2025  1

January  1

The Future of Open Source Security

January 1, 2025 · Josh Bressers

2024  56

December  5

Episode 461 - The new NIST password guidance

December 30, 2024

Episode 460 - Santa’s Supply Chain Security

December 23, 2024

Episode 459 - CWE Top 25 List

December 16, 2024

Episode 458 - FBI endorses E2E encryption

December 9, 2024

Episode 457 - The D-Link D-bacle

December 2, 2024

November  4

Episode 456 - What if XZ happened to a company? The openness of open source

November 25, 2024

Episode 455 - WordPress plugin security

November 18, 2024

Episode 454 - The state of open source with Brian Fox from Sonatype and Donald Fischer from Tidelift

November 11, 2024

Episode 453 - Software Liability

November 4, 2024

October  5

Episode 452 - All about Meshtastic

October 28, 2024

Episode 451 - Python security with Seth Larson

October 21, 2024

The useful uselessness of SBOMs

October 15, 2024

Episode 450 - What’s Wrong With WordPress

October 14, 2024

Episode 449 - The CUPSpocalypse

October 7, 2024

September  5

Episode 448 - What’s wrong with CISA?

September 30, 2024

Episode 447 - The Tidelift 2024 open source maintainer report

September 23, 2024

Episode 446 - Researchers took over .MOBI TLD

September 16, 2024

Episode 445 - EPSS with Jay Jacobs

September 9, 2024

Episode 444 - Open Source and End of Life

September 2, 2024

August  4

Episode 443 - The Supply Chain Security Crisis

August 26, 2024

Episode 442 - The foundation of society, TLS certificates are a mess

August 19, 2024

Episode 441 - Is CWE useful?

August 12, 2024

Episode 440 - “What is open source” talk Josh gave

August 5, 2024

July  5

Episode 439 - Where are all the youth in open source?

July 29, 2024

Episode 438 - CISA’s bad OSS advice vs the Whitehouse good advice

July 22, 2024

Episode 437 - CocoaPods and proper funding for open source

July 15, 2024

Episode 436 - OpenSSH and node-ip - it’s all exponential growth

July 8, 2024

Episode 435 - polyfill.io - open source is too big to fix

July 1, 2024

June  5

Episode 434 - Unreported vulnerabilities and everyone is getting hacked

June 24, 2024

Episode 433 - Should OpenSSH block misbehaving clients?

June 17, 2024

Episode 432 - Flipper Zero with Alex Kulagin

June 10, 2024

Why are vulnerabilities out of control in 2024?

June 3, 2024

Episode 431 - Redirecting HTTP to HTTPS

June 3, 2024

May  4

Episode 430 - Frozen kernel security

May 27, 2024

Episode 429 - The autonomy of open source developers

May 20, 2024

Episode 428 - GitHub artifact attestation

May 13, 2024

Episode 427 - Will run0 replace sudo?

May 6, 2024

April  6

Episode 426 - Automatically exploiting CVEs with AI

April 29, 2024

Episode 425 - Video game cheaters, also pretendo

April 22, 2024

Episode 424 - The Notepad++ Parasite Website

April 15, 2024

Episode 423 - FCC cybersecurity label for consumer devices

April 8, 2024

XZ Bonus Spectacular Episode

April 1, 2024

Episode 422 - Do you have a security.txt file?

April 1, 2024

March  4

Episode 421 - CISA’s new SSDF attestation form

March 25, 2024

Episode 420 - What’s going on at NVD

March 18, 2024

Episode 419 - Malicious GitHub repositories

March 11, 2024

Episode 418 - Being right all the time is hard

March 4, 2024

February  4

Episode 417 - Linux Kernel security with Greg K-H

February 26, 2024

Episode 416 - Thomas Depierre on open source in Europe

February 19, 2024

Episode 415 - Reducing attack surface for less security

February 12, 2024

Episode 414 - The exploited ecosystem of open source

February 5, 2024

January  5

Episode 413 - PyTorch and NPM get attacked, but it’s OK

January 29, 2024

Episode 412 - Blame the users for bad passwords!

January 22, 2024

Episode 411 - The security tools that started it all

January 15, 2024

Episode 410 - Package identifiers are really hard

January 8, 2024

Episode 409 - You wouldn’t hack a train?

January 1, 2024

2023  54

December  4

Episode 408 - Does Kubernetes need long term support?

December 25, 2023

Episode 407 - Should Santa use AI?

December 18, 2023

Episode 406 - The security of radio

December 11, 2023

Episode 405 - Modding games isn’t cheating and security isn’t fair

December 4, 2023

November  4

Episode 403 - Does the government banning apps work?

November 27, 2023

Episode 402 - The EU’s eIDAS regulation is a terrible idea

November 20, 2023

Episode 401 - Security skills shortage - We’ve tried nothing and the same thing keeps happening

November 13, 2023

Episode 400 - When can the government hack a victim?

November 6, 2023

October  5

Episode 399 - Curl, Security, and Daniel Stenberg

October 30, 2023

Episode 398 - Is only 11% of open source maintained?

October 23, 2023

Episode 397 - The curl and glibc vulnerabilities

October 16, 2023

Episode 396 - CLAs are bad, Mkay?

October 9, 2023

Episode 395 - Uncertainty, trust, and security

October 2, 2023

September  4

Episode 394 - The lie anyone can contribute to open source

September 25, 2023

Episode 393 - Can you secure something you don’t own?

