Security

Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell us different things depending on what we need to know. We also cover some of the community efforts happening around SBOMs. They’re still not easy to use, but it’s better better. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_364_Using_SBOMs_is_hard.mp3 Show Notes SBOM Types draft SBOM Drift OpenSSF SBOM Everywhere

Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_363_Joylynn_Kirui_from_Microsoft_on_De_SecOps.mp3 Show Notes Joylynn Kirui Joylynn on DVT Tech Insights Episode 174 - a chat with GitHub about CodeQL S2C2F Azure Open Source Day

Josh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it’s different. Why Rust doesn’t have the same problems C and C++ have, and what the future of it all could look like. It’s a really fun show with some great questions from Carol along the way. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_362_A_lesson_in_Rust_from_Carol_Nichols.mp3 Show Notes Carol Nichols on Mastodon The Rust Programming Language, 2nd Edition Rust book online Netflix tech blog on Java performance Rust in the context of Railroad Brakes Kees Cook blog - Bounded Flexible Arrays in C Consumer Reports on memory safety OSS-Fuzz and Rust

Josh and Kurt talk about the recent GitHub breach. It wasn’t terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_361_GitHub_got_pwnt_but_it_wasnt_very_exciting.mp3 Show Notes GitHub blog post Hacker History Podcast episode with Robert Super Mario 64 decompile Mario 64 built without optimization Link to the Past source code

Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can’t fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_360_Memory_safety_and_the_NSA.mp3 Show Notes NSA Releases Guidance on How to Protect Against Software Memory Safety Issues Drum memory and the story of Mel Netflix performance Discord Go vs Rust NVIDIA switch to Spark

Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It’s also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren’t any great answers here, but we do ask a lot of questions about long running tech. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_359_The_NOTAM_outage_and_other_legacy_technology.mp3 Show Notes NOTAM outage AIX is not dead IBM Linux commercial Apple A/UX How NOT To Implement the POSIX Standard, Featuring Windows NT iSH Hand Made Vacuum Tubes

Josh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what’s changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_358_Furby_vs_Alexa.mp3 Show Notes Furby source code Talking Toy Or Spy? Adam Ruins Everything - Why Jaywalking Is a Crime

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It’s common to think of open source projects as delivered to us, but it’s more like acquiring raw materials from the forest. The problem is we’re harvesting the raw materials in an unsustainable manner at the moment. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_357_Is_open_source_being_overexploited.mp3 Show Notes I am not a supplier Josh’s question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesome Games Done Quick GeoGuessr Awesome Games Done Quick 2023

It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want to have as few vulnerabilities in the open source you’re using, so logically zero is the goal. ...

Josh and Kurt talk about the LastPass saga. There’s a lot of great explanations about what happened, but there hasn’t been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. The real problem is how LastPass is dealing with this, not the technical details. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_356_LastPass_ducked_up_now_what.mp3 Show Notes Great writeup of LastPass Jeremi M Gosney Mastodon explanation Tavis writeup on password managers Use a Passphrase