Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it’s because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_459_CWE_Top_25_List.mp3 Show Notes 2024 CWE Top 25 Most Dangerous Software Weaknesses Set of 9 Unusual Odd Sided dice - D3, D5, D7, D9, D11, D13, D15, D17 & D19

Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from messages in the past. The reason for this is it appears the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encrypt all the traffic. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_458_FBI_endorses_E2E_encryption.mp3 Show Notes Salt Typhoon U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack LTT Hacked phone Security Cryptography Whatever Telegram Secure Messaging Apps Comparison

Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is almost all consumer gear you plug into the internet is terrible. And there’s little hope it will get better anytime soon. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_457_The_D-Link_D-bacle.mp3 Show Notes China has utterly pwned ’thousands and thousands’ of devices at US telcos D-Link tells users to trash old VPN routers over bug too dangerous to identify D-Link YouTube explainer video

Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It’s easy to claim just because source code being available doesn’t matter. But the reality is when source code is needed, it can make a huge difference for everyone working together, just like we saw with xz. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_456_What_if_XZ_happened_to_a_company_The_openness_of_open_source.mp3 Show Notes Lindt admits chocolate may not be ‘expertly crafted’ in class-action lawsuit battle Mitchell & Webb - Needlessly ambiguous terms

Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There’s a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_455_Wordpress_plugin_security.mp3 Show Notes Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch Kurt’s Plugin

Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is no lost! There’s some great ideas on what the future needs to look like. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_454_The_state_of_open_source_with_Brian_Fox_from_Sonatype_and_Donald_Fischer_from_Tidelift.mp3 Show Notes Donald Fischer Brian Fox Tidelift Sonatype The 2024 Tidelift state of the open source maintainer report Sonatype State of the Software Supply Chain Anchore 2024 Software Supply Chain Security Report OpenSSF TAC issue 101

Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_453_Software_Liability.mp3 Show Notes Request for Comment on Product Security Bad Practices Guidance FY2025-2026 CISA International Strategic Plan EU brings product liability rules in line with digital age and circular economy CSA Cloud Controls Matrix

Josh and Kurt talk about the Meshtastic open source project. It’s a really slick mesh radio system that runs on very cheap radio equipment. This episode isn’t very security related (there are a few things), but it is very open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_452_All_about_Meshtastic.mp3 Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous Meshtastic Routing Issues & Deployment Scenarios TC2-BBS-mesh The Comms Channel Josh’s BBS Heltec T114 bug

Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_451_Python_security_with_Seth_Larson.mp3 Show Notes Seth Larson XKCD PGP Signature Seth’s Blog Python and Sigstore Deprecating PGP - PEP 761 Python SBOMs

It’s once again time for the outrage generators on social media to ask if SBOMs have any value. This seems to happen a few times a year. Probably lines up with the pent up excitement while we wait for the McRib to return. I could dig up a few examples of these articles but I can’t be bothered, and it doesn’t matter. I’d rather spend my time searching for a McRib … I mean, writing this blog post. ...