September 18, 2023

Episode 392 - Curl and the calamity of CVE

September 11, 2023

Episode 391 - The WordPress 100 year disaster recovery problem

September 4, 2023

August  4

Episode 390 - Rust shipping binaries doesn’t matter

August 28, 2023

Episode 389 - What would HashiCorp do?

August 21, 2023

Episode 388 - Video game vulnerabilities

August 14, 2023

Episode 387 - Enterprise open source is different

August 7, 2023

July  5

Episode 386 - We are watching web 2.0 burn

July 31, 2023

Episode 385 - Is open source an insider threat?

July 24, 2023

Episode 384 - What’s next for open source?

July 17, 2023

Episode 383 - Is open source dying?

July 10, 2023

Episode 382 - Red Hat, you were the chosen one!

July 3, 2023

June  5

Episode 381 - WTF Reddit, APIs and risk

June 26, 2023

Episode 380 - A new Sovereign Tech Fund program and the BBC on destroying hard drives

June 19, 2023

Episode 379 - Will open source save the world, again?

June 12, 2023

Rocket ships and radishes

June 7, 2023

Episode 378 - Naming things is harder than security

June 5, 2023

May  5

Episode 377 - The world is changing too fast for humans to understand

May 29, 2023

Episode 376 - Open Source Summit, who built your open source, and AI

May 22, 2023

Episode 375 - The market forces of left-pad, Episode 77 remaster part 2

May 15, 2023

Episode 374 - The event we called left-pad, Episode 77 remaster part 1

May 8, 2023

Episode 373 - HHGG security, Episode 42 remaster part 2

May 1, 2023

April  4

Episode 372 - HHGG security, Episode 42 remaster part 1

April 24, 2023

Episode 371 - pip install is the tool we deserve but not the tool we need

April 17, 2023

Episode 370 - Open Source is bigger than you can imagine

April 10, 2023

Episode 369 - OpenAI broke ChatGPT then tried to blame open source

April 3, 2023

March  4

Episode 368 - The Sovereign Tech Fund with Fiona Krakenbürger

March 27, 2023

Episode 367 - Open source will never be the same

March 20, 2023

Episode 366 - Software liability is coming

March 13, 2023

Episode 365 - “I am not your supplier” with Thomas Depierre

March 6, 2023

February  4

Episode 364 - Using SBOMs is hard

February 27, 2023

Episode 363 - Joylynn Kirui from Microsoft on DevSecOps

February 20, 2023

Episode 362 - A lesson in Rust from Carol Nichols

February 13, 2023

Episode 361 - GitHub got pwnt, but it wasn’t very exciting

February 6, 2023

January  6

Episode 360 - Memory safety and the NSA

January 30, 2023

Episode 359 - The NOTAM outage and other legacy technology

January 23, 2023

Episode 358 - Furby vs Alexa

January 16, 2023

Episode 357 - Is open source being overexploited?

January 9, 2023

The perverse incentive of vulnerability counting

January 3, 2023

Episode 356 - LastPass ducked up, now what?

January 2, 2023

2022  55

December  4

Episode 355 - Security Boxing Day

December 26, 2022

Episode 354 - Jerry Bell tells us why Mastodon is awesome and MFA is hard

December 19, 2022

Episode 353 - Jill Moné-Corallo on GitHub’s bug bounty program

December 12, 2022

Episode 352 - Stylometry removes anonymity

December 5, 2022

November  4

Episode 351 - Is security or usability a law of the universe?

November 28, 2022

Episode 350 - Spam, Email, Content Moderation, and Infrastructure Oh My

November 21, 2022

Episode 349 - The cyber is coming from inside the house - the UK is scanning itself

November 14, 2022

Episode 348 - OpenSSL is the new lead paint

November 7, 2022

October  5

Episode 347 - Airtags in luggage and weasel security - two peas in a suitcase

October 31, 2022

Episode 346 - Security and working from home have terrible things in common

October 24, 2022

Episode 345 - Cheap hacking devices turn security upside down

October 17, 2022

Episode 344 - Python tarfile - 2022 is nothing like 2007

October 10, 2022

Episode 343 - Stop trying to fix the open source software supply chain

October 3, 2022

September  6

Episode 342 - Programming languages are the new operating system

September 26, 2022

Holding open source to a higher standard

September 25, 2022

Episode 341 - Time till open source alternative

September 19, 2022

Episode 340 - Let’s chat about Let’s Encrypt with Josh Aas

September 12, 2022

Why has software supply chain security exploded?

September 6, 2022

Episode 339 - Is a network problem a security vulnerability

September 5, 2022

August  5

Episode 338 - The government didn’t make vulnerabilities illegal. Yet.

August 29, 2022

Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why

August 22, 2022

Episode 336 - We don’t have data, we have security biases

August 15, 2022

Episode 335 - Bull*&$% security ideas

August 8, 2022

Episode 334 - Leap seconds break everything

August 1, 2022

July  4

Episode 333 - Open Source is unfair

July 25, 2022

Episode 332 - PyPI: 2FA or not 2FA, that is the question

July 18, 2022

Episode 331 - GPG, but nothing makes sense

July 11, 2022

Episode 330 - The sliding scale of risk: seeing the forest for the trees

July 4, 2022

June  4

Episode 329 - Signing (What is it good for)

June 27, 2022

Episode 328 - The Security of Jobs or Job Security

June 20, 2022

Episode 327 - The security of alert fatigue

June 13, 2022

Episode 326 - Big fat containers

June 6, 2022

May  5

Episode 325 - Is one open source maintainer enough?

