Open Source Security

Open Source Malware with Paul McCarty

Mon, 13 Apr 2026 00:00:00 +0000

Josh talks to Paul McCarty of Open Source Malware about … open source malware. Paul explains why there aren’t many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It’s a fun discussion with a lot of new and interesting problems we all have to deal with.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Open source was never about trust

Sat, 11 Apr 2026 00:00:00 +0000

It’s been a rough couple of weeks for open source

There have been some high profile attacks like the TeamPCP events. Anthropic has a new model that’s going to create more security vulnerabilities than anyone can count. The number of security bug reports is going through the roof. AI slop is running rampant through GitHub. And let’s not even try to count all the hot takes from the LinkedInIstas.

It’s clear we should never trust open source again, but we should trust someone on linkedin whose company is built on top of all open source and uses AI to do everything. This feels like animal farm but the animals have all been replaced with frozen burritos. All burritos are equal, but some burritos like my linkedin posts!

Package management challenges with Andrew Nesbitt

Mon, 06 Apr 2026 00:00:00 +0000

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren’t very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it’s so hard to create a new ecosystem as well as some of the reasons we don’t see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about both existing, new, and nonexistent ecosystems.

Open Source Security at scale with Michael Winser

Mon, 30 Mar 2026 00:00:00 +0000

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It’s not cheap or easy, but he’s getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries which is the first step in a very long journey.

Eulogy for open source

Wed, 25 Mar 2026 00:00:00 +0000

Thank you for clicking on the clickbait!

What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter.

The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.

2026 State of the Software Supply Chain with Brian Fox

Mon, 23 Mar 2026 00:00:00 +0000

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the number continue to grow at alarming rates, but there’s some new interesting findings in this one. We discuss end of life and open source which is tough to define. We touch on what using AI with open source dependencies looks like (and why it’s broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn’t break everything. It’s a great report and great discussion.

MCP and Agent security with Luke Hinds

Mon, 16 Mar 2026 00:00:00 +0000

Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke’s new tool, nono which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing as well as why it’s so hard to secure them. It’s not impossible, but it’s not simple either. We end the show by discussing some of the more human aspects to security and how history may be repeating itself with security folks laughing at new users who don’t know any better.

The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer

Mon, 09 Mar 2026 00:00:00 +0000

Josh talks to Paul Kehrer and Alex Gaynor, from the Python Cryptographic Authority. Alex and Paul recently published a statement discuss the challenges posed by modern OpenSSL. We discuss the statement and their relationship with OpenSSL. We chat about some of the current features in cryptography, as well as some of what’s coming in the future. It’s a fun conversation that hits on a lot of great points.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Rust coreutils with Sylvestre Ledru

Mon, 02 Mar 2026 00:00:00 +0000

Josh talks to Sylvestre Ledru about the Rust coreutils project. We’ve been using GNU coreutils for decades now, and the goal of Rust coreutils is to rewrite these utilities in Rust. The primary reason isn’t security, it’s to modernize the code and attract new contributors. Sylvestre discusses with quite pleasant relationship with the GNU coreutils developers, some of the challenges in the project. What Ubuntu using this by default meant, and also gives us some things to watch for in the future. It’s a super fun discussion about why Rust is not only awesome, but also the future.

Goose and the Agentic AI Foundation with Brad Axen

Mon, 23 Feb 2026 00:00:00 +0000

Josh chats with Brad Axen from Block about his creation Goose as well as the Agentic AI Foundation (AAIF). I am quite skeptical of many AI claims, but Brad has a very pragmatic view about where things are today and where we might see them head. Donating Goose to the AAIF is great news as well as seeing MCP and AGENTS.MD in the foundation. We discuss how to deal with the problem of raising up junior developers, challenges of AI PRs, and some thoughts on how to get started if you’re interested in AI development.

The Global Vulnerability Intelligence Platform with Olle E. Johansson

Mon, 16 Feb 2026 00:00:00 +0000

Josh chats with Olle E. Johansson about the Global Vulnerability Intelligence Platform (GVIP). It’s no secret the current vulnerability systems are reaching a breaking point. Olle is one of the few people with a long term vision instead of trying to just fix the short term problems. His GVIP ideas are very good, but it’s a community effort and needs our help. Give it a listen and if it sounds interesting, come help us out!

Digital Sovereignty and Nextcloud with Frank Karlitschek

Mon, 09 Feb 2026 00:00:00 +0000

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, open source securities talking to Frank Kolichek, the founder and CEO of Nextcloud. I am holy cow. I’m excited to have Frank here because I feel like European digital sovereignty and Nextcloud have been just like on the top of the headlines for months now. So Frank, welcome so much.

The Art of Crisis Management with David Bernstein

Mon, 02 Feb 2026 00:00:00 +0000

Josh talks to David Bernstein about the world of crisis management and business continuity. David is a certified emergency manager and tell us about preparing for both digital and physical disruptions. Everything is IT now, so the way we think about disaster preparedness is changing. We talk about understanding risks, creating plans, and the role of practice in the world of crisis management. This is a super interesting universe and Dave was very patient and kind. I learned a lot and can’t wait for Dave to come back.

Is software ever done?

Wed, 28 Jan 2026 00:00:00 +0000

I posted a graph on LinkedIn. It showed that of the 10 million open source projects tracked by ecosyste.ms, more than half haven’t been updated in two years. I didn’t suggest old was bad or good, but I got a number of replies about most of this software is “done” so it’s fine. We don’t have any evidence either way, I’m unwilling to make any claims about the numbers (yet, I’m working on it). This got me wondering what it would mean for software to be “done”. Which then led to the question is anything ever done? It’s a lot harder to figure this out than I had expected.

WTF is a passkey with William Brown

Mon, 26 Jan 2026 00:00:00 +0000

William Brown is back! This time Josh chats with him about Passkeys. WTF are they? A Passkey is a form of multi factor authentication, but it’s not super obvious what that really means. William does a fantastic job explaining what a Passkey is, how we got to where we are today with Passkeys. He shares a ton of explanations about the whole world of authentication along the way. Some of this stuff is basically magic.

All about Suricata with Victor Julien

Mon, 19 Jan 2026 00:00:00 +0000

Josh discusses Suricata with Victor Julien, the founder and lead developer of the Suricata project. Victor explains the history of Suricata, its impact on cybersecurity, and the community that keeps it all running. Challenges like encrypted traffic and the evolution of open-source projects. Victor even gives us a glimpse into what he sees as the future of the project. There’s a lot to learn about Suricata in this one.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

The Cathedral, the Megachurch, and the Bazaar

Tue, 13 Jan 2026 00:00:00 +0000

If you’re of a certain age, you probably remember the essay The Cathedral and the Bazaar. The TL;DR was that old open source was the cathedral of exclusive developers and groups. Then the Bazaar showed up (which was the Linux Kernel for example) and that freed us from the shackles of the cathedral.

Except if we look at how things evolved, it wasn’t actually a bazaar. It was a bunch of roadside churches that are now megachurches. But there is still a bazaar, and it’s holding up our modern infrastructure.

Iocaine poisons bots with Gergely Nagy

Mon, 12 Jan 2026 00:00:00 +0000

Josh talks to Gergely Nagy (algernon) about his tool Iocaine. Iocaine creates a maze to trap scraping bots in a world a fake pages they cannot escape. algernon tells us how Iocaine effectively traps bots by serving them endless loops of nonsensical URLs and web pages. It’s an extremely clever tool that’s designed to be completely hidden from normal users, but not hidden to the scrapers.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Anubis with Xe Iaso

Mon, 05 Jan 2026 00:00:00 +0000

Josh chats with Xe Iaso, the creator of Anubis the web AI firewall. We discuss how Anubis is tackling bots and scrapers. The discussion around the scrapers is fascinating and challenging, these things are everywhere and don’t behave very nicely. There’s also discussion about running a successful open source project. Xe has a lot of experience to share with us, you’re going to learn something new with this one.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Rustls with Dirkjan and Joe

Mon, 29 Dec 2025 00:00:00 +0000

Josh talk to Dirkjan and Joe about Rustls (pronounced rustles), a Rust-based TLS library. Dirkjan and Joe are developers on Rustls. We talk about the history that got us to this point. The many many challenges in writing a TLS library (Rust or not). We also chat about some of what’s to come. Rustls has an OpenSSL compatibility layer which makes is a really interesting project.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Daniel Thompson answers: Does the CRA apply to Santa?

Mon, 22 Dec 2025 00:00:00 +0000

Josh welcomes back Daniel Thompson explore the rather silly question of whether Santa Claus needs to be compliant with the Cyber Resilience Act (CRA). This episode was intended to be silly, but it ended up being an incredibly interesting conversation. Daniel explained a great deal about how the CRA works and how it could apply to Santa Claus. The TL;DR is even if he’s giving out free stuff, the CRA almost certainly applies. Daniel also fills us in on his book (you can email Josh to enter into a drawing for a copy), and his work on web browsers for the CRA. It’s an incredibly informative discussion.

Linux Foundation Europe with Gabriele Columbro

Mon, 15 Dec 2025 00:00:00 +0000

Josh has a chat with Gabriele Columbro, Executive Director of the Fintech Open Source Foundation and General Manager of Linux Foundation Europe. We of course discuss the Cyber Resilience Act (CRA), the evolving landscape of open source regulation, and the collaborative efforts of major foundations. Open source is everywhere, but there’s also a ton of work to do now. Gabriele has really good insight into where things are today and where they are heading in the future for open source and regulation.

Updating open source dependencies with Jamie Tanna

Mon, 08 Dec 2025 00:00:00 +0000

Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the challenges of semantic versioning, supply chain security, and AI-generated code. If you’re new or old to the world of open source dependencies, there’s something to learn from this chat.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

TARmageddon with Alex Zenla

Mon, 01 Dec 2025 00:00:00 +0000

Josh discusses the TARmageddon vulnerability with Alex Zenla, CTO of Edera. In this episode, we explore the discovery of the TARmageddon vulnerability. It’s especially interesting because it’s Rust, but also involves multiple end of life crates. Alex shares the story of how Edera managed to figure all this out (it was not simple). Hard problems are still hard, but there’s a lot of lessons in this one.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Can AI replace our dependencies?

Wed, 26 Nov 2025 00:00:00 +0000

I keep seeing commentary about AI making open source dependencies obsolete. The idea is that instead of using an open source dependency, the AI will just write all the code you need. No more need for that random person in Nebraska. They can finally take a well deserved break!

Some people think this is inevitable, some think it’s hogwash. I like to take the stance of disliking everything equally. But to better understand all of this, let’s break it up into a few possible outcomes. There are 4 basic things that could happen if we take these arguments to their ridiculous extremes.

Python Security with Seth Larson

Mon, 24 Nov 2025 00:00:00 +0000

In this episode Seth Larson gives us a cornucopia of topics relating to Python security. Seth discusses the Python Software Foundation’s decision to reject a significant grant NSF. Diversity is a big deal to python, so this was a no brainier. We discuss the upcoming PyCon US conference, featuring a new security track that fosters collaboration between developers and security experts. Josh is a huge fan of having a security track at developer conferences. And we close on a paper about zip and tar archives Seth wrote. It seems like we should have zip and tar security figured out by now, but we don’t. Thankfully Seth is working on it.

Linux Vendor Firmware Service with Richard Hughes

Mon, 17 Nov 2025 00:00:00 +0000

Josh talks to Richard Hughes about the world of firmware. We cover how Richard’s journey from developing the ColorHug led to the creation of the Linux Vendor Firmware Service (LVFS), changing how firmware updates are managed for nearly every Linux user. Updating firmware has always been dicey, and on Linux it used to be impossible. Richard helps us understand how this all works and how we can all help out.

NPM supply chain attacks with Charlie Eriksen

Mon, 10 Nov 2025 00:00:00 +0000

Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. The rapid pace of change is impacting our security practices and what steps can be taken to foster resilience in the face of evolving threats.

Detecting XZ in Debian with Otto Kekäläinen

Mon, 03 Nov 2025 00:00:00 +0000

In this episode, Josh and Otto dive into the world of Debian packaging, exploring the challenges of supply chain security and the importance of transparency in open source projects. They discuss Otto’s blog post about the XZ backdoor and how it’s a nearly impossible attack to detect. Otto does a great job breaking down an incredibly complex problem into understandable pieces.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Eclipse Foundation SBOMs with Mikael Barbero

Mon, 20 Oct 2025 00:00:00 +0000

In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation’s role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation’s proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects.

Actually finding vulnerabilities using AI with Joshua Rogers

Mon, 13 Oct 2025 00:00:00 +0000

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you’re a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It’s a very sane and realistic conversation about what AI tools can and can’t do, and how humans should be interacting with these things.

Sustaining Package Repositories with Brian Fox

Mon, 06 Oct 2025 00:00:00 +0000

Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the importance of sustainable practices in the open source community. Brian tells us how organizations can reduce their footprint and contribute to a more balanced ecosystem. The package repositories cannot continue to be the world’s CDN.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Arch Linux Security with Foxboron and Anthraxx

Mon, 29 Sep 2025 00:00:00 +0000

Join us for a conversation with Foxboron (Morten Linderud) and Anthraxx (Levente Polyak), members of the Arch Linux security team. We talk about the difficulties of maintaining a Linux distribution, the challenges of handling CVEs, and the dedication of volunteers who keep the open-source community working (and how overworked those volunteers are). We explain what makes Arch a little different, how they approach their security process, and what sort of help they would love to see in the future.

OpenSSL with Hana Andersen and Anton Arapov

Mon, 22 Sep 2025 00:00:00 +0000

I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you’re a seasoned cryptographer or just curious about the future of secure communications, this episode offers insights and stories. Don’t miss out on learning how OpenSSL is still shaping the future of cryptography.

The Python Software Foundation with Deb Nicholson

Mon, 15 Sep 2025 00:00:00 +0000

In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the growth and innovation of Python, fostering an ecosystem for developers worldwide. Everything funding open-source projects to organizing community events, discover the initiatives that make the Python Software Foundation a force for positive change in the tech world.

Episode Links

Deb’s Linkedin
Python Core Devs talk about the GIL
Whither Python? Dr. Russell Keith Mcgee talks about Python’s history, including how the shift from 2 to 3 went.
Python: The Documentary, an origin story the recently released documentary about the origins of Python
Donate to the PSF as an individual
Donate to PSF as a company

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Using Mercator to map assets with Didier Barzin

Mon, 08 Sep 2025 00:00:00 +0000

In this episode, we the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator revolutionizes the way organizations map their complex information systems. From hospitals to universities and even the banking sector. Mercator helps manage and protect vast networks by creating dynamic, comprehensive maps that replace outdated Excel sheets. Join us as we explore the challenges and innovations in information security and the impact of Mercator on various industries.

Talos Linux security with Andrey Smirnov

Mon, 01 Sep 2025 00:00:00 +0000

In this episode, I discuss into the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on its immutability and minimal attack surface. Discover how these enhancements fortify your systems against vulnerabilities, ensuring a secure and resilient infrastructure. Join us as we explore the security advancements that make Talos Linux not only a super easy way to run Kubernetes, but also a very secure way.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Open Source is one person

Thu, 28 Aug 2025 00:00:00 +0000

The Register recently published a story titled Putin on the code: DoD reportedly relies on utility written by Russian dev. They should be ashamed of this story. This poor open source developer is getting beat up now to score some internet points. It’s very upsetting.

But anyway, let’s look at some receipts.

If you’re not real smrt, it seems like pointing out an open source project is written by one person in a country you don’t like is a bad thing. It could be. But it also could be the software running THE WHOLE F*CKING PLANET is written by one person. In a country. But we have no idea which country. It’s not the same person mind you, but it’s one person.

Discussing the Open Source, Open Threats? paper with Behzad and Ali

Mon, 25 Aug 2025 00:00:00 +0000

In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the role of community engagement and automated tools in addressing these discrepancies. It’s a great paper and a fantastic discussion.

crates.io trusted publishing with Tobias Bieniek

Mon, 18 Aug 2025 00:00:00 +0000

In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale open-source repository, offering a glimpse into the future of secure software distribution. Tune in to learn how these advancements are shaping the landscape of open-source development.

CVE update with Patrick Garrity

Mon, 11 Aug 2025 00:00:00 +0000

In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program. What some of the new things that have started to emerge as well as why they seem to be struggling. We end on the note that the last 3 months haven’t been confidence inspiring. It’s likely in 6 months everyone will be scrambling to deal with a difficult situation.

GCVE with Cédric Bonhomme and Alexandre Dulaunoy

Mon, 04 Aug 2025 00:00:00 +0000

In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a single centralized ID system. The work happening by CIRCL on GCVE is very impressive, with all the current CVE turmoil, this is a project we should all be paying attention to.

EU Regulations will change everything with Daniel Thompson

Mon, 28 Jul 2025 00:00:00 +0000

In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU’s new legislative framework impacts manufacturers in ways we don’t totally understand, but are going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implications for software security and the future of digital products in the European market.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Open source microprocessors with Jan Pleskac

Mon, 21 Jul 2025 00:00:00 +0000

In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. WE discuss how open source can enhance security, the complexities of integrating third-party technologies, and the future of secure computing devices.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Package URLs with Philippe Ombredanne

Mon, 23 Jun 2025 00:00:00 +0000

I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Hobbyist Maintainers with Thomas DePierre

Mon, 16 Jun 2025 00:00:00 +0000

Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront.

STIG automation with Aaron Lippold

TUF has been around for a long time now, starting out as research at New York University. At its core, TUF has a goal of letting clients securely fetch artifacts from package repositories. This sounds simple, or at least not super hard, but it’s actually a really hard problem. TUF provides a framework for signing packages that enables much stronger security guarantees than the traditional approach of curl piped to bash.

Securing GitHub Actions with William Woodruff

Mon, 12 May 2025 00:00:00 +0000

William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Embedded Security with Paul Asadoorian

Mon, 05 May 2025 00:00:00 +0000

Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul’s Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul’s show concerning reference code for the popular ESP32 microcontroller.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

tj-actions with Endor Lab's Dimitri Stiliadis

Mon, 28 Apr 2025 00:00:00 +0000

Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

What's happening with CVE

Wed, 23 Apr 2025 20:00:00 +0000

I’m not a super expert in all this, but I know enough to be dangerous. If I make any mistakes, please let me know (there are many ways to contact me listed in the “Contact” menu). I will clearly mark any changes to the post due to errors, feel free to check back and see what I got wrong. Since the CVE people won’t tell us anything useful, let’s use Cunningham’s Law to our advantage.

