Episode 309 – The bright future of open source security
Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what they could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes NPM requires 2FA OpenSSF Alpha and Omega David
Search results for: cve
Episode 308 – Welcome to the jungle – How to talk about open source security
Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It’s hard to talk about security sometimes. Show Notes Josh’s computer
Episode 307 – Got vulnerabilities? Introducing GSD
Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers. Show Notes We rate dogs Raccoons that heal your sadness Global Security Database Episode 261 – DWF is back! Welcome to community powered CVE GSD mailing list GSD Circle group GSD Database GSD
Episode 303 – Log4j Christmas Spectacular!
Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure
Episode 292 – Apache RCE and Twitch epic pwn
Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn’t matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard. Show Notes Parasocial Relationship
The future of DWF
TL;DR – The future of community identifiers is going to be the Cloud Security Alliance. See this blog post for more details. A few months ago the Distributed Weakness Filing project (DWF) announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post defines
Episode 257 – The sudo and libgcrypt vulnerabilities
Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What’s the deal with these buffer overflows and TOCTOU (time-of-check to time-of-use) bugs? Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow
Episode 219 – Chat with Larry Cashdollar
Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it! Show Notes Akamai Larry’s website Larry’s First CVE
Episode 217 – How to tell your story with Travis Murdock
Josh and Kurt talk to Travis Murdock about how to tell your story. Travis explains how to talk to the press and how to tell our story in a way that helps get our message across and lets the reporter do their job better. Show Notes Ruder Finn CVE-2009-3555 Heartbleed
We take security seriously, VERY SRSLY!
Every company tells you they take security seriously. Some even take it very seriously. But do they? I started to think about this because of a recent Slack bug. I think there are a lot of interesting things we can look at to decide if a company is taking security seriously or if the company