May 30, 2022

Episode 324 - WTF is up with WFH

May 23, 2022

Episode 323 - The fake 7-Zip vulnerability and SBOM

May 16, 2022

Episode 322 - Adam Shostack on the security of Star Wars

May 9, 2022

Episode 321 - Relativistic Security: Project Zero on 0day

May 2, 2022

April  4

Episode 320 - Security Twitter is not the real world

April 25, 2022

Episode 319 - Patch Tuesday with a capital T

April 18, 2022

Episode 318 - Social engineering and why zlib got a 2018 CVE ID

April 11, 2022

Episode 317 - The lack of compromise in security

April 4, 2022

March  5

Episode 316 - You have to use open source

March 28, 2022

Facts vs Feelings

March 21, 2022

Episode 315 - Who even makes all these terrible decisions?

March 21, 2022

Episode 314 - The Linux Dirty Pipe vulnerability

March 14, 2022

Episode 313 - Insecurity at scale

March 7, 2022

February  4

Episode 312 - The Legend of the SBOM

February 28, 2022

Episode 311 - Did you scan the QR code?

February 21, 2022

Episode 310 - Hayley Tsukayama from the EFF talks about privacy

February 14, 2022

Episode 309 - The bright future of open source security

February 7, 2022

January  5

Episode 308 - Welcome to the jungle - How to talk about open source security

January 31, 2022

Episode 307 - Got vulnerabilities? Introducing GSD

January 24, 2022

Episode 306 - Open source isn’t broken, it’s an experience

January 17, 2022

Episode 305 - Norton, Ethereum, NFT, and Apes

January 10, 2022

Episode 304 - Will we ever fix all the vulnerabilities?

January 3, 2022

2021  58

December  5

Episode 303 - Log4j Christmas Spectacular!

December 27, 2021

Episode 302 - Log4j is a mess

December 20, 2021

Episode 301 - You’re holding it wrong: the importance of unlearning

December 13, 2021

log4j is hard to find and harder to fix

December 12, 2021

Episode 300 - Apple vs NSO: What can copyright do for you?

December 6, 2021

November  5

Episode 299 - Experts From A World That No Longer Exists

November 29, 2021

Episode 298 - David A Wheeler discusses the OpenSSF

November 22, 2021

Episode 297 - 25 years of smashing stacks, fun, and profit

November 15, 2021

Episode 296 - Is Trojan Source a vulnerability?

November 8, 2021

Episode 295 - Open source security isn’t free

November 1, 2021

October  4

Episode 294 - Chris Wysopal on the state of security education

October 25, 2021

Episode 293 - Scoring OpenSSF Security Scoring

October 18, 2021

Episode 292 - Apache RCE and Twitch epic pwn

October 11, 2021

Episode 291 - Everyone sucks at vulnerability disclosure

October 4, 2021

September  4

Episode 290 - The security of the Matrix

September 27, 2021

Episode 289 - Who left this 0day on the floor?

September 20, 2021

Episode 288 - Linux Kernel compiler warnings considered dangerous

September 13, 2021

Episode 287 - Is GitHub’s Copilot the new Clippy?

September 6, 2021

August  5

Episode 286 - Open source supply chain with Google’s Dan Lorenc

August 30, 2021

Episode 285 - Open source owes you nothing!

August 23, 2021

Episode 284 - What happens when we DRM power tools?

August 16, 2021

Episode 283 - When vulnerability disclosure becomes dangerous

August 8, 2021

Episode 282 - The security of Rust: who left all this awesome in here?

August 2, 2021

July  5

Episode 281 - If you spy on journalists, you’re the bad guys

July 26, 2021

Episode 280 - The perils of Single Sign On

July 19, 2021

The future of DWF

July 15, 2021 · kurtseifried

Episode 279 - The audacity of Audacity: When open source goes rogue

July 12, 2021

Episode 278 - Could SELinux have stopped SolarWinds?

July 5, 2021

June  4

Episode 277 - Privacy and activism with Chris Weiland

June 28, 2021

Episode 276 - Security, behavior, and the environment

June 21, 2021

Episode 275 - What in the @#$% is going on with ransomware?

June 14, 2021

Episode 274 - Mr. Amazon’s Neighborhood

June 7, 2021

May  5

Episode 273 - Can we stop the coming artificial unintelligence deluge?

May 31, 2021

Episode 272 - The Biden Cybersecurity Executive Order

May 24, 2021

Episode 271 - Pipeline security: There is no problem humans can’t make worse

May 17, 2021

Episode 270 - Hello dark patterns my old friend

May 10, 2021

Episode 269 - Do not experiment on the Linux Kernel

May 3, 2021

April  4

Episode 268 - Can we trust any 3rd parties?

April 26, 2021

Episode 267 - Does 0day still mean 0day?

April 19, 2021

Episode 266 - The future of security scanning with Debricked

April 12, 2021

Episode 265 - The lies closed source can tell, open source can’t

April 5, 2021

March  6

It’s time to fix CVE

March 30, 2021

Episode 264 - DevSecOps with GitLab’s Mark Loveless

March 29, 2021

Episode 263 - GitHub pulls exploits, LinuxFoundation sign all the things

March 22, 2021

Episode 262 - A discussion with Loris and Pop from Sysdig

March 15, 2021

Episode 261 - DWF is back! Welcome to community powered CVE

March 8, 2021

Episode 260 - Dave Jevans tells us what CipherTrace is up to

March 1, 2021

February  6

Episode 259 - What even is open source anymore?

