Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It’s not all bad though, there are some things we can do to help move things forward. This episode shouldn’t be taken too seriously. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_210_Cult_of_Information_Security.mp3 Show Notes “cult of information security” How to start a cult
Josh and Kurt talk about Secure Boot. The conversation uses the recent “Boot Hole” vulnerability to frame a conversation about what Secure Boot is and isn’t. Why the Boot Hole flaw doesn’t really matter, and why Secure Boot was very scary for Linux users back when it came out. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_209_Secure_Boot_isnt_Secure.mp3 Show Notes Boot Hole
Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it’s we don’t have metrics. Can you measure not getting hacked? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_208_Passwords_are_pollution.mp3 Show Notes Clearing checks FAIR Institute Factorio
Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text. How we create, and how social media is doing everything it can to weaponize our attention. It’s not a fight humanity is winning. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_207_Weaponized_attention.mp3 Show Notes GPT-3 AI Blipverts Show Tags #weaponizedattention #GPT-3 #GPT3
Josh and Kurt talk about Google’s new confidential VMs. The AMD Secure Encrypted Virtualization is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_206_Confidential_Virtual_Machines_The_future_of_cloud_computing.mp3 Show Notes Google confidential VMs AMD SEV SEV vs SGX Show Tags #confidentialcomputing
Josh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we’re seeing in open source security. Some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It’s a great conversation! https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_205_The_State_of_Open_Source_Security_with_Alyssa_Miller_from_Snyk.mp3 Show Notes The State of Open Source Security 2020 Alyssa’s Twitter Show Tags #opensourcesecurity
Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_204_What_Would_Apple_Do.mp3 Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables
Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren’t what they used to be, but things like BSides are great experiences. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_203_Humans_conferences_and_security_let_me_think_and_get_back_to_you_in_a_bit.mp3 Show Notes Security and Human Behaviour Josh’s blog post Mudge’s Twitter thread
Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_202_The_convergence_of_application_security.mp3 Show Notes Picture of Kurt’s security check-up Dragon controls
Josh and Kurt talk about CVSSv3 and how it’s broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it’s far more broken than any of us expected in ways we didn’t expect. NVD isn’t broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? ...