Episode 148 - You just got pwnt, what now?

Josh and Kurt talk about public disclosure of a security incident. We start out with a story about Canva, then discuss what you do if you have a security incident. Who do you tell, and what do you tell them? How do you tell your story? It’s a really hard problem even if it’s something you’ve done many times in the past.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_148_You_just_got_pwnt_what_now.mp3
Show Notes
Dave Hall
First Canva message
Second Canva message
Forklift safety
Pixar Toy Story 2
Non financial database
Eating Crow
Comment on Twitter with the #osspodcast hashtag ...

June 3, 2019

Episode 147 - Scams and operations as part of the supply chain

Josh and Kurt talk about a new type of lockbox scam. We also discuss Slack being a target for nation state attacks. Do you consider your operations part of your supply chain? It’s totally part of your supply chain.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_147_Scams_and_operations_as_part_of_the_supply_chain.mp3
Show Notes
Lock Box Scam
Slack nation state hacker target
Comment on Twitter with the #osspodcast hashtag

May 27, 2019

Episode 146 - What the @#$% happened to Microsoft?

Josh and Kurt talk about Microsoft. They’re probably not the bad guys anymore, which is pretty wild. They’re adding a Linux kernel to Windows. Can we declare open source the unquestionable winner now?
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_146_What_the_happened_to_Microsoft.mp3
Show Notes
Github contribution report
Are we the baddies?
Comment on Twitter with the #osspodcast hashtag

May 20, 2019

Episode 145 - What do security and fire have in common?

Josh and Kurt talk about fire. We discuss the history of fire prevention and how it mirrors many of the things we see in security. There are lessons there for us; we just hope it doesn’t take 2000 years like it did for proper fire prevention to catch on.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_145_What_do_security_and_fire_have_in_common.mp3
Show Notes
History of firefighting
Comment on Twitter with the #osspodcast hashtag

May 13, 2019

Episode 144 - The security of money, which one is best?

Josh and Kurt talk about the security of money. Not how to keep it secure, but the security issues around using cash, credit, and bitcoin. We also talk about Banksy’s clever method for proving something is original.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_144_The_security_of_money_which_one_is_best.mp3
Show Notes
Banksy ten pound note
Ethereum bad wallets
Comment on Twitter with the #osspodcast hashtag

May 6, 2019

Episode 143 - Security lessons from the phone book

Josh and Kurt talk about the phone book (yeah, the big paper book people used to use). Kurt got one in the mail. While it’s certainly a relic from another time, there were security tips in it among other wild things.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_143_Security_lessons_from_the_phone_book.mp3
Show Notes
Chad Loder’s Twitter
Comment on Twitter with the #osspodcast hashtag

April 29, 2019

Episode 142 - Hypothetical security: what if you find a USB flash drive?

Josh and Kurt talk about what you could do if you find a USB drive. The context is the story where the Secret Service was rumored to have plugged a malicious USB drive into a computer. The purpose of the discussion is to explore how to handle a situation like this in the real world. We end the episode with a fantastic comparison of swim safety and security.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_142_Hypothetical_security_what_if_you_find_a_USB_flash_drive.mp3
Show Notes
Secret service flash drive story
Syncstop
Show Tags #ImpossibleSecurity
Comment on Twitter with the #osspodcast hashtag ...

April 21, 2019

Episode 141 - Timezones are hard, security is harder

Josh and Kurt talk about the difficulty of security. We look at the difficulty of the EU not observing daylight savings time, which is probably magnitudes easier than getting security right. We also hit on a discussion on Reddit about U2F that shows the difficulty. Security today is too hard, even for the experts.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_141_Timezones_are_hard_security_is_harder.mp3
Show Notes
Storing time in UTC is hard
How strong are nails and screws?
Reddit U2F comments
Comment on Twitter with the #osspodcast hashtag ...

April 15, 2019

The security of dependencies

So you’ve written some software. It’s full of open source dependencies. These days all software is full of open source; there’s no way around it at this point. I explain the background in my previous post. Now that we have all this open source, how do we keep up with it? If you’re using a lot of open source in your code there could be one or more updated dependencies per day! ...

April 10, 2019

Episode 140 - Good enough security is a pretty high bar

Josh and Kurt talk about identity. It’s a nice example we can generally understand in the context of how much security is enough security. When we deal with identity, the idea of good enough is often acceptable for the vast majority of uses. Perfect identity tracking isn’t really a thing, nor is it practical.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_140_Good_enough_security_is_a_pretty_high_bar.mp3
Show Notes
Firefighters breaking through a door
Fake engineer at the Berlin Airport
Comment on Twitter with the #osspodcast hashtag ...

April 8, 2019