February 22, 2021

The Titanic of security

February 15, 2021

Episode 258 - Stop using C

February 15, 2021

Episode 257 - The sudo and libgcrypt vulnerabilities

February 8, 2021

It’s the community, stupid

February 2, 2021

Episode 256 - 9 bits of podcast, 8 bits of computing

February 1, 2021

January  5

You cannot manage your supply chain

January 30, 2021

Episode 255 - What if security wasn’t joyless?

January 25, 2021

Episode 254 - Right to Repair Security

January 18, 2021

Episode 253 - Defenders only need to be right once

January 11, 2021

Episode 252 - Is open source dangerous? Open source won, who cares, shut up!

January 4, 2021

2020  89

December  27

Episode 251 - Communication is hard, security communication is more hard

December 28, 2020

Episode 250 - Door 25: Why do we do the things we do? Question everything

December 25, 2020

Episode 249 - Door 24: Information wants to be free

December 24, 2020

Episode 248 - Door 23: How to report 1000 security flaws

December 23, 2020

Episode 247 - Door 22: How to report one security flaw

December 22, 2020

Episode 246 - Door 21: Bug bounties

December 21, 2020

Episode 245 - Door 20: Is SMS 2FA better than no 2FA?

December 20, 2020

Episode 244 - Door 19: TLS certificate trust

December 19, 2020

Episode 243 - Door 18: Don’t roll your own crypto or auth

December 18, 2020

Episode 242 - Door 17: Vulnerability response

December 17, 2020

Episode 241 - Door 16: 16 bits of change

December 16, 2020

Episode 240 - Door 15: Supplier compliance

December 15, 2020

Committee or Community: Slowing down the future

December 14, 2020

Episode 239 - Door 14: Backdoors

December 14, 2020

Episode 238 - Door 13: Unlucky or survivor bias?

December 13, 2020

Episode 237 - Door 12: Video game hacking

December 12, 2020

Episode 236 - Door 11: Should you get on a 737?

December 11, 2020

Episode 235 - Door 10: Deciding what information matters

December 10, 2020

Episode 234 - Door 09: public key cryptography

December 9, 2020

Episode 233 - Door 08: man 8 security

December 8, 2020

Episode 232 - Door 07: 7 is the best prime, 2 is the dumbest

December 7, 2020

Episode 231 - Door 06: 6 wifi risks … that don’t actually matter

December 6, 2020

Episode 230 - Door 05: 5 reasons you need 24/7 robot monitoring

December 5, 2020

Episode 229 - Door 04: EFF’s Cover Your Tracks

December 4, 2020

Episode 228 - Door 03: Do all vulnerabilities matter equally?

December 3, 2020

Episode 227 - Door 02: Marketing department or selection bias?

December 2, 2020

Episode 226 - Door 01: Advent calendars

December 1, 2020

November  5

Episode 225 - Who is responsible if IoT burns down your house?

November 23, 2020

We can’t move forward by looking back

November 19, 2020

Episode 224 - Are old Android devices dangerous?

November 16, 2020

Episode 223 - Full disclosure won, deal with it

November 9, 2020

Episode 222 - HashiCorp Boundary with Jeff Mitchell

November 2, 2020

October  5

Episode 221 - Security, magic, and FaceID

October 26, 2020

Episode 220 - Securing network time and IoT

October 19, 2020

Episode 219 - Chat with Larry Cashdollar

October 12, 2020

Episode 218 - The past was a terrible place

October 5, 2020

A bug by any other name

October 1, 2020

September  4

Episode 217 - How to tell your story with Travis Murdock

September 28, 2020

Episode 216 - Security didn’t find life on Venus

September 21, 2020

Episode 215 - Real security is boring

September 14, 2020

Episode 213 - Security Signals: What are you telling the world

September 7, 2020

August  7

We take security seriously, VERY SRSLY!

August 31, 2020

Episode 212 - Grab Bag: The Security We Deserve Edition

August 31, 2020

2020 CWE Top 25 I mean 10 or maybe 4.5

August 24, 2020

Episode 211 - The only thing harder than signing files is managing users

August 24, 2020

Episode 210 - Cult of Information Security

August 17, 2020

Episode 209 - Secure Boot isn’t Secure

August 10, 2020

Episode 208 - Passwords are pollution

August 3, 2020

July  4

Episode 207 - Weaponized attention

July 27, 2020

Episode 206 - Confidential Virtual Machines; The future of cloud computing

July 20, 2020

Episode 205 - The State of Open Source Security with Alyssa Miller from Snyk

July 13, 2020

Episode 204 - What Would Apple Do?

July 6, 2020

June  6

Episode 203 - Humans, conferences, and security: let me think and get back to you in a bit

June 29, 2020

The ineffective CISO

June 23, 2020

Episode 202 - The convergence of application security

June 22, 2020

Episode 201 - We broke CVSSv3, now how do we fix it?

June 15, 2020

Episode 200 - Talking Container Security with Liz Rice

June 8, 2020

Episode 199 - Special cases are special: DNS, Websockets, and CSV

June 1, 2020

May  5

Broken vulnerability severities

May 27, 2020

Episode 198 - Good advice or bad advice? Hang up, look up, and call back

May 25, 2020

Episode 197 - Beer, security, and consistency; the newer, better, triad

May 17, 2020

Episode 196 - Pounding square solutions into round holes: forced updates from Ubuntu

May 11, 2020

Episode 195 - Is BGP actually insecure?

