Josh and Kurt talk to Jill Moné-Corallo about GitHub’s bug bounty and product security team. It’s a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_353_Jill_Mone-Corallo_on_GitHubs_bug_bounty_program.mp3 Show Notes Jill’s Twitter Jill’s Mastodon GitHub Bug Bounty Bug bounty scope Eight years of the GitHub Security Bug Bounty program GitHub NPM bug bounty find

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it’s also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_352_Stylometry_removes_anonymity.mp3 Show Notes Hacker News Stylometry Analyzer FBI Profiler on the Unabomber Impersonate Eli Lilly for $8 Shakespeare Stylometry

Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren’t the only one. The eternal debate of can security and usability exist together? We suspect it can’t be, but it’s a very complicated topic. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_351_Is_security_or_usability_a_law_of_the_universe.mp3 Show Notes EFF on Mastodon DM privacy Towards End-to-End Encryption for Direct Messages in the Fediverse Pluralistic: 14 Nov 2022 Even if you’re paying for the product, you’re still the product

Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There’s a lot to juggle about all this these days, it’s complicated. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_350_Spam_Email_Content_Moderation_and_Infrastructure_Oh_My.mp3 Show Notes PowerDMARC Will Dormann GossiTheDog upgrades Exchange lcamtuf’s blog I like Ice Cream

Josh and Kurt talk about the UK plan to scan their country’s IP space. The purpose and outcome of this isn’t completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_349_The_cyber_is_coming_from_inside_the_house_the_UK_is_scanning_itself.mp3 Show Notes NCSC Scanning information Motherboard podcast about NCIS

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don’t migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_348_OpenSSL_is_the_new_lead_paint.mp3 Show Notes OpenSSL Blog Post OpenSSL pre-announcement Mark Cox Tweet 3.0 only affected GossiTheDog NDA Tweet Claims of a name and logo Rustls

Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_347_Airtags_in_luggage_and_weasel_security_two_peas_in_a_suitcase.mp3 Show Notes Lufthansa bans airtags Airtag stalking problems Lufthansa unbans airtags Cult of the Dead Cow book TV Typewriter Andre the Giant on an airplane Poison Squad Bagtracker

Josh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_346_Security_and_working_from_home_have_terrible_things_in_common.mp3 Show Notes Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs Business Insider 2 jobs story Ken Thompson lines of code

Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security? ...

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what’s OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_344_Python_tarfile_2022_is_nothing_like_2007.mp3 Show Notes CVE-2007-4559 Red Hat Bug Register story Response from upstream Upstream patch ZippSlip Current upstream bug CSURF