
Episode 261 - DWF is back! Welcome to community powered CVE

Josh and Kurt talk about DWF. It’s back, and the intention is to have real community-driven security identifiers!
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_261_DWF_is_back_Welcome_to_community_powered_CVE.mp3
Show Notes:
Committee vs Community
dwflist repo
dwf-request tooling repo
dwf-workflow policy repo
CVE plateau graph
iwantacve.org

March 8, 2021

Episode 260 - Dave Jevans tells us what CipherTrace is up to

Josh and Kurt talk with Dave Jevans, CEO of CipherTrace and chairman of the Anti-Phishing Working Group, about the challenges of keeping track of cryptocurrency in the modern age.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_260_Dave_Jevans_tells_us_what_CipherTrace_is_up_to.mp3
Show Notes:
Dave’s Twitter
CipherTrace
Anti-Phishing Working Group

March 1, 2021

Episode 259 - What even is open source anymore?

Josh and Kurt talk about the question “what is open source?” Why do we think it’s broken today, and what sort of ideas are there about what should come next?
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_259_What_even_is_open_source_anymore.mp3
Show Notes:
OSI
Bruce Perens: Post Open Source
Josh’s community blog post
Cory Doctorow Uber Twitter thread

February 22, 2021

Episode 258 - Stop using C

Josh and Kurt talk about the Google Project Zero report titled “A Year in Review of 0-days Exploited In-The-Wild in 2020”. It’s a cool report, but we don’t agree on the conclusion. The answer isn’t to “security harder”, it’s to stop using C.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_258_Stop_using_C.mp3
Show Notes:
Google Project Zero: Year of 0-days
Kurt’s CUPS tweet

February 15, 2021

Episode 257 - The sudo and libgcrypt vulnerabilities

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What’s the deal with these buffer overflows and TOCTOU (time-of-check to time-of-use) bugs?
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_257_The_sudo_and_libgcrypt_vulnerabilities.mp3
Show Notes:
Sudo buffer overflow
Sudo SELinux bug
libgcrypt buffer overflow

February 8, 2021

Episode 256 - 9 bits of podcast, 8 bits of computing

Josh and Kurt talk about 8-bit computing. What sort of security lessons can we learn from the 8-bit world? More than you think.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_256_9_bits_of_podcast_8_bits_of_computing.mp3
Show Notes:
Legend of Zelda random number generation
Green rocket flame
SR-71 leaked fuel
How do Namibian Himbas see colour?
Septuple meter music

February 1, 2021

Episode 255 - What if security wasn't joyless?

Josh and Kurt talk about what we can stop doing. We take the position of asking “does it spark joy?” of tools and infrastructure. Everyone is doing something they should stop.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_255_What_if_security_wasnt_joyless.mp3
Show Notes:
Does it spark joy?

January 25, 2021

Episode 254 - Right to Repair Security

Josh and Kurt talk about the new right to repair rules in the EU. There’s a strange tension between loving the idea of right to repair and, as security people, being horrified at the idea of a device being on the Internet for 30 years.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_254_Right_to_Repair_Security.mp3
Show Notes:
EU right to repair
repair.eu

January 18, 2021

Episode 253 - Defenders only need to be right once

Josh and Kurt talk about the idea, common in security, that “attackers only need to be right once”, which is silly. The reality is that attackers have to get everything right; defenders really only need to get it right once. But “defenders only need to be right once” isn’t going to sell any products.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_253_Defenders_only_need_to_be_right_once.mp3
Show Notes:
Richard Feynman and manhole covers
Richard Feynman on why he can’t tell you how magnets work
Israeli airport security
FAA stolen sweater
XKCD: Is it worth the time?
CGP Grey: The trouble with transporters

January 11, 2021

Episode 252 - Is open source dangerous? Open source won, who cares, shut up!

Josh and Kurt talk about a report on open source security from the Canadian Centre for Cyber Security. The title pretty much sums it up.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_252_Is_open_source_dangerous_Open_source_won_who_cares_shut_up.mp3
Show Notes:
Security Considerations for Open Source
Build an 8-bit computer from scratch

January 4, 2021