May 4, 2020

April  6

Episode 194 - Working from home security: resistance is futile

April 27, 2020

Episode 193 - Security lessons from space: Apollo 13 edition

April 20, 2020

Episode 192 - Work without progress - what Infosec can learn from treadmills

April 13, 2020

Episode 191 - Security scanners are all terrible

April 8, 2020

Who are the experts

April 7, 2020

Episode 190 - Building a talent "ecosystem"

April 5, 2020

March  12

Episode 189 - Video game hackers - speedrunning

March 30, 2020

Part 6: What do we do now?

March 26, 2020

Part 5: Which of these security problems do I need to care about?

March 25, 2020

Part 4: Application scanning

March 24, 2020

Episode 188 - Depressing news sucks, we’re talking about cheating in video games

March 23, 2020

Episode 187 - Wireguard vs IPsec: the OK Boomer of security

March 15, 2020

Part 3: Composition scanning

March 12, 2020

Part 2: Scanning the code

March 11, 2020

Part 1: Is your security scanner running? You better go catch it!

March 10, 2020

The Security Scanner Problem

March 10, 2020

Episode 186 - Endpoint security with Tony Meehan

March 8, 2020

Episode 185 - Is it even possible to fix open source security?

March 2, 2020

February  4

Episode 184 - It’s DNS. It’s always DNS

February 24, 2020

Episode 183 - The great working from home experiment

February 17, 2020

Episode 182 - Does open source owe us anything?

February 10, 2020

Episode 181 - The security of SIM swapping

February 3, 2020

January  4

Episode 180 - A Tale of Two Vulnerabilities

January 27, 2020

Episode 179 - Google Project Zero and the 90 day clock

January 20, 2020

Episode 178 - Are CVEs important and will ransomware put you out of business?

January 13, 2020

Episode 177 - Fake or real? The security of counterfeit goods

January 6, 2020

2019  56

December  5

Episode 176 - The ‘predictions are stupid’ prediction episode

December 30, 2019

Episode 175 - Defenders will always be one step behind

December 23, 2019

Episode 174 - GitHub turns security up to 11; A discussion with Rob Schultheis

December 16, 2019

Episode 173 - Ho Ho Homeland Security

December 9, 2019

Episode 172 - The security of planned obsolescence

December 2, 2019

November  4

Episode 171 - Measuring cybersecurity with Kathryn Waldron

November 25, 2019

Episode 170 - Until that quantum computer is cracking RSA keys, go sit back down!

November 18, 2019

Episode 169 - What happens when leadership doesn’t care about security?

November 11, 2019

Episode 168 - The draconian draconians of DRM

November 4, 2019

October  4

Episode 167 - Security is terrible because digital literacy is terrible

October 28, 2019

Episode 166 - Every day should be cybersecurity awareness month!

October 21, 2019

Episode 165 - Grab Bag of Microsoft Security News

October 13, 2019

Episode 164 - DNS over HTTPS: Probably not the end of the world

October 7, 2019

September  5

Episode 163 - Death to Python 2

September 30, 2019

Episode 162 - SBOM with Allan Friedman

September 23, 2019

Episode 161 - Human nature and ad powered open source

September 16, 2019

Episode 160 - Disclosing security issues is insanely complicated: Part 2

September 9, 2019

Episode 159 - Disclosing security issues is insanely complicated: Part 1

September 2, 2019

August  4

Backdoors in open source are here to stay

August 28, 2019

Episode 158 - The mess that we call credit agencies in the US

August 26, 2019

Episode 157 - Backdoors and snake oil in our cryptography

August 19, 2019

Appsec isn’t people

August 13, 2019

July  6

Episode 156 - What if we MitM a whole country?

July 29, 2019

Why you can’t backdoor cryptography

July 26, 2019

Episode 155 - Stealing cars and ransomware

July 22, 2019

Episode 154 - Chat with the authors of the book "The Fifth Domain"

July 16, 2019

Episode 153 - The unexpected security of AI, photographs, and VPN

July 8, 2019

Episode 152 - Tavis breaks the world … again

July 1, 2019

June  4

Episode 151 - The DARPA Cyber Grand Challenge with David Brumley

June 24, 2019

Episode 150 - Our ad funded dystopian present

June 17, 2019

Episode 149 - Chat with Michael Coates about data security

June 10, 2019

Episode 148 - You just got pwnt, what now?

June 3, 2019

May  4

Episode 147 - Scams and operations as part of the supply chain

May 27, 2019

Episode 146 - What the @#$% happened to Microsoft?

May 20, 2019

Episode 145 - What do security and fire have in common?

May 13, 2019

Episode 144 - The security of money, which one is best?

May 6, 2019

April  7

Episode 143 - Security lessons from the phone book

April 29, 2019

Episode 142 - Hypothetical security: what if you find a USB flash drive?

April 21, 2019

Episode 141 - Timezones are hard, security is harder

April 15, 2019

The security of dependencies

April 10, 2019

Episode 140 - Good enough security is a pretty high bar

April 8, 2019

Supplying the supply chain

April 2, 2019

Episode 139 - Secure voting, firefox send, and toxic comments on the internet

April 1, 2019

March  4

Episode 138 - Information wants to be free

March 25, 2019

Episode 137.5 - Holy cow Beto was in the cDc, this is awesome!

March 18, 2019

Episode 137 - When the IoT attacks!