Syft, Grype, and Grant with Alan Pope

Mon, 21 Apr 2025 00:00:00 +0000

I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Can we trust CVE?

Sat, 19 Apr 2025 00:00:00 +0000

If you are a security nerd, and even if you’re not, you probably heard about the epic CVE mess that happened. It’s a very long story and was covered in many places, but the TL;DR was the funding for CVE fell through, panic ensued, then CISA found some temporary funds to keep the lights, so everything is fine and we can all go back to normal.

Well, some of us won’t go back to normal because the CISA funding is good for 11 months. Will there be more funding in 11 months? Will an asteroid destroy the Earth in 2032? Will society still exists at Christmas? Nobody really knows. Well that asteroid one, we sort of know that. We’ll be fine. Yay science!

CVE for EOL with Aaron Frost

Mon, 14 Apr 2025 00:00:00 +0000

Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the “vulnerable until proven otherwise” approach is the best path forward for end of life software.

Episode Links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Why I didn't go to VulnCon

Fri, 11 Apr 2025 12:00:00 +0000

VulnCon 2025 is over. I didn’t go. A bunch of people have asked me why, and rather than keep my answer to a small group, I thought it would make sense to write something public about it all.

The TL;DR is I went to a different conference that I thought was a better use of my time.

The conference I went to was Cyphercon and BSides Milwaukee. They are regional conferences in Wisconsin. Good people, great shows, a lot of fun and learning. Yeah, it was technically the week before VulnCon, but I lack the fortitude to do two conferences back to back. Some people can, I tip my hat to those folks. I’m not one of them. I should be clear though, this isn’t the only reason. I also don’t think VulnCon should exist (more on that at the end).

cargo-semver-checks with Predrag Gruevski

Mon, 07 Apr 2025 00:00:00 +0000

Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag’s work shows how automated checks can catch breaking changes before they’re released, potentially saving projects from unexpected failures and making dependency updates less painful across the entire Rust ecosystem.

Episode links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Distributed CI and Git with Lars Wirzenius

Mon, 31 Mar 2025 00:00:00 +0000

I got to chat with Lars about a new CI/CD system he’s been working on called Ambient. It sounds really cool and does some very clever things today, with even more things planned in the future. We also spend some time discussing a project he works on called Radicle, a distributed Git forge. It feels like having decentralized infrastructure might be more important than it’s ever been, for some reason.

FIDO authentication with William Brown

Mon, 24 Mar 2025 00:00:00 +0000

When William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation, William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, you’re going to learn a ton.

Episode links

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

CRA with Luis Villa

Mon, 17 Mar 2025 00:00:00 +0000

When Luis Villa said he was willing to talk to me about the CRA I knew it would be a great conversation. The number of actual lawyers who also work on open source issues isn’t a large number. Luis is one of those people and he has a ton of knowledge and insight he’s willing to share. Open source legal issues are especially weird because the very nature of the open source license was to hack copyright to give us more rights instead of less. So what did Luis have to tell us about the CRA?

Open Source Malware with Brian Fox

Mon, 10 Mar 2025 00:00:00 +0000

I recently sat down with Brian Fox, CTO and co-founder of Sonatype, about a report they recently published about malware in open source ecosystems. This is something that’s not a surprise to anyone paying attention, but there are some things Sonatype is doing in this space that’s very clever. I’ve known Brian for a long time so it was a treat to catch up and see what they found, and what it means for the future.

Open Source Foundations with Kelley Misata of Suricata

Mon, 03 Mar 2025 00:00:00 +0000

In the world of open source software, we often celebrate the code, the contributors, and the collaboration. But beneath the surface lies a world unknown to most. It’s not a secret, it’s just not something most of us pay attention to, the foundations that drive some of the open source projects. I had the opportunity to discuss this with Dr. Kelly Masada, who has served as president of the Open Information Security Foundation (OISF) for over 12 years. OISF is the organization behind Suricata, the very capable and well known open source network analysis and threat detection software.

Forking Open Source Projects with Sheogorath

Mon, 24 Feb 2025 00:00:00 +0000

If you use GitHub, you probably have “forked” a repo more times than you can count. It’s super common and the ideal way you can interact with a git repository you don’t control. But the idea of forking in open source can have another meaning, a far more interesting meaning. It’s when you take the open source project, and create a new open source project based on the first. It’s not as simple as clicking a button. The process is complicated and is a ton of corner cases.

Patching EOL Open Source with Aaron Frost

Mon, 17 Feb 2025 00:00:00 +0000

When I started Open Source Security HeroDevs reached out and asked if I wanted to have a chat. I was pretty interested in this discussion because the work HeroDevs does today is very similar to the work I did at Red Hat for a decade. While what they work on is a bit different than the sort of things we shipped in a Linux distribution, the basic idea is still the same.

Why do we keep ignoring CI security with François Proulx

Mon, 10 Feb 2025 00:00:00 +0000

When I started Open Source Security I knew one of those topics that could use more attention was the security of CI/CD systems. All the talk about securing the supply chain seems to almost exclusively focus on the development stage as well as the deployment stage. It seems like there’s not enough attention happening to the build stage (spoiler: most of the successful attacks have happened at this stage). When François Proulx reached out to chat about CD/CD systems, I couldn’t say yes fast enough.

Modern day authentication with Marc Boorshtein

Mon, 03 Feb 2025 00:00:00 +0000

When I thought doing an episode about authentication would be a good idea, Marc Boorshtein was the first person who came to mind for me. Marc knows more about authentication than anyone I know, and he’s really good at talking about it in a coherent way. Marc is the CTO of Tremolo Security, he’s been doing authentication for more than 20 years, long before many of us even knew this whole identity and authentication thing was something we should care about.

CVEs for End of Life?

Tue, 28 Jan 2025 12:00:00 +0000

Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL. And as one would expect, there are plenty of folks who think this is the best idea ever, and a bunch worried this will be the event that destroys modern civilized society.

Today there’s not really a good place to track what is or isn’t end of life software. There are some datasets being worked on but they’re very new, and it’s “yet another dataset” we will all have to figure out. CVE could be a place to track details like this, but it’s not a simple conversation.

Open Source Maintenance with Gary Kramlich

Mon, 20 Jan 2025 00:00:00 +0000

I met Gary Kramlich a few years ago at the CypherCon security conference and we now chat on signal about open source things. When I started Open Source Security I knew he was one of the people I wanted to talk to about what it looks like to keep a project, codebase, and community alive for more than a decade.

Gary is the lead developer of the Pidgin chat program. You can find him at reaperworld.com

Safety vs Security with Thomas Depierre

Mon, 13 Jan 2025 08:00:00 -0600

I had a discussion with Thomas Depierre about his experience with safety and how safety concepts can apply to the field of security.

Thomas is an experienced SRE with a background in safety, he has thoughts into how people prevent disasters constantly, often without realizing it. You can find his blog at Software Maxims

An audio version of this disucssion is also available in podcast format. Look for “Open Source Security” wherever you get your podcasts.

The Future of Open Source Security

Wed, 01 Jan 2025 08:00:00 -0600

https://traffic.libsyn.com/opensourcesecuritypodcast/2025-01-the_future_of_open_source_security.mp3

It’s a new year and time for some changes to the opensourcesecurity.io website.

This site initially was meant to be the home of general open source security content, and has carried the name “Open Source Security” since 2018. Much of the content hosted here has been from the Open Source Security Podcast, it’s time to wrap up the podcast to put the focus back on Open Source Security (dot io).

Episode 461 - The new NIST password guidance

Mon, 30 Dec 2024 00:00:00 +0000

Josh and Kurt talk about new NIST password guidance. There’s some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There’s more strict guidance against rotating passwords and complex passwords. This new guidance gives us a lot to look forward to.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_461_The_new_NIST_password_guidance.mp3

Show Notes

Episode 460 - Santa's Supply Chain Security

Mon, 23 Dec 2024 00:00:00 +0000

Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It’s all very complex

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_460_Santas_Supply_Chain_Security.mp3

Show Notes

Project Gunman

Episode 442 - The foundation of society, TLS certificates are a mess

Mon, 19 Aug 2024 00:00:00 +0000

Josh and Kurt talk about a few stories around the TLS CA certificate world. It’s all pretty dire sounding. There’s not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There’s not a lot of positive ideas here, it’s mostly a show where Kurt explains to Josh what’s going on, because Josh doesn’t want to care (and will continue to ignore all of this going forward).

Episode 441 - Is CWE useful?

Mon, 12 Aug 2024 00:00:00 +0000

Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_441_Is_CWE_useful.mp3

Show Notes

Episode 440 - "What is open source" talk Josh gave

Mon, 05 Aug 2024 00:00:00 +0000

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there’s a lot of interesting details in the questions and comments that emerged. It’s clear a lot of security people don’t really care about the fine details about what open source is, their primary goal is to help keep development secure.

Episode 439 - Where are all the youth in open source?

Mon, 29 Jul 2024 00:00:00 +0000

Josh and Kurt talk about a story talking about the “graying” of open source. There doesn’t seem to be many young people working on open source, but we don’t really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_439_Where_are_all_the_youth_in_open_source.mp3

Show Notes

The graying open source community needs fresh blood
OSPOs for Good 2024
FFmpeg bug
JSON Editor Online
https://rfc3339.com/

Episode 438 - CISA's bad OSS advice vs the Whitehouse good advice

Mon, 22 Jul 2024 00:00:00 +0000

Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are “good”. The Whitehouse on the other hand takes an approach that is very open source, get involved. Trying to measure open source isn’t producing anything actionable, but getting involved is very actionable, and very much how open source works.

Episode 437 - CocoPods and proper funding for open source

Mon, 15 Jul 2024 00:00:00 +0000

Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren’t any good solutions for open source today, but talking about these problems is important, we have to start to understand what’s going on before we can plausibly discuss solutions. If you’re an open source project that needs to put things on pause, or even walk way, that’s OK.

Episode 436 - OpenSSH and node-ip - it's all exponential growth

Mon, 08 Jul 2024 00:00:00 +0000

Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They’re quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn’t really as serious as it seems, but you still want to patch.

The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we’ve ever seen. It’s a weird conversation and we don’t have good answers. Security in general is a collection of unsolvable problems.

Episode 435 - polyfill.io - open source is too big to fix

Mon, 01 Jul 2024 00:00:00 +0000

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don’t have any answers, and it’s hard to even talk about this problem because it’s so big. The thing is though, even if we can’t fix open source, it’s here to stay.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_435_polyfill_io_open_source_is_too_big_to_fix.mp3

Show Notes

Episode 434 - Unreported vulnerabilities and everyone is getting hacked

Mon, 24 Jun 2024 00:00:00 +0000

Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn’t usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it’s because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there’s some numbers for open source specifically.

Episode 433 - Should OpenSSH block misbehaving clients?

Mon, 17 Jun 2024 00:00:00 +0000

Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of “if it’s not perfect we shouldn’t do it”. Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_433_Should_OpenSSH_block_misbehaving_clients.mp3

Show Notes

Episode 432 - Flipper Zero with Alex Kulagin

Mon, 10 Jun 2024 00:00:00 +0000

Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It’s one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can’t) do. It’s a really fun conversation.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_432_Flipper_Zero_with_Alex_Kulagin.mp3

Show Notes

Why are vulnerabilities out of control in 2024?

Mon, 03 Jun 2024 14:00:00 +0000

Updated 2025-01-16: Since writing this post, there’s now a vulnerability focused discord you can join to discuss vulnerabilities. You can join with this link

If you follow the vulnerability world, 2024 is starting to feel like we’ve become trapped in the mirror universe. NVD collapsed, the Linux kernel is generating a huge number of CVE IDs, CISA is maybe enriching the CVE data, and the growth rate of CVE is higher than its ever been. It feels like we’re careening off a cliff in the clown car where half the people are trapped inside trying to get out, and the other half are laughing at the clown honking its nose.

Episode 431 - Redirecting HTTP to HTTPS

Mon, 03 Jun 2024 00:00:00 +0000

Josh and Kurt talk about a blog post titled “Your API Shouldn’t Redirect HTTP to HTTPS”. It’s an interesting idea, and probably a good one. There is however a lot of baggage in this space as you’ll hear in the discussion. There’s no a simple solution, but this is certainly something to discuss.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_431_Redirecting_HTTP_to_HTTPS.mp3

Show Notes

Episode 430 - Frozen kernel security

Mon, 27 May 2024 00:00:00 +0000

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future?

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_430_Frozen_kernel_security.mp3

Show Notes

Episode 429 - The autonomy of open source developers

Mon, 20 May 2024 00:00:00 +0000

Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there’s some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell developers what to do. Developers don’t like being told what to do.

Episode 428 - GitHub artifact attestation

Mon, 13 May 2024 00:00:00 +0000

Josh and Kurt talk about a new to sign artifacts on GitHub. It’s in beta, it’s not going to be easy to use, it will have bugs. But that’s all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_428_GitHub_artifact_attestation.mp3

Show Notes

GitHub artifact attestation

XZ Bonus Spectacular Episode

Mon, 01 Apr 2024 12:03:26 +0000

Josh and Kurt talk about the recent events around XZ. It’s only been a few days, and it’s amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can’t fix this problem as it stands, we don’t know where to start yet. But that’s not a reason to lose hope. We can fix this if we want to, but it won’t be flashy, it’ll be hard work.

Episode 422 - Do you have a security.txt file?

Mon, 01 Apr 2024 00:00:00 +0000

Josh and Kurt talk about the security.txt file. It’s not new, but it’s not something we’ve discussed before. It’s a great idea, an easy format, and well defined. It’s not high on many of our todo lists, but it’s something worth doing.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_422_Do_you_have_a_securitytxt_file.mp3

Show Notes

RFC 9116

GitHub besieged by millions of malicious repositories in ongoing attack

Episode 415 - Reducing attack surface for less security

Mon, 12 Feb 2024 00:00:00 +0000

Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it’s possible to remove too much. A lot of today’s security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it in. It’s a weird topic, but probably pretty important.

Episode 407 - Should Santa use AI?

Mon, 18 Dec 2023 00:00:00 +0000

It’s the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There’s some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us in the near future (if it isn’t already). While less fun than we had hoped for, it’s an important conversation.

Episode 395 - Uncertainty, trust, and security

Mon, 02 Oct 2023 00:00:00 +0000

Josh and Kurt talk about uncertainty. There are a bunch of stories in the news lately that really just boil down to uncertainty. Uncertainty is incredibly dangerous for everyone. We are afraid of uncertainty, and often don’t really understand why it is. Trust is like a currency and uncertainty erodes trust faster than almost anything else.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_395_Uncertainty_trust_and_security.mp3

Show Notes

Episode 394 - The lie anyone can contribute to open source

Mon, 25 Sep 2023 00:00:00 +0000

Josh and Kurt talk about filing bugs for software. There’s the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can’t. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it’s something that can be actionable.

Episode 390 - Rust shipping binaries doesn't matter

Mon, 28 Aug 2023 00:00:00 +0000

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the class story of security vs usability. Security is never the primary goal. If a security requirement doesn’t also enable other business goals it will fail. We also touch on the news of a Rust package containing binary files. It doesn’t really have anything to do with security, it’s all about convenience.

OpenSSF Scorecard

Episode 383 - Is open source dying?

Mon, 10 Jul 2023 00:00:00 +0000

Josh and Kurt talk about the notion that open source is somehow dying. What’s actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great, probably better than ever.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_383_Is_open_source_dying.mp3

Show Notes

Episode 382 - Red Hat, you were the chosen one!

Mon, 03 Jul 2023 00:00:00 +0000

Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn’t a show that bashes Red Hat, and it’s not a show praising them. We take an honest look at the past, present, and future of Linux. There’s a lot to talk about in this one. TL;DR, Red Hat was the chosen on, and we all feel betrayed.

Rocket ships and radishes

Wed, 07 Jun 2023 01:08:58 +0000

There’s been something in the back of my brain that’s been bothering me about talks at the big conferences lately but I just couldn’t figure out how to talk about it. Until I listed to this episode of The Hacker Mind Podcast on Self Healing Operating Systems (it’s a great podcast, like and subscribe). The episode was all about this incredibly bizarre way to store operating system state in a SQL database (yeah, you read that right). The guest made no excuses that this is a pretty wild idea and it’s not going to happen anytime soon. But we need weird research like this, it’s part of the forward march of progress.

Episode 375 - The market forces of left-pad, Episode 77 remaster part 2

Mon, 15 May 2023 00:00:00 +0000

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn’t there. it may never be there. Rather than whine and complain, we need to work with our constraints.

Episode 374 - The event we called left-pad, Episode 77 remaster part 1

Mon, 08 May 2023 00:00:00 +0000

Josh and Kurt revisit Episode 77, which was named “npm and the supply chain” but was a discussion about the incident we all know now as “leftpad”. We didn’t understand what was happening at the time, but this would become an event we talk about for years to come. It’s shocking how many of the things we discuss are still completely valid five years later.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_374_The_event_we_called_left-pad_Episode_77_remaster_part_1.mp3

Show Notes

Episode 77 – npm and the supply chain

Episode 373 – HHGG security, Episode 42 remaster part 2

Mon, 01 May 2023 00:00:00 +0000

This is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It’s a fun show and it’s shocking how many of these security themes are still relevant today.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_373_HHGG_security_Episode_42_remaster_part_2.mp3

Show Notes

Episode 372 - HHGG security, Episode 42 remaster part 1

Mon, 24 Apr 2023 00:00:00 +0000

The podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools and talent has come a long way in the last few years).

This is a remaster of Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It’s a fun show and it’s shocking how many of these security themes are still relevant today.

Episode 368 - The Sovereign Tech Fund with Fiona Krakenbürger

Mon, 27 Mar 2023 00:00:00 +0000

Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it’s doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future.

The perverse incentive of vulnerability counting

Tue, 03 Jan 2023 15:16:05 +0000

It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want to have as few vulnerabilities in the open source you’re using, so logically zero is the goal.

Episode 345 - Cheap hacking devices turn security upside down

Mon, 17 Oct 2022 00:01:00 +0000

Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security?

Episode 344 - Python tarfile - 2022 is nothing like 2007

Mon, 10 Oct 2022 00:01:00 +0000

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what’s OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_344_Python_tarfile_2022_is_nothing_like_2007.mp3

Show Notes

Episode 343 - Stop trying to fix the open source software supply chain

Mon, 03 Oct 2022 00:01:00 +0000

Josh and Kurt talk about a blog post that explains there isn’t really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_343_Stop_trying_to_fix_the_open_source_software_supply_chain.mp3

Show Notes

Episode 342 - Programming languages are the new operating system

Mon, 26 Sep 2022 00:01:00 +0000

Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_342_Programming_languages_are_the_new_operating_system.mp3

Show Notes

Holding open source to a higher standard

Sun, 25 Sep 2022 23:54:17 +0000

Open source has always been held to a higher standard. It has always surpassed this standard.

I ran across a story recently about a proposed bill in the US Congress that is meant to “help” open source software. The bill lays out steps CISA should take to help secure open source software. This post isn’t meant to argue if open source needs to be fixed (it doesn’t), but rather let’s consider the standards and expectations open source is held to.

Episode 341 - Time till open source alternative

Mon, 19 Sep 2022 00:01:00 +0000

Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don’t mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn’t mean you can contribute to it.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_341_Time_till_open_source_alternative.mp3

Show Notes

Episode 340 - Let's chat about Let's Encrypt with Josh Aas

Mon, 12 Sep 2022 00:00:00 +0000

Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let’s Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let’s Encrypt won, and the ISG are working on some really cool new projects.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_340_Lets_chat_about_Lets_Encrypt_with_Josh_Aas.mp3

Show Notes

Why has software supply chain security exploded?

Tue, 06 Sep 2022 13:39:46 +0000

I take a bike ride every morning, it’s a nice way to think about topics of the day. I’ve been wondering lately why software supply chain security has exploded in popularity in the last year or so. Nothing happens by accident, so there must be some series of events we can point at that has led to everyone suddenly making this a priority. Software supply chain security is not new, I’ve been doing it since about 2002 when I was helping track and coordinate security vulnerabilities in Linux distributions. We didn’t call it a supply chain back then, and nobody really paid attention to it. So what changed between then and now?

Episode 329 - Signing (What is it good for)

Mon, 27 Jun 2022 00:01:00 +0000

Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about!

OpenSSF TAC Issue 101

Episode 324 - WTF is up with WFH

Mon, 23 May 2022 00:00:00 +0000

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We’ve both been working from home for a long time and have a chat about the topic. There’s not much security in this one, but it is a fun discussion.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_324_WTF_is_up_with_WFH.mp3

Show Notes

Episode 323 - The fake 7-Zip vulnerability and SBOM

Mon, 16 May 2022 00:00:00 +0000

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3

Show Notes

Probably fake 7-Zip

node-ipc protestware

Facts vs Feelings

Mon, 21 Mar 2022 22:07:21 +0000

Earlier today I asked a question on Twitter

Holy cow that thread took on a life of its own. The question is easy enough, do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are). But during the thread I also think I figured how to be start collecting this data. That’s a post for the future.

Episode 315 - Who even makes all these terrible decisions?

Mon, 21 Mar 2022 00:01:00 +0000

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_315_Who_even_makes_all_these_terrible_decisions.mp3

Episode 311 - Did you scan the QR code?

Mon, 21 Feb 2022 00:01:00 +0000

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn’t dangerous. What other security advice just won’t go away?

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_311_Did_you_scan_the_QR_code.mp3

Show Notes

Episode 310 - Hayley Tsukayama from the EFF talks about privacy

Mon, 14 Feb 2022 00:01:00 +0000

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don’t have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it’s easy to see how the EFF became the jewel of the Internet.

Will cyber security vulnerabilities ever “stop existing” ?

Episode 303 - Log4j Christmas Spectacular!

Mon, 27 Dec 2021 00:01:00 +0000

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure we’ll be talking about it well into the future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_303_Log4j_Christmas_Spectacular.mp3

Log before Christmas poem

‘Twas the night before Christmas, when all through the stack
Not a scanner was scanning, not even a rack,

Episode 302 - Log4j is a mess

Mon, 20 Dec 2021 00:01:00 +0000

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then.

Good luck to everyone dealign with this thing

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_302_Log4j_is_a_mess.mp3

Show Notes

Episode 301 - You're holding it wrong: the importance of unlearning

Mon, 13 Dec 2021 00:01:00 +0000

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way to too good to ignore.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_301_Youre_holding_it_wrong_the_importance_of_unlearning.mp3

Show Notes

log4j is hard to find and harder to fix

Sun, 12 Dec 2021 19:45:08 +0000

If you pay attention to tech news, you know what’s going on with log4j right now. It’s being called Log4Shell which is a great name. I’ll spare you repeating the details of the issue, there are many many stories about it at this point.

What I’ve not seen is a good explanation about why knowing if you are using log4j is hard, and fixing it will be even harder than finding it.

Episode 300 - Apple vs NSO: What can copyright do for you?

Mon, 06 Dec 2021 00:00:00 +0000

This episode need a huge disclaimer: we got almost all of the details of this wrong, the lawsuit is based on CFAA, not on copyright. We apologize for this enormous oversight.

Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn’t always make sense. Copyright has been used by open source to expand rights, and many companies to restrict rights. It’s a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens.

Postbank

The future of DWF

Thu, 15 Jul 2021 18:08:36 +0000

TL;DR - The future of community identifier is going to be the Cloud Security Alliance. See this blog post for more details.

A few months ago the Distributed Weakness Filing project (DWF), announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post defines some of the reasons, we won’t rehash them here.

It should surprise nobody that the DWF project did not grow to an enormous size in a few short months. Vulnerability identification is a complex and hard problem. We were looking to try out some new ideas and see which were effective and which were not effective. It was to start to build the structure to deal with a future community. Most importantly it was to help figure out what we don’t know we don’t know.

Episode 279 - The audacity of Audacity: When open source goes rogue

Mon, 12 Jul 2021 00:01:00 +0000

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_279_The_audacity_of_Audacity_When_open_source_goes_rogue.mp3

Show Notes

Episode 278 - Could SELinux have stopped SolarWinds?

Mon, 05 Jul 2021 00:01:00 +0000

Josh and Kurt talk about a listener provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it’s very difficult to sandbox something like a build system.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_278_Could_SELinux_have_stopped_SolarWinds.mp3

Show Notes

Gone in 60 milliseconds

Episode 273 - Can we stop the coming artificial unintelligence deluge?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_265_The_lies_closed_source_can_tell_open_source_cant.mp3

Show Notes

It's time to fix CVE

Tue, 30 Mar 2021 14:13:00 +0000

The late, great, John Lewis is well known for a quote about getting into trouble.

Never, ever be afraid to make some noise and get in good trouble, necessary trouble.

It’s time to start some good trouble.

Anyone who knows me, reads this blog, or follows me on Twitter, is well aware I have been a proponent of CVE Identifiers for a very long time. I once assigned CVE IDs to most open source security vulnerabilities. I’ve helped more than one company and project adopt CVE IDs for their advisories. I encourage anyone who will listen to adopt CVE IDs. I’ve even talked about it on the podcast many times.

The Titanic of security

Mon, 15 Feb 2021 15:13:00 +0000

I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for the reasons intended in the conversation. The point of the suggestion was the Titanic sinking created changes to international requirements to help avoid a similar disaster next time, and we should be viewing SolarWinds in a similar way. The idea being we should use the SolarWinds event to drive meaningful change to make security better. Why no change will come of this is a different conversation: TL;DR it’s because nobody important died from SolarWinds, the Titanic killed a lot of important people. But I think this is an interesting way to talk about how we tend to deal with problems in software and how we deal with them in real life.

Episode 258 - Stop using C

Mon, 15 Feb 2021 00:01:00 +0000

Josh and Kurt talk about the Google Project Zero report titled “A Year in Review of 0-days Exploited In-The-Wild in 2020”. It’s a cool report but we don’t agree on the conclusion. The answer isn’t to security harder, it’s to stop using C.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_258_Stop_using_C.mp3

Show Notes

Episode 257 - The sudo and libgcrypt vulnerabilities

Mon, 08 Feb 2021 00:01:00 +0000

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What’s the deal with these buffer overflows and TOCTU bugs?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_257_The_sudo_and_libgcrypt_vulnerabilities.mp3

Show Notes

It's the community, stupid

Tue, 02 Feb 2021 01:23:36 +0000

I’ve been thinking about what open source is a lot lately. I mean A LOT, probably more than is healthy. There have been a ton of open source happenings in the world and the discussions around open source licenses have been numerous. There are even a lot of discussions around the very idea of open source itself. What we once thought was simple and clear is not simple or clear it would seem.

Episode 256 - 9 bits of podcast, 8 bits of computing

Mon, 01 Feb 2021 00:01:00 +0000

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_256_9_bits_of_podcast_8_bits_of_computing.mp3

Show Notes

You cannot manage your supply chain

Sat, 30 Jan 2021 02:19:17 +0000

What a year it’s been! I feel like 2021 went by like a … it’s still January???

So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. Software supply chains. This is probably a dreadful topic to most, but I love software supply chains. I was talking about them before anyone was even thinking about them. I’m not going to pull a “get off my lawn” here, I think it’s cool everyone is starting to care. I want to talk about how to be realistic about your supply chain. Almost all advice I’ve seen of the last month has been terrible, so I’m going to also give some terrible advice.

Episode 255 - What if security wasn't joyless?

Mon, 25 Jan 2021 00:01:00 +0000

Josh and Kurt talk about what we can stop doing. We take a position of asking “does it spark joy” for tools and infrastructure. Everyone is doing something they should stop.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_255_What_if_security_wasnt_joyless.mp3

Show Notes

Does it spark joy?

Episode 254 - Right to Repair Security

Mon, 18 Jan 2021 00:01:00 +0000

Josh and Kurt talk about the new right to repair rules in the EU. There’s a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_254_Right_to_Repair_Security.mp3

Show Notes

Episode 253 - Defenders only need to be right once

Mon, 11 Jan 2021 00:01:00 +0000

Josh and Kurt talk about this idea that seems to exist in security of “attackers only need to be right once” which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But “defenders only need to be right once” isn’t going to sell any products.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_253_Defenders_only_need_to_be_right_once.mp3

Show Notes

Episode 252 - Is open source dangerous? Open source won, who cares, shut up!

Mon, 04 Jan 2021 00:01:00 +0000

Josh and Kurt talk about a report on open source security from the Canadian Centre for Cyber Security. The title pretty much sums it up.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_252_Is_open_source_dangerous_Open_source_won_who_cares_shut_up.mp3

Show Notes

Episode 251 - Communication is hard, security communication is more hard

Mon, 28 Dec 2020 00:01:00 +0000

Josh and Kurt talk about communication. It’s really hard to talk about a lot of what we do. How do we know if a device is secure? How do we know our knowledge is correct?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_251_Communication_is_hard_security_communication_is_more_hard.mp3

Show Notes

Episode 250 - Door 25: Why do we do the things we do? Question everything

Fri, 25 Dec 2020 00:01:00 +0000

Josh and Kurt talk about why we do the things we do. Sometimes we have to question everything

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_250_Door_25_Why_do_we_do_the_things_we_do_Question_everything.mp3

Episode 249 - Door 24: Information wants to be free

Thu, 24 Dec 2020 00:01:00 +0000

Josh and Kurt talk about the idea of information wanting to be free. It’s Christmas, we should give it what it wants!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_249_Door_24_Information_wants_to_be_free.mp3

Episode 248 - Door 23: How to report 1000 security flaws

Wed, 23 Dec 2020 00:01:00 +0000

Josh and Kurt talk about how to file 1000 security flaws. One is easy, scale is hard.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_248_Door_23_How_to_report_1000_security_flaws.mp3

Episode 247 - Door 22: How to report one security flaw

Tue, 22 Dec 2020 00:01:00 +0000

Josh and Kurt talk about how to report one security flaw

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_247_Door_22_How_to_report_one_security_flaw.mp3

Episode 246 - Door 21: Bug bounties

Mon, 21 Dec 2020 00:01:00 +0000

Josh and Kurt talk about bug bounties

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_246_Door_21_Bug_bounties.mp3

Episode 245 - Door 20: Is SMS 2FA better than no 2FA?

Sun, 20 Dec 2020 00:01:00 +0000

Josh and Kurt talk about if SMS 2 factor auth is better than no 2FA

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_245_Door_20_Is_SMS_2FA_better_than_no_2FA.mp3

Episode 244 - Door 19: TLS certificate trust

Sat, 19 Dec 2020 00:01:00 +0000

Josh and Kurt talk about modern TLS certificate trust

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_244_Door_19_TLS_certificate_trust.mp3

Episode 243 - Door 18: Don't roll your own crypto or auth

Fri, 18 Dec 2020 00:01:00 +0000

Josh and Kurt talk about why it’s a horrible idea to roll your own crypto or auth

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_243_Door_18_Dont_roll_your_own_crypto_or_auth.mp3

Episode 242 - Door 17: Vulnerability response

Thu, 17 Dec 2020 00:01:00 +0000

Josh and Kurt talk about vulnerability response. What is it, what does it mean, how does it work

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_242_Door_17_Vulnerability_response.mp3

Episode 241 - Door 16: 16 bits of change

Wed, 16 Dec 2020 00:01:00 +0000

Josh and Kurt talk about the switch from 16 to 32 to 64 bit and even the changes from Intel to ARM

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_241_Door_16_16_bits_of_change.mp3

Episode 240 - Door 15: Supplier compliance

Tue, 15 Dec 2020 00:01:00 +0000

Josh and Kurt talk about supplier compliance

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_240_Door_15_Supplier_compliance.mp3

Committee or Community: Slowing down the future

Mon, 14 Dec 2020 15:02:41 +0000

I wrote a blog post about looking back, and I have a bit of snark in there where I talk about slowing down the future. I wanted to explain this a bit more and give everyone some food for thought around how we used to do things and how we should do them moving forward. There are groups and people that exist to slow things down. Sometimes that’s on purpose for good reasons, sometimes it’s on purpose for bad reasons, sometimes it’s not on purpose at all.

Episode 239 - Door 14: Backdoors

Mon, 14 Dec 2020 00:01:00 +0000

Josh and Kurt talk about backdoors in open source software

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_239_Door_14_Backdoors.mp3

Episode 238 - Door 13: Unlucky or survivor bias?

Sun, 13 Dec 2020 00:01:00 +0000

Josh and Kurt talk about the unluckiest man in the world and survivor bias

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_238_Door_13_Unlucky_or_survivor_bias.mp3

Episode 237 - Door 12: Video game hacking

Sat, 12 Dec 2020 00:01:00 +0000

Josh and Kurt talk about video game hacking. The speedrunners are doing the best security research today

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_237_Door_12_Video_game_hacking.mp3

Episode 236 - Door 11: Should you get on a 737?

Fri, 11 Dec 2020 00:01:00 +0000

Josh and Kurt talk about the safety of a 737

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_236_Door_11_Should_you_get_on_a_737.mp3

Episode 235 - Door 10: Deciding what information matters

Thu, 10 Dec 2020 00:01:00 +0000

Josh and Kurt talk about Apple leaking internal IP addresses. Sometimes we create our own emergencies over things that don’t matter.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_235_Door_10_Deciding_what_information_matters.mp3

Episode 234 - Door 09: public key cryptography

Wed, 09 Dec 2020 00:01:00 +0000

Josh and Kurt talk about public key cryptography

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_234_Door_09_public_key_cryptography.mp3

Episode 233 - Door 08: man 8 security

Tue, 08 Dec 2020 00:01:00 +0000

Josh and Kurt talk about the OpenBSD security(8) man page and the importance of automating security

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_233_Door_08_man_8_security.mp3

Episode 232 - Door 07: 7 is the best prime, 2 is the dumbest

Mon, 07 Dec 2020 00:01:00 +0000

Josh and Kurt talk about prime numbers

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_232_Door_07_7_is_the_best_prime_2_is_the_dumbest.mp3

Episode 231 - Door 06: 6 wifi risks ... that don't actually matter

Sun, 06 Dec 2020 00:01:00 +0000

Josh and Kurt talk about the non problems with public wifi we love to pretend matter

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_231_Door_06_6_wifi_risks_that_dont_actually_matter.mp3

Episode 230 - Door 05: 5 reasons you need 24/7 robot monitoring

Sat, 05 Dec 2020 00:01:00 +0000

Josh and Kurt talk about why you need 24/7 monitoring of all the things

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_230_Door_05_5_reasons_you_need_247_robot_monitoring.mp3

Episode 229 - Door 04: EFF's Cover Your Tracks

Fri, 04 Dec 2020 00:01:00 +0000

Josh and Kurt talk about how the EFF is helping us prevent Internet tracking

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_229_Door_04_EFFs_Cover_Your_Tracks.mp3

Episode 228 - Door 03: Do all vulnerabilities matter equally?

Thu, 03 Dec 2020 00:01:00 +0000

Josh and Kurt talk about how many security vulnerabilities matter enough to fix?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_228_Door_03_Do_all_vulnerabilities_matter_equally.mp3

Episode 227 - Door 02: Marketing department or selection bias?

Wed, 02 Dec 2020 00:01:00 +0000

Josh and Kurt talk about cybersecurity statistics and the value of the data we have.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_227_Door_02_Marketing_department_or_selection_bias.mp3

Episode 226 - Door 01: Advent calendars

Tue, 01 Dec 2020 00:01:00 +0000

Josh and Kurt talk about advent calendars. We are publishing 25 5 minute episodes in 25 days. Also portable X-ray machines.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_226_Door_01_Advent_calendars.mp3

Episode 225 - Who is responsible if IoT burns down your house?

Mon, 23 Nov 2020 00:01:00 +0000

Josh and Kurt talk about the safety and liability of new devices. What happens when your doorbell can burn down your house? What if it’s your fault the doorbell burned down your house? There isn’t really any prior art for where our devices are taking us, who knows what the future will look like.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_225_Who_is_responsible_if_IoT_burns_down_your_house.mp3

Show Notes

We can't move forward by looking back

This tweet from Jim Manico really has me thinking about why we like to consider security bugs special. There are a lot of tools on the market today to scan your github repos, containers, operating systems, web pages … pick something, for security vulnerabilities. I’ve written a very very long series about these scanners and why they’re generally terrible today but will get better, but only if we demand it. I’m now wondering why we want to consider security special. Why do we have an entire industry focused just on security bugs?

We take security seriously, VERY SRSLY!

Mon, 31 Aug 2020 12:54:10 +0000

Every company tells you they take security seriously. Some even take it very seriously. But do they? I started to think about this because of a recent Slack bug. I think there are a lot of interesting things we can look at to decide if a company is taking security seriously or if the company thinks security is just a PR problem. I’m going to call the behavior we want to look at “security signals”.

