
Episode 308 - Welcome to the jungle - How to talk about open source security

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It’s hard to talk about security sometimes.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_308_Welcome_to_the_jungle_How_to_talk_about_open_source_security.mp3
Show Notes: Josh’s computer vision code; Twitter secrets; Qualys pwnkit

January 31, 2022

Episode 307 - Got vulnerabilities? Introducing GSD

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers.
https://traffic.libsyn.com/secure/forcedn/opensourcesecuritypodcast/Episode_307_Got_vulnerabilities_Introducing_GSD.mp3
Show Notes: We rate dogs; Racoons that heal your sadness; Global Security Database; Episode 261 – DWF is back! Welcome to community powered CVE; GSD mailing list; GSD Circle group; GSD Database; GSD Project Plan

January 24, 2022

Episode 306 - Open source isn't broken, it's an experience

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_306_Open_source_isnt_broken_its_an_experience.mp3
Show Notes: Developer corrupts colors and faker; Will Wright Pee; Internet Anonymity

January 17, 2022

Episode 305 - Norton, Ethereum, NFT, and Apes

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea; we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world of cryptocurrency is very confusing for normal people. None of this is new: there have always been con artists, and there will always be con artists.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_305_Norton_Ethereum_NFT_and_Apes.mp3
Show Notes: Norton Crypto FAQ; Stolen Ape; Smart contract to buy the constitution; YEAR token

January 10, 2022

Episode 304 - Will we ever fix all the vulnerabilities?

Josh and Kurt talk about the question: will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course “no”, but why it is no is very complicated. Far more complicated than either of us thought it would be.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_304_Will_we_ever_fix_all_the_vulnerabilities.mp3
Show Notes: Will cyber security vulnerabilities ever “stop existing”?

January 3, 2022

Episode 303 - Log4j Christmas Spectacular!

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure we’ll be talking about it well into the future.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_303_Log4j_Christmas_Spectacular.mp3
Log before Christmas poem
‘Twas the night before Christmas, when all through the stack
Not a scanner was scanning, not even a rack,
...

December 27, 2021

Episode 302 - Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then. Good luck to everyone dealing with this thing.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_302_Log4j_is_a_mess.mp3
Show Notes: Log4j GSD entry; Minecraft server discussion; Log4j GitHub issue 608

December 20, 2021

Episode 301 - You're holding it wrong: the importance of unlearning

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day, which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way is too good to ignore.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_301_Youre_holding_it_wrong_the_importance_of_unlearning.mp3
Show Notes: Lawfare Apple NSO podcast; New way to play Tetris

December 13, 2021

log4j is hard to find and harder to fix

If you pay attention to tech news, you know what’s going on with log4j right now. It’s being called Log4Shell, which is a great name. I’ll spare you repeating the details of the issue; there are many, many stories about it at this point. What I’ve not seen is a good explanation of why knowing whether you are using log4j is hard, and why fixing it will be even harder than finding it. ...

December 12, 2021

Episode 300 - Apple vs NSO: What can copyright do for you?

This episode needs a huge disclaimer: we got almost all of the details of this wrong; the lawsuit is based on the CFAA, not on copyright. We apologize for this enormous oversight. Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn’t always make sense. Copyright has been used by open source to expand rights, and by many companies to restrict rights. It’s a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens. ...

December 6, 2021