Podcast

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you’re staying the same size, you are actually shrinking. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_321_Relativistic_Security_Project_Zero_on_0day.mp3 Show Notes Google Project Zero blog post Apple 0days Joint cyber advisory

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_320_Security_Twitter_is_not_the_real_world.mp3 Show Notes State of Enterprise Vulnerability Detection and Patch Management CISA Known Exploited Vulnerabilities Catalog Google 0days

Josh and Kurt talk about a lot of security vulnerabilities in this month’s Patch Tuesday. There’s also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn’t binary, the right answer is whatever works best for you, not what someone tells you is best. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_319_Patch_Tuesday_with_a_capital_T.mp3 Show Notes Patch Tuesday Git security update

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_318_Social_engineering_and_why_zlib_got_a_2018_CVE_ID.mp3 Show Notes Hackers using fake emergency data requests CVE-2018-25032 Global Security Database

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there’s not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_317_The_lack_of_compromise_in_security.mp3 Show Notes Josh’s Twitter thread How to install week old npm packages

Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’ Law, in open source the superpower isn’t bugs are shallow (they’re not), the superpower is security bugs in open source can’t be ignored. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_316_You_have_to_use_open_source.mp3 Show Notes node-ipc protestware

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_315_Who_even_makes_all_these_terrible_decisions.mp3 Show Notes Ads in Windows Filemanager Russia running out of storage Russia threatens to nationalize industry Onagawa Nuclear Power Plant Cockcroft’s Follies German government advises citizens to uninstall Kaspersky

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There’s almost no way a bug like this could be found outside of open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_314_The_Linux_Dirty_Pipe_vulnerability.mp3 Show Notes Dirty Pipe Writeup

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There’s a lot of new thinking we need to push security forward. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_313_Insecurity_at_scale.mp3 Show Notes Stable Linux Kernel and Machine Learning

Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_312_The_Legend_of_the_SBOM.mp3 Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism