. Show Notes Joylynn Kirui Joylynn on DVT Tech Insights Episode 174 - a chat with GitHub about CodeQL S2C2F Azure Open Source Day

Josh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it's different. Why Rust doesn't have the same problems C and C++ have, and what the future of it all could look like. It's a really fun show with some great questions from Carol along the way. Show Notes Carol Nichols on Mastodon The Rust Programming Language, 2nd Edition Rust book online Netflix tech blog on Java performance Rust in the context of Railroad Brakes Kees Cook blog - Bounded Flexible Arrays in C Consumer Reports on memory safety OSS-Fuzz and Rust

Josh and Kurt talk about the recent GitHub breach. It wasn't terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. Show Notes GitHub blog post Hacker History Podcast episode with Robert Super Mario 64 decompile Mario 64 built without optimization Link to the Past source code

Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can't fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C. Show Notes NSA Releases Guidance on How to Protect Against Software Memory Safety Issues Drum memory and the story of Mel Netflix performance Discord Go vs Rust NVIDIA switch to Spark

Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It's also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren't any great answers here, but we do ask a lot of questions about long running tech. Show Notes NOTAM outage AIX is not dead IBM Linux commercial Apple A/UX How NOT To Implement the POSIX Standard, Featuring Windows NT iSH Hand Made Vacuum Tubes

Josh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what's changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like? Show Notes Furby source code Talking Toy Or Spy? Adam Ruins Everything - Why Jaywalking Is a Crime

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It's common to think of open source projects as delivered to us, but it's more like acquiring raw materials from the forest. The problem is we're harvesting the raw materials in an unsustainable manner at the moment. Show Notes I am not a supplier Josh's question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesome Games Done Quick GeoGuessr Awesome Games Done Quick 2023

Josh and Kurt talk about the LastPass saga. There's a lot of great explanations about what happened, but there hasn't been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. The real problem is how LastPass is dealing with this, not the technical details. Show Notes Great writeup of LastPass Jeremi M Gosney Mastodon explanation Tavis writeup on password managers Use a Passphrase

Josh and Kurt talk about some security gifts for boxing day. We start out with the idea of the security poverty line and discuss a few ideas for how a low resource group can make their open source more secure. There are no simple answers unfortunately. Show Notes Wendy Nather Security Poverty Line Boots Theory

Josh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale. Show Notes infosec.exchange MFA discussion Jerry's 2FA advice MalwareTech retracts Mastodon statements

Josh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. Show Notes Jill's Twitter Jill's Mastodon GitHub Bug Bounty Bug bounty scope Eight years of the GitHub Security Bug Bounty program GitHub NPM bug bounty find

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology. Show Notes Hacker News Stylometry Analyzer FBI Profiler on the Unabomber Impersonate Eli Lilly for $8 Shakespeare Stylometry

Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic. Show Notes EFF on Mastodon DM privacy Towards End-to-End Encryption for Direct Messages in the Fediverse Pluralistic: 14 Nov 2022 Even if you're paying for the product, you're still the product

Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated. Show Notes PowerDMARC Will Dormann GossiTheDog upgrades Exchange lcamtuf's blog I like Ice Cream

Josh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder. Show Notes NCSC Scanning information Motherboard podcast about NCIS

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. Show Notes OpenSSL Blog Post OpenSSL pre-announcement Mark Cox Tweet 3.0 only affected GossiTheDog NDA Tweet Claims of a name and logo Rustls   Image Credit

Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers. Show Notes Lufthansa bans airtags Airtag stalking problems Lufthansa unbans airtags Cult of the Dead Cow book TV Typewriter Andre the Giant on an airplane Poison Squad

Josh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home. Show Notes Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs Business Insider 2 jobs story Ken Thompson lines of code

Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security? Show Notes Cloning a Rare ISA Card to Use a Rare CD Drive Vintage Tech YouTubers Discussion Panel | VCFMW 17 (2022) Flipper Zero Lock camera HackRF One The history of Hash Reddit post-it notes in apartment

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what's OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022. Show Notes CVE-2007-4559 Red Hat Bug Register story Response from upstream Upstream patch ZippSlip Current upstream bug CSURF

Josh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. Show Notes Iliana's Twitter There is no “software supply chain” Google supply chain blog GitHub ansi_term advisory PyPI 2FA Dashboard tarfile issue rediscovered in 2022

Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes Kelsey Hightower tweet OSS-Fuzz

Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it. Show Notes Time Till Open Source Alternative GitHub Desktop issue 78 The Reddit Safe

Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects. Show Notes Josh Aas Internet Security Research Group (ISRG) Let's Encrypt Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas New Major Funding from the Ford Foundation ISRG annual reports Peter Eckersley

Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security. Show Notes The Hacker Mind The Untold Stories of Open Source H.R.7900 - National Defense Authorization Act for Fiscal Year 2023 Kurt's blog post

Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction. Show Notes Dustin Childs ZDI Sloppy Software Patches Are a ‘Disturbing Trend’ Zero Day Initiative launches new bug disclosure timelines ISO 28147

Josh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey. Show Notes Tweet about data The 6 most common types of bias when working with data Syft and Grype stars graph John Snow, Cholera, the Broad Street Pump Bob Lord tweet

Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can. Show Notes The tweet that started it all Mark Loveless Mark Manning Richard (Dick) Brooks @ImbecillicusRex What Train Have We Got? Dan Alejo 🏳️‍🌈 postmodern 🇺🇸 Robert C. Seacord 🇺🇦 Yip Wai Peng Sachin Shahi

Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here. Show Notes How and why the leap second affected Cloudflare DNS Facebook wants to get rid of leap seconds Leap Smear Falsehoods programmers believe about time

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture. Show Notes Syft Grype Microsoft bans and unbans open source Tidelift survey Bruce Perens - What comes after open source

Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with. Show Notes PyPI announcement NPM expired domains Morten Linderud Tweet Congratulations: We Now Have Opinions on Your Open Source Contributions

Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter. Show Notes XKCD signed email Shire calendar Guardian editors destroy Snowden laptop

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. Show Notes gsd.id The Register OpenSSL story OpenSSL bug

Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job? Show Notes Tesla Layoffs Coinbase layoffs

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy open to discussing alert fatigue and why it's important to be very mindful of our communications. Show Notes GitHub 400K notifications Hacker News thread Reddit user TV Bluetooth

Josh and Kurt talk about containers. There are a lot of opinions around what type of containers is best. Back when it all started there were only huge distro sized containers. Now we have a world with many different container types and sizes. Is one better? Show Notes Programming in the Apocalypse Bob Diachenko Paranoids Podcast

Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that's "healthy"? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean? Show Notes OpenSSF TAC Issue 101

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and have a chat about the topic. There's not much security in this one, but it is a fun discussion. Show Notes Boris Johnson blames cheese Apple and WFH

Josh and Kurt talk about a fake 7-Zip security report. It's pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. Show Notes Probably fake 7-Zip

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book. Show Notes Adam Shostack Adam's Website The book

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking. Show Notes Google Project Zero blog post Apple 0days Joint cyber advisory

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important. Show Notes State of Enterprise Vulnerability Detection and Patch Management CISA Known Exploited Vulnerabilities Catalog Google 0days

Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works best for you, not what someone tells you is best. Show Notes Patch Tuesday Git security update

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. Show Notes Hackers using fake emergency data requests CVE-2018-25032 Global Security Database

  Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess. Show Notes Josh's Twitter thread How to install week old npm packages

  Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs are shallow (they're not), the superpower is security bugs in open source can't be ignored. Show Notes node-ipc protestware

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do. Show Notes Ads in Windows Filemanager Russia running out of storage Russia threatens to nationalize industry Onagawa Nuclear Power Plant Cockcroft's Follies German government advises citizens to uninstall Kaspersky

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source. Show Notes Dirty Pipe Writeup

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need to push security forward. Show Notes Stable Linux Kernel and Machine Learning

Josh and Kurt talk about SBOMs. Not what they are, there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question if we really need them. SBOMs are part of a future that's still being invented. Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn't dangerous. What other security advice just won't go away? Show Notes Coinbase Ad Kurt's Twitter question QR code parking scam Mossad or not Mossad Kurt's talk

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don't have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it's easy to see how the EFF became the jewel of the Internet. Show Notes Hayley's Twitter EFF How to Fix the Internet Episode 277 – Privacy and activism with Chris Weiland Washington State privacy bill Join the EFF (seriously, do this!)

Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes NPM requires 2FA OpenSSF Alpha and Omega David A. Wheeler episode Linux Foundation LFX Samba Advisory

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It's hard to talk about security sometimes. Show Notes Josh's computer vision code Twitter secrets Qualys pwnkit

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers. Show Notes We rate dogs Racoons that heal your sadness Global Security Database Episode 261 – DWF is back! Welcome to community powered CVE GSD mailing list GSD Circle group GSD Database GSD Project Plan

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. Show Notes Developer corrupts colors and faker Will Wright Pee Internet Anonymity

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world of cryptocurrency is very confusing for normal people. None of this is new, there have always been con artists, there will always be con artists. Show Notes Norton Crypto FAQ Stolen Ape Smart contract to buy the constitution YEAR token

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it is no is very complicated. Far more complicated than either of us thought it would be. Show Notes Will cyber security vulnerabilities ever "stop existing" ?

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event, I'm sure we'll be talking about it well into the future. Log before Christmas poem 'Twas the night before Christmas, when all through the stack Not a scanner was scanning, not even a rack, The SBOMs were uploaded to the portal with care, In hopes that next year would be boring and bare The interns were nestled all snug at their beds; While visions of dashboards danced in their heads; The CISO in their 'kerchief, and I in my cap, Had just slept our laptops for a long winter's nap, When all of a sudden the pager went ack ack I sprang to my laptop with worries of attack Away to the browser I flew like a flash, Tore open the window and cleared out the cache The red of the dashboard the glow of the screen Gave a lustre of disaster my eyes rarely seen When what to my wondering eyes did we appear, But a new advisory and eight vulnerabilities to fear, Like a little old hacker all ready to play, I knew in a moment it must be Log4j More rapid than gigabit its coursers they came, And it whistled, and shouted, and called them by name: "Now, Log4Shell! now CVE! now ASF and NVD! On, CISA! on, LunaSec! on, GossiTheDog! To the top of the HackerNews! to the top of the wall! Now hack away! hack away! hack away all!" Like the bits that before the wild CDN fly by When they meet with a firewall, they mount to the sky; So up to the cloud like bastards they flew With tweets full of vulns, and Log4j too— And then, in a twinkling, I read in the slack The wailing and screaming of each analyst called back As I drew in my head, and was turning around, Down the network Log4j came with a bound. It was dressed in a hoodie, black and zipped tight, The clothes were all swag from a conference one night A bundle of vulns it had checked in its git And it looked like a pedler just being a twit The changelog—how it twinkled! its features, how merry! Its versions were like roses, its logo like a cherry! Its droll little mouth was drawn up like an at, And the beard on its chin made it look stupid and fat The stump of a diff it held tight in its teeth, And the bits, they encircled the repo like a wreath; It had a flashy readme an annoying little fad That shook when it downloaded, like a disk drive gone bad It was chubby and plump, an annoying old package, And I laughed when I saw it, in spite of the hackage A wink of its bits and a twist of its head Soon gave me to know I had everything to dread It spoke not a word, but went straight to its work, And pwnt all the servers; then turned with a jerk, And laying its patches aside of its nose, And giving a nod, up the network it rose; It sprang to its packet, to its team gave them more, And away they all fled leaving behind a back door But I heard it exclaim, ere it drove out of sight— “Merry Christmas you nerds, Log4j won tonight!”

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then. Good luck to everyone dealign with this thing Show Notes Log4j GSD entry Minecraft server discussion Log4j GitHub issue 608

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way to too good to ignore. Show Notes Lawfare Apple NSO podcast New way to play Tetris

the lawsuit is based on CFAA, not on copyright. We apologize for this enormous oversight. Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn't always make sense. Copyright has been used by open source to expand rights, and many companies to restrict rights. It's a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens. Show Notes Apple sues NSO group VMWare EULA

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of security and tech and disagree about how to best keep your skills up to date. Show Notes Experts From A World That No Longer Exists Neuroplasticity Scotty and the mouse Git 2.34 4H Public Speaking

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects. Show Notes David A Wheeler Episode 14 – David A Wheeler: CII Badges Sigstore joins the OpenSSF OpenSSF Technical Working Groups NPM requires MFA LISH Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks

Josh and Kurt talk about the famous Phrack 49 article "Smashing the Stack for Fun and Profit" turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making exploiting stack overflows easier, to defenders creating technologies such as stack canaries are the direct result of this work. Show Notes Phrack 49 Kurt's Interview with Elias Levi aka Aleph One

Josh and Kurt talk about the new Trojan Source bug. We don't always agree on if this is a vulnerability (it's not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don't live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one. Show Notes Trojan Source oss-security message GitHub example

Josh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. Show Notes UAParser.js CISA announcement

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security. Show Notes Chris Wysopal Veracode l0phtcrack

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no brainier activities. We go through the list of metrics being measured. There are only a few that we don't think are fantastic. Show Notes 4 of spades OpenSSF Chris Montgomery audio explanation Scorecard 3.0.0 Scoring criteria Python Skeleton

Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn't matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard. Show Notes Parasocial Relationship Twitch Hack Soviet B-29 Clone Apache CVE Apache Advisory GossiTheDog Tweet Hacker Fantastic exploit

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you'll have some fun and learn a bit about the whole vulnerability disclosure process. Show Notes Apple 0days Microsoft Exchange flaw THIS IS HOW THEY TELL ME THE WORLD ENDS Linux Foundation Vulnerability Disclosure Timezone problem

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit. How a lot of the plot is a bit silly. It's a really fun episode. Show Notes Matrix 4 trailer nmap in the Matrix VFX Artists react to the Mandalorian Glasshouse Universal Paperclips

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It's certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal. Show Notes Matrix 4 trailer Travis CI issue Apple 0day patches Chrome 0day patches CGP Grey Where is the European Union

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that goes against how GitHub works. They're also turning all compiler warnings into errors. It's really interesting to understand what these steps mean today, and what they could mean in the future. Show Notes The Register Linux story OpenSSL Release Notes

Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came? Show Notes GitHub Copilot Copilot research paper

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space and what sort of new thing scan we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more. Show Notes Dan's Twitter Sigstore SLSA Framework

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren't a help desk. Show Notes Emacs closes 45% of bugs UVI Tesla investigation UK COVID spreadsheet

Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this. What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don't have any real answers for. Show Notes Home Depot power tools Ray Ozzie's IoT board First-sale doctrine

Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It's less simple than it sounds, many of the choices could end up harming victims. Show Notes Disclosure Dilemmas @evacide Bob Diachenko This Is How They Tell Me The World Ends

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn't always obvious when you're in the middle of progress. Show Notes Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming Josh's devopsdays talk Microsoft moved font handling out of the kernel Atari 2600 emulator in Minecraft Rate of technology adoption

Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake up call for anyone creating devices and systems that could be attacked, it's time to segment services. There's not a lot individuals can do at this point, but we have some ideas at the end of the episode. Show Notes NSO Group spying Technical details Twitter thread Are we the Baddies?

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us, if we lose access to our SSO account we will lose access to many services. Show Notes Postbank

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it? Show Notes SGDQ Paper Mario Paper Mario Arbitrary Code Execution explained Freenode Audacity acquired by Muse Group Audacity fork

Josh and Kurt talk about a listener provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it's very difficult to sandbox something like a build system. Show Notes Gone in 60 milliseconds

Josh and Kurt talk to Chris Weiland from Restore the Fourth Minnesota. Restore The Fourth Minnesota is nonprofit dedicated to restoring the Fourth Amendment to the U.S. Constitution and ending unconstitutional mass government surveillance. Chris drops a ton of knowledge about how to be an effective tech activist, what his group is doing, and most importantly we get actionable advice! Show Notes Restore the Fourth Minnesota Restore the Fourth Minnesota on Twitter Writ of assistance Carpenter vs United States How many US federal laws are there? Restore the Fourth Episode 114 – Review of "Click Here to Kill Everybody" EFF EFA ACLU affiliates Glenn Greenwald TED talk

Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what's happening around us when everything is related. Show Notes Judges more lenient after a break Dungeons and Data Poverty changes your DNA

Josh and Kurt talk about why it seems like the world of ransomware has gotten out of control in the last few weeks. Every day there's some new and more bizarre ransomware story than we had yesterday. Show Notes Spurious Correlations Ransom recovered Adam Shostack Ransomware is not the problem Latvian Woman charged for writing ransomware

Josh and Kurt talk about Amazon sidewalk. There is a lot of attention, but how is this any different than the surveillance networks Apple and Google have built? Show Notes Amazon Sidewalk Ads and toothpaste Airtags and stalking

Josh and Kurt talk about AI driven comments. We live in a world of massive confusion and disruption where what is true and false, real and fake, are often widely debated. As AI grows and evolves what does it mean for this future? We don't really have any answers, but we ask a lot of questions. This isn't easy, nor will it be solved quickly, but solving it is not optional. Show Notes AIs and Fake Comments ACLU AMA Cloudflare Cryptographic Attestation of Personhood Evil bit Boris Johnson Painting Buses

Josh and Kurt talk about the Biden Administration new cybersecurity executive order. There are some good ideas in there, but at the end of the day it's an unfunded mandate. Unfunded mandates are difficult to implement. Show Notes Biden Executive Order Fact Sheet Obama's cyber EO

Josh and Kurt talk about how people handle problems. We open with the story of the Colonial Pipeline hack, but then go into some of the ways people tend to make problems worse. Show Notes Male vs Female trees Pipeline hack XKCD Pipelines TSA Pipeline Security

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse a user into doing something they don't want to, like unknowingly purchasing a monthly subscription to something you don't need or want. The US Federal Trade Commission is starting to discuss dark patterns in webs sites and apps. Show Notes Dark Patterns Types of Dark Patterns FTC Bringing Dark Patterns to Light LTT Dell Warranty

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There's a lot to unpack in this one, but the TL;DR is you probably don't want to experiment on the kernel. Show Notes Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research University of Minnesota security researchers apologize for deliberately buggy Linux patches The International Obfuscated C Code Contest

Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust? Show Notes Europe and 5G Codecov Codecov Reuters story Red Hat OpenSSH advisory

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that's OK. Show Notes Hacker History Podcast Chrome 0day NTFS Documentation

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like. Show Notes Debricked Emil's Linkedin

Josh and Kurt talk about the PHP backdoor and the Ubiquity whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information. Show Notes PHP backdoor Ubiquity coverup 3D printed TSA keys LockPickingLaywer Determining Key Shape from Sound Lock camera

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It's a great conversation. Show Notes Mark Loveless Twitter GitLab GitLab Handbook How we approach open source security PASTA threat modeling GitLab security features Tales from the Past - "You Tested Positive for TNT"

Josh and Kurt talk about how terrible daylight savings is. GitHub yanking some exploit code. And the Linux Foundation new project to sign all the things. Show Notes Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github GitHub content restrictions Reproducing the Microsoft Exchange Proxylogon Exploit Chain

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, they huge code donation to the CNCF and what securing a modern infrastructure looks like today. Show Notes Sysdig Falco Loris' Twitter Dan "Pop" Popandrea's Twitter Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF pdig Sysdig 2021 container security and usage report: Shifting left is not enough

Josh and Kurt talk about DWF. It's back and the intention is to have real community driven security identifiers! Show Notes Committee vs Community dwflist repo dwf-request tooling repo dwf-workflow policy repo CVE plateua graph iwantacve.org

Josh and Kurt talk with Dave Jevans CEO of CipherTrace and chairman of the anti-phishing working group about the challenges of keeping track of cryptocurrency in the modern age. Show Notes Dave's Twitter CipherTrace Anti Phishing Working Group

Josh and Kurt talk about the question "what is open source?" Why do we think it's broken today, and what sort of ideas about what should come next. Show Notes OSI Bruce Perens Post Open Source Josh's community blog post Corey Doctorow Uber Twitter thread

Josh and Kurt talk about the Google Project Zero report titled "A Year in Review of 0-days Exploited In-The-Wild in 2020". It's a cool report but we don't agree on the conclusion. The answer isn't to security harder, it's to stop using C. Show Notes Google Project Zero Year of 0-days Kurt's CUPS tweet

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What's the deal with these buffer overflows and TOCTU bugs? Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think. Show Notes Legend of Zelda Random Number Generation Green rocket flame SR71 leaked fuel How do Namibian Himbas see colour? Suptuple meter music

Josh and Kurt talk about what we can stop doing. We take a position of asking "does it spark joy" for tools and infrastructure. Everyone is doing something they should stop. Show Notes Does it spark joy?

Josh and Kurt talk about the new right to repair rules in the EU. There's a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years. Show Notes EU right to repair repair.eu

Josh and Kurt talk about this idea that seems to exist in security of "attackers only need to be right once" which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But "defenders only need to be right once" isn't going to sell any products. Show Notes Richard Feynman and manhole covers Richard Feynman on Why He Can't Tell You How Magnets Work Israeli airport security FAA stolen sweater XKCD Is it worth the time CGP Grey The trouble with transporters

Josh and Kurt talk about a report on open source security from the Canadian Centre for Cyber Security. The title pretty much sums it up. Show Notes Security Considerations for Open Source Build an 8 bit computer from scratch

Josh and Kurt talk about communication. It's really hard to talk about a lot of what we do. How do we know if a device is secure? How do we know our knowledge is correct? Show Notes 90 percent of U.S. bills carry traces of cocaine Is the moon a star or planet? A mole of moles New homeowner 'freaked out' when stranger took control of her security system Coffee maker ransomware NIST Phish Scale The metric system Operation Paperclip

Josh and Kurt talk about why we do the things we do. Sometimes we have to question everything. Links SLAM missile

Josh and Kurt talk about the idea of information wanting to be free. It's Christmas, we should give it what it wants! Links Hacker Manifesto

Josh and Kurt talk about how to file 1000 security flaws. One is easy, scale is hard.

Josh and Kurt talk about how to report one security flaw

Josh and Kurt talk about bug bounties

Josh and Kurt talk about if SMS 2 factor auth is better than no 2FA Links Cyber deepfaked their host

Josh and Kurt talk about modern TLS certificate trust

Josh and Kurt talk about why it's a horrible idea to roll your own crypto or auth

Josh and Kurt talk about vulnerability response. What is it, what does it mean, how does it work

Josh and Kurt talk about the switch from 16 to 32 to 64 bit and even the changes from Intel to ARM

Josh and Kurt talk about supplier compliance Links Annex A.15.1 of ISO 27001:2013 Episode 162 – SBOM with Allan Friedman

Josh and Kurt talk about backdoors in open source software

Josh and Kurt talk about the unluckiest man in the world and survivor bias Links Unluckiest man in the world

Josh and Kurt talk about video game hacking. The speedrunners are doing the best security research today Links Super Mario World RCE

Josh and Kurt talk about the safety of a 737 Links FAA says 737 is safe

Josh and Kurt talk about Apple leaking internal IP addresses. Sometimes we create our own emergencies over things that don't matter. Links Apple's internal IP addresses

Josh and Kurt talk about public key cryptography

Josh and Kurt talk about the OpenBSD security(8) man page and the importance of automating security Links OpenBSD security(8) page

Josh and Kurt talk about prime numbers

Josh and Kurt talk about the non problems with public wifi we love to pretend matter Links The Half Dozen Risks of Using Dirty Public Wi-Fi Networks

Josh and Kurt talk about why you need 24/7 monitoring of all the things Links Swiss air force office hours DC-10 cargo door

Josh and Kurt talk about how the EFF is helping us prevent Internet tracking Links EFF Cover Your Tracks

Josh and Kurt talk about how many security vulnerabilities matter enough to fix? Links A Third of Known Computer Security Flaws Have No Solution Episode 162 – SBOM with Allan Friedman

Josh and Kurt talk about cybersecurity statistics and the value of the data we have. Links 24 Cybersecurity Statistics That Matter In 2020

Josh and Kurt talk about advent calendars. We are publishing 25 5 minute episodes in 25 days. Also portable X-ray machines.

Josh and Kurt talk about the safety and liability of new devices. What happens when your doorbell can burn down your house? What if it's your fault the doorbell burned down your house? There isn't really any prior art for where our devices are taking us, who knows what the future will look like. Show Notes Ring Doorbell recall Ring incorrect screw diagram Punctured battery Episode 145 – What do security and fire have in common? Phillips vs Robertson screws wendy knox everette Wendy's presentation on legal liability Tim Burners-Lee privacy company

Josh and Kurt talk about what happens when important root certificates expire on old Android devices? Who should be responsible? How can we fix this? Is this even something we can or should fix? How devices should age is a really hard problem that needs a lot of discussion. Show Notes Unboxing coins Old Android devices certificate store Steve1989MREInfo

Josh and Kurt talk about the idea behind the full disclosure of security vulnerability details. There have been discussions about this topic for decades with many people on all sides of the issue. The reality is however, if you look at the current state of things, this discussion is settled, full disclosure won. Show Notes Hacker One 100 million payout Project Zero bug Remington gun trigger class action lawsuit Square windows on a plane

Josh and Kurt talk to Jeff Mitchell about the new HashiCorp project Boundary. We discuss what Boundary is, why it's cooler than a VPN, and how you can get involved. Show Notes Jeff Mitchell HashiCorp Boundary announcement Discuss forum Boundary Project Boundary GitHub

Josh and Kurt talk about how to get started in security. It's like the hero's journey, but with security instead of magic. We then talk about what Webkit bringing Face ID and Touch ID to the browsers will mean. Show Notes Hero's Journey Mudge's Tweet L0pht at Congress Bob Ross Webkit Face ID and Touch ID for the Web

Josh and Kurt talk about Network Time Security (NTS) how it works and what it means for the world (probably not very much). We also talk about Singapore's Cybersecurity Labelling Scheme (CLS). It probably won't do a lot in the short term, but we hope it's a beacon of hope for the future. Show Notes Network Time Security NTP and the University of Wisconsin Cybersecurity Labelling Scheme (CLS)

Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it! Show Notes Akamai Larry's website Larry's First CVE

Josh and Kurt talk about change. Specifically we discuss how the past was a terrible place. Never believe anyone who tells you it was better. Part of a career now is learning how to learn. The things you learn today won't be useful skills in a few years. The future is is always better than the past. Even in 2020. Show Notes I no longer build software Temple OS Top Gear electric car 1959 Bel Air crash test

Josh and Kurt talk to Travis Murdock about how to tell your story. Travis explains how to talk to the press and how to tell our story in a way that helps get our message across and lets the reporter do their job better. Show Notes Ruder Finn CVE-2009-3555 Heartbleed

Josh and Kurt talk about how we talk about what we do in the context of life on Venus. We didn't really discover life on Venus, we discovered a gas that could be created by life on Venus. The world didn't hear that though. We have a similar communication problem in security. How often are your words misunderstood? Show Notes Phosphine on Venus GPS and relativity

Josh and Kurt talk about attacking open source. How serious is the threat of developers being targeted or a git repo being watched for secret security fixes? The reality of it all is there are many layers in a security journey, the most important things you can do are also the least exciting. Show Notes Targeting developers XKCD Infrastructure comic Hiding security flaws in git Mossad vs Not-Mossad (PDF warning)

Josh and Kurt talk about how your actions can tell the world if you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously. Show Notes Reddit carbon monoxide Part 1 Part 2 GCP Grey minus infinity Josh's blog post

Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas. Show Notes Blanket rack Chromium DNS traffic Ubuntu MOTD Microsoft telemetry YAM coin implodes Panda Cubs

Josh and Kurt talk about the Microsoft 2 year old signature bug and Github no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks

Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It's not all bad though, there are some things we can do to help move things forward. This episode shouldn't be taken too seriously. Show Notes "cult of information security" How to start a cult

Josh and Kurt talk about Secure Boot. The conversation uses the recent "Boot Hole" vulnerability to frame a conversation about what Secure Boot is and isn't. Why the Boot Hole flaw doesn't really matter, and why Secure Boot was very scary for Linux users back when it came out. Show Notes Boot Hole

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it's we don't have metrics. Can you measure not getting hacked? Show Notes Clearing checks FAIR Institute Factorio

Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text. How we create, and how social media is doing everything it can to weaponize our attention. It's not a fight humanity is winning. Show Notes GPT-3 AI Blipverts

Josh and Kurt talk about Google's new confidential VMs. The AMD Secure Encrypted Virtualization is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud. Show Notes Google confidential VMs AMD SEV SEV vs SGX

Josh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we're seeing in open source security. Some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It's a great conversation! Show Notes The State of Open Source Security 2020 Alyssa's Twitter

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren't what they used to be, but things like BSides are great experiences. Show Notes Security and Human Behaviour Josh's blog post Mudge's Twitter thread

Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution? Show Notes Picture of Kurt's security check-up Dragon controls

Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? Show Notes Josh's blog post NVD Red Hat security data Josh's CVE data project Microsoft security ratings scale

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future? Show Notes Container Security download Pictures of elephants Kubernetes Security book Starboard project Dynamic threat analysis

Josh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes always, not even that one time. Show Notes Bind advisory Robustness Principal eBay port scanning localhost OWASP CSV injection

Josh and Kurt talk about the Krebs blog post titled "When in Doubt: Hang Up, Look Up, & Call Back". In the world of security there isn't a lot of actionable advice, it's worth discussing if something like this will work, or ever if it's the right way to handle these situations. Show notes When in Doubt: Hang Up, Look Up, & Call Back Tech Support Scam podcast: Part 1, Part 2 STIR/SHAKEN Drill the wrong safe deposit box 2009 Bank of Ireland robbery

Josh and Kurt talk about what beer and reproducible builds have in common. It's a lot more than you think, and it mostly comes down to quality control. If you can't reproduce what you do, you're not a mature organization and you need maturity to have quality. Show Notes Reinheitsgebot Josh's Blog Post Ken Thompson's reflections on trusting trust Tor Browser Deterministic Builds One line package broke npm create Donkey Kong 64 memory leak

Josh and Kurt talk about automatic updates. Specifically we discuss a recent decision by Ubuntu to enable forced automatic updates. There are lessons here for the security community. We have a history of jumping to solutions rather than defining and understanding problems. Sometimes our solutions aren't the best. Also murder bees. Show Notes The Oatmeal giant bee comic Honeybees cook giant hornet Ubuntu 20.04 LTS’ snap obsession has snapped me off of it Forum discussion

Josh and Kurt talk about the uproar around Cloudflare's "Is BGP safe yet" site. It's always interesting watching how much people will push back on new things, even if the new things is probably a step in the right direction. The clever thing Cloudflare is doing in this instance is they are making the BGP problem something anyone can understand. Also send us your funny dog stories. Show Notes Is BGP safe yet? Reddit BGP conversation Hacker News BGP conversation Stealing cryptocurrency with BGP

Josh and Kurt talk about the new normal that's working away from an office. It's not exactly working from home as there are some unforeseen challenges that we just took for granted in the past. There are a lot of new and strange security problems we have to adapt to, everyone is doing amazing work with very little right now. Show Notes Microsoft buys corp.com Hijack computer network traffic with a Pi Zero

Josh and Kurt talk about space. We intended to focus on Apollo 13 but as usual we have no ability to stay on topic. There is a lot of fun space discussions in this one though. Do you think you can hack Voyager 1? Only if you have a big enough satellite dish. Show Notes Eavesdropping on Apollo 11 Apollo 11 classified weather satellite The pen that saved Apollo 11

