Josh and Kurt talk about a TuxCare survey on patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important.
Josh and Kurt talk about a lot of security vulnerabilities in this month’s Patch Tuesday. There’s also a new Git vulnerability. This sparks the age-old question of how fast to patch. The answer isn’t binary; the right answer is whatever works best for you, not what someone tells you is best.
Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there’s not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess.
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’ Law, in open source the superpower isn’t bugs are shallow (they’re not), the superpower is security bugs in open source can’t be ignored.
Earlier today I asked a question on Twitter
Holy cow, that thread took on a life of its own. The question is easy enough: do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are). But during the thread I also think I figured out how to start collecting this data. That’s a post for the future.
Now, I should clarify, I think pinning dependencies is a fine idea. I imagine my question was misread by a number of people to be some secret attempt at pushing an agenda. Sadly it was not. I am a bit harsh in the thread on people trying to pass off opinion as fact. The whole point of the question was to find some data, then things got weird.
I want to address something I realized in this thread. There is no data on this point, yet there is quite a bit of guidance in that thread. Everyone just sort of talks past each other. Some people are horrified by the idea of not pinning your dependencies. Some think pinning dependencies is the worst thing ever. It’s all quite fascinating. Everyone has an opinion, nobody has data. How often do we make decisions based on how we feel about something, but then end up confusing our feelings for facts? I think all the random odd views we can see in that thread are the result of different opinions. Opinions based on how someone feels. Data is like a line in the sand you can always see, opinions are like waves washing back and forth. Sometimes weird things wash up.
It’s easy to get caught up in things we want to believe to be true. I know people who still maintain changing your password on a regular basis is more secure. There is actual research that shows changing your passwords on a regular cadence is less secure than using one very long password, actual real research. But because it feels wrong, it must be wrong.
I find myself doing this all the time. I might have a certain opinion and it’s really hard to objectively unlearn something. My favorite example of this is that I once thought PGP was the best possible form of secure messaging. The keys are generated locally, you can pass messages via any medium. You can send messages to nearly anyone. In theory it’s a great system! But in reality it’s terrible. It took me a long time to realize my love of PGP was mostly emotional. The data was clear, PGP has a lot of problems. I try not to use it now.
I’m not trying to make anyone feel bad for whatever view they may or may not have in this post. I wanted to scribble down some quick thoughts because the whole conversation reminded me that opinion is not fact. Facts need data. And sometimes we believe something for so long, we don’t even notice we are trying to pass off our opinions as facts.
There’s an old hacker saying “question everything”. It’s very relevant in this discussion.
It’s relevant in every discussion, especially this blog post.
Josh and Kurt talk about Microsoft accidentally letting us find out about ads in File Explorer. Changing your clocks sucks. They also touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do.
Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There’s almost no way a bug like this could be found outside of open source.
Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented.