Episode 311 – Did you scan the QR code?

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, and lots of security people were aghast at how many people scanned it. The reality is that scanning QR codes isn’t dangerous. What other security advice just won’t go away?

Show Notes

Episode 310 – Hayley Tsukayama from the EFF talks about privacy

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don’t have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details; it’s easy to see how the EFF became the jewel of the Internet.

Show Notes

Episode 309 – The bright future of open source security

Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability.

Show Notes

Episode 308 – Welcome to the jungle – How to talk about open source security

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It’s hard to talk about security sometimes.

Show Notes

Episode 307 – Got vulnerabilities? Introducing GSD

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers.

Show Notes

Episode 306 – Open source isn’t broken, it’s an experience

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like.

Show Notes

Episode 305 – Norton, Ethereum, NFT, and Apes

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, and we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world of cryptocurrency is very confusing for normal people. None of this is new; there have always been con artists, and there will always be con artists.

Show Notes

Episode 304 – Will we ever fix all the vulnerabilities?

Josh and Kurt talk about the question: will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course “no”, but why it is no is very complicated. Far more complicated than either of us thought it would be.

Show Notes

Episode 303 – Log4j Christmas Spectacular!

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure we’ll be talking about it well into the future.

Log before Christmas poem

‘Twas the night before Christmas, when all through the stack
Not a scanner was scanning, not even a rack,

The SBOMs were uploaded to the portal with care,
In hopes that next year would be boring and bare

The interns were nestled all snug at their beds;
While visions of dashboards danced in their heads;

The CISO in their ‘kerchief, and I in my cap,
Had just slept our laptops for a long winter’s nap,

When all of a sudden the pager went ack ack
I sprang to my laptop with worries of attack

Away to the browser I flew like a flash,
Tore open the window and cleared out the cache

The red of the dashboard the glow of the screen
Gave a lustre of disaster my eyes rarely seen

When what to my wondering eyes did we appear,
But a new advisory and eight vulnerabilities to fear,

Like a little old hacker all ready to play,
I knew in a moment it must be Log4j

More rapid than gigabit its coursers they came,
And it whistled, and shouted, and called them by name:

“Now, Log4Shell! now CVE! now ASF and NVD!
On, CISA! on, LunaSec! on, GossiTheDog!

To the top of the HackerNews! to the top of the wall!
Now hack away! hack away! hack away all!”

Like the bits that before the wild CDN fly by
When they meet with a firewall, they mount to the sky;

So up to the cloud like bastards they flew
With tweets full of vulns, and Log4j too—

And then, in a twinkling, I read in the slack
The wailing and screaming of each analyst called back

As I drew in my head, and was turning around,
Down the network Log4j came with a bound.

It was dressed in a hoodie, black and zipped tight,
The clothes were all swag from a conference one night

A bundle of vulns it had checked in its git
And it looked like a pedler just being a twit

The changelog—how it twinkled! its features, how merry!
Its versions were like roses, its logo like a cherry!

Its droll little mouth was drawn up like an at,
And the beard on its chin made it look stupid and fat

The stump of a diff it held tight in its teeth,
And the bits, they encircled the repo like a wreath;

It had a flashy readme an annoying little fad
That shook when it downloaded, like a disk drive gone bad

It was chubby and plump, an annoying old package,
And I laughed when I saw it, in spite of the hackage

A wink of its bits and a twist of its head
Soon gave me to know I had everything to dread

It spoke not a word, but went straight to its work,
And pwnt all the servers; then turned with a jerk,

And laying its patches aside of its nose,
And giving a nod, up the network it rose;

It sprang to its packet, to its team gave them more,
And away they all fled leaving behind a back door

But I heard it exclaim, ere it drove out of sight—
“Merry Christmas you nerds, Log4j won tonight!”

Episode 302 – Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then.

Good luck to everyone dealing with this thing.

Show Notes