one-way-street-362172_1920

Episode 316 - You have to use open source

Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’ Law, in open source the superpower isn’t bugs are shallow (they’re not), the superpower is security bugs in open source can’t be ignored. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_316_You_have_to_use_open_source.mp3 Show Notes node-ipc protestware

March 28, 2022
justice-gbb257d75b_1920

Facts vs Feelings

Earlier today I asked a question on Twitter Holy cow that thread took on a life of its own. The question is easy enough, do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are). But during the thread I also think I figured how to be start collecting this data. That’s a post for the future. ...

March 21, 2022
jens-lelie-u0vgcIOQG08-unsplash

Episode 315 - Who even makes all these terrible decisions?

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_315_Who_even_makes_all_these_terrible_decisions.mp3 Show Notes Ads in Windows Filemanager Russia running out of storage Russia threatens to nationalize industry Onagawa Nuclear Power Plant Cockcroft’s Follies German government advises citizens to uninstall Kaspersky

March 21, 2022
scrap-iron-72065

Episode 314 - The Linux Dirty Pipe vulnerability

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There’s almost no way a bug like this could be found outside of open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_314_The_Linux_Dirty_Pipe_vulnerability.mp3 Show Notes Dirty Pipe Writeup

March 14, 2022
crocodile-1851313_1920

Episode 313 - Insecurity at scale

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There’s a lot of new thinking we need to push security forward. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_313_Insecurity_at_scale.mp3 Show Notes Stable Linux Kernel and Machine Learning

March 7, 2022
mesopotamia-1827242_1920

Episode 312 - The Legend of the SBOM

Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_312_The_Legend_of_the_SBOM.mp3 Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism

February 28, 2022
qr-wide

Episode 311 - Did you scan the QR code?

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn’t dangerous. What other security advice just won’t go away? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_311_Did_you_scan_the_QR_code.mp3 Show Notes Coinbase Ad Kurt’s Twitter question QR code parking scam Mossad or not Mossad Kurt’s talk

February 21, 2022
private-1647769_1920

Episode 310 - Hayley Tsukayama from the EFF talks about privacy

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don’t have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it’s easy to see how the EFF became the jewel of the Internet. ...

February 14, 2022
light-bulb-4514505_1920

Episode 309 - The bright future of open source secuirty

Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. https://traffic.libsyn.com/secure/forcedn/opensourcesecuritypodcast/Episode_309_The_bright_future_of_open_source_security.mp3 Show Notes NPM requires 2FA OpenSSF Alpha and Omega David A. Wheeler episode Linux Foundation LFX Samba Advisory

February 7, 2022
the-1865639_1920

Episode 308 - Welcome to the jungle - How to talk about open source security

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It’s hard to talk about security sometimes. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_308_Welcome_to_the_jungle_How_to_talk_about_open_source_security.mp3 Show Notes Josh’s computer vision code Twitter secrets Qualys pwnkit

January 31, 2022