Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it’s not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episodeContinue reading “Episode 332 – PyPI: 2FA or not 2FA, that is the question”
Category Archives: Podcast
Episode 331 – GPG, but nothing makes sense
Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh’s setup is like something out of a very bad spy novel. It was very over the top for a key that reallyContinue reading “Episode 331 – GPG, but nothing makes sense”
Episode 330 – The sliding scale of risk: seeing the forest for the trees
Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can’t be treated as individual vulnerabilities.Continue reading “Episode 330 – The sliding scale of risk: seeing the forest for the trees”
Episode 329 – Signing (What is it good for)
Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we endContinue reading “Episode 329 – Signing (What is it good for)”
Episode 328 – The Security of Jobs or Job Security
Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job? Show Notes Tesla Layoffs Coinbase layoffs
Episode 327 – The security of alert fatigue
Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It’s fun to laugh at this, but it’s an easy open to discussing alert fatigue and why it’s important to be very mindful of our communications. Show Notes GitHub 400K notifications Hacker News thread Reddit user TV Bluetooth
Episode 326 – Big fat containers
Josh and Kurt talk about containers. There are a lot of opinions around what type of containers is best. Back when it all started there were only huge distro sized containers. Now we have a world with many different container types and sizes. Is one better? Show Notes Programming in the Apocalypse Bob Diachenko Paranoids Podcast
Episode 325 – Is one open source maintainer enough?
Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that’s “healthy”? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean? Show Notes OpenSSF TAC Issue 101
Episode 324 – WTF is up with WFH
Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We’ve both been working from home for a long time and have a chat about the topic. There’s not much security in this one, but it isContinue reading “Episode 324 – WTF is up with WFH”
Episode 323 – The fake 7-Zip vulnerability and SBOM
Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. Show Notes Probably fake 7-Zip
Open Source Security 