Podcast

gas-station-1688175_1280

Episode 271 - Pipeline security: There is no problem humans can't make worse

Josh and Kurt talk about how people handle problems. We open with the story of the Colonial Pipeline hack, but then go into some of the ways people tend to make problems worse. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_271_Pipeline_security_There_is_no_problem_humans_cant_make_worse.mp3 Show Notes Male vs Female trees Pipeline hack XKCD Pipelines TSA Pipeline Security

May 17, 2021
cloudy-1869753_1920

Episode 270 - Hello dark patterns my old friend

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse a user into doing something they don’t want to, like unknowingly purchasing a monthly subscription to something you don’t need or want. The US Federal Trade Commission is starting to discuss dark patterns in webs sites and apps. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_270_Hello_dark_patterns_my_old_friend.mp3 Show Notes Dark Patterns Types of Dark Patterns FTC Bringing Dark Patterns to Light LTT Dell Warranty

May 10, 2021
chemistry-3533039_1920

Episode 269 - Do not experiment on the Linux Kernel

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There’s a lot to unpack in this one, but the TL;DR is you probably don’t want to experiment on the kernel. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_269_Do_not_experiment_on_the_Linux_Kernel.mp3 Show Notes Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research University of Minnesota security researchers apologize for deliberately buggy Linux patches The International Obfuscated C Code Contest

May 3, 2021
pipes-5146458_1920

Episode 268 - Can we trust any 3rd parties?

Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_268_Can_we_trust_any_3rd_parties.mp3 Show Notes Europe and 5G Codecov Codecov Reuters story Red Hat OpenSSH advisory

April 26, 2021
cornwall-540462_1920

Episode 267 - Does 0day still mean 0day?

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that’s OK. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_267_Does_0day_still_mean_0day.mp3 Show Notes Hacker History Podcast Chrome 0day NTFS Documentation

April 19, 2021
antenna-parables-3546647_1920

Episode 266 - The future of security scanning with Debricked

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_266_The_future_of_security_scanning_with_Debricked.mp3 Show Notes Debricked Emil’s Linkedin

April 12, 2021
statue-2393168_1920

Episode 265 - The lies closed source can tell, open source can't

Josh and Kurt talk about the PHP backdoor and the Ubiquity whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_265_The_lies_closed_source_can_tell_open_source_cant.mp3 Show Notes PHP backdoor Ubiquity coverup 3D printed TSA keys LockPickingLaywer Determining Key Shape from Sound Lock camera

April 5, 2021
gun-2423391_1920

Episode 264 - DevSecOps with GitLab's Mark Loveless

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It’s a great conversation. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_264_DevSecOps_with_GitLabs_Mark_Loveless.mp3 Show Notes Mark Loveless Twitter GitLab GitLab Handbook How we approach open source security PASTA threat modeling GitLab security features Tales from the Past - “You Tested Positive for TNT”

March 29, 2021
signs-2799416_1920

Episode 263 - GitHub pulls exploits, LinuxFoundation sign all the things

Josh and Kurt talk about how terrible daylight savings is. GitHub yanking some exploit code. And the Linux Foundation new project to sign all the things. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_263_GitHub_pulls_exploits_LinuxFoundation_sign_all_the_things.mp3 Show Notes Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github GitHub content restrictions Reproducing the Microsoft Exchange Proxylogon Exploit Chain

March 22, 2021
sysdig_Horz_Color_Logo_RGB_lrg

Episode 262 - A discussion with Loris and Pop from Sysdig

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, they huge code donation to the CNCF and what securing a modern infrastructure looks like today. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_262_A_discussion_with_Loris_and_Pop_from_Sysdig.mp3 Show Notes Sysdig Falco Loris’ Twitter Dan “Pop” Popandrea’s Twitter Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF pdig Sysdig 2021 container security and usage report: Shifting left is not enough

March 15, 2021