
Episode 301 - You're holding it wrong: the importance of unlearning

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day, which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way is too good to ignore.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_301_Youre_holding_it_wrong_the_importance_of_unlearning.mp3
Show Notes: Lawfare Apple NSO podcast; New way to play Tetris

December 13, 2021

Episode 300 - Apple vs NSO: What can copyright do for you?

This episode needs a huge disclaimer: we got almost all of the details of this wrong; the lawsuit is based on the CFAA, not on copyright. We apologize for this enormous oversight. Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn't always make sense. Copyright has been used by open source to expand rights, and by many companies to restrict rights. It's a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens. ...

December 6, 2021

Episode 299 - Experts From A World That No Longer Exists

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of security and tech and disagree about how to best keep your skills up to date.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_299_Experts_From_A_World_That_No_Longer_Exists.mp3
Show Notes: Experts From A World That No Longer Exists; Neuroplasticity; Scotty and the mouse; Git 2.34; 4H Public Speaking

November 29, 2021

Episode 298 - David A Wheeler discusses the OpenSSF

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working groups are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_298_David_A_Wheeler_discusses_the_OpenSSF.mp3
Show Notes: David A Wheeler; Episode 14 – David A Wheeler: CII Badges; Sigstore joins the OpenSSF; OpenSSF Technical Working Groups; NPM requires MFA; LISH; Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks

November 22, 2021

Episode 297 - 25 years of smashing stacks, fun, and profit

Josh and Kurt talk about the famous Phrack 49 article "Smashing the Stack for Fun and Profit" turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making the exploitation of stack overflows easier, to defenders creating technologies such as stack canaries, is a direct result of this work.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_297_25_years_of_smashing_stacks_fun_and_profit.mp3
Show Notes: Phrack 49; Kurt's Interview with Elias Levy aka Aleph One

November 15, 2021

Episode 296 - Is Trojan Source a vulnerability?

Josh and Kurt talk about the new Trojan Source bug. We don't always agree on whether this is a vulnerability (it's not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don't live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_296_Is_Trojan_Source_a_vulnerability.mp3
Show Notes: Trojan Source; oss-security message; GitHub example
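The practical takeaway from the Trojan Source discussion is that the fix is not "go back to ASCII" but "notice when a file carries Unicode bidirectional controls that can make a line render in a different order than the compiler reads it". The following is an added example written for this page, not code from the podcast, the Trojan Source paper, or any project it mentions: a small scanner that reports every bidi embedding, override and isolate control (and, as a broader check, every Unicode format character) with its line and column, and a helper that rewrites them as visible markers for a reviewer. The sample source text is constructed for the example.

```python
import unicodedata

# Unicode explicit bidi formatting characters: the embeddings, overrides and
# isolates (plus their terminators) that Trojan Source abuses to make the
# rendered order of a line differ from the order the compiler sees.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(text):
    """Return (line, column, short name) for every bidi control in text.

    Lines and columns are 1-based so they can be pasted into an editor.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
    return hits


def find_format_chars(text):
    """Broader check: report every character of Unicode category Cf (format).

    This covers the bidi controls above and also zero-width characters that
    are invisible in most editors. Returns (line, column, Unicode name).
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":
                hits.append((line_no, col, unicodedata.name(ch, "UNKNOWN")))
    return hits


def make_visible(text):
    """Replace each bidi control with a visible <NAME> marker for review."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
                   for ch in text)


# Constructed sample, not taken from the paper or from any real project:
# an RLO/PDF pair hidden in a comment and an LRI/PDI pair inside a string.
SAMPLE = (
    "x = 1\n"
    "# \u202ereversed\u202c comment\n"
    "y = 'abc\u2066isolated\u2069'\n"
)

if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line_no} col {col}: {name}")
    print(make_visible(SAMPLE))
```

This is a presence check, the same shape of check that compilers and code hosts added in response to the paper: it does not try to run the bidi algorithm to predict how an editor will draw the line, it simply flags that the controls are there. Outside of string literals that genuinely carry right-to-left text, any hit in source code deserves a look, and running the scanner in CI over every file in a change is cheap enough to be worth doing.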

November 8, 2021

Episode 295 - Open source security isn't free

Josh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_295_Open_source_security_isnt_free.mp3
Show Notes: UAParser.js; CISA announcement

November 1, 2021

Episode 294 - Chris Wysopal on the state of security education

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What is the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_294_Chris_Wysopal_on_the_state_of_security_education.mp3
Show Notes: Chris Wysopal; Veracode; l0phtcrack

October 25, 2021

Episode 293 - Scoring OpenSSF Security Scoring

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no-brainer activities. We go through the list of metrics being measured. There are only a few that we don't think are fantastic.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_293_Scoring_OpenSSF_Security_Scoring.mp3
Show Notes: 4 of spades; OpenSSF; Chris Montgomery audio explanation; Scorecard 3.0.0; Scoring criteria; Python Skeleton

October 18, 2021

Episode 292 - Apache RCE and Twitch epic pwn

Josh and Kurt talk about the recent Twitch hack and how, in the modern age, leaking source code almost certainly doesn't matter. The leaked data, however, is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_292_Apache_RCE_and_Twitch_epic_pwn.mp3
Show Notes: Parasocial Relationship; Twitch Hack; Soviet B-29 Clone; Apache CVE; Apache Advisory; GossiTheDog Tweet; Hacker Fantastic exploit

October 11, 2021