Episode 212 - Grab Bag: The Security We Deserve Edition

Mon, 31 Aug 2020 00:01:00 +0000

Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_212_Grab_Bag_The_Security_We_Deserve_Edition.mp3

Show Notes

2020 CWE Top 25 I mean 10 or maybe 4.5

Mon, 24 Aug 2020 13:16:00 +0000

A few days ago I ran across this report from MITRE. It’s titled “2020 CWE Top 25 Most Dangerous Software Weaknesses”. I found the report lacking the sort of details I was hoping for, so I’m going rogue and adding those details myself because it’s a topic I care about and I like seeing conclusions. Think of this as a sort of modern graffiti.

Firstly, all of my data and graphs come from the NVD CVE json data. You can find my project to put this data into Elasticsearch then doing interesting things with it on GitHub here. All graphs are screenshots from Kibana.

Boot Hole

Episode 208 - Passwords are pollution

Mon, 03 Aug 2020 00:02:50 +0000

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it’s we don’t have metrics. Can you measure not getting hacked?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_208_Passwords_are_pollution.mp3

Mon, 29 Jun 2020 00:04:55 +0000

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren’t what they used to be, but things like BSides are great experiences.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_203_Humans_conferences_and_security_let_me_think_and_get_back_to_you_in_a_bit.mp3

Show Notes

The ineffective CISO

Tue, 23 Jun 2020 14:20:00 +0000

I’ve been thinking about this one for a while. I’ve seen some CISOs who are amazing at what they do, and I’ve seen plenty that can’t get anything done. After working with one that I think is particularly good lately, I’ve made some observations that has changed my mind about the modern day CISO reporting structure.

The TL;DR of this post is if you have a CISO that claims they can only get their job done if they report to the board or CEO, you have an ineffective CISO.

Episode 202 - The convergence of application security

Mon, 22 Jun 2020 00:01:25 +0000

Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_202_The_convergence_of_application_security.mp3

Show Notes

Episode 201 - We broke CVSSv3, now how do we fix it?

Mon, 15 Jun 2020 00:01:42 +0000

Josh and Kurt talk about CVSSv3 and how it’s broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it’s far more broken than any of us expected in ways we didn’t expect. NVD isn’t broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next?

Episode 200 - Talking Container Security with Liz Rice

Mon, 08 Jun 2020 00:01:17 +0000

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_200_Talking_Container_Security_with_Liz_Rice.mp3

Show Notes

Episode 199 - Special cases are special: DNS, Websockets, and CSV

Mon, 01 Jun 2020 00:01:22 +0000

Josh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes always, not even that one time.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_199_Special_cases_are_special_DNS_Websockets_and_CSV.mp3

Show Notes

Broken vulnerability severities

Wed, 27 May 2020 14:37:00 +0000

This blog post originally started out as a way to point out why the NVD CVSS scores are usually wrong. One of the amazing things about having easy access to data is you can ask a lot of questions, questions you didn’t even know you had, and find answers right away. If you haven’t read it yet, I wrote a very long series on security scanners. One of my struggles I have is there are often many “critical” findings in those scan reports that aren’t actually critical. I wanted to write something that explained why that was, but because my data took me somewhere else, this is the post you get. I knew CVSSv3 wasn’t perfect (even the CVSS folks know this), but I found some really interesting patterns in the data. The TL;DR of this post is: It may be time to start talking about CVSSv4.

Episode 198 - Good advice or bad advice? Hang up, look up, and call back

Mon, 25 May 2020 00:54:19 +0000

Josh and Kurt talk about the Krebs blog post titled “When in Doubt: Hang Up, Look Up, & Call Back”. In the world of security there isn’t a lot of actionable advice, it’s worth discussing if something like this will work, or ever if it’s the right way to handle these situations.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_198_-_Good_advice_or_bad_advice_Hang_up_look_up_and_call_back.mp3

Show Notes

When in Doubt: Hang Up, Look Up, & Call Back
Tech Support Scam podcast: Part 1, Part 2
STIR/SHAKEN
Drill the wrong safe deposit box
2009 Bank of Ireland robbery

Show Tags

#BGP

Eating goldfish off the treadmill

Comment on Twitter with the #osspodcast hashtag

Episode 191 - Security scanners are all terrible

Wed, 08 Apr 2020 19:54:00 +0000

Josh and Kurt talk about security scanners. They’re all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you’re running the scanner and what the reports mean?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_191_Security_scanners_are_all_terrible.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Who are the experts

Tue, 07 Apr 2020 14:18:00 +0000

These are certainly strange times we are living in. None of us will ever forget what’s happening and we will all retell stories for the rest of our days. Many of us asked “tell me about the depression grandma”, similar questions will be asked of us someday.

The whirlwind of confusion and chaos got me thinking about advice and who we listen to. Most of us know a staggering number of people who are apparently experts in immunology. I have no intention of talking about the politics of the current times, goodness knows nobody in their right mind should care what I think. What all this does have me pondering is what are experts and how can we decide who we should listen to?

Episode 190 - Building a talent "ecosystem"

Sun, 05 Apr 2020 23:45:00 +0000

Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada’s entertainment industry and Unit 8200 are good examples of this.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_190_Building_a_talent_ecosystem.mp3

Show Notes

Show Tags

#securitytalent
#talentecosystem

Comment on Twitter with the #osspodcast hashtag

Episode 189 - Video game hackers - speedrunning

Mon, 30 Mar 2020 00:08:00 +0000

Josh and Kurt talk about video games and hacking. Specifically how speed runners are really just video game hackers.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_189_Video_game_hackers_speedrunning.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Part 6: What do we do now?

Thu, 26 Mar 2020 16:46:25 +0000

Well, we’ve made it to the end. What started out as a short blog post ended up being 7 posts long. If you made it this far I commend you for your mental fortitude.

I’m going to sum everything up with these 4 takeaways.

Understand the problem we want to solve
Push back on scanner vendors
Work with your vendors
Get involved in open source

Understand the problem we want to solve

In security it’s sometimes easy to lose sight of what we’re really trying to do. Running a scanner isn’t a goal in itself, the goal is to improve security, or it should be if it isn’t. Make sure you never forget what’s really happening. Sometimes in the excitement of security, the real reason we’re doing what we do can be lost.

Part 5: Which of these security problems do I need to care about?

Wed, 25 Mar 2020 13:01:27 +0000

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. Or not, I mean, whatever.

I’ve spent the last few posts going over the challenges of security scanners. I think the most important takeaway is we need to temper our expectations. Even a broken clock is right twice a day. So assuming some of the security flaws reported are real, how can we figure out what we should be paying attention to?

Part 4: Application scanning

Tue, 24 Mar 2020 14:40:38 +0000

We’ve already discussed the perils of code and composition scanning. If you’ve not already read those, you should go back to the beginning.

Now we’re going to discuss application scanning. The basic idea here is we have a scanner that interacts with a running application and looks for bugs. The other two scanners run against static content. A running application is dynamic and ever changing. If we thought code scanning was hard, this is even harder. Well it can be harder, it can also be easier. Sometimes.

Episode 188 - Depressing news sucks, we're talking about cheating in video games

Mon, 23 Mar 2020 00:00:00 +0000

Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There’s a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_188_Depressing_news_sucks_were_talking_about_cheating_in_video_games.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 187 - Wireguard vs IPsec: the OK Boomer of security

Sun, 15 Mar 2020 23:35:00 +0000

Josh and Kurt talk about Wireguard. There have been a lot of recent conversations about it and if it’s better or worse than other VPN solutions. It’s safe to say in our modern age, less is usually more, especially when it comes to security. Wireguard has a lot going for it, it can’t be ignored.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_187_Wireguard_vs_IPsec_the_OK_Boomer_of_security.mp3

Show Notes

Show Tags

#wireguard
#IPSec

Comment on Twitter with the #osspodcast hashtag

Part 3: Composition scanning

Thu, 12 Mar 2020 12:49:05 +0000

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article.

In this post we’re going to talk about a newer type of scanner called a composition scanner. The idea here is when you build an application today it’s never just what you wrote. It also includes source code from a large number of other sources. Usually these other sources are open source.

Part 2: Scanning the code

Wed, 11 Mar 2020 13:07:13 +0000

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article.

The first type of scanner we’re going to cover are source code scanners. It seems fitting to start at the bottom with the code that drives everything. Every software project has source code. It doesn’t matter what language you use. Some is compiled, some interpreted, it’s all still source code. The idea behind a source code scanner is to review the code a human wrote and find potential security problems with it. This sounds easy enough in theory, but it’s extremely difficult in practice.

Part 1: Is your security scanner running? You better go catch it!

Tue, 10 Mar 2020 13:13:46 +0000

This post is the first part in a series on automated security scanners. I explain some of the ideas and goals in the intro post, rather than rehashing that post as filler, just go read it, rehashing content isn’t exciting.

There are different kinds of security scanners, but the problem with all of them is basically the same. The results returned by the scanners are not good in the same way catching poison ivy is not good. The more you have, the worse it is. The most important thing to understand, and the whole reason I’m writing this series, is that scanners will get better in the future. How they get better will be driven by all of us. If we do nothing, they will get better in a way that might not make our lives easier. If we can understand the current shortcomings of these systems, we can better work with the vendors to improve them in ways that will benefit everyone.

The Security Scanner Problem

Tue, 10 Mar 2020 13:13:41 +0000

Are you running a security scanner? It seems like everyone is doing it, maybe it’s time to get with it. It’s looking like automated security scanning is the next stage in the long winding history of the security industry. If you’ve never run one of these scanners that’s OK. I’m going to explain what they are, how they work, how we’re not using them correctly, and most importantly, what you can do about it. If you are running a scanner I’m either going to tell you why you’re doing it wrong, or why you’re doing it REALLY wrong. If you’re a vendor who builds a security scanner I assure you I understand there is a high probability I am indeed an idiot and don’t know what I’m talking about. I’m sure everything will be fine.

Episode 186 - Endpoint security with Tony Meehan

Sun, 08 Mar 2020 23:01:00 +0000

Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_186_Endpoint_security_with_Tony_Meehan.mp3

Show Notes

Show Tags

#EndpointSecurity

Show Tags

#SIMSwap

Comment on Twitter with the #osspodcast hashtag

Episode 180 - A Tale of Two Vulnerabilities

Mon, 27 Jan 2020 01:01:00 +0000

Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard.

Episode 179 - Google Project Zero and the 90 day clock

Mon, 20 Jan 2020 00:34:00 +0000

Josh and Kurt talk about the updated Google Project Zero disclosure policy. What’s the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won’t drastically change much.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_179_Google_Project_Zero_and_the_90_day_clock.mp3

Show Notes

Show Tags

#GoogleProject0
#CoordinatedDisclosure
#ResponsibleDisclosure

Show Tags

#CodeQL
#GitHub

Comment on Twitter with the #osspodcast hashtag

Episode 173 - Ho Ho Homeland Security

Mon, 09 Dec 2019 00:10:00 +0000

Josh Santa and Kurt talk the border nightmare Santa Clause has to deal with as he traverses the globe. Questions we explore include: Are the reindeer farm animals? Is the North Pole a farm? Is Santa an intellectual property thief? Does Krampus eat politicians? Does Santa have a passport? Does Santa have an emergency radio?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_173_Ho_Ho_Homeland_Security.mp3

Show Notes

Pirate Joes

Comment on Twitter with the #osspodcast hashtag

Episode 172 - The security of planned obsolescence

Mon, 02 Dec 2019 00:03:00 +0000

Josh and Kurt talk about the security implications of planned obsolescence. We use Intel’s recent decision to remove old drivers from their website as the start of the conversation. By the end we realize this is more of a decision society needs to understand and make more than anything. Is constantly throwing out technology OK?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_172_The_security_of_planned_obsolescence.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 171 - Measuring cybersecurity with Kathryn Waldron

Mon, 25 Nov 2019 01:44:00 +0000

Josh and Kurt talk to Kathryn Waldron of the R Street Institute about a paper she recently published that collects a number of cybersecurity measuring devices in one place.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_171_Measuring_cybersecurity_with_Kathryn_Waldron.mp3

Show Notes

Show Tags

#Regulation

Comment on Twitter with the #osspodcast hashtag

Episode 170 - Until that quantum computer is cracking RSA keys, go sit back down!

Mon, 18 Nov 2019 00:00:00 +0000

Josh and Kurt talk about banking and privacy. It’s very likely nothing will get better anytime soon, humans will continue to be terrible at understanding certain risks. We also discuss what quantum supremacy means (or doesn’t mean) for security.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_170_Until_that_quantum_computer_is_cracking_RSA_keys_go_sit_back_down.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 169 - What happens when leadership doesn't care about security?

Mon, 11 Nov 2019 01:19:00 +0000

Josh and Kurt talk about government security incidents. The security concerns at the government level often have real life and death consequences. What happens when the leadership knowingly disregards security policy?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_169_What_happens_when_leadership_doesnt_care_about_security.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 168 - The draconian draconians of DRM

Mon, 04 Nov 2019 00:00:00 +0000

Josh and Kurt talk about the social norms of security. We also discuss security coprocessors and the reasons behind adding them to hardware. Is DRM a draconian security measure or do we need it to secure the future? We also touch on the story of NordVPN getting hacked. The real story isn’t they got hacked, the story is they responded like clowns. The actual problem was one of leadership, there are certain leadership skills you can’t be taught, you can only learn.

Episode 167 - Security is terrible because digital literacy is terrible

Mon, 28 Oct 2019 00:00:00 +0000

Josh and Kurt talk about the horrid state of digital literacy in the US. We start out talking about broken Phillips Hue light bulbs, then discuss research from Pew on the digital literacy of Americans. We may have accidentally discovered a use for all the cookie warnings every web site has.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_167_Security_is_terrible_because_digital_literacy_is_terrible.mp3

Show Notes

Pew Research on American’s Digitcal Literacy

Show Tags

#DoH
#DNSOverHTTPS

Josh and Kurt talk about the current state of credit security freezes in the US. We recount a thrilling tale of all the things Josh had to do to get new Internet service. It was all quite silly really.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_158_The_mess_that_we_call_credit_agencies_in_the_US.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 157 - Backdoors and snake oil in our cryptography

Mon, 19 Aug 2019 01:37:00 +0000

Josh and Kurt talk about snakeoil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it’s the right thing to do.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_157_Backdoors_and_snake_oil_in_our_cryptography.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Appsec isn't people

Tue, 13 Aug 2019 13:10:44 +0000

Recently there was a thread on Twitter I stuck my nose into about appsec and why it doesn’t work.

I have a response in there that I believe is a nice way to explain my biggest problem with appsec. I would sum it up as “Appsec isn’t people”. Here is a clever image to help.

You know you can take it seriously because the text is green.

The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs.

Episode 156 - What if we MitM a whole country?

Mon, 29 Jul 2019 00:25:00 +0000

Josh and Kurt talk about Kazakhstan requiring citizens to place a government controlled root CA certificate on their computers. How does this work. What does it mean for the citizens of Kazakhstan, and why we all should be paying attention.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_156_What_if_we_MitM_a_whole_country.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Why you can't backdoor cryptography

Fri, 26 Jul 2019 13:10:24 +0000

Once again the topic of backdooring cryptography is in the news. The same people will fight the same fight. Again. So far sanity has prevailed every time we do this, but that doesn’t mean anyone should sit this one out. Make sure you tell everyone to pay attention and care. Trustworthy cryptography is too important.

Given the language used it sounds a lot like what’s really being discussed is having the ability to view chat apps, view emails, and unlock phones. All things with a consumer focus. They’ve lost this fight more times than we can count now, no doubt this direction change is an attempt to spread confusion.

Episode 155 - Stealing cars and ransomware

Mon, 22 Jul 2019 00:01:00 +0000

Josh and Kurt talk about a new way to steal cars because a service didn’t do proper background checks. We also discuss how this relates to working with criminals, such as ransomware, and what it means for the future of the ransomware industry.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_155_Stealing_cars_and_ransomware.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 154 - Chat with the authors of the book "The Fifth Domain"

Tue, 16 Jul 2019 00:10:00 +0000

Josh and Kurt talk to the authors of a new book The Fifth Domain. Dick Clarke and Rob Knake join us to discuss the book, cybersecurity, US policy, how we got where we are today and what the future holds for cybersecurity.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_154_Chat_with_the_authors_of_the_book_The_Fifth_Domain.mp3

Show Notes

Show Tags

#FifthDomain
#Cybersecurity

History of firefighting

Comment on Twitter with the #osspodcast hashtag

Episode 144 - The security of money, which one is best?

Mon, 06 May 2019 00:05:00 +0000

Josh and Kurt talk about the security of money. Not how to keep it secure, but the security issues around using cash, credit, and bitcoin. We also talk about Banksy’s clever method for proving something is original.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_144_The_security_of_money_which_one_is_best.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 143 - Security lessons from the phone book

Mon, 29 Apr 2019 00:05:00 +0000

Josh and Kurt talk about the phone book (yeah, the big paper book people used to use). Kurt got one in the mail. While it’s certainly a relic from another time, there were security tips in it among other wild things.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_143_Security_lessons_from_the_phone_book.mp3

Show Notes

Chad Loder’s Twitter

Comment on Twitter with the #osspodcast hashtag

Episode 142 - Hypothetical security: what if you find a USB flash drive?

Sun, 21 Apr 2019 23:48:00 +0000

Josh and Kurt talk about what one could do if you find a USB drive. The context is based on the story where the Secret Service was rumored to have plugged a malicious USB drive into a computer. The purpose of discussion is to explore how to handle a situation like this in the real world. We end the episode with a fantastic comparison of swim safety and security.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_142_Hypothetical_security_what_if_you_find_a_USB_flash_drive.mp3

Show Notes

Show Tags

#ImpossibleSecurity

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_138_Information_wants_to_be_free.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 137.5 - Holy cow Beto was in the cDc, this is awesome!

Mon, 18 Mar 2019 00:01:00 +0000

Josh and Kurt talk about Beto being in the Cult of the Dead Cow (cDc). This is a pretty big deal in a very good way. We hit on some history, why it’s a great thing, what we can probably expect from opponents. There’s even some advice at the end how we can all help. We need more politicians with backgrounds like this.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_137_5_Holy_cow_Beto_was_in_the_cDc_this_is_awesome.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 137 - When the IoT attacks!

