
Episode 331 - GPG, but nothing makes sense

Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh’s setup is like something out of a very bad spy novel. It was very over the top for a key that really didn’t matter.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_331_GPG_but_nothing_makes_sense.mp3

Show Notes:
- XKCD signed email
- Shire calendar
- Guardian editors destroy Snowden laptop

July 11, 2022

Episode 330 - The sliding scale of risk: seeing the forest for the trees

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can’t be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_330_The_sliding_scale_of_risk_seeing_the_forest_for_the_trees.mp3

Show Notes:
- gsd.id
- The Register OpenSSL story
- OpenSSL bug

July 4, 2022

Episode 329 - Signing (What is it good for)

Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signed content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, and what do we think the future looks like? This episode will have something for everyone to complain about! ...
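The https-versus-detached-signature question above is easier to reason about with the two checks side by side. The following is an added example, not code from the podcast or its hosts; it uses Ed25519 from the Go standard library and a constructed placeholder artifact. It models a mirror (or anyone controlling the TLS endpoint) swapping the artifact for a modified copy: a checksum file fetched from the same server still matches, because the attacker republished it too, while a detached signature checked against a publisher key obtained out of band does not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Outcome records what each verification strategy concludes in the scenario below.
type Outcome struct {
	GenuineSigOK   bool // untouched artifact, publisher's detached signature
	TamperedSigOK  bool // artifact modified on the mirror, publisher's original signature
	ForgedSigOK    bool // attacker re-signs the modified artifact with a key of their own
	ChecksumSwapOK bool // attacker replaces the artifact and its SHA-256 file together
}

// signArtifact produces a detached signature: the artifact bytes are untouched and
// the signature travels as a separate file.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// verifyDetached checks the artifact against a signature using only a public key the
// user obtained out of band (shipped with the OS, pinned in a package manager, etc.).
// Which channel carried the artifact is irrelevant to the result.
func verifyDetached(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// checksumMatches models "download over https and compare against a .sha256 file from
// the same server". It shows the bytes match what the server served, not who made them.
func checksumMatches(artifact, published []byte) bool {
	sum := sha256.Sum256(artifact)
	return bytes.Equal(sum[:], published)
}

// RunScenario walks through a publisher releasing an artifact and a compromised mirror
// swapping it for a modified copy. All keys and artifact bytes are constructed here.
func RunScenario() (Outcome, error) {
	pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	artifact := []byte("tool-1.2.3.tar.gz: constructed placeholder contents")
	sig := signArtifact(privKey, artifact)

	// Mirror compromise: the attacker changes the artifact, republishes its checksum,
	// and signs it with their own key. TLS still succeeds because the server is "genuine".
	tampered := append([]byte(nil), artifact...)
	tampered = append(tampered, []byte(" + backdoor")...)
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerSig := signArtifact(attackerPriv, tampered)
	attackerSum := sha256.Sum256(tampered)

	return Outcome{
		GenuineSigOK:   verifyDetached(pubKey, artifact, sig),
		TamperedSigOK:  verifyDetached(pubKey, tampered, sig),
		ForgedSigOK:    verifyDetached(pubKey, tampered, attackerSig),
		ChecksumSwapOK: checksumMatches(tampered, attackerSum[:]),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point the scenario makes is about where trust is anchored: https authenticates the server you are talking to at that moment, while the detached signature authenticates the publisher who produced the bytes, so the signature survives a compromised mirror and the checksum-from-the-same-host does not. That only holds if the public key really was obtained through a path the attacker does not control, which is the chain-of-custody problem the episode is about.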

June 27, 2022

Episode 328 - The Security of Jobs or Job Security

Josh and Kurt talk about the security of employees leaving jobs. Whether it is a voluntary departure or part of the current wave of layoffs, what are the security implications of having to remove access for one or more people departing their job?

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_328_The_Security_of_Jobs_or_Job_Security.mp3

Show Notes:
- Tesla Layoffs
- Coinbase layoffs

June 20, 2022

Episode 327 - The security of alert fatigue

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It’s fun to laugh at this, but it’s an easy opening into a discussion of alert fatigue and why it’s important to be very mindful of our communications.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_327_The_security_of_alert_fatigue.mp3

Show Notes:
- GitHub 400K notifications
- Hacker News thread
- Reddit user TV Bluetooth

June 13, 2022

Episode 326 - Big fat containers

Josh and Kurt talk about containers. There are a lot of opinions around what type of container is best. Back when it all started there were only huge distro-sized containers. Now we have a world with many different container types and sizes. Is one better?

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_326_Big_fat_containers.mp3

Show Notes:
- Programming in the Apocalypse
- Bob Diachenko
- Paranoids Podcast

June 6, 2022

Episode 325 - Is one open source maintainer enough?

Josh and Kurt talk about a recent OpenSSF issue that asks how many maintainers a “healthy” open source project should have. Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean?

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_325_Is_one_open_source_maintainer_enough.mp3

Show Notes:
- OpenSSF TAC Issue 101

May 30, 2022

Episode 324 - WTF is up with WFH

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We’ve both been working from home for a long time and have a chat about the topic. There’s not much security in this one, but it is a fun discussion.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_324_WTF_is_up_with_WFH.mp3

Show Notes:
- Boris Johnson blames cheese
- Apple and WFH

May 23, 2022

Episode 323 - The fake 7-Zip vulnerability and SBOM

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3

Show Notes:
- Probably fake 7-Zip

May 16, 2022

Episode 322 - Adam Shostack on the security of Star Wars

Josh and Kurt talk to Adam Shostack about his new book “Threats: What Every Engineer Should Learn From Star Wars”. We discuss some of the lessons and threats in the Star Wars universe; it’s an old code, I hear. We also discuss whether Star Wars is better than Star Trek for teaching security (it probably is). It’s a fun conversation and it sounds like an amazing book.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_322_Adam_Shostack_on_the_security_of_Star_Wars.mp3

Show Notes:
- Adam Shostack
- Adam’s Website
- The book

May 9, 2022