Episode 203 – Humans, conferences, and security: let me think and get back to you in a bit

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren’t what they used to be, but things like BSides are great experiences. Show Notes Security and Human Behaviour Josh’s blogContinue reading “Episode 203 – Humans, conferences, and security: let me think and get back to you in a bit”

Episode 201 – We broke CVSSv3, now how do we fix it?

Josh and Kurt talk about CVSSv3 and how it’s broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it’s far more broken than any of us expected in ways we didn’t expect. NVD isn’t broken, CVSSv3 is. HowContinue reading “Episode 201 – We broke CVSSv3, now how do we fix it?”

Episode 200 – Talking Container Security with Liz Rice

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future? Show Notes Container Security download Pictures of elephants Kubernetes SecurityContinue reading “Episode 200 – Talking Container Security with Liz Rice”

Episode 199 – Special cases are special: DNS, Websockets, and CSV

Josh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. YesContinue reading “Episode 199 – Special cases are special: DNS, Websockets, and CSV”

Episode 198 – Good advice or bad advice? Hang up, look up, and call back

Josh and Kurt talk about the Krebs blog post titled “When in Doubt: Hang Up, Look Up, & Call Back”. In the world of security there isn’t a lot of actionable advice, it’s worth discussing if something like this will work, or ever if it’s the right way to handle these situations. Show Notes When in Doubt:Continue reading “Episode 198 – Good advice or bad advice? Hang up, look up, and call back”

Episode 197 – Beer, security, and consistency; the newer, better, triad

Josh and Kurt talk about what beer and reproducible builds have in common. It’s a lot more than you think, and it mostly comes down to quality control. If you can’t reproduce what you do, you’re not a mature organization and you need maturity to have quality. Show Notes Reinheitsgebot Josh’s Blog Post Ken Thompson’s reflections onContinue reading “Episode 197 – Beer, security, and consistency; the newer, better, triad”

Episode 196 – Pounding square solutions into round holes: forced updates from Ubuntu

Josh and Kurt talk about automatic updates. Specifically we discuss a recent decision by Ubuntu to enable forced automatic updates. There are lessons here for the security community. We have a history of jumping to solutions rather than defining and understanding problems. Sometimes our solutions aren’t the best. Also murder bees. Show Notes The Oatmeal giant beeContinue reading “Episode 196 – Pounding square solutions into round holes: forced updates from Ubuntu”