March 11, 2019

Episode 136 - How people feel is more important than being right

March 4, 2019

February  4

Episode 135 - Passwords, AI, and cloud strategy

February 25, 2019

Episode 134 - What’s up with the container runc security flaw?

February 18, 2019

Episode 133 - Smart locks and the government hacking devices

February 11, 2019

Episode 132 - Bird Scooter: 0, Cory Doctorow: 1

February 4, 2019

January  5

Episode 131 - Windows micropatches, Google’s privacy fine, and Mastercard fixes trial abuse

January 28, 2019

Episode 130 - Chat with Snyk co-founder Danny Grander

January 21, 2019

Security isn’t a feature

January 15, 2019

Episode 129 - The EU bug bounty program

January 14, 2019

Episode 128 - Australia’s encryption backdoor bill

January 7, 2019

2018  66

December  5

Misguided misguidings over the EU bug bounty

December 30, 2018

2018 Christmas Special - Is Santa GDPR compliant?

December 24, 2018

Episode 127 - Walled gardens, appstores, and more

December 17, 2018

Episode 126 - The not so dire future of supply chain security

December 10, 2018

Episode 125 - Open Source, supply chains, npm, and you

December 3, 2018

November  6

What’s up with backdoored npm packages?

November 27, 2018

Episode 124 - Cloudflare’s service workers and the economics of security

November 26, 2018

Dependencies in open source

November 19, 2018

Episode 123 - Talking about Kubernetes and container security with Liz Rice

November 19, 2018

Episode 122 - What will Apple’s T2 chip mean for the rest of us?

November 12, 2018

Episode 121 - All about the security of voting

November 5, 2018

October  7

Episode 120 - Bloomberg and hardware backdoors - it’s already happening

October 29, 2018

Targeted vs General purpose security

October 23, 2018

Episode 119 - The Google+ and Facebook incidents, it’s not your data anymore

October 22, 2018

Episode 118 - Cloudflare’s IPFS and onion service

October 15, 2018

Episode 117 - Will security follow Linus’ lead on being nice?

October 8, 2018

Millions of unfixed security flaws is a lie

October 1, 2018

Episode 116 - The future of the CISO with Michael Piacente

October 1, 2018

September  4

Episode 115 - Discussion with Brian Hajost from SteelCloud

September 24, 2018

Episode 114 - Review of "Click Here to Kill Everybody"

September 17, 2018

Episode 113 - Actual real security advice

September 10, 2018

Episode 112 - Google’s Titan Key and the latest Struts issue

September 3, 2018

August  6

Security reviews and microservices

August 28, 2018

Episode 111 - The TLS 1.3 and DNS episode

August 27, 2018

Actionable Advice

August 22, 2018

Episode 110 - Review of Black Hat, Defcon, and the effect of security policies

August 20, 2018

Episode 109 - OSCon and actionable advice

August 13, 2018

Episode 108 - Bluetooth, phishing, airgaps, and eating soup off the floor

August 6, 2018

July  6

Episode 107 - The year of the Linux Desktop and other hardware stories

July 30, 2018

Episode 106 - Data isn’t oil, it’s nuclear waste

July 23, 2018

Episode 105 - More backdoors in open source

July 16, 2018

The father of modern security: B. F. Skinner

July 11, 2018

Episode 104 - The Gentoo security incident

July 9, 2018

Episode 103 - The Seven Properties of Highly Secure Devices

July 2, 2018

June  5

Episode 102 - Michael Feiertag from tCell

June 25, 2018

Episode 101 - Our unregulated future is here to stay

June 17, 2018

Episode 100 - You’re bad at buying security, we can help!

June 11, 2018

Security ROI isn’t impossible, we suck at measuring

June 5, 2018

Episode 99 - Consumer security is too broken to fix, and it doesn’t matter

June 4, 2018

May  5

Episode 98 - When IT decisions kill people

May 28, 2018

Episode 97 - Automation: Humans are slow and dumb

May 20, 2018

Helicopter security

May 17, 2018

Episode 96 - Are legal backdoors a good idea?

May 14, 2018

Episode 95 - Twitter passwords and npm backdoors

May 7, 2018

April  6

Episode 94 - DNSSEC, BGP, and reality

April 30, 2018

Episode 93 - Security flaws in beep and patch, how did we get here?

April 23, 2018

Episode 92 - Chat with Rami Saas the CEO of WhiteSource

April 15, 2018

Episode 91 - Security lessons from a 7 year old

April 8, 2018

Spend until you’re secure

April 5, 2018

Episode 90 - Humans and misinformation

April 2, 2018

March  5

Episode 89 - Short selling AMD security flaws

March 25, 2018

Episode 88 - Chat with Chris Rosen from IBM about Container Security

March 18, 2018

Episode 87 - Chat with Let’s Encrypt co-founder Josh Aas

March 11, 2018

But that’s not my job!

March 7, 2018

Episode 86 - What happens when 23 thousand certificates leak?

March 5, 2018

February  5

Episode 85 - NPM ate my files

February 28, 2018

Episode 84 - Have I been pwned?

