Episode 431 - Redirecting HTTP to HTTPS

Josh and Kurt talk about a blog post titled “Your API Shouldn’t Redirect HTTP to HTTPS”. It’s an interesting idea, and probably a good one. There is, however, a lot of baggage in this space, as you’ll hear in the discussion. There’s no simple solution, but this is certainly something to discuss.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_431_Redirecting_HTTP_to_HTTPS.mp3

Show Notes
Your API Shouldn’t Redirect HTTP to HTTPS
Hacker News discussion
HSTS Section 5.1

June 3, 2024
Episode 430 - Frozen kernel security

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works, and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future?

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_430_Frozen_kernel_security.mp3

Show Notes
Kurt’s strange coffee
Why a ‘frozen’ distribution Linux kernel isn’t the safest choice for security

May 27, 2024
Episode 429 - The autonomy of open source developers

Josh and Kurt talk about open source and autonomy. This is even related to some recent return-to-office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security: security people love to tell developers what to do, and developers don’t like being told what to do. ...

May 20, 2024
Episode 428 - GitHub artifact attestation

Josh and Kurt talk about a new way to sign artifacts on GitHub. It’s in beta, it’s not going to be easy to use, and it will have bugs. But that’s all OK. This is how we start. We need infrastructure like this to enable easier-to-use features in the future. Someday, everything will be signed by default.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_428_GitHub_artifact_attestation.mp3

Show Notes
GitHub artifact attestation

May 13, 2024
Episode 427 - Will run0 replace sudo?

Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it’ll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_427_Will_run0_replace_sudo.mp3

Show Notes
Conan O’Brien on Hot Ones
Lennart’s Mastodon thread
xkcd automation

May 6, 2024
Episode 426 - Automatically exploiting CVEs with AI

Josh and Kurt talk about a paper describing using an LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces, such as pen testing and intelligence services. We can’t keep up with the number of vulnerabilities we have; there’s no way we can possibly keep up with a glut of LLM-generated vulnerabilities. We really need to rethink how we handle vulnerabilities.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_426_Automatically_exploiting_CVEs_with_AI.mp3

Show Notes
OpenAI’s GPT-4 can exploit real vulnerabilities by reading security advisories
paper: LLM Agents can Autonomously Exploit One-day Vulnerabilities
Cisco Fixes RV320/RV325 Vulnerability by Banning “curl” in User-Agent
Episode 219 – Chat with Larry Cashdollar
Cory Doctorow: What Kind of Bubble is AI?

April 29, 2024
Episode 425 - Video game cheaters, also pretendo

Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti-cheat rootkits are also terrible. The clever thing, however, is using statistics to identify cheaters. Statistics don’t lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year: is this ethical?

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_425_Video_game_cheaters_also_pretendo.mp3

Show Notes
Hacker News searchable database
Benford’s law
John Oliver Medicaid
Mario64 invisible walls
Pretendo
Pretendo exploit

April 22, 2024
Episode 424 - The Notepad++ Parasite Website

Josh and Kurt talk about a Notepad++ fake website. It’s possibly not illegal, but it’s certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It’s probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn’t really notice.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_424_The_Notepad_Parasite_Website.mp3

Show Notes
Help us to take down the parasite website
Open Source is bigger than you can imagine
Toronto Pearson International Airport heist

April 15, 2024
Episode 423 - FCC cybersecurity label for consumer devices

Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark, similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It’s a really weird and hard problem.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_423_FCC_cybersecurity_label_for_consumer_devices.mp3

Show Notes
GrapheneOS
FCC approves cybersecurity label for consumer devices
Cyber Trust Mark Logo

April 8, 2024
XZ Bonus Spectacular Episode

Josh and Kurt talk about the recent events around XZ. It’s only been a few days, and it’s amazing what we already know. We explain a lot of the basics we currently know, with the expectation that many of these details will change quickly over the coming week. We can’t fix this problem as it stands; we don’t know where to start yet. But that’s not a reason to lose hope. We can fix this if we want to, but it won’t be flashy, it’ll be hard work. ...

April 1, 2024