
Episode 293 - Scoring OpenSSF Security Scoring

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards measure are no-brainer activities. We go through the list of metrics being measured. There are only a few that we don't think are fantastic.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_293_Scoring_OpenSSF_Security_Scoring.mp3

Show Notes
- 4 of spades
- OpenSSF
- Chris Montgomery audio explanation
- Scorecard 3.0.0
- Scoring criteria
- Python Skeleton

October 18, 2021

Episode 292 - Apache RCE and Twitch epic pwn

Josh and Kurt talk about the recent Twitch hack and how, in the modern age, leaking source code almost certainly doesn't matter. The leaked data, however, is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_292_Apache_RCE_and_Twitch_epic_pwn.mp3

Show Notes
- Parasocial Relationship
- Twitch Hack
- Soviet B-29 Clone
- Apache CVE
- Apache Advisory
- GossiTheDog Tweet
- Hacker Fantastic exploit

October 11, 2021

Episode 291 - Everyone sucks at vulnerability disclosure

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you'll have some fun and learn a bit about the whole vulnerability disclosure process.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_291_Everyone_sucks_at_vulnerability_disclosure.mp3

Show Notes
- Apple 0days
- Microsoft Exchange flaw
- THIS IS HOW THEY TELL ME THE WORLD ENDS
- Linux Foundation Vulnerability Disclosure
- Timezone problem

October 4, 2021

Episode 290 - The security of the Matrix

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s, how Neo probably ran Linux, and how they used a real ssh exploit. A lot of the plot is a bit silly. It's a really fun episode.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_290_The_security_of_the_Matrix.mp3

Show Notes
- Matrix 4 trailer
- nmap in the Matrix
- VFX Artists react to the Mandalorian
- Glasshouse
- Universal Paperclips

September 27, 2021

Episode 289 - Who left this 0day on the floor?

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It's certainly been a wild week, with Apple and Chrome 0days and a Travis CI secret leak. Maybe this is the new normal.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_289_Who_left_this_0day_on_the_floor.mp3

Show Notes
- Matrix 4 trailer
- Travis CI issue
- Apple 0day patches
- Chrome 0day patches
- CGP Grey Where is the European Union

September 20, 2021

Episode 288 - Linux Kernel compiler warnings considered dangerous

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that go against how GitHub works. They're also turning all compiler warnings into errors. It's really interesting to understand what these steps mean today, and what they could mean in the future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_288_Linux_Kernel_compiler_warnings_considered_dangerous.mp3

Show Notes
- The Register Linux story
- OpenSSL Release Notes

September 13, 2021

Episode 287 - Is GitHub's Copilot the new Clippy?

Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future, or just some sort of strange new thing that will be gone as fast as it came?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_287_Is_GitHubs_Copilot_the_new_Clippy.mp3

Show Notes
- GitHub Copilot
- Copilot research paper

September 6, 2021

Episode 286 - Open source supply chain with Google's Dan Lorenc

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space, and what sort of new things can we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_286_Open_source_supply_chain_with_Googles_Dan_Lorenc.mp3

Show Notes
- Dan's Twitter
- Sigstore
- SLSA Framework

August 30, 2021

Episode 285 - Open source owes you nothing!

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren't a help desk.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_285_Open_source_owes_you_nothing.mp3

Show Notes
- Emacs closes 45% of bugs
- UVI
- Tesla investigation
- UK COVID spreadsheet

August 23, 2021

Episode 284 - What happens when we DRM power tools?

Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this? What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don't have any real answers for.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_284_What_happens_when_we_DRM_power_tools.mp3

Show Notes
- Home Depot power tools
- Ray Ozzie's IoT board
- First-sale doctrine

August 16, 2021