Josh and Kurt talk about Kurt's recent treadmill purchase and the lessons we can lean in security from the consumer market. The consumer market has learned a lot about how to interact with their customers in the last few decades, the security industry is certainly behind in this space today. Once again we display our ability to tie even the seemingly mundane things back to a discussion about security. Show Notes Eating goldfish off the treadmill

Josh and Kurt talk about security scanners. They're all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you're running the scanner and what the reports mean? Show Notes Edmonton freeze thaw cycles Josh's security scanner blog series

Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada's entertainment industry and Unit 8200 are good examples of this. Show Notes SCTV Red Team Project Moon Shot book  AvE channel  Turning a tree root into a bowl  Mailing the Hope Diamond The Ecosystem

Josh and Kurt talk about video games and hacking. Specifically how speed runners are really just video game hackers. Show Notes Developer speedrun commentary Super Mario World end credits glitch explained Mario 3 RCE Breath of the Wild speedrun Super Metroid reverse boss order TMR beats every NES game

Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There's a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun. Show Notes Penny Arcade Banned from Fortnite Apollo Robbins, world's best pickpocket

Josh and Kurt talk about Wireguard. There have been a lot of recent conversations about it and if it's better or worse than other VPN solutions. It's safe to say in our modern age, less is usually more, especially when it comes to security. Wireguard has a lot going for it, it can't be ignored. Show Notes Replacing a Nintendo Switch fan WireGuard Hacker News discussion

Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics. Show Notes Tony Meehan  Rob Joyce on Disrupting Nation State Hackers Bobby Filar living off the land blog Dwell time graph  Snowboarder vs Tree

Josh and Kurt talk about the Linux Foundation Census 2. There is a lot of talk around how to fix open source security, but the reality is we can't fix it. We need to stop trying to fix what isn't broken and engineering around the system we have, not the system we want. Show Notes Linux Foundation Census 2 Core Infrastructure Initiative

Josh and Kurt talk about the sale of the corp.com domain. Is it going to be the end of the world, or a non event? We disagree on what should happen with it. Josh hopes an evildoer buys it, Kurt hopes for Microsoft. We also briefly discuss the CIA owning Crypto AG. Show Notes corp.com is for sale CIA owned Crypto AG

Josh and Kurt talk about a huge working from home experiment because of the the Coronavirus. We also discuss some of the advice going on around the outbreak, as well as how humans are incredibly good at ignoring good advice, often to their own peril. Also an airplane wheel falls off. Show Notes Work from home Hacker News discussion CDC advice How to wash your hands Air Canada flight without running wather Airplane wheel falling off

Josh and Kurt talk about open source maintainers and building communities. While an open source maintainer doesn't owe anyone anything, there are some difficult conversations around holding back a community rather than letting it flourish. Show Notes Actix-web story Lodash Possible Lodash security issue  Javascript libraries are almost never updated Ularn

Josh and Kurt talk about SIM swapping. What is it, how does it work. Why should you care? There's not a ton you can do to protect yourself, but we go over some of the basic concepts and what to watch out for. It's unfortunate this is still a problem. Show Notes Five Major US Wireless Carriers Are Vulnerable to SIM Swapping Edmonton Police SIM swap website

Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard. Show Notes Microsoft flaw CVE-2020-0601 Citrix flaw CVE-2019-19781 Citrix mitigation instructions

Josh and Kurt talk about the updated Google Project Zero disclosure policy. What's the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won't drastically change much. Show Notes Google and 90 day patch disclosure Upgrading all Windows versions

Josh and Kurt talk about a discussion on Twitter about if discovering CVE IDs is important for a resume? We don't think it is. We also discuss the idea of ransomware putting a company out of business. Did it really? Possibly but it probably won't create any substantial change in the industry. Show Notes Games Done Quick  Ransomware puts company out of business 1 in 5 companies shut down due to ransomware  Laura Shin SIM Swap Podcast

Josh and Kurt talk about marketplace safety and security. Will we ever see an end to the constant flow of counterfeit goods? The security industry has the same problem the marketplace industry has, without substantial injury we don't see movement towards meaningful change. Show Notes BrickLink Cars in Canada lighting on fire  President Roosevelt used Al Capone's Limo Dangerous car seats Fake external hard drive

Josh and Kurt talk about security predictions for 2020. None of the predictions are even a bit controversial or unexpected. We're in a state of slow change, without disruptive technology next year will look a lot like this year. Show Notes The Rising Speed of Technological Adoption Slack Certified GDPR Fines and Notices

Josh and Kurt talk about the opportunistic nature of crime. Defenders have to defend, which means the adversaries are by definition always a step ahead. We use the context of automobile crimes to frame the discussion. Show Notes Stealing cars with radio relays RTL Software Defined Radio Canada most stolen car

Josh and Kurt talk to Rob Schultheis from GitHub about some of the amazing projects GitHub is working on. We discuss GitHub security advisories, getting a CVE from GitHub, and what the new GitHub Security Lab is doing. It's a great conversation about how GitHub is working to make security better for all of us. Show Notes GitHub Security Advisories GitHub CVE requests GitHub Security Lab GitHub Security Lab Slack GitHub Security Lab Twitter

Josh Santa and Kurt talk the border nightmare Santa Clause has to deal with as he traverses the globe. Questions we explore include: Are the reindeer farm animals? Is the North Pole a farm? Is Santa an intellectual property thief? Does Krampus eat politicians? Does Santa have a passport? Does Santa have an emergency radio? Show Notes Pirate Joes

Josh and Kurt talk about the security implications of planned obsolescence. We use Intel's recent decision to remove old drivers from their website as the start of the conversation. By the end we realize this is more of a decision society needs to understand and make more than anything. Is constantly throwing out technology OK? Show Notes Intel removes old drivers Upgrading all versions of Windows Sniffing your Smart TV

  Josh and Kurt talk to Kathryn Waldron of the R Street Institute about a paper she recently published that collects a number of cybersecurity measuring devices in one place. Show Notes Kathryn Waldron Kathryn's Twitter account Resources for Measuring Cybersecurity There are 14 standards

Josh and Kurt talk about banking and privacy. It's very likely nothing will get better anytime soon, humans will continue to be terrible at understanding certain risks. We also discuss what quantum supremacy means (or doesn't  mean) for security. Show Notes National Bank Privacy Issues Quantum Supremecy Claims Hype Cycle Scottish person talking to Siri SMBC Quantum Comic

Josh and Kurt talk about government security incidents. The security concerns at the government level often have real life and death consequences. What happens when the leadership knowingly disregards security policy? Show Notes Breaking into a SCIF Whitehouse cybersecurity team Bugged typewriter

Josh and Kurt talk about the social norms of security. We also discuss security coprocessors and the reasons behind adding them to hardware. Is DRM a draconian security measure or do we need it to secure the future? We also touch on the story of NordVPN getting hacked. The real story isn't they got hacked, the story is they responded like clowns. The actual problem was one of leadership, there are certain leadership skills you can't be taught, you can only learn. Show Notes Before Windows boots protections

Josh and Kurt talk about the horrid state of digital literacy in the US. We start out talking about broken Phillips Hue light bulbs, then discuss research from Pew on the digital literacy of Americans. We may have accidentally discovered a use for all the cookie warnings every web site has. Show Notes Pew Research on American's Digitcal Literacy

Josh and Kurt about cybersecurity awareness month. What's our actionable advice we can give out? There isn't much which is a fundamental part of the problem. Show Notes Cybersecurity awareness month Polar bear sized pigs

Josh and Kurt about a number of Microsoft security news items. They've changed how they are handling encrypted disks and are now forcing cloud logins on Windows users. Show Notes Microsoft KB 4516071 A Security Market for Lemons Kurt's file wiping advisory Lock Picking Lawyer vs Consumer Reports Sun Ray Linux Gamers: 20% of auto reported crashes

Josh and Kurt about DNS over HTTPS and how it may or may not destroy civilization. We also discuss the disruption of cloud in the context of security and touch on the news that GitHub is now a CVE CNA! Show Notes DNS over HTTPS California Privacy Law Defensive Security Podcast GitHub is a CNA