Mon, 11 Mar 2019 00:03:00 +0000

Josh and Kurt talk about when devices attack! It’s not quite that exciting, but there have been a slew of news about physical devices causing problems for humans. We end on the note that we’re getting closer to a point when lawyers and regulators will start to pay attention. We’re not there yet, so we still have a horrible insecure future on the horizon.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_137_When_the_IoT_attacks.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 136 - How people feel is more important than being right

Mon, 04 Mar 2019 01:08:00 +0000

Josh and Kurt talk about github blocking the Deepfakes repository. There’s a far bigger discussion about how people feel, and sometimes security fails to understand that making people feel happy or safer is more important than being right.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_136_How_people_feel_is_more_important_than_being_right.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 135 - Passwords, AI, and cloud strategy

Mon, 25 Feb 2019 01:07:00 +0000

Josh and Kurt talk about change your password day (what a terrible day). Google’s password checkup (not a terrible idea), an AI finding new spice flavors we expect will one day take over the world, and we finish up on a new DoD cloud strategy. Also Josh burnt his finger, but is going to be OK.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_135_Passwords_AI_and_cloud_strategy.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 134 - What's up with the container runc security flaw?

Mon, 18 Feb 2019 01:23:00 +0000

Josh and Kurt talk about the new runc container security flaw. How does the flaw work, what can you do about it, what should you do about it, and what the future of container security may look like.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_134_Whats_up_with_the_container_runc_security_flaw.mp3

Show Notes

runc security flaw - CVE-2019-5736

Comment on Twitter with the #osspodcast hashtag

Episode 133 - Smart locks and the government hacking devices

Mon, 11 Feb 2019 00:49:00 +0000

Josh and Kurt talk about the fiasco hacks4pancakes described on Twitter and what the future of smart locks will look like. We then discuss what it means if the Japanese government starts hacking consumer IoT gear, is it ethical? Will it make anything better?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_133_Smart_locks_and_the_government_hacking_devices.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 132 - Bird Scooter: 0, Cory Doctorow: 1

Mon, 04 Feb 2019 01:01:00 +0000

Josh and Kurt talk about the Bird Scooter vs Corey Doctorow incident. We then get into some of the social norms around new technology and what lessons the security industry can take from something new like shared scooters.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_132_Bird_Scooter_0_Cory_Doctorow_1.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 131 - Windows micropatches, Google's privacy fine, and Mastercard fixes trial abuse

Mon, 28 Jan 2019 01:03:00 +0000

Josh and Kurt talk about non-Microsoft Windows micropatches. The days of pretending closed source matters are long gone. Google gets hit with a privacy fine, that probably won’t matter. And Mastercard makes it easier for consumers to not accidentally sign up for services they don’t want.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_131_Windows_micropatches_Googles_privacy_fine_and_Mastercard_fixes_trial_abuse.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 130 - Chat with Snyk co-founder Danny Grander

Mon, 21 Jan 2019 01:12:00 +0000

Josh and Kurt talk to Danny Grander one of the co-founders of Snyk about Zip Slip, what it is, how to fix it, and how they disclosed everything. We also touch on plenty of other open source security topics as Danny is involved in many aspects of open source security.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_130_Chat_with_Snyk_cofounder_Danny__Grander.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Security isn't a feature

Tue, 15 Jan 2019 15:48:31 +0000

As CES draws to a close, I’ve seen more than one security person complain that nobody at the show was talking about security. There were an incredible number of consumer devices unveiled, no doubt there is no security in any of them. I think we get caught up in the security world sometimes so we forget that the VAST majority of people don’t care if something has zero security. People want interesting features that amuse them or make their lives easier. Security is rarely either of these, generally it makes their lives worse so it’s an anti-feature to many.

Episode 129 - The EU bug bounty program

Mon, 14 Jan 2019 00:58:00 +0000

Josh and Kurt talk about the EU bug bounty program. There have been a fair number of people complaining it’s solving the wrong problem, but it’s the only way the EU has to spend money on open source today. If that doesn’t change this program will fail.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_129_The_EU_bug_bounty_program.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 128 - Australia's encryption backdoor bill

Mon, 07 Jan 2019 00:41:00 +0000

Josh and Kurt talk about Australia’s recently passed encryption bill. What is the law that was passed, what does it mean, and what are the possible outcomes? The show notes contain a flow chart of possible outcomes.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-128_Australias_encryption_backdoor_bill.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Misguided misguidings over the EU bug bounty

Sun, 30 Dec 2018 15:03:00 +0000

The EU recently announced they are going to sponsor a security bug bounty program for 14 open source projects in 2019. There has been quite a bit of buzz about this program in all the usual places. The opinions are all over the place. Some people wonder why those 14, some wonder why not more. Some think it’s great. Some think it’s a horrible idea.

I don’t want to focus too much on the details as they are unimportant in the big picture. Which applications are part of the program don’t really matter. What matters is why are we here today and where should this go in the future.

2018 Christmas Special - Is Santa GDPR compliant?

Mon, 24 Dec 2018 01:00:00 +0000

Josh and Kurt talk about which articles of the GDPR apply to Santa, and if he’s following the rules the way he should be (spoiler, he’s probably not). Should Santa be on his own naughty list? We also create a new holiday character - George the DPO Elf!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/2018_Christmas_Special_Is_Santa_GDPR_compliant.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 127 - Walled gardens, appstores, and more

Mon, 17 Dec 2018 00:56:00 +0000

Josh and Kurt talk about Mozilla pulling a paywall bypassing extension. We then turn our attention to talking about walled gardens. Are they good, are they bad? Something in the middle? There is a lot of prior art to draw on here, everything from Windows, Android, iOS, even Linux distributions.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_127_Walled_gardens_appstores_and_more.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 126 - The not so dire future of supply chain security

Mon, 10 Dec 2018 01:15:00 +0000

Josh and Kurt continue the discussion from episode 125. We look at the possible future of software supply chains. It’s far less dire than previously expected. It’s likely there will be some change in the near future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_126_The_not_so_dire_future_of_supply_chain_security.mp3

Show Notes

Episode 125

Comment on Twitter with the #osspodcast hashtag

Episode 125 - Open Source, supply chains, npm, and you

Mon, 03 Dec 2018 01:00:00 +0000

Josh and Kurt talk about how open source deals with malicious events. It’s probably impossible to stop these from happening, but the open source universe deals with it in its own unique way. We start to discuss what you can do, since everyone is using open source everywhere now. There will be a second part to this episode where we discuss what the future holds for these sort of problems.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_125_Open_Source_supply_chains_npm_and_you.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

What's up with backdoored npm packages?

Tue, 27 Nov 2018 02:45:16 +0000

A story broke recently about a backdoor added to a Node Package Manager (NPM) package called event-stream. This package is downloaded about two million times a week by developers. That’s a pretty impressive amount, many projects would be happy with two million downloads a year.

The Register did a pretty good writeup, I don’t want to recap the details here, I have a different purpose and that’s really to look at how does this happen and can we stop it?

Episode 124 - Cloudflare's service workers and the economics of security

Mon, 26 Nov 2018 01:39:00 +0000

Josh and Kurt talk about Cloudflare’s new Workers service. We spend a lot of time discussing how economics drives technology, not security. It’s quite likely this new service is less secure than existing alternatives, but it will be cheaper and faster which will matter more than security.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_124_Cloudflares_service_workers_and_the_economics_of_security.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Dependencies in open source

Mon, 19 Nov 2018 23:41:27 +0000

The topic of securing your open source dependencies just seems to keep getting bigger and bigger. I always expect it to get less attention for some reason, and every year I’m wrong about what’s happening out there. I remember when I first started talking about this topic, nobody really cared about it. It’s getting a lot more traction these days, especially as we see stories about open source dependencies being wildly out of date and some even being malicious backdoors.

Episode 123 - Talking about Kubernetes and container security with Liz Rice

Mon, 19 Nov 2018 01:02:00 +0000

Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what’s new and exciting today, and where do we think things are going.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_123_Talking_about_Kubernetes_and_container_security_with_Liz_Rice.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 122 - What will Apple's T2 chip mean for the rest of us?

Mon, 12 Nov 2018 04:01:00 +0000

Josh and Kurt talk about Apple’s new T2 security chip. It’s not open source but we expect it to change the security landscape in the coming years.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_122_What_will_Apples_T2_chip_mean_for_the_rest_of_us.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 121 - All about the security of voting

Mon, 05 Nov 2018 01:01:00 +0000

Josh and Kurt talk about voting security. What does it mean, how does it work. What works, what doesn’t work, and most importantly why we may not see secure electronic voting anytime soon.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_121_All_about_the_security_of_voting.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 120 - Bloomberg and hardware backdoors - it's already happening

Mon, 29 Oct 2018 00:01:00 +0000

Josh and Kurt talk about Bloomberg’s story about backdoors and motherboards. The story is probably false, but this is almost certainly happening already with hardware. What does it mean if your hardware is already backdoored by one or more countries?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_120_Bloomberg_and_hardware_backdoors_its_already_happening.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Targeted vs General purpose security

Tue, 23 Oct 2018 13:13:34 +0000

There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’s good advice. They’ll get a few morsels, them someone will point out whatever corner case makes that advice bad and the conversation will spiral into nonsense where we find ourselves trying to defend someone mostly concerned about cat pictures from being kidnapped by a foreign nation. Eventually whoever asked for help quit listening a long time ago and decided to just keep their passwords written on a sticky note under the keyboard.

Episode 119 - The Google+ and Facebook incidents, it's not your data anymore

Mon, 22 Oct 2018 00:22:00 +0000

Josh and Kurt talk about the Google+ and Facebook data incidents. We don’t have any control over this data anymore. The incidents didn’t really affect the users because we have no idea who has access to it. We also touch on GDPR and what it could mean in this context.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_119_the_google_and_facebook_incidents_its_not_your_data_anymore.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 118 - Cloudflare's IPFS and onion service

Mon, 15 Oct 2018 01:39:00 +0000

Josh and Kurt talk about Cloudflare’s new IPFS and Onion services. One brings distributed blockchain files to the masses, the other lets you host your site on tor easily.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_118_cloudflares_ipfs_and_onion_service.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 117 - Will security follow Linus' lead on being nice?

Mon, 08 Oct 2018 00:01:00 +0000

Josh and Kurt talk about Linus’ effort to work on his attitude. What will this mean for security and IT in general?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_117_Will_security_follow_Linus_lead_on_being_nice.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Millions of unfixed security flaws is a lie

Mon, 01 Oct 2018 13:26:08 +0000

On a pretty regular basis I see claims that the public CVE dataset is missing some large number of security issues. I’ve seen ranges from tens of thousands all the way up to millions. The purpose behind such statements is to show that the CVE data is woefully incomplete. Of course almost everyone making that claim has a van filled with security issues and candy they’re trying very hard to lure us into. It’s a pretty typical sales tactic as old as time itself. Whatever you have today isn’t good enough, but what I have, holy cow it’s better. It’s so much better you better come right over and see for yourself. After you pay me of course.

Episode 116 - The future of the CISO with Michael Piacente

Mon, 01 Oct 2018 00:01:00 +0000

Josh and Kurt talk to Michael Piacente from Hitch Partners about the past, present, and future role of the CISO in the industry.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_116_The_future_of_the_CISO_with_Michael_Piacente.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 115 - Discussion with Brian Hajost from SteelCloud

Mon, 24 Sep 2018 00:02:00 +0000

Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it’s not that bad when it’s explained by someone with experience.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_115_Discussion_with_Brian_Hajost_from_SteelCloud.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 114 - Review of "Click Here to Kill Everybody"

Mon, 17 Sep 2018 00:13:00 +0000

Josh and Kurt review Bruce Schneier’s new book Click Here to Kill Everybody. It’s a book everyone could benefit from reading. It does a nice job explaining many existing security problems in a simple manner.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_114_review_of_click_here_to_kill_everybody.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Episode 113 - Actual real security advice

Mon, 10 Sep 2018 00:07:00 +0000

Josh and Kurt talk about actual real world advice. Based on a story about trying to secure political campaigns, if we had to give some security help what should it look like, who should we give it to?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_113_actual_real_security_advice.mp3

Show Notes

Security advice to Democrats
Our actual advice
- Don’t run your own services
- Email - Google or Microsoft
- Don’t’ use GPG
- Use a trusted device
- Use a password manager on a secure device
- Use 2FA
- Backups

Josh and Kurt talk about phishing training and how it doesn’t really matter. Josh spoke at OSCon and comes back with some fun observations and advice. People want practical actionable advice and we’re not good at that.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_109_OSCon_and_actionable_advice.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 108 - Bluetooth, phishing, airgaps, and eating soup off the floor

Mon, 06 Aug 2018 01:01:00 +0000

Josh and Kurt talk about the latest attack on bluetooth and discuss phishing in the modern world. U2F is a great way to stop phishing, training is not. We also discuss airgaps in response to attacks on airgapped power utilities.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_108_bluetooth_phishing_airgaps_and_eating_soup_off_the_floor.mp3

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_105_more_backdoors_in_open_source.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

The father of modern security: B. F. Skinner

Wed, 11 Jul 2018 13:43:00 +0000

A lot of what we call security is voodoo. Most of it actually.

What I mean with that statement is our security process is often based on ideas that don’t really work. As an industry we have built up a lot of ideas and processes that aren’t actually grounded in facts and science. We don’t understand why we do certain things, but we know that if we don’t do those things something bad will happen! Will it really happen? I heard something will happen. I suspect the answer is no, but it’s very difficult to explain this concept sometimes.

Episode 104 - The Gentoo security incident

Mon, 09 Jul 2018 00:14:00 +0000

Josh and Kurt talk about the Gentoo security incident. Gentoo did a really good job being open and dealing with the incident quickly. The basic takeaway from all this is make sure your organization is forcing users to use 2 factor authentication. The long term solution is going to be all identity providers forcing everyone to use 2FA.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_104_the_gentoo_security_incident.mp3

Show Notes

Join our Facebook Group

Episode 103 - The Seven Properties of Highly Secure Devices

Mon, 02 Jul 2018 02:13:00 +0000

Josh and Kurt talk about a Microsoft Research paper titled “The Seven Properties of Highly Secure Devices”. We take a real world view into how to secure our devices. What works, what doesn’t work, and why this list is actually really good.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_103_the_seven_properties_of_highly_secure_devices.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 102 - Michael Feiertag from tCell

Mon, 25 Jun 2018 00:35:00 +0000

Josh and Kurt talk to Michael Feiertag, the CEO of tCell. We talk about what a Web Application Firewall is, what it does and doesn’t do, and what the future of this technology looks like. We touch on how this affects a DevOps environment. Security has to fit into the existing model, not try to change it.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_102_michael_feiertag_from_tcell.mp3

Show Notes

Join our Facebook Group

Episode 101 - Our unregulated future is here to stay

Sun, 17 Jun 2018 23:56:00 +0000

Josh and Kurt talk about Bird scooters. The implications of the scooters on the city, segways, bicycles. The topic of how these vehicles interact with pedestrians on the road and trails. It’s an example of humans not wanting to follow the rules and generally making the situation annoying for everyone. It’s the old security story of new technology without clear rules. The show ends with some horrifying numbers behind how bad things get before people really care.

Episode 100 - You're bad at buying security, we can help!

Mon, 11 Jun 2018 01:30:00 +0000

Josh and Kurt talk about how to be a smart security buyer. We have guest Steve Mayzak walk us through how a the buying process works as well as giving out a ton of great advice. Even if you’re experienced with how to buy security technology you should give this a listen.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_100_your_bad_at_buying_solutions_we_can_help.mp3

Show Notes

Buyer training

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Security ROI isn't impossible, we suck at measuring

Tue, 05 Jun 2018 16:11:00 +0000

As of late I’ve been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you’re doing makes sense. By the very nature of business, some of the things we do have more value than other things. Some things even have negative value. If we don’t know which things are the most important, we’re just doing voodoo security.

Episode 99 - Consumer security is too broken to fix, and it doesn't matter

Mon, 04 Jun 2018 01:53:00 +0000

Josh and Kurt talk about a number of consumer security issues. The FBI told everyone to reboot their routers which they won’t do. The .app top level domain is a cesspool of malware. Everyone has a cell phone and won’t update them properly. None of this probably matters though. Unless there are real measurable tragedies caused by this tech, people tend not to really care.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_99_consumer_security_is_too_broken_to_fix_and_it_doesnt_matter.mp3

Show Notes

Josh and Kurt talk to a 7 year old about security. We cover Minecraft security, passwords, hacking, and many many other nuggets of wisdom.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-91_security_lessons_from_a_7_year_old.mp3

Show Notes

Wed, 07 Mar 2018 20:45:00 +0000

This week I’ve been thinking about how security people and non security people interact. Various conversations I have often end up with someone suggesting everyone needs some sort of security responsibility. My suspicion is this will never work. First some background to think about. In any organization there are certain responsibilities everyone has. Without using security as our specific example just yet, let’s consider how a typical building functions. You have people who are tasked with keeping the electricity working, the plumbing, the heating and cooling. Some people keep the building clean, some take care of the elevators. Some work in the building to accomplish some other task. If the company that inhabits the building is a bank you can imagine the huge number of tasks that take place inside.

Episode 86 - What happens when 23 thousand certificates leak?

Mon, 05 Mar 2018 22:05:00 +0000

Josh and Kurt talk about the Trustico certificate incident and Let’s Encrypt.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_86_What_happens_when_23_thousand_certificates_leak.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 85 - NPM ate my files

Wed, 28 Feb 2018 14:45:00 +0000

Josh and Kurt talk about npm 5.7.0 breaking Linux systems.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_85_npm_ate_my_files.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 84 - Have I been pwned?

Sun, 25 Feb 2018 20:09:00 +0000

Josh and Kurt talk about the new data dump from Have I been pwned?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_84_Have_I_been_pwned.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 83 - XKCD + CVE = XKCVE

Wed, 21 Feb 2018 00:08:00 +0000

Episode 56 - Devil's Advocate and other fuzzy topics

Tue, 18 Jul 2017 20:50:00 +0000

Josh and Kurt talk about forest fires, fuzzing, old time Internet, and Net Neutrality. Listen to Kurt play the Devil’s Advocate and manage to change Josh’s mind about net neutrality.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_56_-_Devils_advocate_and_other_fuzzy_topics.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 55 - Good docs ruin my story

Wed, 12 Jul 2017 13:56:00 +0000

Josh and Kurt talk about Let’s Encrypt, certificates, Kaspersky, A/V, code signing, Not Petya, self driving cars, and failures that become security problems.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/332865562-opensourcesecuritypodcast-episode-55-good-docs-ruin-my-story.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Who's got your hack back?

