
Episode 204 - What Would Apple Do?

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_204_What_Would_Apple_Do.mp3

Show Notes:
- Apple one year certificates
- Apple declines to implement 16 new APIs
- Apple is tracking unsigned executables

July 6, 2020

Episode 203 - Humans, conferences, and security: let me think and get back to you in a bit

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of whether a conference is useful or not. We come to the agreement that the big shows aren't what they used to be, but things like BSides are great experiences.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_203_Humans_conferences_and_security_let_me_think_and_get_back_to_you_in_a_bit.mp3

Show Notes:
- Security and Human Behaviour
- Josh's blog post
- Mudge's Twitter thread

June 29, 2020

Episode 202 - The convergence of application security

Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_202_The_convergence_of_application_security.mp3

Show Notes:
- Picture of Kurt's security check-up
- Dragon controls

June 22, 2020

Episode 201 - We broke CVSSv3, now how do we fix it?

Josh and Kurt talk about CVSSv3 and how it’s broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it’s far more broken than any of us expected in ways we didn’t expect. NVD isn’t broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? ...

June 15, 2020

Episode 200 - Talking Container Security with Liz Rice

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_200_Talking_Container_Security_with_Liz_Rice.mp3

Show Notes:
- Container Security download
- Pictures of elephants
- Kubernetes Security book
- Starboard project
- Dynamic threat analysis

June 8, 2020

Episode 199 - Special cases are special: DNS, Websockets, and CSV

Josh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes always, not even that one time.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_199_Special_cases_are_special_DNS_Websockets_and_CSV.mp3

Show Notes:
- Bind advisory
- Robustness Principle
- eBay port scanning localhost
- OWASP CSV injection

June 1, 2020
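The "CSV files running arbitrary code" item is CSV (formula) injection: a spreadsheet treats any cell that starts with `=`, `+`, `-` or `@` as a formula, so a value that a web app wrote into an export can end up launching a command when someone opens the file in Excel. The example below, added here and not from the podcast or OWASP, shows both sides: a detector that flags formula-looking cells in a CSV, and an exporter that neutralizes them the way the OWASP CSV injection page recommends. The comment rows and the DDE-style payloads in them are constructed for the demonstration.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and Google Sheets evaluate
# a cell as a formula instead of displaying it (the OWASP CSV-injection list;
# tab and carriage return are included because some importers strip them
# and then see the trigger character that follows).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula(cell: str) -> bool:
    """True if a spreadsheet would interpret `cell` as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-looking cell with a single quote so it renders as text.

    This is the OWASP recommendation: spreadsheets treat a leading quote as
    "this is a string", and none of them evaluate what follows. A negative
    number such as "-5" gets prefixed too; if a column is meant to be numeric,
    convert it to a number before export rather than passing it through here.
    """
    return "'" + cell if is_formula(cell) else cell


def export_csv(rows) -> str:
    """Serialize rows to CSV with every cell neutralized and quoted.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    double quote, which covers the remaining OWASP points (quoting every
    field and escaping quotes so a value cannot break out of its cell).
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def scan_csv(text: str):
    """Detection side: (row, column, value) for every formula-looking cell in
    an incoming CSV, e.g. a user upload or a report about to be emailed."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a "comments" export in which three users submitted
# payloads of the shapes OWASP documents (a DDE call that launches a shell,
# the '-' variant that survives a naive '=' filter, and an '@' function).
SAMPLE_ROWS = [
    ("user", "comment"),
    ("alice", "thanks for the quick fix"),
    ("mallory", "=cmd|' /C calc'!A0"),
    ("bob", "-2+3+cmd|' /C calc'!A0"),
    ("carol", "@SUM(1+1)*cmd|' /C calc'!A0"),
]

# The unsafe export is what a naive str.join of the rows produces.
UNSAFE_CSV = "\n".join(",".join(row) for row in SAMPLE_ROWS) + "\n"
SAFE_CSV = export_csv(SAMPLE_ROWS)

if __name__ == "__main__":
    print("unsafe export flags:", scan_csv(UNSAFE_CSV))
    print("safe export flags:  ", scan_csv(SAFE_CSV))
    print(SAFE_CSV)
```

The detector is the part worth keeping around: run it over exports before they leave a system and over uploads when they arrive, because the spreadsheet that finally opens the file is outside your control.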

Episode 198 - Good advice or bad advice? Hang up, look up, and call back

Josh and Kurt talk about the Krebs blog post titled "When in Doubt: Hang Up, Look Up, & Call Back". In the world of security there isn't a lot of actionable advice, so it's worth discussing whether something like this will work, or even whether it's the right way to handle these situations.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_198_-_Good_advice_or_bad_advice_Hang_up_look_up_and_call_back.mp3

Show Notes:
- When in Doubt: Hang Up, Look Up, & Call Back
- Tech Support Scam podcast: Part 1, Part 2
- STIR/SHAKEN
- Drill the wrong safe deposit box
- 2009 Bank of Ireland robbery
...

May 25, 2020

Episode 197 - Beer, security, and consistency; the newer, better, triad

Josh and Kurt talk about what beer and reproducible builds have in common. It's a lot more than you think, and it mostly comes down to quality control. If you can't reproduce what you do, you're not a mature organization, and you need maturity to have quality.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_197_Beer_security_and_consistency_the_newer_better_triad.mp3

Show Notes:
- Reinheitsgebot
- Josh's Blog Post
- Ken Thompson's Reflections on Trusting Trust
- Tor Browser Deterministic Builds
- One line package broke npm create
- Donkey Kong 64 memory leak
...

May 17, 2020
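The reproducible-builds half of the episode comes down to one test: build the same sources twice, in two different places, and check that the bytes match. The example below, added here and not from the podcast or the Tor Browser project, shows why that test usually fails for a plain tarball (file timestamps and ownership leak into the archive headers) and what pinning those fields looks like. The two-file source tree and the "checked out a day apart" timestamps are constructed; the fixed-timestamp convention follows the SOURCE_DATE_EPOCH practice used by reproducible-build tooling.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def naive_archive(src_dir: str) -> bytes:
    """What `tar cf` does by default: real mtimes, uid/gid and owner names go
    into every header, so identical sources give a different archive whenever
    they were checked out at a different time or by a different user."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname=".")
    return buf.getvalue()


def reproducible_archive(src_dir: str, source_date_epoch: int = 0) -> bytes:
    """Same content, every non-content field pinned: entries in sorted order,
    one fixed mtime (SOURCE_DATE_EPOCH), uid/gid 0 with empty owner names,
    and a fixed mode per entry type."""
    entries = []
    for root, dirs, files in os.walk(src_dir):
        entries.extend(os.path.join(root, name) for name in dirs + files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(entries):
            info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o755 if info.isdir() else 0o644
            if info.isfile():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    return buf.getvalue()


def members(archive: bytes):
    """(name, mtime) of every entry, to check what actually got pinned."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [(m.name, m.mtime) for m in tar.getmembers()]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tree(base: str, checkout_time: int) -> None:
    """Constructed two-file source tree. `checkout_time` is applied to every
    path to simulate the same commit being checked out on a different day."""
    src = os.path.join(base, "src")
    os.makedirs(src)
    files = {"README": b"demo package\n", "src/main.c": b"int main(void) { return 0; }\n"}
    for rel, content in files.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(content)
    for path in (os.path.join(base, "README"), os.path.join(base, "src/main.c"), src, base):
        os.utime(path, (checkout_time, checkout_time))


def compare_builds() -> dict:
    """Archive the identical tree twice, checked out 24 hours apart, with both
    methods. Returns the digest pairs plus the member list of one pinned archive."""
    with tempfile.TemporaryDirectory() as first, tempfile.TemporaryDirectory() as second:
        make_tree(first, 1_590_000_000)
        make_tree(second, 1_590_000_000 + 86_400)
        return {
            "naive": (sha256(naive_archive(first)), sha256(naive_archive(second))),
            "reproducible": (sha256(reproducible_archive(first)),
                             sha256(reproducible_archive(second))),
            "members": members(reproducible_archive(first)),
        }


if __name__ == "__main__":
    results = compare_builds()
    for method in ("naive", "reproducible"):
        a, b = results[method]
        print(f"{method:13s} {'MATCH' if a == b else 'DIFFER'}  {a[:16]} {b[:16]}")
```

Timestamps are only the first leak; compression headers, locale-dependent sort order and build paths embedded in binaries are the usual next ones, and the only way to find them is to keep running the two-build comparison.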

Episode 196 - Pounding square solutions into round holes: forced updates from Ubuntu

Josh and Kurt talk about automatic updates. Specifically we discuss a recent decision by Ubuntu to enable forced automatic updates. There are lessons here for the security community. We have a history of jumping to solutions rather than defining and understanding problems. Sometimes our solutions aren't the best. Also murder bees.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_196_Pounding_square_solutions_into_round_holes_forced_updates_from_Ubuntu.mp3

Show Notes:
- The Oatmeal giant bee comic
- Honeybees cook giant hornet
- Ubuntu 20.04 LTS' snap obsession has snapped me off of it
- Forum discussion
...

May 11, 2020

Episode 195 - Is BGP actually insecure?

Josh and Kurt talk about the uproar around Cloudflare's "Is BGP safe yet" site. It's always interesting watching how much people will push back on new things, even if the new thing is probably a step in the right direction. The clever thing Cloudflare is doing in this instance is they are making the BGP problem something anyone can understand. Also send us your funny dog stories.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_195_Is_BGP_actually_insecure.mp3

Show Notes:
- Is BGP safe yet?
- Reddit BGP conversation
- Hacker News BGP conversation
- Stealing cryptocurrency with BGP

Tags: #BGP
...

May 4, 2020
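What the Cloudflare site tests is whether your provider drops routes that fail RPKI route origin validation, and the cryptocurrency theft in the show notes is the kind of hijack that check is meant to stop. The example below, added here and not from the podcast or Cloudflare, implements the RFC 6811 validation outcomes (valid, invalid, not-found) against a set of ROAs and then applies the two import policies the site distinguishes between. The ROAs and announcements use documentation prefixes and private AS numbers and are constructed for the demonstration.

```python
import ipaddress

# Constructed ROAs (documentation prefixes, private ASNs; not real routing
# data). A ROA states that `asn` may originate `prefix` and any more-specific
# of it down to `max_length` bits.
ROAS = [
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 64496},
    {"prefix": "203.0.113.0/24", "max_length": 26, "asn": 64497},
    {"prefix": "2001:db8::/32", "max_length": 48, "asn": 64496},
]


def covering_roas(prefix, roas):
    """ROAs whose prefix contains the announced prefix (RFC 6811 'covering')."""
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if prefix.version == roa_net.version and prefix.subnet_of(roa_net):
            found.append(roa)
    return found


def validate(announced_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route origin validation with the outcomes RFC 6811 defines.

    not-found: no ROA covers the prefix (still most of the Internet).
    valid:     a covering ROA names this origin AS and the announced prefix
               is no longer than that ROA's max_length.
    invalid:   covering ROAs exist but none matches: wrong origin, or a
               more-specific beyond max_length (the usual hijack shapes).
    """
    prefix = ipaddress.ip_network(announced_prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa["asn"] == origin_asn and prefix.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"


def accept_routes(routes, drop_invalid: bool):
    """What a network's import policy does with the ROV result. `drop_invalid`
    is the setting the Cloudflare test probes: a network that still accepts
    'invalid' routes will follow a hijack. 'not-found' is accepted either way,
    because dropping it would blackhole every prefix without a ROA."""
    accepted = []
    for prefix, origin in routes:
        state = validate(prefix, origin)
        if state == "invalid" and drop_invalid:
            continue
        accepted.append((prefix, origin, state))
    return accepted


# Constructed announcements: the legitimate routes plus two bad ones, a
# more-specific from the wrong AS and a more-specific beyond max_length.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate
    ("203.0.113.0/26", 64497),   # legitimate, within max_length 26
    ("2001:db8:1::/48", 64496),  # legitimate IPv6 more-specific
    ("203.0.113.0/25", 64666),   # hijack: covered prefix, wrong origin
    ("192.0.2.0/25", 64496),     # too specific: the ROA caps this at /24
    ("198.51.100.0/24", 64666),  # no ROA at all
]

if __name__ == "__main__":
    for prefix, origin in ANNOUNCEMENTS:
        print(f"{prefix:20s} AS{origin:<6d} {validate(prefix, origin)}")
    print("without ROV:", len(accept_routes(ANNOUNCEMENTS, drop_invalid=False)), "routes")
    print("with ROV:   ", len(accept_routes(ANNOUNCEMENTS, drop_invalid=True)), "routes")
```

The caveat that comes up in every BGP argument: ROV checks only the origin AS, so an attacker who announces the prefix with the legitimate origin appended to a forged AS path still gets a valid result. It closes the accidental-leak and lazy-hijack cases, which is most of them, not all of them.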