
Episode 341 - Time till open source alternative

Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_341_Time_till_open_source_alternative.mp3
Show Notes: Time Till Open Source Alternative; GitHub Desktop issue 78; The Reddit Safe

September 19, 2022

Episode 340 - Let's chat about Let's Encrypt with Josh Aas

Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISRG is working on some really cool new projects.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_340_Lets_chat_about_Lets_Encrypt_with_Josh_Aas.mp3
Show Notes: Josh Aas; Internet Security Research Group (ISRG); Let's Encrypt; Let's Encrypt stats; Episode 87 – Chat with Let's Encrypt co-founder Josh Aas; New Major Funding from the Ford Foundation; ISRG annual reports

September 12, 2022

Episode 339 - Is a network problem a security vulnerability

Josh and Kurt talk about really weird networking bugs. Josh tells a story about home network problems that made no sense. There was also a qt5 bug affecting wireless networks that made virtually no sense either. What should count as a security vulnerability?
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_339_Is_a_network_problem_a_security_vulnerability.mp3
Show Notes: Resolving an unusual wifi issue; Hacker News thread; Global Security Database; IdeaPad 5 14ARE05

September 5, 2022

Episode 338 - The government didn't make vulnerabilities illegal. Yet.

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, and is it as bad as some people are claiming? It's actually not a huge deal; for most of us it's really just time to deal with product security.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_338_The_government_didnt_make_vulnerabilities_illegal_Yet.mp3
Show Notes: The Hacker Mind: The Untold Stories of Open Source; H.R.7900 - National Defense Authorization Act for Fiscal Year 2023; Kurt's blog post

August 29, 2022

Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why

Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk describing the current trend of security patches not actually fixing the security problem. We talk about what this problem means, why it is happening, and what ZDI is doing to try to nudge the industry in the right direction.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_337_Security_patches_are_getting_worse_Dustin_Childs_from_ZDI_tells_us_why.mp3
Show Notes: Dustin Childs; ZDI; Sloppy Software Patches Are a 'Disturbing Trend'; Zero Day Initiative launches new bug disclosure timelines; ISO 29147

August 22, 2022

Episode 336 - We don't have data, we have security biases

Josh and Kurt talk about our lack of security data and some of the bias problems that emerge from the data we do have. A lot of what we think of as security data is really just biased data. That is OK as long as we understand the data is broken and treat this as the first step in a longer journey.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_336_We_dont_have_data_data_we_have_security_biases.mp3
Show Notes: Tweet about data; The 6 most common types of bias when working with data; Syft and Grype stars graph; John Snow, Cholera, the Broad Street Pump; Bob Lord tweet

August 15, 2022

Episode 335 - Bull*&$% security ideas

Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_335_Bull_security_ideas.mp3
Show Notes: The tweet that started it all; replies from Mark Loveless, Mark Manning, Richard (Dick) Brooks, @ImbecillicusRex, What Train Have We Got?, Dan Alejo 🏳️‍🌈, postmodern 🇺🇸, Robert C. Seacord 🇺🇦, Yip Wai Peng, Sachin Shahi

August 8, 2022

Episode 334 - Leap seconds break everything

Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, and security is often just one huge corner case. There are lessons we can learn here.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_334_Leap_seconds_break_everything.mp3
Show Notes: How and why the leap second affected Cloudflare DNS; Facebook wants to get rid of leap seconds; Leap Smear; Falsehoods programmers believe about time

August 1, 2022

Episode 333 - Open Source is unfair

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. The policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. If you look at the big picture, it's mostly unfair to developers.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_333_Open_Source_is_unfair.mp3
Show Notes: Syft; Grype; Microsoft bans and unbans open source; Tidelift survey; Bruce Perens - What comes after open source

July 25, 2022

Episode 332 - PyPI: 2FA or not 2FA, that is the question

Josh and Kurt talk about PyPI mandating two-factor authentication for the top 1% of projects. It feels like a simple idea, but it's not once you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second- and third-order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_332_PyPI_2FA_or_not_2FA_that_is_the_question.mp3
Show Notes: PyPI announcement; NPM expired domains; Morten Linderud Tweet; Congratulations: We Now Have Opinions on Your Open Source Contributions

July 18, 2022