Josh and Kurt talk about how we talk about what we do in the context of life on Venus. We didn’t really discover life on Venus, we discovered a gas that could be created by life on Venus. The world didn’t hear that though. We have a similar communication problem in security. How often are your words misunderstood?Continue reading “Episode 216 – Security didn’t find life on Venus”
Author Archives: Josh Bressers
Episode 215 – Real security is boring
Josh and Kurt talk about attacking open source. How serious is the threat of developers being targeted or a git repo being watched for secret security fixes? The reality of it all is there are many layers in a security journey, the most important things you can do are also the least exciting. Show NotesContinue reading “Episode 215 – Real security is boring”
Episode 213 – Security Signals: What are you telling the world
Josh and Kurt talk about how your actions can tell the world if you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously. Show Notes Reddit carbon monoxide PartContinue reading “Episode 213 – Security Signals: What are you telling the world”
We take security seriously, VERY SRSLY!
Every company tells you they take security seriously. Some even take it very seriously. But do they? I started to think about this because of a recent Slack bug. I think there are a lot of interesting things we can look at to decide if a company is taking security seriously or if the companyContinue reading “We take security seriously, VERY SRSLY!”
Episode 212 – Grab Bag: The Security We Deserve Edition
Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas. Show Notes Blanket rack Chromium DNS traffic Ubuntu MOTD Microsoft telemetry YAM coin implodes Panda Cubs
2020 CWE Top 25 I mean 10 or maybe 4.5
A few days ago I ran across this report from MITRE. It’s titled “2020 CWE Top 25 Most Dangerous Software Weaknesses”. I found the report lacking the sort of details I was hoping for, so I’m going rogue and adding those details myself because it’s a topic I care about and I like seeing conclusions.Continue reading “2020 CWE Top 25 I mean 10 or maybe 4.5”
Episode 211 – The only thing harder than signing files is managing users
Josh and Kurt talk about the Microsoft 2 year old signature bug and GitLab no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is HijackingContinue reading “Episode 211 – The only thing harder than signing files is managing users”
Episode 210 – Cult of Information Security
Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It’s not all bad though, there are some things we can do to help move things forward. This episode shouldn’t be taken too seriously. Show Notes “cult of information security” How to start a cult
Episode 209 – Secure Boot isn’t Secure
Josh and Kurt talk about Secure Boot. The conversation uses the recent “Boot Hole” vulnerability to frame a conversation about what Secure Boot is and isn’t. Why the Boot Hole flaw doesn’t really matter, and why Secure Boot was very scary for Linux users back when it came out. Show Notes Boot Hole
Episode 208 – Passwords are pollution
Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it’s we don’t have metrics. Can you measure not getting hacked? Show Notes Clearing checks FAIR Institute Factorio
