Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, and lots of security people were aghast at how many people scanned it. The reality is that scanning a QR code isn't dangerous: the scan only decodes the text or URL embedded in the code, and any risk is in what you do with that link afterwards, the same as with any link. What other security advice just won't go away?
Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don’t have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it’s easy to see how the EFF became the jewel of the Internet.
Josh and Kurt talk about NPM requiring 2FA for maintainers of the top 100 packages. We discuss the new Alpha-Omega project from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability.
Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub got a lot of attention very quickly, compared to a problem like Log4Shell, which sat unnoticed for years before anyone really picked up on it. It's hard to talk about security sometimes.
Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like.
Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, and we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing, and the whole world of cryptocurrency is very confusing for normal people. None of this is new: there have always been con artists, and there will always be con artists.
Josh and Kurt talk about the question: will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it is no is very complicated. Far more complicated than either of us thought it would be.
Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure we’ll be talking about it well into the future.
Log before Christmas poem
‘Twas the night before Christmas, when all through the stack
Not a scanner was scanning, not even a rack,
The SBOMs were uploaded to the portal with care,
In hopes that next year would be boring and bare
The interns were nestled all snug at their beds;
While visions of dashboards danced in their heads;
The CISO in their ‘kerchief, and I in my cap,
Had just slept our laptops for a long winter’s nap,
When all of a sudden the pager went ack ack
I sprang to my laptop with worries of attack
Away to the browser I flew like a flash,
Tore open the window and cleared out the cache
The red of the dashboard the glow of the screen
Gave a lustre of disaster my eyes rarely seen
When what to my wondering eyes did we appear,
But a new advisory and eight vulnerabilities to fear,
Like a little old hacker all ready to play,
I knew in a moment it must be Log4j
More rapid than gigabit its coursers they came,
And it whistled, and shouted, and called them by name:
“Now, Log4Shell! now CVE! now ASF and NVD!
On, CISA! on, LunaSec! on, GossiTheDog!
To the top of the HackerNews! to the top of the wall!
Now hack away! hack away! hack away all!”
Like the bits that before the wild CDN fly by
When they meet with a firewall, they mount to the sky;
So up to the cloud like bastards they flew
With tweets full of vulns, and Log4j too—
And then, in a twinkling, I read in the slack
The wailing and screaming of each analyst called back
As I drew in my head, and was turning around,
Down the network Log4j came with a bound.
It was dressed in a hoodie, black and zipped tight,
The clothes were all swag from a conference one night
A bundle of vulns it had checked in its git
And it looked like a peddler just being a twit
The changelog—how it twinkled! its features, how merry!
Its versions were like roses, its logo like a cherry!
Its droll little mouth was drawn up like an at,
And the beard on its chin made it look stupid and fat
The stump of a diff it held tight in its teeth,
And the bits, they encircled the repo like a wreath;
It had a flashy readme an annoying little fad
That shook when it downloaded, like a disk drive gone bad
It was chubby and plump, an annoying old package,
And I laughed when I saw it, in spite of the hackage
A wink of its bits and a twist of its head
Soon gave me to know I had everything to dread
It spoke not a word, but went straight to its work,
And pwnt all the servers; then turned with a jerk,
And laying its patches aside of its nose,
And giving a nod, up the network it rose;
It sprang to its packet, to its team gave them more,
And away they all fled leaving behind a back door
But I heard it exclaim, ere it drove out of sight—
“Merry Christmas you nerds, Log4j won tonight!”
Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then.
Good luck to everyone dealing with this thing.