Episode 298 – David A Wheeler discusses the OpenSSF

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects.

Show Notes

Episode 297 – 25 years of smashing stacks, fun, and profit

Josh and Kurt talk about the famous Phrack 49 article “Smashing the Stack for Fun and Profit” turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making exploiting stack overflows easier, to defenders creating technologies such as stack canaries are the direct result of this work.

Show Notes

Episode 296 – Is Trojan Source a vulnerability?

Josh and Kurt talk about the new Trojan Source bug. We don’t always agree on if this is a vulnerability (it’s not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don’t live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one.

Show Notes

Episode 295 – Open source security isn’t free

Josh and Kurt talk about Josh’s electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities.

Show Notes

Episode 294 – Chris Wysopal on the state of security education

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security.

Show Notes

Episode 293 – Scoring OpenSSF Security Scoring

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no brainier activities. We go through the list of metrics being measured. There are only a few that we don’t think are fantastic.

Show Notes

Episode 292 – Apache RCE and Twitch epic pwn

Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn’t matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard.

Show Notes

Episode 291 – Everyone sucks at vulnerability disclosure

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you’ll have some fun and learn a bit about the whole vulnerability disclosure process.

Show Notes

Episode 290 – The security of the Matrix

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit. How a lot of the plot is a bit silly. It’s a really fun episode.

Show Notes

Episode 289 – Who left this 0day on the floor?

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It’s certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal.

Show Notes