Josh and Kurt about the upcoming Python 2 EOL. What does it mean, why does it matter, and what you can you do? Show Notes Python Clock Python's statement about sunsetting Python 2 wifi 6

Josh and Kurt speak with Allan Friedman of the US National Telecommunications and Information Administration about Software Bill of Materials. Where are we today, where are things going, and how you can help.  Show Notes Allan Friedman NTIA NTIA Software Component Transparency 

Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source? Show Notes thegrugq secure android DoD JEDI program Firefox privacy settings Standard ads Max Headroom

Josh and Kurt talk about disclosing security flaws in open source. This is part two of a discussion around how to disclose security issues. This episode focuses on some expectations and behaviors for open source projects as well as researchers trying to disclose a problem to a project. Show Notes webmin backdoor Github security advisories

Josh and Kurt talk about disclosing security flaws. It's a topic that's come up a few times in the last few weeks and it's more complicated than it's ever been. We certainly ask more questions than we answer in this episode, there will be a part 2 that focuses on open source disclosure. Show Notes Lock Picking Lawyer Tavis' Windows flaw 

Josh and Kurt talk about the current state of credit security freezes in the US. We recount a thrilling tale of all the things Josh had to do to get new Internet service. It was all quite silly really. Show Notes Weak security freeze pins 'null' license plate

Josh and Kurt talk about snakeoil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it's the right thing to do. Show Notes Time AI video  Kurt's Tweet about technical explanations  Josh's blog post about bug training Schneier on Barr's encryption discussion

Josh and Kurt talk about Kazakhstan requiring citizens to place a government controlled root CA certificate on their computers. How does this work. What does it mean for the citizens of Kazakhstan, and why we all should be paying attention. Show Notes Kazakhstan MitM all TLS traffic Mozilla bug

Josh and Kurt talk about a new way to steal cars because a service didn't do proper background checks. We also discuss how this relates to working with criminals, such as ransomware, and what it means for the future of the ransomware industry. Show Notes Car2go theft Alberta driver's license security Albertosaurus  Las Vegas won't pay a ransom

Josh and Kurt talk to the authors of a new book The Fifth Domain. Dick Clarke and Rob Knake join us to discuss the book, cybersecurity, US policy, how we got where we are today and what the future holds for cybersecurity. Show Notes The Fifth Domain Dick Clarke Rob Knake Future State Podcast

Josh and Kurt talk about user expectations around Facebook's AI. Normal people are starting to see the capabilities and potential risk with all these services. We also cover the topic of China owning a number of VPN services.

Josh and Kurt talk about the disclosure of security vulnerabilities. It's still not a settled topic, we frame the conversation around a recent disclosure from Tavis Ormandy of Google Project Zero.

Josh and Kurt talk to David Brumley. The CEO of ForAllSecure and professor at CMU. We discuss when David's team won the Cyber Grand Challenge, what the future of automated security looks like, and what ForAllSecure is doing. It's a fascinating window into the future of the industry.

Josh and Kurt talk about the future Chrome and ad blockers. There is a lot of nuance to unpack around this one. There are two versions of the Internet today. One with an ad blocker and one without. The Internet without an ad blocker is a dystopian nightmare. The actionable advice at the end of this one is to use Firefox.

Josh and Kurt have a chat with Michael Coates from Altitude Networks. We cover what Altitude is up to as well as general trends we're seeing around data security in the cloud. Michael lays out his vision for "data first security".

Josh and Kurt talk about public disclosure. We start out with a story about Canva, then discuss what do you do if you have a security incident? Who do you tell, what do you tell them. How do you tell your story? It's a really hard problem even if it's something you've done many times in the past.

Josh and Kurt talk about a new type of lockbox scams. We also discuss Slack being a target for nation state attacks. Do you consider your operations part of your supply chain?It's totally part of your supply chain.

Josh and Kurt talk about Microsoft. They're probably not the bad guys anymore, which is pretty wild. They're adding a Linux kernel to Window. Can we declare open source the unquestionable winner now?

Josh and Kurt talk about fire. We discuss the history of fire prevention and how it mirrors many of things we see in security. There are lessons there for us, we just hope it doesn't take 2000 years like it did for proper fire prevention to catch on.

Josh and Kurt talk about the security of money. Not how to keep it secure, but the security issues around using cash, credit, and bitcoin. We also talk about Banksy's clever method for proving something is original.

Josh and Kurt talk about the phone book (yeah, the big paper book people used to use). Kurt got one in the mail. While it's certainly a relic from another time, there were security tips in it among other wild things.

Josh and Kurt talk about what one could do if you find a USB drive. The context is based on the story where the Secret Service was rumored to have plugged a malicious USB drive into a computer. The purpose of discussion is to explore how to handle a situation like this in the real world. We end the episode with a fantastic comparison of swim safety and security.

Josh and Kurt talk about the difficulty of security. We look at the difficulty of the EU not observing daylight savings time, which is probably magnitudes easier than getting security right. We also hit on a discussion on Reddit about U2F that shows the difficulty. Security today is too hard, even for the experts.

Josh and Kurt talk about identity. It's a nice example we can generally understand in the context of how much security is enough security? When we deal with identity the idea of good enough is often acceptable for the vast majority of uses. Perfect identity tracking isn't really a thing nor is it practical.

Josh and Kurt talk about Brexit, voting, Firefox send, and toxic comments. Is there anything we can do to slow the current trend of conversation on the Internet always seeming to spiral out of control? The answer is maybe with a lot of asterisks.

Josh and Kurt talk about a prank gone wrong, the reality of when your data ends up public. Once it's public you can't ever put it back. We also discuss Notepad++ no longer signing releases and what signing releases means for the world in general.

Josh and Kurt talk about Beto being in the Cult of the Dead Cow (cDc). This is a pretty big deal in a very good way. We hit on some history, why it's a great thing, what we can probably expect from opponents. There's even some advice at the end how we can all help. We need more politicians with backgrounds like this.

Josh and Kurt talk about when devices attack! It's not quite that exciting, but there have been a slew of news about physical devices causing problems for humans. We end on the note that we're getting closer to a point when lawyers and regulators will start to pay attention. We're not there yet, so we still have a horrible insecure future on the horizon.

Josh and Kurt talk about github blocking the Deepfakes repository. There's a far bigger discussion about how people feel, and sometimes security fails to understand that making people feel happy or safer is more important than being right.

Josh and Kurt talk about change your password day (what a terrible day). Google's password checkup (not a terrible idea), an AI finding new spice flavors we expect will one day take over the world, and we finish up on a new DoD cloud strategy. Also Josh burnt his finger, but is going to be OK.

Josh and Kurt talk about the new runc container security flaw. How does the flaw work, what can you do about it, what should you do about it, and what the future of container security may look like.

Josh and Kurt talk about the fiasco hacks4pancakes described on Twitter and what the future of smart locks will look like. We then discuss what it means if the Japanese government starts hacking consumer IoT gear, is it ethical? Will it make anything better?

Josh and Kurt talk about the Bird Scooter vs Corey Doctorow incident. We then get into some of the social norms around new technology and what lessons the security industry can take from something new like shared scooters.

Josh and Kurt talk about non-Microsoft Windows micropatches. The days of pretending closed source matters are long gone. Google gets hit with a privacy fine, that probably won't matter. And Mastercard makes it easier for consumers to not accidentally sign up for services they don't want.

Josh and Kurt talk to Danny Grander one of the co-founders of Snyk about Zip Slip, what it is, how to fix it, and how they disclosed everything. We also touch on plenty of other open source security topics as Danny is involved in many aspects of open source security.

Josh and Kurt talk about the EU bug bounty program. There have been a fair number of people complaining it's solving the wrong problem, but it's the only way the EU has to spend money on open source today. If that doesn't change this program will fail.

Josh and Kurt talk about Australia's recently passed encryption bill. What is the law that was passed, what does it mean, and what are the possible outcomes? The show notes contain a flow chart of possible outcomes.

Josh and Kurt talk about which articles of the GDPR apply to Santa, and if he's following the rules the way he should be (spoiler, he's probably not). Should Santa be on his own naughty list? We also create a new holiday character - George the DPO Elf!

