
Episode 383 - Is open source dying?

Josh and Kurt talk about the notion that open source is somehow dying. What’s actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great, probably better than ever. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_383_Is_open_source_dying.mp3 Show Notes Open Source isn’t sustainable anymore VORON Design Video of the first lathe Plane Crazy Evernote layoffs

July 10, 2023

Episode 382 - Red Hat, you were the chosen one!

Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn’t a show that bashes Red Hat, and it’s not a show praising them. We take an honest look at the past, present, and future of Linux. There’s a lot to talk about in this one. TL;DR, Red Hat was the chosen one, and we all feel betrayed. ...

July 3, 2023

Episode 381 - WTF Reddit, APIs and risk

Josh and Kurt talk about the incredible Reddit debacle. At the center of it all is an API. What does it mean to be using an API, and how does this relate back to our own risk? Many of us rely on APIs for countless things, and if a company decides to cut off that API somehow, it could create a mess. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_381_WTF_Reddit_APIs_and_risk.mp3 Show Notes Grimace’s Birthday Reddit’s new API pricing will kill off Apollo on June 30 Cory Doctorow enshittification Wal Mart pickle story Elon Musk and Mark Zuckerberg agree to hold cage fight

June 26, 2023

Episode 380 - A new Sovereign Tech Fund program and the BBC on destroying hard drives

Josh and Kurt talk about a new program from the Sovereign Tech Fund to fund open source work. It’s a great looking program with an acceptable amount of money behind the program. We also talk about a story claiming millions of perfectly good hard drives are destroyed per year. They’re probably not OK at all. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_380_A_new_Sovereign_Tech_Fund_program_and_the_BBC_on_destroying_hard_drives.mp3 Show Notes Sovereign Tech Fund Challenges Why millions of usable hard drives are being destroyed LTT Buys Storage Array

June 19, 2023

Episode 379 - Will open source save the world, again?

Josh and Kurt talk about some new open source projects that aim to start taking back some of our privacy and rights. It’s a huge hill to climb, but it seems like there is some hope. Open source doesn’t care about growth, or numbers, or anything really, so it can’t ever lose. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_379_Will_open_source_save_the_world_again.mp3 Show Notes Codeberg Veilid Hawkins Cheezies Apollo’s Reddit API costs

June 12, 2023

Rocket ships and radishes

There’s been something in the back of my brain that’s been bothering me about talks at the big conferences lately but I just couldn’t figure out how to talk about it. Until I listened to this episode of The Hacker Mind Podcast on Self Healing Operating Systems (it’s a great podcast, like and subscribe). The episode was all about this incredibly bizarre way to store operating system state in a SQL database (yeah, you read that right). The guest made no excuses that this is a pretty wild idea and it’s not going to happen anytime soon. But we need weird research like this, it’s part of the forward march of progress. ...

June 7, 2023

Episode 378 - Naming things is harder than security

Josh and Kurt talk about namespaces. They were a topic in the last podcast, and resulted in a much much larger discussion for us. We decided to hash out some of our thinking in an episode. This is a much harder problem than either of us expected. We don’t have any great answers, but we do have a lot of questions. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_378_Naming_things_is_harder_than_security.mp3 Show Notes Not Red Hat NPM hash package Episode 129 – The EU bug bounty program

June 5, 2023

Episode 377 - The world is changing too fast for humans to understand

Josh and Kurt talk about PyPI suspending new accounts and packages for a day, and a 60 Minutes story about deepfakes. The problems are mostly the same, but for very different reasons. The world is changing faster than we can keep up, so what is a human to do? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_377_The_world_is_changing_too_fast_for_humans_to_understand.mp3 Show Notes PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted (https://thehackernews.com/2023/05/pypi-repository-under-attack-user-sign.html) 60 Minutes reporter voice clone Corridor Crew deepfakes Certificate bit flip Candy is delicious

May 29, 2023

Episode 376 - Open Source Summit, who built your open source, and AI

Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn’t work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_376_Open_Source_Summit_who_built_your_open_source_and_AI.mp3 Show Notes SLSA FRSCA S2C2F MSI leak Intel microcode Tom Scott AI Video

May 22, 2023

Episode 375 - The market forces of left-pad, Episode 77 remaster part 2

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sorts of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn’t there. It may never be there. Rather than whine and complain, we need to work with our constraints. ...

May 15, 2023