Podcast

Josh and Kurt talk about the recent GitHub breach. It wasn’t terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_361_GitHub_got_pwnt_but_it_wasnt_very_exciting.mp3 Show Notes GitHub blog post Hacker History Podcast episode with Robert Super Mario 64 decompile Mario 64 built without optimization Link to the Past source code

Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can’t fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_360_Memory_safety_and_the_NSA.mp3 Show Notes NSA Releases Guidance on How to Protect Against Software Memory Safety Issues Drum memory and the story of Mel Netflix performance Discord Go vs Rust NVIDIA switch to Spark

Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It’s also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren’t any great answers here, but we do ask a lot of questions about long running tech. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_359_The_NOTAM_outage_and_other_legacy_technology.mp3 Show Notes NOTAM outage AIX is not dead IBM Linux commercial Apple A/UX How NOT To Implement the POSIX Standard, Featuring Windows NT iSH Hand Made Vacuum Tubes

Josh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what’s changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_358_Furby_vs_Alexa.mp3 Show Notes Furby source code Talking Toy Or Spy? Adam Ruins Everything - Why Jaywalking Is a Crime

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It’s common to think of open source projects as delivered to us, but it’s more like acquiring raw materials from the forest. The problem is we’re harvesting the raw materials in an unsustainable manner at the moment. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_357_Is_open_source_being_overexploited.mp3 Show Notes I am not a supplier Josh’s question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesome Games Done Quick GeoGuessr Awesome Games Done Quick 2023

Josh and Kurt talk about the LastPass saga. There’s a lot of great explanations about what happened, but there hasn’t been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. The real problem is how LastPass is dealing with this, not the technical details. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_356_LastPass_ducked_up_now_what.mp3 Show Notes Great writeup of LastPass Jeremi M Gosney Mastodon explanation Tavis writeup on password managers Use a Passphrase

Josh and Kurt talk about some security gifts for boxing day. We start out with the idea of the security poverty line and discuss a few ideas for how a low resource group can make their open source more secure. There are no simple answers unfortunately. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_355_Security_Boxing_Day.mp3 Show Notes Wendy Nather Security Poverty Line Boots Theory

Josh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_354_Jerry_Bell_tells_us_why_Mastodon_is_awesome_and_MFA_is_hard.mp3 Show Notes infosec.exchange MFA discussion Jerry’s 2FA advice MalwareTech retracts Mastodon statements

Josh and Kurt talk to Jill Moné-Corallo about GitHub’s bug bounty and product security team. It’s a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_353_Jill_Mone-Corallo_on_GitHubs_bug_bounty_program.mp3 Show Notes Jill’s Twitter Jill’s Mastodon GitHub Bug Bounty Bug bounty scope Eight years of the GitHub Security Bug Bounty program GitHub NPM bug bounty find

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it’s also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_352_Stylometry_removes_anonymity.mp3 Show Notes Hacker News Stylometry Analyzer FBI Profiler on the Unabomber Impersonate Eli Lilly for $8 Shakespeare Stylometry