Josh and Kurt talk about Mozilla pulling a paywall bypassing extension. We then turn our attention to talking about walled gardens. Are they good, are they bad? Something in the middle? There is a lot of prior art to draw on here, everything from Windows, Android, iOS, even Linux distributions.

Josh and Kurt continue the discussion from episode 125. We look at the possible future of software supply chains. It's far less dire than previously expected. It's likely there will be some change in the

Josh and Kurt talk about how open source deals with malicious events. It's probably impossible to stop these from happening, but the open source universe deals with it in its own unique way. We start to discuss what you can do, since everyone is using open source everywhere now. There will be a second part to this episode where we discuss what the future holds for these sort of problems.

Josh and Kurt talk about Cloudflare's new Workers service. We spend a lot of time discussing how economics drives technology, not security. It's quite likely this new service is less secure than existing alternatives, but it will be cheaper and faster which will matter more than security.

Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what's new and exciting today, and where do we think things are going.

Josh and Kurt talk about Apple's new T2 security chip. It's not open source but we expect it to change the security landscape in the coming years.

Josh and Kurt talk about voting security. What does it mean, how does it work. What works, what doesn't work, and most importantly why we may not see secure electronic voting anytime soon.

Josh and Kurt talk about Bloomberg's story about backdoors and motherboards. The story is probably false, but this is almost certainly happening already with hardware. What does it mean if your hardware is already backdoored by one or more countries?

Josh and Kurt talk about the Google+ and Facebook data incidents. We don't have any control over this data anymore. The incidents didn't really affect the users because we have no idea who has access to it. We also touch on GDPR and what it could mean in this context.

Josh and Kurt talk about Cloudflare's new IPFS and Onion services. One brings distributed blockchain files to the masses, the other lets you host your site on tor easily.

Josh and Kurt talk about Linus' effort to work on his attitude. What will this mean for security and IT in general?

Josh and Kurt talk to Michael Piacente from Hitch Partners about the past, present, and future role of the CISO in the industry.

Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it's not that bad when it's explained by someone with experience.

Josh and Kurt review Bruce Schneier's new book Click Here to Kill Everybody. It's a book everyone could benefit from reading. It does a nice job explaining many existing security problems in a simple manner.

Josh and Kurt talk about actual real world advice. Based on a story about trying to secure political campaigns, if we had to give some security help what should it look like, who should we give it to?

Josh and Kurt talk about the new Google Titan security key. There are some in the industry uneasy about the supply chain for the devices. We also discuss the latest Struts security issue. Struts is old and scary now, stop using it.

Josh and Kurt talk about TLS 1.3 and DNS. What can we expect from the future for these, how are they related (or not related). We touch on DNSSEC and why it probably won't matter. DNS over TLS is looking pretty great though. There is also a guest appearance from quantum crypto.

Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can't foresee. We end with important information about pizzza, bananas, and can openers.

Josh and Kurt talk about phishing training and how it doesn't really matter. Josh spoke at OSCon and comes back with some fun observations and advice. People want practical actionable advice and we're not good at that.

Josh and Kurt talk about the latest attack on bluetooth and discuss phishing in the modern world. U2F is a great way to stop phishing, training is not. We also discuss airgaps in response to attacks on airgapped power utilities.

Josh and Kurt talk about modern hardware, how security relates to devices and actions. Everything from secure devices, to the cables we use, to thermal cameras and coat hangers. We end the conversation discussing the words we use and how they affect the way people see us and themselves.

Josh and Kurt talk about Cory Doctorow's piece on Facebook data privacy. It's common to call data the new oil but it's more like nuclear waste. How we fix the data problem in the future is going to require solutions we can't yet imagine as well as new ways of thinking about the problems.

Josh and Kurt talk about some recent backdoor problems in open source packages. We touch on is open source secure, how that security works, and what it should look like in the future. This problem is never going to go away or get better, and that's probably OK.

Josh and Kurt talk about the Gentoo security incident. Gentoo did a really good job being open and dealing with the incident quickly. The basic takeaway from all this is make sure your organization is forcing users to use 2 factor authentication. The long term solution is going to be all identity providers forcing everyone to use 2FA.

Josh and Kurt talk about a Microsoft Research paper titled "The Seven Properties of Highly Secure Devices". We take a real world view into how to secure our devices. What works, what doesn't work, and why this list is actually really good.

Josh and Kurt talk to Michael Feiertag, the CEO of tCell. We talk about what a Web Application Firewall is, what it does and doesn't do, and what the future of this technology looks like. We touch on how this affects a DevOps environment. Security has to fit into the existing model, not try to change it. 

Josh and Kurt talk about Bird scooters. The implications of the scooters on the city, segways, bicycles. The topic of how these vehicles interact with pedestrians on the road and trails. It's an example of humans not wanting to follow the rules and generally making the situation annoying for everyone. It's the old security story of new technology without clear rules. The show ends with some horrifying numbers behind how bad things can get before people really care.

Josh and Kurt talk about how to be a smart security buyer. We have guest Steve Mayzak walk us through how a the buying process works as well as giving out a ton of great advice. Even if you're experienced with how to buy security technology you should give this a listen.

Josh and Kurt talk about a number of consumer security issues. The FBI told everyone to reboot their routers which they won't do. The .app top level domain is a cesspool of malware. Everyone has a cell phone and won't update them properly. None of this probably matters though. Unless there are real measurable tragedies caused by this tech, people tend not to really care.

Josh and Kurt talk about the NTSB report from the fatal Uber crash and what happened with Amazon's Alexa recording then emailing a private conversation. IT decisions now have real world consequences like never before.

Josh and Kurt talk about the security of automation as well as automating security. The only way automation will really work long term is full automation. Humans can't be trusted enough to rely on them to do things right.

Josh and Kurt talk about backdoors in code and products that have been put there on purpose. We talk about unlocking phones. Encryption backdoors with a focus on why they won't work.

Josh and Kurt talk about Twitter doing the right thing when they logged a lot of passwords and the npm malicious getcookies package and how backdoors work in code.

Josh and Kurt talk about the Amazon Route 53 incident and what it really means for the modern infrastructure. Complaining nobody is using DNSSEC or securing BGP aren't the right conversations to be having. Reality must be considered in any honest conversation about these topics.

Josh and Kurt talk about security flaws in beep and patch. How on earth were there security flaws in beep and patch?

Josh and Kurt talk to Rami Saas, the CEO of WhiteSource about 3rd party open source security as well as open source licensing.

Josh and Kurt talk to a 7 year old about security. We cover Minecraft security, passwords, hacking, and many many other nuggets of wisdom.

Josh and Kurt talk about all the current misinformation, how humans react to it, and what it means for security.

Josh and Kurt talk about the recent AMD flaws and the events surrounding the disclosure.

Josh and Kurt talk about container security with IBM's Chris Rosen.

Josh and Kurt talk about Let's Encrypt with co-founder Josh Aas. We discuss the past, present, and future of the project.

Josh and Kurt talk about the Trustico certificate incident and Let's Encrypt.  

Josh and Kurt talk about the npm 5.7.0 debacle.

Josh and Kurt talk about the new password data dump from Have I been pwned?

Josh and Kurt talk about the XKCD CVE comic and a flight simulator stealing credentials.

Josh and Kurt talk about problems of textbook RSA implementations, the upcoming TLS changes in TLS, and the insecurity of http in Chrome.

Josh and Kurt talk about AutoSploit, bug bounties and fixing flaws, market forces in security, future expectations, and how humans perceive threats.

Josh and Kurt talk about GPS metadata giving away military bases and GPS jamming as part of testing.

Josh and Kurt talk about Skyfall, fake reports, risk, logging, and how a civilized society functions.

Josh and Kurt talk about the accidental missile warning in Hawaii. We also discuss general preparedness and risk.

Josh and Kurt talk about the recent npm happenings. What it means for the supply chain, and we end with some thoughts on how maybe none of this matters.

Josh and Kurt talk about the aftermath of Meltdown. The details of the flaw are probably less interesting than what happens now.