Sun, 09 Jul 2017 00:22:00 +0000

The topic of hacking back keeps coming up these days. There’s an attempt to pass a bill in the US that would legalize hacking back. There are many opinions on this topic, I’m generally not one to take a hard stand against what someone else thinks. In this case though, if you think hacking back is a good idea, you’re wrong. Painfully wrong.

Everything I’ve seen up to this point tells me the people who think hacking back is a good idea are either mistaken about the issue or they’re misleading others on purpose. Hacking back isn’t self defense, it’s not about being attacked, it’s not about protection. It’s a terrible idea that has no place in a modern society. Hacking back is some sort of stone age retribution tribal law. It has no place in our world.

Episode 54 - Turning into an old person

Tue, 04 Jul 2017 21:07:00 +0000

Josh and Kurt talk about Canada Day, Not Petya, Interac goes down, Minecraft, airport security and books, then GDPR.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/331564004-opensourcesecuritypodcast-episode-54-turning-into-an-old-person.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 53 - A plane isn't like a car

Wed, 28 Jun 2017 12:14:00 +0000

Josh and Kurt talk about security through obscurity, airplanes, the FAA, the Windows source code leak, and chicken sandwiches.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/330513530-opensourcesecuritypodcast-episode-53-a-plane-isnt-like-a-car.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

When in doubt, blame open source

Mon, 26 Jun 2017 00:54:00 +0000

If you’ve not read my previous post on thought leadership, go do that now, this one builds on it. The thing that really kicked off my thinking on these matters was this article:

Security liability is coming for software: Is your engineering team ready?

The whole article is pretty silly, but the bit about liability and open source is the real treat. There’s some sort of special consideration when you use open source apparently, we’ll get back to that. Right now there is basically no liability of any sort when you use software. I doubt there will be anytime soon. Liability laws are tricky, but the lawyers I’ve spoken with have been clear that software isn’t currently covered in most instances. The whole article is basically nonsense from that respect. The people they interview set the stage for liability and responsibility then seem to discuss how open source should be treated special in this context.

Episode 52 - You could have done it right, but you didn't

Tue, 20 Jun 2017 02:01:00 +0000

Josh and Kurt talk about the new Stack Clash flaw, Grenfell Tower, risk management, and backwards compatibility.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/328927519-opensourcesecuritypodcast-episode-52-you-could-have-done-it-right-but-you-didnt.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Thought leaders aren't leaders

Sun, 18 Jun 2017 02:15:00 +0000

For the last few weeks I’ve seen news stories and much lamenting on twitter about the security skills shortage. Some say there is no shortage, some say it’s horrible beyond belief. Basically there’s someone arguing every possible side of this. I’m not going to debate if there is or isn’t a worker shortage, that’s not really the point. A lot of complaining was done by people who would call themselves leaders in the security universe. I then read the below article and change my thinking up a bit.

Episode 51 - All about CVE

Mon, 12 Jun 2017 12:44:00 +0000

Josh and Kurt talk to Dan Adinolfi about CVE. Most anything you ever wanted to know about CVE is discussed.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/327688703-opensourcesecuritypodcast-episode-51-all-about-cve.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Humanity isn't proactive

Sun, 11 Jun 2017 21:51:00 +0000

I ran across this article about IoT security the other day

The US Needs to Get Serious About Securing the Internet of Hackable Things

I find articles like this frustrating for the simple fact everyone keeps talking about security, but nobody is going to do anything. If you look at the history of humanity, we’ve never been proactive when dealing with problems. We wait until things can’t get worse and the only actual option is to fix the problem. If you look at every problem there are at least two options. Option #1 is always “fix it”. Option #2 is ignore it. There could be more options, but generally we pick #2 because it’s the least amount of work in the short term. Humanity rarely cares about the long term implications of anything.

Episode 50 - This is a security podcast after all

Tue, 06 Jun 2017 21:25:00 +0000

Josh and Kurt discuss Futurama, tornadoes, sudo, encryption, hacking back, and something called an ombudsman. Also episode 50!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/326788036-opensourcesecuritypodcast-episode-50-this-is-a-security-podcast-after-all.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Free Market Security

Sun, 04 Jun 2017 21:04:00 +0000

I’ve been thinking about the concept of free market forces this weekend. The basic idea here is that the price of a good is decided by the supply and demand of the market. If the market demands something, the price will go up if there it’s in short supply. This is basically why the Nintendo Switch is still selling on eBay for more than it would cost in the store. There is a demand but there isn’t a supply. But back to security. Let’s think about something I’m going to call “free market security”. What if demand and supply was driving security? Or we can flip the question around, what if the market will never drive security?

Episode 49 - Testing software is impossible

Tue, 30 May 2017 22:39:00 +0000

Josh and Kurt discuss Samba, FTP sites, MSDOS, regulation, and the airplane laptop travel ban.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/325265404-opensourcesecuritypodcast-episode-49-testing-software-is-impossible.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Stealing from customers

Mon, 29 May 2017 21:59:00 +0000

I was having some security conversations last week and cybersecurity insurance came up as a topic. This isn’t overly unusual as it’s a pretty popular topic, but someone said something that really got me thinking.

What if the insurance covered the customers instead of the companies?

Now I understand that many cybersecurity insurance policies can cover some amount of customer damage and loss, but fundamentally the coverage is for the company that is attacked, customers who have data stolen will maybe get a year of free credit monitoring or some other token service. That’s all well and good, but I couldn’t help myself from thinking about this problem from another angle. Let’s think about insurance in the context of shoplifting. For this thought exercise we’re going to use a real store in our example, which won’t be exactly correct, but the point is to think about the problem, not get all the minor details correct.

You know how to fix enterprise patching? Please tell me more!!!

Mon, 22 May 2017 00:54:00 +0000

If you pay attention to Twitter at all, you’ve probably seen people arguing about patching your enterprise after the WannaCry malware. The short story is that Microsoft fixed a very serious security flaw a few months before the malware hit. That means there are quite a few machines on the Internet that haven’t applied a critical security update. Of course as you imagine there is plenty of back and forth about updates. There are two basic arguments I keep seeing.

Episode 48 - Machine Learning: Not actually magic

Sun, 21 May 2017 19:53:00 +0000

Josh and Kurt have a guest! Mike Paquette from Elastic discusses the fundamentals and basics of Machine Learning. We also discuss how ML could have helped with WannaCry.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/323810101-opensourcesecuritypodcast-episode-48-machine-learning-not-actually-magic.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 47 - WannaCry: Everything is basically broken

Sun, 14 May 2017 17:22:00 +0000

Josh and Kurt discuss the WannaCry worm.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/322577205-opensourcesecuritypodcast-episode-47-wannacry-everything-is-basically-broken.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 46 - Turns out I'm not a bad guy

Thu, 04 May 2017 20:38:00 +0000

Josh and Kurt discuss the recent Google phish attack.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/320997006-opensourcesecuritypodcast-episode-46-turns-out-im-not-a-bad-guy.mp3

Show Notes

Google phish spam
Mail from 2011 detailing attack
Links to OAuth permissions on major services

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Security like it's 2005!

Wed, 03 May 2017 12:29:00 +0000

I was reading the newspaper the other day (the real dead tree newspaper) and I came across an op-ed from my congressperson.

Gallagher: Cybersecurity for small business

It’s about what you’d expect but comes with some actionable advice! Well, not really. Here it is so you don’t have to read the whole thing.

Businesses can start by taking some simple and relatively inexpensive steps to protect themselves, such as:
» Installing antivirus, threat detection and firewall software and systems.
» Encrypting company data and installing security patches to make sure computers and servers are up to date.
» Strengthening password practices, including requiring the use of strong passwords and two-factor authentication.
» Educating employees on how to recognize an attempted attack, including preparing rapid response measures to mitigate the damage of an attack in progress or recently completed.

Episode 42 - Hitchhiker's Guide to Security

Thu, 13 Apr 2017 12:13:00 +0000

Josh and Kurt discuss the security themes and events in the context of the HHGG movie.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/317490724-opensourcesecuritypodcast-episode-42-hitchhikers-guide-to-security.mp3

Show Notes

HHGG Movie (2005)

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Inverse Law of CVEs

Thu, 23 Mar 2017 23:26:00 +0000

I’ve started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn’t anything overly clever, it’s fun to do. And I get to make pretty graphs, which everyone likes to look at.

I stuck a few of my early results on Twitter because it seemed like a fun thing to do. One of the graphs I put up was comparing the 3 BSDs. The image is below.

Episode 38 - We Ruin Everything

Wed, 22 Mar 2017 01:34:00 +0000

Josh and Kurt discuss disclosing your password, pwn2own, wikileaks, Back Orifice, HTTPS inspection, and antivirus.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/313701429-opensourcesecuritypodcast-episode-38-we-ruin-everything.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Security, Consumer Reports, and Failure

Sun, 12 Mar 2017 21:03:00 +0000

Last week there was a story about Consumer Reports doing security testing of products.

Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security

As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reason to pick on these guys. They’re quite brave to take this task on, it’s nearly impossible if you think about the state of security (especially consumer security). But this is how things start. There is no industry that has gone from broken to perfect in one step. It’s a long hard road when you have to deal with systemic problems in an industry. Consumer product security problems may be larger and more complex than any other industry has ever had to solve thanks to things such as globalization and how inexpensive tiny computers have become.

Episode 37 - Your bathtub is more dangerous than a shark

Thu, 09 Mar 2017 00:40:00 +0000

Josh and Kurt discuss how the Vault 7 leaks shows we live in the Neuromancer world, and this is likely the new normal.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/311442678-opensourcesecuritypodcast-episode-37-your-bathtub-is-more-dangerous-than-a-shark.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 36 - A Good Enough Podcast

Sun, 05 Mar 2017 18:48:00 +0000

Josh and Kurt discuss an IoT bear, Alexa and Siri, Google’s E2Email and S/MIME.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/310851037-opensourcesecuritypodcast-episode-36-a-good-enough-podcast.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

What the Oscars can teach us about security

Thu, 02 Mar 2017 19:05:00 +0000

If you watched the 89th Academy Awards you saw a pretty big mistake at the end of the show, the short story is Warren Beatty was handed the wrong envelope, he opened it, looked at it, then gave it to Faye Dunaway to read, which she did. The wrong people came on stage and started giving speeches, confused scrambling happened, and the correct winner was brought on stage. No doubt this will be talked about for many years to come as one of the most interesting and exciting events in the history of the awards ceremony.

Episode 35 - Crazy Cosmic Accident

Tue, 28 Feb 2017 03:04:00 +0000

Josh and Kurt discuss SHA-1 and cloudbleed. Bug bounties come up, we compare security to the Higgs boson, and IPv6 comes up at the end.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/309898784-opensourcesecuritypodcast-episode-35-crazy-cosmic-accident.mp3

Sun, 12 Feb 2017 15:00:00 +0000

If I demand you jump off the roof and fly, and you say no, can I call you a defeatist? What would you think? To a reasonable person it would be insane to associate this attitude with being a defeatist. There are certain expectations that fall within the confines of reality. Expecting things to happen outside of those rules is reckless and can often be dangerous.

Yet in the universe of cybersecurity we do this constantly. Anyone who doesn’t pretend we can fix problems is a defeatist and part of the problem. We just have to work harder and not claim something can’t be done, that’s how we’ll fix everything! After being called a defeatist during a discussion, I decided to write some things down. We spend a lot of time trying to fly off of roofs instead of looking for practical realistic solutions for our security problems.

Episode 32 - Gambling as a Service

Wed, 08 Feb 2017 01:35:00 +0000

Josh and Kurt discuss random numbers, a lot. Also slot machines, gambling, and dice.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/306639696-opensourcesecuritypodcast-episode-32-gambling-as-a-service.mp3

Show Notes

Show tags:

#random
#prng

Episode 28 - RSA Conference 2017

Thu, 19 Jan 2017 14:00:00 +0000

Josh and Kurt discuss their involvement in the upcoming 2017 RSA conference: Open Source, CVEs, and Open Source CVE. Of course IoT and encryption manage to come up as topics.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/303432626-opensourcesecuritypodcast-episode-28-rsa-conference-2017.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

What does security and USB-C have in common?

Mon, 16 Jan 2017 18:26:00 +0000

I’ve decided to create yet another security analogy! You can’t tell, but I’m very excited to do this. One of my long standing complaints about security is there are basically no good analogies that make sense. We always try to talk about auto safety, or food safety, or maybe building security, how about pollution. There’s always some sort of existing real world scenario we try warp and twist in a way so we can tell a security story that makes sense. So far they’ve all failed. The analogy always starts out strong, then something happens that makes everything fall apart. I imagine a big part of this is because security is really new, but it’s also really hard to understand. It’s just not something humans are good at understanding.

Episode 27 - Prove to me you are human

Mon, 16 Jan 2017 15:45:00 +0000

Josh and Kurt discuss NTP, authentication issues, network security, airplane security, AI, and Minecraft.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/302981179-opensourcesecuritypodcast-episode-27-prove-to-me-you-are-human.mp3

Show Notes

Join our Facebook Group

Comment on Twitter with the #osspodcast hashtag

Episode 26 - Tell your sister, Stallman was right

Thu, 12 Jan 2017 14:03:00 +0000

Josh and Kurt end up discussing video game speed running, which is really just hacking. We also end up discussing the pitfalls of the modern world where you don’t own your software or services. Stallman was right!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/302260581-opensourcesecuritypodcast-episode-26-tell-your-sister-stallman-was-right.mp3

Show Notes

Episode 25 - The future is now

Tue, 10 Jan 2017 14:00:00 +0000

Josh and Kurt end up discussing CES, IoT, WiFi everywhere, and the future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/301707567-opensourcesecuritypodcast-episode-25-the-future-is-now.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Security Advice: Bad, Terrible, or Awful

Mon, 09 Jan 2017 15:30:00 +0000

As an industry, we suck at giving advice. I don’t mean this in some negative hateful way, it’s just the way it is. It’s human nature really. As a species most of us aren’t very good at giving or receiving advice. There’s always that vision of the wise old person dropping wisdom on the youth like it’s candy. But in reality they don’t like the young people much more than the young people like them. Ever notice the contempt the young and old have for each other? It’s just sort of how things work. If you find someone older and wiser than you who is willing to hand out good advice, stick close to that person. You won’t find many more like that.

Looks like you have a bad case of embedded libraries

Episode 21 - CVE 10K Extravaganza

Wed, 21 Dec 2016 14:14:00 +0000

Josh and Kurt talk about CVE 10K. CVE IDs have finally crossed the line, we need 5 digits to display them. This has never happened before now.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/298898472-opensourcesecuritypodcast-episode-21-cve-10k-extravaganza.mp3

Show Notes

Comment on Twitter with the #osspodcast hashtag

Does "real" security matter?

Mon, 19 Dec 2016 18:45:00 +0000

As the dumpster fire that is 2016 crawls to the finish line, we had another story about a massive Yahoo breach. 1 billion user accounts had data stolen. Just to give some context here, that has to be hundreds of gigabytes at an absolute minimum. That’s a crazy amount of data.

And nobody really cares.

Sure, there is some noise about all this, but in a week or two nobody will even remember. There has been a similar story to this about every month all year long. Can you even remember any of them? The stock market doesn’t, basically everyone who has ever had a crazy breach hasn’t seen a long term problem with their stock. Sure there will be a blip where everyone panics for a few days, then things go back to normal.

3589 x1.32large instances (1952 gigs ram)

holds 7 petabytes of data in memory

Episode 17 - Cyphercon Interview with Korgo

Tue, 06 Dec 2016 14:07:00 +0000

Josh and Kurt talk to Michael Goetzman about Cyphercon

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/296503873-opensourcesecuritypodcast-episode-17-cyphercon-interview-with-korgo.mp3

Show Notes

Comment on Twitter

Airports, Goats, Computers, and Users

Sun, 04 Dec 2016 17:17:00 +0000

Last week I had the joy traveling through airports right after the United States Thanksgiving holiday. Now I don’t know how many of you have ever tried to travel the week after Thanksgiving but it’s kind of crazy, there are a lot of people, way more than usual, and a significant number of them have probably never been on an airplane or if they travel by air they don’t do it very often. The joke I like to tell people is that there are folks at the airport wondering why they can’t bring their goat onto the airplane. I’m not going to use this post to discuss the merits of airport security (that’s a whole different conversation), it’s really about coexisting with existing security systems.

Episode 16 - Cat and mouse

Fri, 02 Dec 2016 20:50:00 +0000

Josh and Kurt talk about cybercrime and regulation.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/295920212-opensourcesecuritypodcast-episode-16-cat-and-mouse.mp3

Show Notes

Show Notes

Comment on Twitter

Security is in the same leaky boat as the sysadmins

Mon, 31 Oct 2016 00:39:00 +0000

Sysadmins used to rule the world. Anyone who’s been around for more than a few years remembers the days when whatever the system administrator wanted, the system administrator got. They were the center of the business. Without them nothing would work. They were generally super smart and could quite often work magic with what they had. It was certainly a different time back then.

Now developers are king, the days of the sysadmin have waned. The systems we run workloads on are becoming a commodity, you either buy a relatively complete solution, or you just run it in the cloud. These days most anyone using technology for their business relies on developers instead of sysadmins.

Episode 10 - The super botnet that nobody can stop

Mon, 24 Oct 2016 21:25:00 +0000

Kurt and Josh discuss Dirty COW, the big IoT DDoS, and Josh can’t pronounce Mirai or Dyn.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/289791587-opensourcesecuritypodcast-episode-10-the-super-botnet-that-nobody-can-stop.mp3

Show Notes

Comment on Twitter

Everything you know about security is wrong

Sun, 23 Oct 2016 22:21:00 +0000

If I asked everyone to tell me what security is, what do you do about it, and why you do it. I wouldn’t get two answers that were the same. I probably wouldn’t even get two that are similar. Why is this? After recording Episode 9 of the Open Source Security Podcast I co-host, I started thinking about measuring a lot. It came up in the podcast in the context of bug bounties, which get exactly what they measure. But do they measure the right things? I don’t know the answer, nor does it really matter. It’s just important to keep this in mind as in any system, you will get exactly what you measure.

IoT Can Never Be Fixed

Sat, 22 Oct 2016 02:32:00 +0000

This title is a bit click baity, but it’s true, not for the reason you think. Keep reading to see why.

