
Episode 269 - Do not experiment on the Linux Kernel

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There’s a lot to unpack in this one, but the TL;DR is you probably don’t want to experiment on the kernel.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_269_Do_not_experiment_on_the_Linux_Kernel.mp3

Show Notes
Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research
University of Minnesota security researchers apologize for deliberately buggy Linux patches
The International Obfuscated C Code Contest

May 3, 2021

Episode 268 - Can we trust any 3rd parties?

Josh and Kurt talk about what 3rd party means in the current world, from 5G suppliers to the Codecov and Solarwinds breaches. Is there anyone we can trust?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_268_Can_we_trust_any_3rd_parties.mp3

Show Notes
Europe and 5G
Codecov
Codecov Reuters story
Red Hat OpenSSH advisory

April 26, 2021

Episode 267 - Does 0day still mean 0day?

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why has the name taken on a new meaning, and why is that OK?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_267_Does_0day_still_mean_0day.mp3

Show Notes
Hacker History Podcast
Chrome 0day
NTFS Documentation

April 19, 2021

Episode 266 - The future of security scanning with Debricked

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_266_The_future_of_security_scanning_with_Debricked.mp3

Show Notes
Debricked
Emil’s LinkedIn

April 12, 2021

Episode 265 - The lies closed source can tell, open source can't

Josh and Kurt talk about the PHP backdoor and the Ubiquiti whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_265_The_lies_closed_source_can_tell_open_source_cant.mp3

Show Notes
PHP backdoor
Ubiquiti coverup
3D printed TSA keys
LockPickingLawyer
Determining Key Shape from Sound
Lock camera

April 5, 2021

It's time to fix CVE

The late, great, John Lewis is well known for a quote about getting into trouble. Never, ever be afraid to make some noise and get in good trouble, necessary trouble. It’s time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter, is well aware I have been a proponent of CVE Identifiers for a very long time. I once assigned CVE IDs to most open source security vulnerabilities. I’ve helped more than one company and project adopt CVE IDs for their advisories. I encourage anyone who will listen to adopt CVE IDs. I’ve even talked about it on the podcast many times. ...

March 30, 2021

Episode 264 - DevSecOps with GitLab's Mark Loveless

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It’s a great conversation.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_264_DevSecOps_with_GitLabs_Mark_Loveless.mp3

Show Notes
Mark Loveless Twitter
GitLab
GitLab Handbook
How we approach open source security
PASTA threat modeling
GitLab security features
Tales from the Past - “You Tested Positive for TNT”

March 29, 2021

Episode 263 - GitHub pulls exploits, LinuxFoundation sign all the things

Josh and Kurt talk about how terrible daylight saving time is, GitHub yanking some exploit code, and the Linux Foundation’s new project to sign all the things.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_263_GitHub_pulls_exploits_LinuxFoundation_sign_all_the_things.mp3

Show Notes
Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub
GitHub content restrictions
Reproducing the Microsoft Exchange ProxyLogon Exploit Chain

March 22, 2021

Episode 262 - A discussion with Loris and Pop from Sysdig

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, their huge code donation to the CNCF, and what securing a modern infrastructure looks like today.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_262_A_discussion_with_Loris_and_Pop_from_Sysdig.mp3

Show Notes
Sysdig
Falco
Loris’ Twitter
Dan “Pop” Popandrea’s Twitter
Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF
pdig
Sysdig 2021 container security and usage report: Shifting left is not enough

March 15, 2021

Episode 261 - DWF is back! Welcome to community powered CVE

Josh and Kurt talk about DWF. It’s back, and the intention is to have real community-driven security identifiers!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_261_DWF_is_back_Welcome_to_community_powered_CVE.mp3

Show Notes
Committee vs Community
dwflist repo
dwf-request tooling repo
dwf-workflow policy repo
CVE plateau graph
iwantacve.org

March 8, 2021