Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We’ve both been working from home for a long time and have a chat about the topic. There’s not much security in this one, but it is a fun discussion.
Josh and Kurt talk to Adam Shostack about his new book “Threats: What Every Engineer Should Learn From Star Wars”. We discuss some of the lessons and threats in the Star Wars universe, it’s an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It’s a fun conversation and sounds like an amazing book.
Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you’re staying the same size, you are actually shrinking.
Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important.
Josh and Kurt talk about a lot of security vulnerabilities in this month’s Patch Tuesday. There’s also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn’t binary, the right answer is whatever works best for you, not what someone tells you is best.
Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there’s not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess.
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’ Law, in open source the superpower isn’t bugs are shallow (they’re not), the superpower is security bugs in open source can’t be ignored.
Earlier today I asked a question on Twitter
Holy cow that thread took on a life of its own. The question is easy enough, do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are). But during the thread I also think I figured how to be start collecting this data. That’s a post for the future.
Now, I should clarify, it think pinning dependencies is a fine idea. I imagine my question was misread by a number of people to be some secret attempt at pushing an agenda. Sadly it was not. I am a bit harsh in the thread on people trying to pass off opinion as fact. The whole point of the question was to find some data, then things got weird.
I want to address something I realized in this thread. There is no data on this point, yet there is quite a bit of guidance in that thread. Everyone just sort of talks past each other. Some people are horrified by the idea of not pinning your dependencies. Some think pinning dependencies is the worst thing ever. It’s all quite fascinating. Everyone has an opinion, nobody has data. How often do we make decisions based on how we feel about something, but then end up confusing our feelings for facts? I think all the random odd views we can see in that thread are the result of different opinions. Opinions based on how someone feels. Data is like a line in the sand you can always see, opinions are like waves washing back and forth. Sometimes weird things wash up.
It’s easy to get caught up things we want to believe to be true. I know people who still maintain changing your password on a regular basis is more secure. There is actual research that shows changing your passwords on a regular cadence is less secure than using one very long password, actual real research. But because it feels wrong, it must be wrong.
I find myself doing this all the time. I might have a certain opinion and it’s really hard to objectively unlearn something. My favorite example I use of this is I once thought PGP was the best possible form of secure messaging. The keys are generated locally, you can pass messages via any medium. You can send messages to nearly anyone. In theory it’s a great system! But in reality it’s terrible. It took me a long time to realize my love of PGP was mostly emotional. The data was clear, PGP has a lot of problems. I try not to use it now.
I’m not trying to make anyone feel bad for whatever view they may or may not have in this post. I wanted to scribble down some quick thoughts because the whole conversation reminded me that opinion is not fact. Facts need data. And sometimes we believe something for so long, we don’t even notice we are trying to pass off our opinions as facts.
There’s an old hacker saying “question everything”. It’s very relevant in this discussion.
It’s relevant in every discussion, especially this blog post.