Josh and Kurt talk about the recent GitHub breach. It wasn’t terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. Show Notes
Category Archives: Security
Episode 360 – Memory safety and the NSA
Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can’t fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but theContinue reading “Episode 360 – Memory safety and the NSA”
Episode 359 – The NOTAM outage and other legacy technology
Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It’s also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren’t any great answers here, but we do askContinue reading “Episode 359 – The NOTAM outage and other legacy technology”
Episode 358 – Furby vs Alexa
Josh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what’s changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like? Show Notes
Episode 357 – Is open source being overexploited?
Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It’s common to think of open source projects as delivered to us, but it’s more like acquiring raw materials from the forest. The problem is we’re harvesting theContinue reading “Episode 357 – Is open source being overexploited?”
The perverse incentive of vulnerability counting
It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want toContinue reading “The perverse incentive of vulnerability counting”
Episode 356 – LastPass ducked up, now what?
Josh and Kurt talk about the LastPass saga. There’s a lot of great explanations about what happened, but there hasn’t been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. TheContinue reading “Episode 356 – LastPass ducked up, now what?”
Episode 355 – Security Boxing Day
Josh and Kurt talk about some security gifts for boxing day. We start out with the idea of the security poverty line and discuss a few ideas for how a low resource group can make their open source more secure. There are no simple answers unfortunately. Show Notes
Episode 354 – Jerry Bell tells us why Mastodon is awesome and MFA is hard
Josh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale. Show Notes
Episode 353 – Jill MonĂ©-Corallo on GitHub’s bug bounty program
Josh and Kurt talk to Jill MonĂ©-Corallo about GitHub’s bug bounty and product security team. It’s a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. Show Notes
Open Source Security 