Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL. And as one would expect, there are plenty of folks who think this is the best idea ever, and a bunch worried this will be the event that destroys modern civilized society. Today there’s not really a good place to track what is or isn’t end of life software. There are some datasets being worked on but they’re very new, and it’s “yet another dataset” we will all have to figure out. CVE could be a place to track details like this, but it’s not a simple conversation. ...

I had a discussion with Dick Brooks about government regulations and open source software security. The conversation covered the frameworks that affect enterprise software, users of open source, and open source developers. At the moment, all these regulations don’t mean a ton for open source developers, which is good news. Dick is the co-founder of Business Cyber Guardian and former enterprise architect at ISO New England. He’s a self proclaimed old school software engineer who worked at Digital Equipment Corporation. These days Dick is involved in working on secure development programs with governments around the world. ...

I met Gary Kramlich a few years ago at the CypherCon security conference and we now chat on signal about open source things. When I started Open Source Security I knew he was one of the people I wanted to talk to about what it looks like to keep a project, codebase, and community alive for more than a decade. Gary is the lead developer of the Pidgin chat program. You can find him at reaperworld.com ...

I had a discussion with Thomas Depierre about his experience with safety and how safety concepts can apply to the field of security. Thomas is an experienced SRE with a background in safety, he has thoughts into how people prevent disasters constantly, often without realizing it. You can find his blog at Software Maxims An audio version of this disucssion is also available in podcast format. Look for “Open Source Security” wherever you get your podcasts. ...

https://traffic.libsyn.com/opensourcesecuritypodcast/2025-01-the_future_of_open_source_security.mp3 It’s a new year and time for some changes to the opensourcesecurity.io website. This site initially was meant to be the home of general open source security content, and has carried the name “Open Source Security” since 2018. Much of the content hosted here has been from the Open Source Security Podcast, it’s time to wrap up the podcast to put the focus back on Open Source Security (dot io). ...

Josh and Kurt talk about new NIST password guidance. There’s some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There’s more strict guidance against rotating passwords and complex passwords. This new guidance gives us a lot to look forward to. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_461_The_new_NIST_password_guidance.mp3 Show Notes Usagi Electric NIST proposes barring some of the most nonsensical password rules NIST SP 800-63(B) STRIDE threat model PASTA threat model

Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It’s all very complex https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_460_Santas_Supply_Chain_Security.mp3 Show Notes Project Gunman

Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it’s because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_459_CWE_Top_25_List.mp3 Show Notes 2024 CWE Top 25 Most Dangerous Software Weaknesses Set of 9 Unusual Odd Sided dice - D3, D5, D7, D9, D11, D13, D15, D17 & D19

Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from messages in the past. The reason for this is it appears the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encrypt all the traffic. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_458_FBI_endorses_E2E_encryption.mp3 Show Notes Salt Typhoon U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack LTT Hacked phone Security Cryptography Whatever Telegram Secure Messaging Apps Comparison

Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is almost all consumer gear you plug into the internet is terrible. And there’s little hope it will get better anytime soon. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_457_The_D-Link_D-bacle.mp3 Show Notes China has utterly pwned ’thousands and thousands’ of devices at US telcos D-Link tells users to trash old VPN routers over bug too dangerous to identify D-Link YouTube explainer video