We can't move forward by looking back

For the last few weeks Kurt and I have been having a lively conversation about security ratings scales. Is CVSS good enough? What about the Microsoft scale? Are there other scales we should be looking at? What’s good, what’s missing, and what should we be talking about? There’s been a lot of back and forth and many different ideas. Over the course of our discussions I’ve come to realize an important aspect of security, which is that we don’t look forward very often. What I mean by this is that there is a very strong force in the world of security to use prior art to drive our future decisions. Except all of that prior art is comically out of date in the world of today. ...

November 19, 2020
Episode 224 - Are old Android devices dangerous?

Josh and Kurt talk about what happens when important root certificates expire on old Android devices. Who should be responsible? How can we fix this? Is this even something we can or should fix? How devices should age is a really hard problem that needs a lot of discussion.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_224_Are_old_Android_devices_dangerous.mp3

Show Notes
Unboxing coins
Old Android devices certificate store
Steve1989MREInfo

November 16, 2020
Episode 223 - Full disclosure won, deal with it

Josh and Kurt talk about the idea behind the full disclosure of security vulnerability details. There have been discussions about this topic for decades, with many people on all sides of the issue. The reality, however, is that if you look at the current state of things, this discussion is settled: full disclosure won.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_223_Full_disclosure_won_deal_with_it.mp3

Show Notes
Hacker One 100 million payout
Project Zero bug
Remington gun trigger class action lawsuit
Square windows on a plane

November 9, 2020
Episode 222 - HashiCorp Boundary with Jeff Mitchell

Josh and Kurt talk to Jeff Mitchell about the new HashiCorp project Boundary. We discuss what Boundary is, why it’s cooler than a VPN, and how you can get involved.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_222_HashiCorp_Boundary_with_Jeff_Mitchell.mp3

Show Notes
Jeff Mitchell
HashiCorp Boundary announcement
Discuss forum
Boundary Project
Boundary GitHub

November 2, 2020
Episode 221 - Security, magic, and FaceID

Josh and Kurt talk about how to get started in security. It’s like the hero’s journey, but with security instead of magic. We then talk about what Webkit bringing Face ID and Touch ID to the browsers will mean.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_221_Security_magic_and_FaceID.mp3

Show Notes
Hero’s Journey
Mudge’s Tweet
L0pht at Congress
Bob Ross
Webkit Face ID and Touch ID for the Web

October 26, 2020
Episode 220 - Securing network time and IoT

Josh and Kurt talk about Network Time Security (NTS), how it works, and what it means for the world (probably not very much). We also talk about Singapore’s Cybersecurity Labelling Scheme (CLS). It probably won’t do a lot in the short term, but we hope it’s a beacon of hope for the future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_220_Securing_network_time_and_IoT.mp3

Show Notes
Network Time Security
NTP and the University of Wisconsin
Cybersecurity Labelling Scheme (CLS)

October 19, 2020
Episode 219 - Chat with Larry Cashdollar

Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_219_Chat_with_Larry_Cashdollar.mp3

Show Notes
Akamai
Larry’s website
Larry’s First CVE

October 12, 2020
Episode 218 - The past was a terrible place

Josh and Kurt talk about change. Specifically, we discuss how the past was a terrible place. Never believe anyone who tells you it was better. Part of a career now is learning how to learn. The things you learn today won’t be useful skills in a few years. The future is always better than the past. Even in 2020.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_218_The_past_was_a_terrible_place.mp3

Show Notes
I no longer build software
Temple OS
Top Gear electric car
1959 Bel Air crash test

October 5, 2020
A bug by any other name

This tweet from Jim Manico really has me thinking about why we like to consider security bugs special. There are a lot of tools on the market today to scan your GitHub repos, containers, operating systems, web pages … pick something, for security vulnerabilities. I’ve written a very, very long series about these scanners and why they’re generally terrible today but will get better, but only if we demand it. I’m now wondering why we want to consider security special. Why do we have an entire industry focused just on security bugs? ...

October 1, 2020
Episode 217 - How to tell your story with Travis Murdock

Josh and Kurt talk to Travis Murdock about how to tell your story. Travis explains how to talk to the press and how to tell our story in a way that helps get our message across and lets the reporter do their job better.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_217_How_to_tell_your_story_with_Travis_Murdock.mp3

Show Notes
Ruder Finn
CVE-2009-3555
Heartbleed

September 28, 2020