Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats,Continue reading “Episode 298 – David A Wheeler discusses the OpenSSF”
Author Archives: Josh Bressers
Episode 297 – 25 years of smashing stacks, fun, and profit
Josh and Kurt talk about the famous Phrack 49 article “Smashing the Stack for Fun and Profit” turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making exploiting stack overflows easier, to defenders creating technologies such as stack canaries are the directContinue reading “Episode 297 – 25 years of smashing stacks, fun, and profit”
Episode 296 – Is Trojan Source a vulnerability?
Josh and Kurt talk about the new Trojan Source bug. We don’t always agree on if this is a vulnerability (it’s not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don’t live in a world where you can make a realistic suggestion to return to using only ASCII. ThereContinue reading “Episode 296 – Is Trojan Source a vulnerability?”
Episode 295 – Open source security isn’t free
Josh and Kurt talk about Josh’s electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. Show Notes UAParser.js CISA announcement
Episode 294 – Chris Wysopal on the state of security education
Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone newContinue reading “Episode 294 – Chris Wysopal on the state of security education”
Episode 293 – Scoring OpenSSF Security Scoring
Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no brainier activities. We go through the list of metrics being measured. There are only a few that we don’t thinkContinue reading “Episode 293 – Scoring OpenSSF Security Scoring”
Episode 292 – Apache RCE and Twitch epic pwn
Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn’t matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard. Show Notes Parasocial RelationshipContinue reading “Episode 292 – Apache RCE and Twitch epic pwn”
Episode 291 – Everyone sucks at vulnerability disclosure
Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you’ll have some fun and learn a bit about the wholeContinue reading “Episode 291 – Everyone sucks at vulnerability disclosure”
Episode 290 – The security of the Matrix
Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit.Continue reading “Episode 290 – The security of the Matrix”
Episode 289 – Who left this 0day on the floor?
Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It’s certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal. Show Notes Matrix 4 trailer Travis CI issueContinue reading “Episode 289 – Who left this 0day on the floor?”
Open Source Security 