If you’ve ever been involved in keeping a software product updated, I mean from the development side of things, you know it’s not a simple task. It’s nearly impossible really. The biggest problem is that even after you’ve tested it to death and gone out of your way to ensure the update is as small as possible, things break. Something always breaks.

Episode 9 - Are bug bounties measuring the wrong things?

Tue, 18 Oct 2016 22:00:00 +0000

Kurt and Josh discuss responsible disclosure, irresponsible disclosure, bug bounties, measuring security, usability AND security, as well as quality of life.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/288890601-opensourcesecuritypodcast-episode-9-are-bug-bounties-measuring-the-wrong-things.mp3

Show Notes

Comment on Twitter

Can I interest you in talking about Security?

Mon, 17 Oct 2016 14:00:00 +0000

I had a discussion last week with some fellow security folks about how we can discuss security with normal people. If you pay attention to what’s going on, you know the security people and the non security people don’t really communicate well. We eventually made our way to comparing what we do to the door to door religious groups. They’re rarely seen in a positive light, are usually annoying, and only seem to show up when it’s most inconvenient. This got me thinking, we probably have more in common there than we want to admit, but there are also some lessons for us.

Episode 8 - The primality of prime numbers

Tue, 11 Oct 2016 23:33:00 +0000

Kurt and Josh discuss prime numbers (probably getting a lot of it wrong), Samsung, passwords, National Cyber Security Awareness Month, and bathroom scales.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/287233537-opensourcesecuritypodcast-episode-8-the-primality-of-prime-numbers.mp3

Show Notes

Comment on Twitter

Episode 7 - More Powerful than root!

Mon, 03 Oct 2016 21:05:00 +0000

Kurt and Josh discuss the ORWL computer, crashing systemd with one line, NIST, and a security journal.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285901909-opensourcesecuritypodcast-episode-7-more-powerful-than-root.mp3

Show Notes

Comment on Twitter

Impossible is impossible!

Mon, 03 Oct 2016 14:00:00 +0000

Sometimes when you plan for a security event, it would be expected that the thing you’re doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I’m here to tell you it’s impossible to make something impossible.

Episode 6 - Foundational Knowledge of Security

Thu, 29 Sep 2016 19:03:00 +0000

Kurt and Josh discuss interesting news stories

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285305681-opensourcesecuritypodcast-episode-6-foundational-knowledge-of-security.mp3

Show Notes

Comment on Twitter

Episode 5 - OpenSSL: The library we deserve

Thu, 29 Sep 2016 00:39:00 +0000

Kurt and Josh discuss the recent OpenSSL update(s)

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285193058-opensourcesecuritypodcast-episode-5-openssl-the-library-we-deserve.mp3

Show Notes

Comment on Twitter

Who left all this fire everywhere?

Mon, 26 Sep 2016 14:00:00 +0000

If you’re paying attention, you saw the news about Yahoo’s breach. Five hundred million accounts. That’s a whole lot of data if you think about it. But here’s the thing. If you’re a security person, are you surprised by this? If you are, you’ve not been paying attention.

It’s pretty well accepted that there are two types of large infrastructures. Those who know they’ve been hacked, and those who don’t yet know they’ve been hacked. Any group as large as Yahoo probably has more attackers inside their infrastructure than anyone really wants to think about. This is certainly true of every single large infrastructure and cloud provider and consumer out there. Think about that for a little bit. If you’re part of a large infrastructure, you have threat actors inside your network right now, probably more than you think.

Episode 4 - Dead squirrel in a box

Wed, 21 Sep 2016 03:24:00 +0000

Josh and Kurt discuss news of the day, shipping, and container security

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/283885003-opensourcesecuritypodcast-episode-4-dead-squirrel-in-a-box.mp3

Show Notes

Comment on Twitter

Is dialup still an option?

Tue, 20 Sep 2016 13:00:00 +0000

TL;DR - No.

Here’s why.

I was talking with my Open Source Security Podcast co-host Kurt Seifried about what it would be like to access the modern Internet using dialup. So I decided to give this a try. My first thought was to find a modem, but after looking into this, it isn’t really an option anymore.

The setup

No Modem
Fedora 24 VM
Firefox as packaged with Fedora 24
Use the firewall via wondershaper to control the network speed
“App Telemetry” firefox plugin to time the site load time

I know it’s not perfect, but it’s probably close enough to get a feel for what’s going on. I understand this doesn’t exactly recreate a modem experience with details like compression, latency, and someone picking up the phone during a download. There was nothing worse than having that 1 megabyte download at 95% when someone decided they needed to make a phone call. Call waiting was also a terrible plague.

Why do we do security?

Sun, 18 Sep 2016 20:56:00 +0000

I had a discussion last week that ended with this question. “Why do we do security”. There wasn’t a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can’t come up with a simple answer. It’s probably part of the problems you see in infosec.

The purpose of security isn’t just to be “secure”, it’s to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense.

Episode 3 - The Lockpicking Sewing Circle

Tue, 13 Sep 2016 19:55:00 +0000

Josh and Kurt discuss news of the day, banks, 3D printing, and lockpicking.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/282763713-opensourcesecuritypodcast-episode-3-the-lockpicking-sewing-circle.mp3

Show Notes

Comment on Twitter

On Experts

Mon, 12 Sep 2016 14:00:00 +0000

Are you an expert? Do you know an expert? Do you want to be an expert?

This came up for me the other day while having a discussion with a self proclaimed expert. I’m not going to claim I’m an expert at anything, but if you tell me all about how good you are, I’m not going to take it at face value. I’m going to demand some proof. “Trust me” isn’t proof.

Episode 2 - Instills the proper amount of fear

Wed, 07 Sep 2016 00:28:00 +0000

Josh and Kurt discuss how open source security works.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281731016-opensourcesecuritypodcast-episode-2-instills-the-proper-amount-of-fear.mp3

Show Notes

Comment on Twitter

Episode 1 - Rich History of Security Flaws

Wed, 07 Sep 2016 00:24:00 +0000

Josh and Kurt discuss their first podcast as well as random bits about open source security.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281712199-opensourcesecuritypodcast-episode-1-rich-history-of-security-flaws.mp3

Show Notes

Comment on Twitter

You can't weigh risk if you don't know what you don't know

Tue, 06 Sep 2016 14:00:00 +0000

There is an old saying we’ve all heard at some point. It’s often attributed to Donald Rumsfeld.

There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know

If any of us have ever been in a planning meeting, a variant of this has no doubt come up at some point. It came up for me last week, and every time I hear it I think about all things we don’t know we don’t know. If you’re not familiar with the concept, it works a bit like this. I know I don’t know to drive a boat. But because I know I don’t know this, I could learn. If you know you lack certain knowledge, you could find a way to learn it. If you don’t know what you don’t know, there is nothing you can do about it. The future is often an unknown unknown. There is nothing we can do about the future in many instances, you just have to wait until it becomes a known, and hope it won’t be anything too horrible. There can also be blindness when you think you know something, but you really don’t. This is when people tend to stop listening to the actual experts because they think they are an expert.

How do we explain email to an "expert"?

Mon, 29 Aug 2016 14:00:00 +0000

This has been a pretty wild week, more wild than usual I think we can all agree. The topic I found the most interesting wasn’t about one of the countless 0day flaws, it was a story from Slate titled: In Praise of the Private Email Server

The TL;DR says running your own email server is a great idea. Almost everyone came out proclaiming it a terrible idea. I agree it’s a terrible idea, but this also got me thinking. How do you explain this to someone who doesn’t really understand what’s going on?

The cost of mentoring, or why we need heroes

Sun, 21 Aug 2016 23:07:00 +0000

Earlier this week I had a chat with David A. Wheeler about mentoring. The conversation was fascinating and covered many things, but the topic of mentoring really got me thinking. David pointed out that nobody will mentor if they’re not getting paid. My first thought was that it can’t be true! But upon reflection, I’m pretty sure it is.

I can’t think of anyone I mentored where a paycheck wasn’t involved. There are people in the community I’ve given advice to, sometimes for an extended period of time, but I would hesitate to claim I was a mentor. Now I think just equating this to a paycheck would be incorrect and inaccurate. There are plenty of mentors in other organizations that aren’t necessarily getting a paycheck, but I would say they’re getting paid in some sense of the word. If you’re working with at risk youth for example, you may not get paid money, but you do have satisfaction in knowing you’re making a difference in someone’s life. If you mentor kids as part of a sports team, you’re doing it because you’re getting value out of the relationship. If you’re not getting value, you’re going to quit.

Can't Trust This!

Mon, 15 Aug 2016 14:20:00 +0000

Last week saw a really interesting bug in TCP come to light. CVE-2016-5696 describes an issue in the way Linux deals with challenge ACKs defined in RFC 5961. The issue itself is really clever and interesting. It’s not exactly new but given the research was presented at USENIX, it suddenly got more attention from the press.

The researchers showed themselves injecting data into a standard http connection, which is easy to understand and terrifying to most people. Generally speaking we operate in a world where TCP connections are mostly trustworthy. It’s not true if you have a “man in the middle”, but with this bug you don’t need a MiTM if you’re using a public network, which is horrifying.

We're figuring out the security problem (finally)

Mon, 08 Aug 2016 13:17:00 +0000

If you attended Black Hat last week, the single biggest message I kept hearing over and over again is that what we do today in the security industry isn’t working. They say the first step is admitting you have a problem (and we have a big one). Of course it’s easy to proclaim this, if you just look at the numbers it’s pretty clear. The numbers haven’t really ever been in our favor though, we’ve mostly ignored them in the past, I think we’re taking real looks at them now.

Everyone has been hacked

Mon, 01 Aug 2016 14:00:00 +0000

Unless you live in a cave (if you do, I’m pretty jealous) you’ve heard about all the political hacking going on. I don’t like to take sides, so let’s put aside who is right or wrong and use it as a lesson in thinking about how we have to operate in what is the new world.

In the past, there were ways to communicate that one could be relatively certain was secure and/or private. Long ago you didn’t write everything down. There was a lot of verbal communication. When things were written down there was generally only one copy. Making copies of things was hard. Recording communications was hard. Even viewing or hearing many of these conversations if you weren’t supposed to was hard. None of this is true anymore, it hasn’t been true for a long time, yet we still act like what we do is just fine.

Using a HooToo Nano as a magic VPN box

Mon, 18 Jul 2016 14:56:00 +0000

I’ve been getting myself ready for Blackhat. If you’re going you know this conference isn’t like most. You don’t bring your normal gear with you. You turn the tinfoil hat knob up to an 11, then keep turning it until it breaks off. I did do one thing that’s pretty clever this year though, I have no doubt it could be useful for someone else putting together an overengineered tin foil hat security rig.

Entry level AI

Mon, 11 Jul 2016 13:57:00 +0000

I was listening to the podcast Security Weekly and the topic of using AI For security work came up. This got me thinking about how most people make their way into security and what something like AI might mean for the industry.

In virtually every industry you start out doing some sort of horrible job nobody else wants to do, but you have to start there because it’s the place you start to learn the skills you need for more exciting and interesting work. Nobody wants to go over yesterday’s security event log, but somebody does it.

But I have work to do!

Tue, 05 Jul 2016 12:21:00 +0000

There’s a news story going around that talks about how horrible computer security tends to be in hospitals. This probably doesn’t surprise anyone who works in the security industry, security is often something that gets in the way, it’s not something that helps get work done.

There are two really important lessons we should take away from this. The first is that a doctor or nurse isn’t a security expert, doesn’t want to be a security expert, and shouldn’t be a security expert. Their job is helping sick people. We want them helping sick people, especially if we’re the people who are sick. The second is that when security gets in the way, security loses. Security should lose when it gets in the way, we’ve been winning far too often and it’s critically damaged the industry.

The future of security

Mon, 27 Jun 2016 15:35:00 +0000

The Red Hat Summit is happening this week in San Francisco. It’s a big deal if you’re part of the Red Hat universe, which I am. I’m giving the Red Hat security roadmap talk this year. The topic has me thinking about the future of security quite a lot. It’s easy to think about this in the context of an organization like Red Hat, we have a lot of resources, and there are a lot of really interesting things happening. Everything from container security, to operating system security, to middleware security. My talk will end up youtube at some point, I’ll link to it, but I also keep thinking about the bigger picture. Where will security be in the next 5, 10, 15 years?

Decentralized Security

Mon, 20 Jun 2016 13:35:00 +0000

If you’re a fan of the cryptocurrency projects, you’ve heard of something called Ethereum. It’s similar to bitcoin, but is a seperate coin. It’s been in the news lately due to an attack on the currency. Nobody is sure how this story will end at this point, there are a few possible options, none are good. This got me thinking about the future of security, there are some parallels when you compare traditional currency to crypto currency as well as where we see security heading (stick with me here).

Ready to form Voltron! why security is like a giant robot make of lions

Mon, 13 Jun 2016 14:00:00 +0000

Due to various conversations about security this week, Voltron came up in the context of security. This is sort of a strange topic, but it makes sense when we ponder modern day security. If you talk to anyone, there is generally one thing they push as a solution for a problem. This is no different for security technologies. There is always one thing that will fix your problems. In reality this is never the case. Good security is about putting a number of technologies together to create something bigger and better than any one thing can do by itself.

Is there a future view that isn't a security dystopia?

Mon, 06 Jun 2016 14:00:00 +0000

I recently finished reading the book Ghost Fleet, it’s not a bad read if you’re into what cyberwar could look like. It’s not great though, I won’t suggest it as the book of the summer. The biggest thing I keep thinking about is I’ve yet to really see any sort of book that takes place in the future, with a focus on technology, that isn’t a dystopian warning. Ghost Fleet is no different.

Regulation can fix security, except you can't regulate security

Sun, 29 May 2016 23:07:00 +0000

Every time I start a discussion about how we can solve some of our security problems it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry, I’m not sure they work for security. First let’s talk about why regulation usually works, then, why it won’t work for security.

What is regulation?
You may not know it, but you deal with regulated industries every day. The food we eat, the cars we drive, the buildings we use, the roads, our water, products we buy, phones, internet, banks; there are literally too many to list. The reasons for the regulation vary greatly, but at the end of the day it’s a nice way to use laws to protect society. It doesn’t always directly protect people, sometimes it protects the government, or maybe even a giant corporation, but the basic idea is because of the regulation society is a better place. There are plenty of corner cases but for now let’s just assume the goal is to make the world a better place.

Thoughts on our security bubble

Mon, 23 May 2016 00:23:00 +0000

Last week I spent time with a lot of normal people. Well, they were all computer folks, but not the sort one would find in a typical security circle. It really got me thinking about the bubble we live in as the security people.

There are a lot of things we take for granted. I can reference Dunning Kruger and “turtles all the way down” and not have to explain myself. If I talk about a buffer overflow, or most any security term I never have to explain what’s going on. Even some of the more obscure technologies like container scanners and SCAP don’t need but a few words to explain what happens. It’s easy to talk to security people, at least it’s easy for security people to talk to other security people.

Security will fix itself, eventually

Sun, 15 May 2016 23:06:00 +0000

If you’re in the security industry these days things often don’t look very good. Everywhere you look it sometimes feels like everything is on fire. The joke is there are two types of companies, those that know they’ve been hacked and those that don’t. The world of devices looks even worse. They’re all running old software, most will never see updates, most of the people building the things don’t know or care about proper security, most people buying them don’t know this is a problem.

Security isn't a feature, it's a part of everything

Sun, 08 May 2016 23:08:00 +0000

Almost every industry goes through a time when new novel features are sold as some sort of add on or extra product. Remember needing a TCP stack? What about having to buy a sound card for your computer, or a CD drive? (Does anyone even know what a CD is anymore?) Did you know that web browsers used to cost money? Times were crazy.

Let’s think about security now. There is a lot of security that’s some sort of add on, or maybe a separate product. Some of this is because it’s a clever idea, some things exist because people are willing to pay for it even if it should be included. No matter what we’re talking about, there is always a march toward commoditization. This is how Linux took over the universe, the operating system is a commodity now, it’s all about how you put things together using things like containers and devops and cloud.

Trusting, Trusting Trust

Sun, 01 May 2016 23:04:00 +0000

A long time ago Ken Thompson wrote something called Reflections on Trusting Trust. If you’ve never read this, go read it right now. It’s short and it’s something everyone needs to understand. The paper basically explains how Ken backdoored the compiler on a UNIX system in such a way it was extremely hard to get rid of the backdoors (yes, more than one). His conclusion was you can only trust code you wrote. Given the nature of the world today, that’s no longer an option.

Can we train our way out of security flaws?

Sun, 24 Apr 2016 23:07:00 +0000

I had a discussion with some people I work with smarter than myself about training developers. The usual training suggests came up, but at the end of the day, and this will no doubt enrage some of you, we can’t train developers to write secure code.

It’s OK, my twitter handle is @joshbressers, go tell me how dumb I am, I can handle it.

So anyhow, training. It’s a great idea in theory. It works in many instances, but security isn’t one of them. If you look at where training is really successful it’s for things like how to use a new device, or how to work with a bit of software. Those are really single purpose items, that’s the trick. If you have a device that really only does one thing, you can train a person how to use it; it has a finite scope. Writing software has no scope. To quote myself from this discussion:

Software end of life matters!

Sun, 17 Apr 2016 20:33:00 +0000

Anytime you work on a software project, the big events are always new releases. We love to get our update and see what sort of new and exciting things have been added. New versions are exciting, they’re the result of months or years of hard work. Who doesn’t love to talk about the new cool things going on?

There’s a side of software that rarely gets talked about though, and honestly in the past it just wasn’t all that important or exciting. That’s the end of life. When is it time to kill off the old versions. Or sometimes even kill an entire project. When you do, what happens to the people using it? These are hard things to decide, there aren’t good answers usually, it’s just not a topic we’re good at yet.

What happened with Badlock?

Tue, 12 Apr 2016 22:07:00 +0000

Unless you live under a rock, you’ve heard of the Badlock security issue. It went public on April 12. Then things got weird.

I wrote about this a bit in a previous post. I mentioned there that this better be good. If it’s not, people will get grumpy. People got grumpy.

The thing is, this is a nice security flaw. Whoever found it is clearly bright, and if you look at the Samba patchset, it wasn’t trivial to fix. Hats off to those two groups.

Cybersecurity education isn't good, nobody is shocked

Sun, 10 Apr 2016 20:24:00 +0000

There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won’t be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security.

