Episode 283 – When vulnerability disclosure becomes dangerous

Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It’s less simple than it sounds; many of the choices could end up harming victims.

Show Notes

Episode 282 – The security of Rust: who left all this awesome in here?

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn’t always obvious when you’re in the middle of progress.

Show Notes

Episode 281 – If you spy on journalists, you’re the bad guys

Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake-up call for anyone creating devices and systems that could be attacked: it’s time to segment services. There’s not a lot individuals can do at this point, but we have some ideas at the end of the episode.

Show Notes

Episode 280 – The perils of Single Sign On

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us; if we lose access to our SSO account, we will lose access to many services.

Show Notes

The future of DWF

TL;DR – The future of community vulnerability identifiers is going to be the Cloud Security Alliance. See this blog post for more details.

A few months ago the Distributed Weakness Filing project (DWF) announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post lays out some of the reasons; we won’t rehash them here.

It should surprise nobody that the DWF project did not grow to an enormous size in a few short months. Vulnerability identification is a complex and hard problem. We were looking to try out some new ideas and see which were effective and which were not. The goal was to start building the structure needed to deal with a future community. Most importantly, it was to help figure out what we don’t know we don’t know.

One group that has become interested in what we were doing was the Cloud Security Alliance (CSA). The CSA is focused on, well, security and the cloud, as well as other new and emerging technologies and problems. Traditional vulnerability identifiers have been heavily focused on software as it existed in the past rather than on current software and services. The CSA has an interest in helping to define the next generation of vulnerability classification. There are a huge number of potential vulnerabilities and weaknesses that are going untracked, which means they are largely unseen. If we expect the future to be more secure than the past, having a community-driven vulnerability classification and freely available databases will be critical.

To make a long story short, the DWF is dissolving and is directing people and organizations interested in participating in this work towards the CSA community, where a new working group and other efforts are being started. The group is tentatively called the “Universal Vulnerability Identifier (UVI) working group”. This is a working group with open membership and an initial goal of helping define the future of vulnerability identification. The target audience is anyone looking to understand, use, and define vulnerability identifiers. Closed source, open source, services, security researchers, IoT developers, individuals, companies, projects: we want to work with everyone. For more information please see https://universalvulnerabilityidentifier.org/

The DWF was founded on the idea of bringing community, openness, and transparency to vulnerability identifiers. These are also principles that the CSA values and has consistently exhibited for over a decade. There will be a few changes to the DWF and DWF data happening in the short term to support these long term goals:

  1. The UVI IDs will all start with the prefix “UVI”. All DWF IDs will have their prefix upgraded to UVI.
  2. The iwantacve.org domain is being transferred to the MITRE Corporation. We do hope that the MITRE Corporation continues to run a service that makes acquiring a CVE Identifier quick and painless.
  3. The DWF project is dissolved effective immediately.

We are extremely excited for what the future holds. The CSA is a very forward-thinking organization that understands and appreciates the past work of the DWF. We all expect this working group will have a great impact on the future of vulnerability identification and management.

Episode 279 – The audacity of Audacity: When open source goes rogue

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it?

Show Notes

Episode 278 – Could SELinux have stopped SolarWinds?

Josh and Kurt talk about a listener-provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it’s very difficult to sandbox something like a build system.

Show Notes

Episode 277 – Privacy and activism with Chris Weiland

Josh and Kurt talk to Chris Weiland from Restore the Fourth Minnesota. Restore The Fourth Minnesota is a nonprofit dedicated to restoring the Fourth Amendment to the U.S. Constitution and ending unconstitutional mass government surveillance. Chris drops a ton of knowledge about how to be an effective tech activist and what his group is doing, and most importantly we get actionable advice!

Show Notes

Episode 276 – Security, behavior, and the environment

Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what’s happening around us, even though everything is related.

Show Notes

Episode 275 – What in the @#$% is going on with ransomware?

Josh and Kurt talk about why it seems like the world of ransomware has gotten out of control in the last few weeks. Every day there’s a new and more bizarre ransomware story than the one we had yesterday.

Show Notes