farm-2852024_1920

Episode 260 - Dave Jevans tells us what CipherTrace is up to

Josh and Kurt talk with Dave Jevans CEO of CipherTrace and chairman of the anti-phishing working group about the challenges of keeping track of cryptocurrency in the modern age. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_260_Dave_Jevans_tells_us_what_CipherTrace_is_up_to.mp3 Show Notes Dave’s Twitter CipherTrace Anti Phishing Working Group

March 1, 2021
door-sign-1607503_1920

Episode 259 - What even is open source anymore?

Josh and Kurt talk about the question “what is open source?” Why do we think it’s broken today, and what sort of ideas about what should come next. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_259_What_even_is_open_source_anymore.mp3 Show Notes OSI Bruce Perens Post Open Source Josh’s community blog post Corey Doctorow Uber Twitter thread

February 22, 2021
pleasure-boat-510668_1920

The Titanic of security

I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for the reasons intended in the conversation. The point of the suggestion was the Titanic sinking created changes to international requirements to help avoid a similar disaster next time, and we should be viewing SolarWinds in a similar way. The idea being we should use the SolarWinds event to drive meaningful change to make security better. Why no change will come of this is a different conversation: TL;DR it’s because nobody important died from SolarWinds, the Titanic killed a lot of important people. But I think this is an interesting way to talk about how we tend to deal with problems in software and how we deal with them in real life. ...

February 15, 2021
source-code-583537_1920

Episode 258 - Stop using C

Josh and Kurt talk about the Google Project Zero report titled “A Year in Review of 0-days Exploited In-The-Wild in 2020”. It’s a cool report but we don’t agree on the conclusion. The answer isn’t to security harder, it’s to stop using C. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_258_Stop_using_C.mp3 Show Notes Google Project Zero Year of 0-days Kurt’s CUPS tweet

February 15, 2021
water-2438837_1920

Episode 257 - The sudo and libgcrypt vulnerabilities

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What’s the deal with these buffer overflows and TOCTU bugs? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_257_The_sudo_and_libgcrypt_vulnerabilities.mp3 Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow

February 8, 2021
watercolor-5212708_1920

It's the community, stupid

I’ve been thinking about what open source is a lot lately. I mean A LOT, probably more than is healthy. There have been a ton of open source happenings in the world and the discussions around open source licenses have been numerous. There are even a lot of discussions around the very idea of open source itself. What we once thought was simple and clear is not simple or clear it would seem. ...

February 2, 2021
Screenshot from 2021-01-31 14-06-42

Episode 256 - 9 bits of podcast, 8 bits of computing

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_256_9_bits_of_podcast_8_bits_of_computing.mp3 Show Notes Legend of Zelda Random Number Generation Green rocket flame SR71 leaked fuel How do Namibian Himbas see colour? Suptuple meter music

February 1, 2021
rust-4246812_1920

You cannot manage your supply chain

What a year it’s been! I feel like 2021 went by like a … it’s still January??? So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. Software supply chains. This is probably a dreadful topic to most, but I love software supply chains. I was talking about them before anyone was even thinking about them. I’m not going to pull a “get off my lawn” here, I think it’s cool everyone is starting to care. I want to talk about how to be realistic about your supply chain. Almost all advice I’ve seen of the last month has been terrible, so I’m going to also give some terrible advice. ...

January 30, 2021
hand-1549399_1920

Episode 255 - What if security wasn't joyless?

Josh and Kurt talk about what we can stop doing. We take a position of asking “does it spark joy” for tools and infrastructure. Everyone is doing something they should stop. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_255_What_if_security_wasnt_joyless.mp3 Show Notes Does it spark joy?

January 25, 2021
antique-1868726_1920

Episode 254 - Right to Repair Security

Josh and Kurt talk about the new right to repair rules in the EU. There’s a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_254_Right_to_Repair_Security.mp3 Show Notes EU right to repair repair.eu

January 18, 2021