door-sign-1607503_1920

Episode 259 - What even is open source anymore?

Josh and Kurt talk about the question “what is open source?” Why do we think it’s broken today, and what sort of ideas about what should come next. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_259_What_even_is_open_source_anymore.mp3 Show Notes OSI Bruce Perens Post Open Source Josh’s community blog post Corey Doctorow Uber Twitter thread

February 22, 2021
pleasure-boat-510668_1920

The Titanic of security

I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for the reasons intended in the conversation. The point of the suggestion was the Titanic sinking created changes to international requirements to help avoid a similar disaster next time, and we should be viewing SolarWinds in a similar way. The idea being we should use the SolarWinds event to drive meaningful change to make security better. Why no change will come of this is a different conversation: TL;DR it’s because nobody important died from SolarWinds, the Titanic killed a lot of important people. But I think this is an interesting way to talk about how we tend to deal with problems in software and how we deal with them in real life. ...

February 15, 2021
source-code-583537_1920

Episode 258 - Stop using C

Josh and Kurt talk about the Google Project Zero report titled “A Year in Review of 0-days Exploited In-The-Wild in 2020”. It’s a cool report but we don’t agree on the conclusion. The answer isn’t to security harder, it’s to stop using C. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_258_Stop_using_C.mp3 Show Notes Google Project Zero Year of 0-days Kurt’s CUPS tweet

February 15, 2021
water-2438837_1920

Episode 257 - The sudo and libgcrypt vulnerabilities

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What’s the deal with these buffer overflows and TOCTU bugs? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_257_The_sudo_and_libgcrypt_vulnerabilities.mp3 Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow

February 8, 2021
watercolor-5212708_1920

It's the community, stupid

I’ve been thinking about what open source is a lot lately. I mean A LOT, probably more than is healthy. There have been a ton of open source happenings in the world and the discussions around open source licenses have been numerous. There are even a lot of discussions around the very idea of open source itself. What we once thought was simple and clear is not simple or clear it would seem. ...

February 2, 2021
Screenshot from 2021-01-31 14-06-42

Episode 256 - 9 bits of podcast, 8 bits of computing

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_256_9_bits_of_podcast_8_bits_of_computing.mp3 Show Notes Legend of Zelda Random Number Generation Green rocket flame SR71 leaked fuel How do Namibian Himbas see colour? Suptuple meter music

February 1, 2021
rust-4246812_1920

You cannot manage your supply chain

What a year it’s been! I feel like 2021 went by like a … it’s still January??? So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. Software supply chains. This is probably a dreadful topic to most, but I love software supply chains. I was talking about them before anyone was even thinking about them. I’m not going to pull a “get off my lawn” here, I think it’s cool everyone is starting to care. I want to talk about how to be realistic about your supply chain. Almost all advice I’ve seen of the last month has been terrible, so I’m going to also give some terrible advice. ...

January 30, 2021
hand-1549399_1920

Episode 255 - What if security wasn't joyless?

Josh and Kurt talk about what we can stop doing. We take a position of asking “does it spark joy” for tools and infrastructure. Everyone is doing something they should stop. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_255_What_if_security_wasnt_joyless.mp3 Show Notes Does it spark joy?

January 25, 2021
antique-1868726_1920

Episode 254 - Right to Repair Security

Josh and Kurt talk about the new right to repair rules in the EU. There’s a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_254_Right_to_Repair_Security.mp3 Show Notes EU right to repair repair.eu

January 18, 2021
old-1220013_1920

Episode 253 - Defenders only need to be right once

Josh and Kurt talk about this idea that seems to exist in security of “attackers only need to be right once” which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But “defenders only need to be right once” isn’t going to sell any products. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_253_Defenders_only_need_to_be_right_once.mp3 Show Notes Richard Feynman and manhole covers Richard Feynman on Why He Can’t Tell You How Magnets Work Israeli airport security FAA stolen sweater XKCD Is it worth the time CGP Grey The trouble with transporters

January 11, 2021