February 25, 2018

Episode 83 - XKCD + CVE = XKCVE

February 21, 2018

Episode 82 - RSA, TLS, Chrome HTTP, and PCI

February 13, 2018

Episode 81 - Autosploit, bug bounties, and the future of security

February 7, 2018

January  6

Episode 80 - GPS tracking and jamming

January 31, 2018

Episode 79 - Skyfall: please don’t yell ‘fire’

January 24, 2018

Episode 78 - Risk lessons from Hawaii

January 16, 2018

Episode 77 - npm and the supply chain

January 11, 2018

Episode 76 - Meltdown aftermath

January 7, 2018

Security and privacy are the same thing

January 3, 2018

2017  78

December  3

Episode 75 - Security Planner review

December 19, 2017

Episode 74 - Facial recognition and physical security

December 13, 2017

Episode 73 - Security from Santa

December 6, 2017

November  5

Episode 72 - Bitcoin: It’s over 9000

November 28, 2017

Episode 71 - GitHub’s Security Scanner

November 21, 2017

Episode 70 - The security of Intel ME

November 14, 2017

Episode 69 - Actionable security advice

November 7, 2017

Episode 68 - Ruining the Internet

November 1, 2017

October  4

Episode 67 - Cyber won

October 24, 2017

Episode 66 - Objects in mirror are less terrible than they appear

October 16, 2017

Episode 65 - Will aliens overthrow us before AI?

October 9, 2017

Episode 64 - Networks and Dnsmasq and IoT oh my

October 3, 2017

September  3

Episode 63 - Shoot, Shovel, and Bury

September 26, 2017

Episode 62 - All about the Equifax hack

September 11, 2017

Episode 61 - Market driven security

September 5, 2017

August  4

Episode 60 - The official blockchain episode

August 30, 2017

Episode 59 - The VPN Episode

August 15, 2017

Episode 58 - Backwards compatibility to the point of insanity

August 9, 2017

Episode 57 - We may never see amazing security research ever again

August 1, 2017

July  5

Summer is coming

July 20, 2017

Episode 56 - Devil’s Advocate and other fuzzy topics

July 18, 2017

Episode 55 - Good docs ruin my story

July 12, 2017

Who’s got your hack back?

July 9, 2017

Episode 54 - Turning into an old person

July 4, 2017

June  8

Episode 53 - A plane isn’t like a car

June 28, 2017

When in doubt, blame open source

June 26, 2017

Episode 52 - You could have done it right, but you didn’t

June 20, 2017

Thought leaders aren’t leaders

June 18, 2017

Episode 51 - All about CVE

June 12, 2017

Humanity isn’t proactive

June 11, 2017

Episode 50 - This is a security podcast after all

June 6, 2017

Free Market Security

June 4, 2017

May  8

Episode 49 - Testing software is impossible

May 30, 2017

Stealing from customers

May 29, 2017

You know how to fix enterprise patching? Please tell me more!!!

May 22, 2017

Episode 48 - Machine Learning: Not actually magic

May 21, 2017

Episode 47 - WannaCry: Everything is basically broken

May 14, 2017

Episode 46 - Turns out I’m not a bad guy

May 4, 2017

Security like it’s 2005!

May 3, 2017

Episode 45 - Trust is more important now than the truth

May 2, 2017

April  10

Security fail is people

April 30, 2017

Episode 44 - Bug Bounties vs Pen Testing

April 25, 2017

I have seen the future, and it is bug bounties

April 24, 2017

Episode 43 - We are totally immature

April 19, 2017

Crawl, Walk, Drive

April 17, 2017

Episode 42 - Hitchhiker’s Guide to Security

April 13, 2017

The obvious answer is never the secure answer

April 10, 2017

Episode 41 - All your money are belong to us

April 10, 2017

The expectation of security

April 2, 2017

Episode 40 - Let’s fork bitcoin, again

April 2, 2017

March  8

Remember kids, if you’re going to disclose, disclose responsibly!

March 28, 2017

Episode 39 - Flash on your dishwasher

March 28, 2017

Inverse Law of CVEs

March 23, 2017

Episode 38 - We Ruin Everything

March 22, 2017

Security, Consumer Reports, and Failure

March 12, 2017

Episode 37 - Your bathtub is more dangerous than a shark

March 9, 2017

Episode 36 - A Good Enough Podcast

March 5, 2017

What the Oscars can teach us about security

March 2, 2017

February  7

Episode 35 - Crazy Cosmic Accident

February 28, 2017

SHA-1 is dead, long live SHA-1!

February 24, 2017

Episode 34 - Bathing in Ebola Virus

February 22, 2017

Episode 33 - Everybody who went to the circus is in the circus (RSA 2017)

February 15, 2017

Reality Based Security

February 12, 2017

Episode 32 - Gambling as a Service

February 8, 2017

Episode 31 - XML is never the solution

February 1, 2017

January  13

Everything you know about security is wrong, stop protecting your empire!

January 30, 2017

Episode 30 - I’m not an expert but I’ve been yelled at by experts

January 26, 2017

Return on Risk Investment

January 23, 2017

Episode 29 - The Security of Rogue One

January 22, 2017

Episode 28 - RSA Conference 2017

January 19, 2017

What does security and USB-C have in common?

January 16, 2017

Episode 27 - Prove to me you are human

January 16, 2017

Episode 26 - Tell your sister, Stallman was right

January 12, 2017

Episode 25 - The future is now

January 10, 2017

Security Advice: Bad, Terrible, or Awful

January 9, 2017

Looks like you have a bad case of embedded libraries

January 3, 2017

Episode 24 - The 2016 prediction edition! (yeah, that’s right, 2016)

January 3, 2017

Future Proof Security

January 2, 2017

2016  77

December  11

Episode 23 - We can’t patch people

December 28, 2016

The art of cutting edge, Doom 2 vs the modern Security Industry

December 25, 2016

Episode 22 - IoT Wild West

December 25, 2016

Episode 21 - CVE 10K Extravaganza

December 21, 2016

Does "real" security matter?