Josh and Kurt talk about the Security Planner website. It's pretty good all things considered.

Josh and Kurt talk about facial recognition, physical security, banking, and Amazon Alexa.

Josh and Kurt talk about basic security metrics and security from Santa. Is Santa GDPR compliant?

Josh and Kurt talk about Bitcoin, blockchain, and other cryptocurrencies.

Josh and Kurt talk about GitHub's security scanner and Linus' security email. We clarify the esoteric difference between security bugs and non security bugs. 

Josh and Kurt talk about Intel ME, Equifax salary history, and IoT.

Josh and Kurt talk about Amazon Key and actionable advice.

Josh and Kurt talk about Facebook listening to your microphone, Google Chrome certificate pinning, CAs, 152 ways to stay safe, and Kubernetes.

Josh and Kurt talk about hacking back, passwords, honeypots, and conspiracies.

Josh and Kurt talk about Equifax again, Kaspersky, TLS CAs, coming change, social security numbers, and Minecraft.

Josh and Kurt talk about Apple, Equifax, passwords, AI, and aliens.

Josh and Kurt talk about networks, Dnsmasq, IoT, and our coming security dystopian future.

Josh and Kurt talk about the Equifax breach (again) and what it will mean for all of us. Blueborne comes up, as well as #TrevorForget.

Josh and Kurt talk about the Equifax breach and what it will mean for all of us.

Josh and Kurt talk about our lack of progress in security, economics, and how to interact with peers.

Josh and Kurt talk about the eclipse and blockchain.

Josh and Kurt talk about VPNs and the upcoming eclipse.

Josh and Kurt talk about MalwareTech, Debian killing off TLS 1.0 and 1.1, auto safety, HBO, and npm not typo squatting.

Josh and Kurt talk about Black Hat and Defcon, safes, banks, voting machines, SMBv1 DoS attack, Flash, liability, and password masking.

Josh and Kurt talk about forest fires, fuzzing, old time Internet, and Net Neutrality. Listen to Kurt play the Devil's Advocate and manage to change Josh's mind about net neutrality.

Josh and Kurt talk about Let's Encrypt, certificates, Kaspersky, A/V, code signing, Not Petya, self driving cars, and failures that become security problems.

Josh and Kurt talk about Canada Day, Not Petya, Interac goes down, Minecraft, airport security and books, then GDPR.

Josh and Kurt talk about security through obscurity, airplanes, the FAA, the Windows source code leak, and chicken sandwiches.

Josh and Kurt talk about the new StackClash flaw, Grenfell Tower, risk management, and backwards compatibility.

Josh and Kurt talk to Dan Adinolfi about CVE. Most anything you ever wanted to know about CVE is discussed.

Josh and Kurt discuss Futurama, tornadoes, sudo, encryption, hacking back, and something called an ombudsman. Also episode 50!

Josh and Kurt discuss Samba, FTP sites, MSDOS, regulation, and the airplane laptop travel ban.

Josh and Kurt have a guest! Mike Paquette from Elastic discusses the fundamentals and basics of Machine Learning. We also discuss how ML could have helped with WannaCry.

Josh and Kurt discuss the WannaCry worm.

Josh and Kurt discuss the recent Google phish attack.

Josh and Kurt discuss not-counterfeit MTG cards, antivirus, squirrelmail, unroll.me, grsecurity, baby monitors, and trust.

Josh and Kurt discuss Lego, bug bounties, pen testing, thought leadership, cars, lemons, entropy, and CVE.

Josh and Kurt discuss Shadow Brokers, pronouncing GIF, Atlanta's road problems, browser phishing, warning sirens, IoT, and fake Magic the Gathering cards.

Josh and Kurt discuss the security themes and events in the context of the HHGG movie.

Josh and Kurt discuss airplane laptop bans, ATM hacking, pointing at things, and Certificate Authorities.

Josh and Kurt discuss Verizon spyware, FCC privacy, Smart TVs, Tor's rewrite, Google's new operating system, bitcoin, and NanoCore.

Josh and Kurt discuss certificates, OpenSSL, dishwashers, Flash, and laptop travel bans.

Josh and Kurt discuss disclosing your password, pwn2own, wikileaks, Back Orifice, HTTPS inspection, and antivirus.

Josh and Kurt discuss how the Vault 7 leaks shows we live in the Neuromancer world, and this is likely the new normal.

Josh and Kurt discuss an IoT bear, Alexa and Siri, Google's E2Email and S/MIME.

Josh and Kurt discuss SHA-1 and cloudbleed. Bug bounties come up, and we compare security to the Higgs boson. We also discuss IPv6 at the end.

Josh and Kurt discuss RSA, the cryptographer's panel and of course, AI.

Josh and Kurt are at the same place at the same time! We discuss our RSA sessions and how things went. Talk of CVE IDs, open source libraries, Wordpress, and early morning sessions.

Josh and Kurt discuss random numbers, a lot. Also slot machines, gambling, and dice.

Josh and Kurt discuss door locks, Ikea, chair testing sounds, electrical safety, autonomous cars, and XML vs JSON.

Josh and Kurt discuss security automation. Machine learning, AI, and a bunch of moral and philosophical boundaries that new future will bring. You've been warned.

Josh and Kurt discuss the security of the movie Rogue One! Spoiler: Security in the Star Wars universe is worse than security in our universe.

Josh and Kurt discuss their involvement in the upcoming 2017 RSA conference: Open Source, CVEs, and Open Source CVE. Of course IoT and encryption manage to come up as topics.

Josh and Kurt discuss NTP, authentication issues, network security, airplane security, AI, and Minecraft.

Josh and Kurt end up discussing video game speed running, which is really just hacking. We also end up discussing the pitfalls of the modern world, you don't own your software or services. Stallman was right!

Josh and Kurt end up discussing CES, IoT, WiFi everywhere, and the future.

Josh and Kurt discuss 2016 predictions in 2017, what they got right, what they got wrong, and a bunch of other random things.

Josh and Kurt talk about scareware, malware, and how hard this stuff is to stop, and how the answer isn't fixing people.

Josh and Kurt talk about planned obsolescence and IoT devices. Should manufacturers brick devices? We also have a crazy discussion about the ethics of hacking back.

Josh and Kurt talk about CVE 10K. CVE IDs have finally crossed the line, we need 5 digits to display them. This has never happened before now.

Josh and Kurt talk about the death of PGP, and how it's not actually dead at all. It's still really hard to use though.

Josh and Kurt talk about the bricking devices (on purpose).

Josh and Kurt talk about the security concerns and logistics of Santa, elves, and the North Pole.

Josh and Kurt talk to Michael Goetzman about Cyphercon

Josh and Kurt talk about cybercrime and regulation.

Josh and Kurt talk about Cyber Monday security tips.

Josh and Kurt have a guest! David A. Wheeler talks about open source security and the CII Badges project.

Josh and Kurt talk about CVE, DWF, and the future of flaw reporting.

Josh and special guest host Dave Sirrine talk about feedback, OpenSSL, OAuth2, Let's Encrypt, disclosure, and locks.

Josh and special guest host Dave Sirrine talk about Halloween, passwords, hardware timing attacks, chip and pin, security economics, SSL/TLS, and Mozilla enabling TLS 1.3 by default.

Kurt and Josh discuss Dirty COW, the big IoT DDoS, and Josh can't pronounce Mirai or Dyn.

Kurt and Josh discuss responsible disclosure, irresponsible disclosure, bug bounties, measuring security, usability AND security, as well as quality of life.

Kurt and Josh discuss prime numbers (probably getting a lot of it wrong), Samsung, passwords, National Cyber Security Awareness Month, and bathroom scales.

Kurt and Josh discuss the ORWL computer, crashing systemd with one line, NIST, and a security journal.

Kurt and Josh discuss interesting news stories

Kurt and Josh discuss the recent OpenSSL update(s)

Josh and Kurt discuss news of the day, shipping, and container security

Josh and Kurt discuss news of the day, banks, 3D printing, and lockpicking.

Episode 2 of the Open Source Security Podcast

Episode 1 of the Open Source Security Podcast