Episode 28 - RSA Conference 2017

Josh and Kurt discuss their involvement in the upcoming 2017 RSA conference: Open Source, CVEs, and Open Source CVE. Of course IoT and encryption manage to come up as topics.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/303432626-opensourcesecuritypodcast-episode-28-rsa-conference-2017.mp3

Show Notes
Kurt’s talk - Saving CVE with open source
Josh’s P2P session - Managing Your Open Source
Join our Facebook Group
Comment on Twitter with the #osspodcast hashtag

January 19, 2017

What does security and USB-C have in common?

I’ve decided to create yet another security analogy! You can’t tell, but I’m very excited to do this. One of my long-standing complaints about security is that there are basically no good analogies that make sense. We always try to talk about auto safety, or food safety, or maybe building security, or how about pollution. There’s always some sort of existing real-world scenario we try to warp and twist so we can tell a security story that makes sense. So far they’ve all failed. The analogy always starts out strong, then something happens that makes everything fall apart. I imagine a big part of this is because security is really new, but it’s also really hard to understand. It’s just not something humans are good at understanding. ...

January 16, 2017

Episode 27 - Prove to me you are human

Josh and Kurt discuss NTP, authentication issues, network security, airplane security, AI, and Minecraft.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/302981179-opensourcesecuritypodcast-episode-27-prove-to-me-you-are-human.mp3

Show Notes
NTP “Attack”
U2F Tokens
Paying ransoms with iTunes gift cards
Cloudflare Porcupine
Google Security Design Overview
Drone collides with a plane
Israeli Security
Harvest.ai
Minecraft Mod installer
Skyblock
Join our Facebook Group
Comment on Twitter with the #osspodcast hashtag

January 16, 2017

Episode 26 - Tell your sister, Stallman was right

Josh and Kurt end up discussing video game speed running, which is really just hacking. We also end up discussing the pitfalls of the modern world where you don’t own your software or services. Stallman was right!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/302260581-opensourcesecuritypodcast-episode-26-tell-your-sister-stallman-was-right.mp3

Show Notes
Games Done Quick
Super Mario Brother Speedrun
Super Mario Brother Minus World Explanation
speedrun.com
Legend of Zelda Ghost Buffer Overflow
Double Free
Chris Evans NES audio exploit
pwsafe
Bad Ham Review
Richard Stallman ...

January 12, 2017

Episode 25 - The future is now

Josh and Kurt end up discussing CES, IoT, WiFi everywhere, and the future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/301707567-opensourcesecuritypodcast-episode-25-the-future-is-now.mp3

Show Notes
CES
WiFi Everywhere
WiFi Hairbrush
Ketchup QR Code Expired Domain
Shodan uses NTP to gain IPv6 addresses
FTC prize for securing IoT
Antivirus MITM problems
Rootshell
Consumer Reports MacBook Pro
Comment on Twitter with the #osspodcast hashtag

January 10, 2017

Security Advice: Bad, Terrible, or Awful

As an industry, we suck at giving advice. I don’t mean this in some negative, hateful way; it’s just the way it is. It’s human nature really. As a species most of us aren’t very good at giving or receiving advice. There’s always that vision of the wise old person dropping wisdom on the youth like it’s candy. But in reality they don’t like the young people much more than the young people like them. Ever notice the contempt the young and old have for each other? It’s just sort of how things work. If you find someone older and wiser than you who is willing to hand out good advice, stick close to that person. You won’t find many more like that. ...

January 9, 2017

Looks like you have a bad case of embedded libraries

A long time ago pretty much every application and library carried around its own copy of zlib. zlib is a library that does really fast and really good compression and decompression. If you’re storing data or transmitting data, it’s very likely this library is in use. It’s easy to use and is public domain. It’s no surprise it became the industry standard. Then one day, CVE-2002-0059 happened. CVE-2002-0059 was a security flaw that was easy to trigger and easy to exploit. It affected network listening applications that used zlib (which was most of them). If this came out today, it would make Heartbleed look like a joke. This was long, long ago though; most people didn’t know anything about security (or care, in many instances). If you look at the updates that came out because of this flaw, they were huge because literally hundreds of software applications and libraries had to be patched. This affected Windows and Linux, which was most everything back then. Today it would affect every device on the planet. This isn’t an exaggeration. Every. Single. Device. ...

January 3, 2017

Episode 24 - The 2016 prediction edition! (yeah, that's right, 2016)

Josh and Kurt discuss 2016 predictions in 2017, what they got right, what they got wrong, and a bunch of other random things.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/300679437-opensourcesecuritypodcast-episode-24-the-2016-prediction-edition.mp3

Show Notes
CSO Online - Top 15 security predictions for 2016
Gartner 2016 predictions
Trend Micro 2016 predictions
Dark Reading 2016 predictions
Comment on Twitter with the #osspodcast hashtag

January 3, 2017

Future Proof Security

If you’ve ever written code, even a few lines of it, you know there is always some sort of tradeoff between doing it “right” and doing it “now”. This is basically the reality of any industry, there is always the right way, and then there’s the way it’s going to get done. If you’ve ever done any sort of home remodeling project you’re well aware of uncovering the sins of the past as soon as that wall gets opened up. ...

January 2, 2017

Episode 23 - We can't patch people

Josh and Kurt talk about scareware, malware, how hard this stuff is to stop, and how the answer isn’t fixing people.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/299913768-opensourcesecuritypodcast-episode-23-we-cant-patch-people.mp3

Show Notes
Bitsquatting
Typosquatting
L.A. Phishing
Uber Email
IDS Infomercial subreddit (Where did the soda go?)
Super Mario Run Malware
Booba
Methbot
Sumitomo copper affair
Comment on Twitter with the #osspodcast hashtag

December 28, 2016