December 19, 2016

Episode 20 - The Death of PGP

December 19, 2016

Episode 19 - A field full of razor blades and monsters

December 14, 2016

Episode 18 - The Security of Santa

December 11, 2016

Episode 17 - Cyphercon Interview with Korgo

December 6, 2016

Airports, Goats, Computers, and Users

December 4, 2016

Episode 16 - Cat and mouse

December 2, 2016

November  8

Episode 15 - Cyber Black Monday

November 29, 2016

The Economics of stealing a Tesla with a phone

November 28, 2016

Episode 14 - David A Wheeler: CII Badges

November 22, 2016

Fast security is the best security

November 21, 2016

Episode 13 - CVE: The metric system of security

November 18, 2016

Who cares if someone hacks my driveway camera?

November 14, 2016

Episode 12 - Security Trebuchet

November 10, 2016

Free security is the only security that really works

November 6, 2016

October  11

Stop being the monkey’s paw

October 31, 2016

Episode 11 - The Poison Candy Episode

October 31, 2016

Security is in the same leaky boat as the sysadmins

October 31, 2016

Episode 10 - The super botnet that nobody can stop

October 24, 2016

Everything you know about security is wrong

October 23, 2016

IoT Can Never Be Fixed

October 22, 2016

Episode 9 - Are bug bounties measuring the wrong things?

October 18, 2016

Can I interest you in talking about Security?

October 17, 2016

Episode 8 - The primality of prime numbers

October 11, 2016

Episode 7 - More Powerful than root!

October 3, 2016

Impossible is impossible!

October 3, 2016

September  11

Episode 6 - Foundational Knowledge of Security

September 29, 2016

Episode 5 - OpenSSL: The library we deserve

September 29, 2016

Who left all this fire everywhere?

September 26, 2016

Episode 4 - Dead squirrel in a box

September 21, 2016

Is dialup still an option?

September 20, 2016

Why do we do security?

September 18, 2016

Episode 3 - The Lockpicking Sewing Circle

September 13, 2016

On Experts

September 12, 2016

Episode 2 - Instills the proper amount of fear

September 7, 2016

Episode 1 - Rich History of Security Flaws

September 7, 2016

You can’t weigh risk if you don’t know what you don’t know

September 6, 2016

August  5

How do we explain email to an "expert"?

August 29, 2016

The cost of mentoring, or why we need heroes

August 21, 2016

Can’t Trust This!

August 15, 2016

We’re figuring out the security problem (finally)

August 8, 2016

Everyone has been hacked

August 1, 2016

July  3

Using a HooToo Nano as a magic VPN box

July 18, 2016

Entry level AI

July 11, 2016

But I have work to do!

July 5, 2016

June  4

The future of security

June 27, 2016

Decentralized Security

June 20, 2016

Ready to form Voltron! why security is like a giant robot make of lions

June 13, 2016

Is there a future view that isn’t a security dystopia?

June 6, 2016

May  5

Regulation can fix security, except you can’t regulate security

May 29, 2016

Thoughts on our security bubble

May 23, 2016

Security will fix itself, eventually

May 15, 2016

Security isn’t a feature, it’s a part of everything

May 8, 2016

Trusting, Trusting Trust

May 1, 2016

April  5

Can we train our way out of security flaws?

April 24, 2016

Software end of life matters!

April 17, 2016

What happened with Badlock?

April 12, 2016

Cybersecurity education isn’t good, nobody is shocked

April 10, 2016

Security is really about Risk vs Reward

April 3, 2016

March  5

Ransomware is scary, but not for the reasons you think it is

March 29, 2016

I’m going to do something really cool in 3 weeks! … Probably.

March 23, 2016

Everything is fine, nothing to see here!

March 20, 2016

Containers are like sandwiches

March 13, 2016

The interesting things from RSA are what didn’t happen, and containers are sandwiches

March 7, 2016

February  4

Let’s talk about soft skills at RSA, plus some other things

February 29, 2016

Thinking about glibc and Heartbleed, how do fix things

February 23, 2016

Change direction, increase speed! (or why glibc changes nothing)

February 21, 2016

glibc for humans

February 19, 2016

January  5

Does the market care about security?

January 31, 2016

Security and Tribal Knowledge

January 25, 2016

OpenSSH, security, and everyone else

January 18, 2016

What the lottery and security have in common

January 10, 2016

A security analogy that works

January 4, 2016

2015  18

December  4

Security reminds me of the gym on January 2

December 29, 2015

A Christmas Cyber

December 21, 2015

Security is the new paperless office!

December 14, 2015

Security lacks patience

December 7, 2015

November  4

Where is the physical trust boundary?

November 30, 2015

If your outcome is perfect or nothing, nothing always wins

November 20, 2015

Your containers were built in some guy’s barn!

November 16, 2015

Is the Linux ransomware the first of many?

November 11, 2015

October  4

The Third Group

October 27, 2015

How do we talk to normal people?

October 20, 2015

How do we talk to business?

October 13, 2015

What’s filling the vacuum?

October 6, 2015

September  6

We’re losing the battle for security

September 29, 2015

How to build trust

September 22, 2015

How can we describe a buffer overflow in common terms?

September 13, 2015

Being a nice security person

September 8, 2015

Everyone is afraid of us

September 3, 2015

You are bad at talking to people

September 2, 2015