Every now and then I run across someone claiming that our training and education is going great. Sometimes I believe them for a few seconds, then I remember the state of things. Here’s the thing. While there is a lot of good training and education opportunities. The ratio between competent security people and developers is without doubt going down. Software engineering positions are growing at more than double the rate of other positions. By definition it’s significantly harder to educate a security person, the math says there’s a problem here (this disregards the fact that as an industry we do a horrible job of passing on knowledge).

Security is really about Risk vs Reward

Sun, 03 Apr 2016 21:16:00 +0000

Every now and then the conversation erupts about what is security really? There’s the old saying that the only secure computer is one that’s off (or fill in your favorite quote here, there are hundreds). But the thing is, security isn’t the binary concept: you can be secure, or insecure. That’s not how anything works. Everything is a sliding scale, you are never secure, you are never insecure. You’re somewhere in the middle. Rather than bumble around about your risk though, you need to understand what’s going on and plan for the risk.

Ransomware is scary, but not for the reasons you think it is

Tue, 29 Mar 2016 12:29:00 +0000

If you’ve been paying any attention for the past few weeks, you know what ransomware is. It’s a pretty massive pain for anyone who gets it, and in some cases, it was a matter of life and death.

It’s easy to understand what makes this stuff scary, but there’s another angle most haven’t caught on to yet, and it’s not a pleasant train of thought.

Firstly, let’s consider a few thing.

I'm going to do something really cool in 3 weeks! ... Probably.

Wed, 23 Mar 2016 22:38:00 +0000

If you pay attention to the security news, there is something coming called Badlock. It just set off a treasure hunt for security flaws in Samba. Rather than link to the web site (I’d rather not support this sort of behavior), let’s think about this as reasonable people.

I can imagine three possible outcomes to the events that have been set in motion.

On April 12 a truly impressive security flaw will be disclosed. We will all be impressed.
Someone will figure this out before April 12, they have no incentive to act responsibly and will publish what the know right away, better to be first than to be right!
Whatever happens on April 12 won’t be nearly as interesting or exciting as we’ve been led to believe. The world will say a collective ‘meh’ and we’ll go back to looking at pictures of cats.

Numbers 1 and 2 rely on the flaw being quite serious. If it is serious, I suspect there is a far greater chance of #2 happening than #1. As an industry we should hope for #3, we don’t need more terrible flaws.

Everything is fine, nothing to see here!

Sun, 20 Mar 2016 22:26:00 +0000

As anyone who reads this blog knows, I’ve been talking about soft skills in security for quite some time now. I’m willing to say it’s one of our biggest issues at the moment, a point which I get a lot of disagreement on. I have sympathy for anyone who thinks this stuff doesn’t matter, I used to be there. Until I had to start talking to people. As soon as you talk to most anyone outside the security echo chamber, you see what’s actually going on, and it’s not great.

Containers are like sandwiches

Sun, 13 Mar 2016 22:00:00 +0000

During the RSA conference, I was talking about containers and it occurred to me we can think about them like a sandwich. Not so much that they’re tasty, but rather where does your container come from. I was pleased that almost all of the security people I spoke with understand the current security nightmare containers are. The challenge of course is how do we explain what’s going on to everyone else. Securtiy is hard and we’re bad at talking about it. They also didn’t know what Red Hat was doing, which is totally our own fault, but we’ll talk about that somewhere else.

The interesting things from RSA are what didn't happen, and containers are sandwiches

Mon, 07 Mar 2016 01:09:00 +0000

The RSA conference is done. It was a very long and busy show, there were plenty of interesting people there and lots of clever ideas and things to do.

I think the best part is what didn’t happen though. We love talking about the exciting things from the show, I’m going to talk about the unexciting non events I was waiting to happen (but thankfully they did not).

The DROWN issue came and went. It wasn’t very exciting, it got the appropriate amount of attention. Basically SSLv2 is still broken, don’t use it for any reasons. If you use SSLv2, it’s like licking the handrail at the airport. Nobody is going to feel bad for you.

Let's talk about soft skills at RSA, plus some other things

Mon, 29 Feb 2016 02:10:00 +0000

It’s been no secret that I think the lack of soft skills in the security space is one of our biggest problems. While usually I usually only write all about the world’s problems and how to fix them here, during RSA I’m going to take a somewhat different approach.

I’m giving a talk on Friday titled Why Won’t Anyone Listen to Us?

I’m going to talk about how a security person can talk to a normal person without turning them against us. We’re a group that doesn’t like talking to anyone, even each other. We need to start talking to people. I’m not saying we should stand around and accept abuse, I am saying the world wants help with security. We’re not really in a place to give it because we don’t like people. But they need our help, most of them know it even!

Thinking about glibc and Heartbleed, how do fix things

Tue, 23 Feb 2016 13:14:00 +0000

After my last blog post Change direction, increase speed! (or why glibc changes nothing) it really got me thinking about how can we start to fix some of this. The sad conclusion is that nothing can be fixed in the short term. Rather than trying to make up some nonsense about how to fix this, I want to explain what’s happening and why this can’t be fixed anytime soon.

Let’s look at Heartbleed first.

Change direction, increase speed! (or why glibc changes nothing)

Sun, 21 Feb 2016 22:49:00 +0000

The glibc issue has had me thinking. What will we learn from this?

I’m pretty sure the answer is “nothing”, which then made me wonder why this is.

The conclusion I came up with is we are basically the aliens from space invaders. Change direction, increase speed! While this can give the appearance of doing something, we are all very busy all the time. It’s not super useful when you really think about it. Look at Shellshock, Heartbleed, GHOST, LOGJAM, Venom, pick an issue with a fancy name. After the flurry of news stories and interviews, did anything change, or did everyone just go back to business as usual? Business as usual pretty much.

glibc for humans

Fri, 19 Feb 2016 01:36:00 +0000

Unless you’ve been living under a rock, you’ve heard about the latest glibc issue.
CVE-2015-7547 - glibc stack-based buffer overflow in getaddrinfo()

It’s always hard to understand some of these issues, so I’m going to do my best to explain it using simple language. Making security easy to understand is something I’ve been talking about for a long time now, it’s time to do something about it.

What is it?
The fundamental problem here is that glibc has a bug that could allow a DNS response from an attacker to run the command of that attacker’s choosing on your system. The final goal of course would be to become the root user.

Does the market care about security?

Sun, 31 Jan 2016 23:22:00 +0000

I had some discussions this week about security and the market. When I say the market I speak of what sort of products will people or won’t people buy based on some requirements centered around security. This usually ends up at a discussion about regulation. That got me wondering if there are any industries that are unregulated, have high safety requirements, and aren’t completely unsafe?

After a little research, it seems SCUBA is the industry I was looking for. If you read the linked article (which you should, it’s great) the SCUBA story is an important lesson for the security industry. Our industry moves fast, too fast to regulate. Regulation would either hurt innovation or be useless due to too much change. Either way it would be very expensive. SCUBA is a place where the lack of regulation has allowed for dramatic innovation over the past 50 years. The article compares the personal aircraft industry which has substantial regulation and very little innovation (but the experimental aircraft industry is innovating due to lax regulation).

Security and Tribal Knowledge

Mon, 25 Jan 2016 00:57:00 +0000

I’ve noted a few times in the past the whole security industry is run by magicians. I don’t mean this in a bad way, it’s just how things work. Long term will will have to change, but it’s not going to be an easy path.

When I say everything is run by magicians I speak of extremely smart people who are so smart they don’t need or have process (they probably don’t want it either so there’s no incentive). They can do whatever needs to be done whenever it needs doing. The folks in the center are incredibly smart but they learned their skills on their own and don’t know how to pass on knowledge. We have no way to pass knowledge on to others, many don’t even know this is a problem. Magicians can be awesome if you have one, until they quit. New industries are created by magicians but no industry succeeds with magicians. There are a finite number of these people and an infinite number of problems.

OpenSSH, security, and everyone else

Mon, 18 Jan 2016 02:43:00 +0000

If you pay attention at all, this week you heard about a security flaw in OpenSSH.

Link to scary security flaw

Of course nothing is going to change because of this. We didn’t make any real changes after Heartbleed or Shellshock, this isn’t nearly as bad, it’s business as usual.

Trying to force change isn’t the important part though. The important thing to think about is the context this bug exists in. The folks who work on OpenSSH are some of the brightest security minds in the world. We’re talking well above average here, not just bright. If they can’t avoid security mistakes, is there any hope for the normal people?

What the lottery and security have in common

Sun, 10 Jan 2016 17:32:00 +0000

If you live in the US you can’t escape the news about the Powerball lottery. The jackpot has grown to $1.3 Billion (with a capital B). Everyone is buying tickets and talking about what they’ll do when they win enough money to ruin their life.

This made me realize the unfortunate truth about security we like to ignore. Humans are bad at reality. Here is how most of my conversations go.

A security analogy that works

Mon, 04 Jan 2016 23:31:00 +0000

Over the holiday break I spent a lot of time reading and thinking about what the security problem really is. It’s really hard to describe, no analogies work, and things just seem to keep getting worse.

Until now!

Maybe.

Well, things will probably keep getting worse, but I think I’ve found a way to describe this almost anyone can understand. We can’t really talk about our problems today, which makes it impossible to fix anything.

Security reminds me of the gym on January 2

Tue, 29 Dec 2015 18:53:00 +0000

If you have any sort of gym membership you dread the month of January. Every year, there are countless people who make a resolution to get in shape, so the gym is flooded with people for much of January. I’m in favor of everyone staying in shape and having a gym membership, my point isn’t to claim how annoying the n00bs are. The point of this story is how few people stick around, and most give up because doing nothing is often easier than doing something.

A Christmas Cyber

Mon, 21 Dec 2015 14:00:00 +0000

Mallory was dead: to begin with. Bob knew he was dead, and nobody liked Bob, he was the security guy, nobody likes the security guy.

“Merry Christmas Bob!” said Alice. “Bah humbug!” was the reply. Bob had to work over Christmas protecting the network, he had no reason to be merry. As Bob opened the door to the server room he noticed the door knocker looked like Mallory, which was odd as the server room door didn’t have a knocker. A closer inspection led Bob to believe his mind was playing tricks on him.

Security is the new paperless office!

Mon, 14 Dec 2015 14:00:00 +0000

If you’re old enough, you remember reading a lot about the coming “paperless office”. It never came, but I realized there are parallels we can draw in the context of our current security problems.

Back in the 90’s, everyone wanted a paperless office. It sounded neat and with the future coming, who would need paper with all the flying cars and hoverboards! It turns out paper didn’t go away. Everyone keeps talking about how security is the most important thing ever, investing in the paperless office was once the most important thing ever.

Security lacks patience

Mon, 07 Dec 2015 18:03:00 +0000

I had a meeting with some non security people to discuss some of the challenges around security. It’s a rather popular topic these days but nobody knows what that means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant, the most important thing that came out of this meeting was when someone pointed out as a group we are impatient.

Where is the physical trust boundary?

Mon, 30 Nov 2015 14:18:00 +0000

There’s a story of a toothbrush security advisory making the rounds.

This advisory is pretty funny but it matters. The actual issue with the toothbrush isn’t a huge deal, an attacker isn’t going to do anything exciting with the problems. The interesting issue here is we’re at the start of many problems like this we’re going to see.

Today some engineers built a clever toothbrush. Tomorrow they’re going to build new things, different things. Security will matter for some of them. It won’t matter for most of them.

If your outcome is perfect or nothing, nothing always wins

Fri, 20 Nov 2015 14:02:00 +0000

This tweet
https://twitter.com/RichFelker/status/666325066838339584

Led to this thread
http://marc.info/?t=144778171800001&r=1&w=2

The short version is there are some developers from Red Hat working on gcc attempting to prevent ROP style attacks. More than one person has accused this work of being pointless and a waste of time. It’s not, the waste of time is arguing about why trying new things is dumb.

Here’s the important thing security people always screw up.

The only waste of time is if you do nothing and complain about the people who are doing something.

Your containers were built in some guy's barn!

Mon, 16 Nov 2015 14:06:00 +0000

Today containers are a bit like how cars used to work a long long long time ago. You couldn’t really buy a car, you had to build it yourself or find someone who could build one for you in their barn. The parts were terrible and things would break all the time. It probably ran on steam or was pulled by a horse.

Containers aren’t magic. Well they are for most people. Almost all technology is basically magic for almost everyone. There are some who understand it but generally speaking, it’s complicated. People know enough to get by which is fine, but that also means you have to trust your supplier. Your car is probably magic to you. You put gas in a hole in the back, then you can press buttons, push peddles, and turn wheels to transport you places. I’m sure a lot of people at this point are running through the basics of how cars work in their heads to reassure themselves its’ not magic and they know what’s going on!

Is the Linux ransomware the first of many?

Wed, 11 Nov 2015 03:03:00 +0000

If you pay any attention to the news, no doubt the story of the Linux ransomware that’s making the rounds. There has been much said about the technical merits of this, but there are two things I keep wondering.

Is this a singular incident, or the first of many?

**
** You could argue this either way. It might be a one off blip, it might be the first of more to come. We shouldn’t start to get worked up just yet. If there’s another one of these before the year ends I’m going to stock up on coffee for the impending long nights.

The Third Group

Tue, 27 Oct 2015 13:03:00 +0000

Anytime you do anything, no matter how small or big, there will always be three groups of people involved. How we interact with these groups can affect the outcome of our decisions and projects. If you don’t know they exist it can be detrimental to what you’re working on. If you know who they are and how to deal with them, a great deal of pain can be avoided, and you will put yourself in a better position to succeed.

How do we talk to normal people?

Tue, 20 Oct 2015 13:20:00 +0000

How do we talk to the regular people? What’s going to motivate them? What matters to them?

You can easily make the case that business is driven by financial rewards, but what can we say or do to get normal people to understand us, to care? Money? Privacy? Donuts?

I’m not saying we’re going to turn people into experts, I’m not even suggesting they will reach a point of being slightly competent. Most people can’t fix their car, or wire their house, or fix their pipes. Some can, but most can’t. People don’t need to really know anything about security, they don’t want to, so there’s no point in us even trying. When we do try, they get confused and scared. So really this comes down to:

How do we talk to business?

Tue, 13 Oct 2015 13:28:00 +0000

How many times have you tried to get buyin for a security idea at work, or with a client, only to have them say “no”. Even though you knew it was really important, they still made the wrong decision.

We’ve all seen this more times than we can count. We usually walk away grumbling about how sorry they’ll be someday. Some of them will be, some won’t. The reason is always the same though:

What's filling the vacuum?

Tue, 06 Oct 2015 15:42:00 +0000

Anytime there’s some sort of vacuum, something will appear to fill the gap. In this context we’re going to look at what’s filling the vacuum in security. There are a lot of smart people, but we’re failing horribly at getting our message out.

The answer to this isn’t simple. You have to look at what’s getting attention that doesn’t deserve to get attention. Just because we know a product, service, or idea is hogwash doesn’t mean non security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately when you’re talking about extremely complex and technical problems, they listen to whoever they can understand as there’s no way they can determine who is technically more correct. They’re going to follow whoever sounds the smartest.

We're losing the battle for security

Tue, 29 Sep 2015 13:39:00 +0000

The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it’s not currently looking good for our team.

As with all problems, if there is a vacuum, something or someone end up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what’s wrong, and sometimes even know how to fix it, but the people we need to listen aren’t. I don’t blame them either, we’re not telling them what they need to know.

How to build trust

Tue, 22 Sep 2015 15:53:00 +0000

One the hardest things we have to do is to build trust.

It’s not hard for everyone, just us specifically. It’s not in our nature.

Security people tend not to trust anyone. Everything we do is based on not trusting anyone, it’s literally our job. Trust is a two way street. If you expect someone to trust you, you have to trust them to a certain degree. This is our first problem. We don’t trust anybody, for good reason often, but it’s a problem. We have to learn how to trust others so we can get them to trust us. This is of course easier said than done. Would you trust someone with your password? I wouldn’t, but a lot of people do. This is a place where they won’t understand why we don’t trust them. Of course sharing a password isn’t a great idea, but that’s not the point.

How can we describe a buffer overflow in common terms?

Sun, 13 Sep 2015 16:11:00 +0000

We can’t.

You think you can, but you can’t. This reminds of the Feynman video where he’s asked how magnets work and he doesn’t explain it, he explains why he can’t explain it.

Our problem is we’re generally too clever to know when to stop. There are limits to our cleverness unfortunately.

I’m picking on buffer overflows in this case because they’re something that’s pretty universal throughout the security universe. Most everyone knows what they are, how they work, and we all think we could explain it to our grandma.

Being a nice security person

Tue, 08 Sep 2015 12:08:00 +0000

Sometimes it’s really hard to be nice to someone. This is especially true if you think they’re not very smart. Respect is a two way street though. If you think someone’s an idiot, they probably think you’re an idiot. You’re both going to end up right once it’s all over though.

As an industry we overestimate how much people know about security, which I think is the root of our problem.

Everyone is afraid of us

Thu, 03 Sep 2015 12:39:00 +0000

How many times have you been afraid to say something about security because you knew if you’re wrong, you’re going to be destroyed in public about it by your peers?

How many times did you try really hard to completely discredit someone who said something wrong about security?

How many times have you been wrong but still argued because you didn’t want to admit it?

How many good ideas never saw the light of day because of this?

You are bad at talking to people

Wed, 02 Sep 2015 11:36:00 +0000

You’re probably bad at talking to people. I don’t mean your friends you play D&D or Halo or whatever hip game people play now, I mean humans, like the guy who serves you coffee in the morning.

We’ve all had more than once instance where we said something and ended up with a room full of people staring at us because it wasn’t terribly nice or thoughtful. At the time you had no idea anything was wrong, you still might not.

About

Mon, 01 Jan 0001 00:00:00 +0000

Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform educate both developers and users on how open source security works.

There’s a lot of good work happening that doesn’t get attention because there’s no marketing department behind it, they don’t have a developer relations team posting on LinkedIn every two hours. Let’s focus on those people and teams then learn what they do and how they do it. The goal is to hear from the people doing the work, they know what’s up, they have a lot to teach us. We just have to listen.

Contact Info

Mon, 01 Jan 0001 00:00:00 +0000

We are always looking for guests. We want guest that have an open source focus, ideally security, but security can be a strange topic, we’re open to a lot of interpretation.

We prefer technical guest who are doing the work. Your CEO may be a great and smart person, but we want your head of engineering, or even better, one of your developers!

Please get in touch of you have an idea for a topic or guest.

Media

Mon, 01 Jan 0001 00:00:00 +0000