Episode 289 – Who left this 0day on the floor?

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It’s certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal.

Show Notes

Episode 288 – Linux Kernel compiler warnings considered dangerous

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that goes against how GitHub works. They’re also turning all compiler warnings into errors. It’s really interesting to understand what these steps mean today, and what they could mean in the future.

Show Notes

Episode 287 – Is GitHub’s Copilot the new Clippy?

Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came?

Show Notes

Episode 286 – Open source supply chain with Google’s Dan Lorenc

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What’s currently going on in this space and what sort of new thing scan we look forward to? We discuss Google’s open source use, Project Sigstore, the SLSA framework and more.

Show Notes

Episode 285 – Open source owes you nothing!

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren’t a help desk.

Show Notes

Episode 284 – What happens when we DRM power tools?

Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this. What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don’t have any real answers for.

Show Notes

Episode 283 – When vulnerability disclosure becomes dangerous

Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It’s less simple than it sounds, many of the choices could end up harming victims.

Show Notes

Episode 282 – The security of Rust: who left all this awesome in here?

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn’t always obvious when you’re in the middle of progress.

Show Notes

Episode 281 – If you spy on journalists, you’re the bad guys

Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake up call for anyone creating devices and systems that could be attacked, it’s time to segment services. There’s not a lot individuals can do at this point, but we have some ideas at the end of the episode.

Show Notes

Episode 280 – The perils of Single Sign On

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us, if we lose access to our SSO account we will lose access to many services.

Show Notes