
Episode 215 - Real security is boring

Josh and Kurt talk about attacking open source. How serious is the threat of developers being targeted, or of a git repo being watched for secret security fixes? The reality is that there are many layers in a security journey, and the most important things you can do are also the least exciting.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_215_Real_security_is_boring.mp3

Show Notes
Targeting developers
XKCD Infrastructure comic
Hiding security flaws in git
Mossad vs Not-Mossad (PDF warning)

September 14, 2020

Episode 213 - Security Signals: What are you telling the world

Josh and Kurt talk about how your actions can tell the world whether you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_213_Security_Signals_What_are_you_telling_the_world.mp3

Show Notes
Reddit carbon monoxide Part 1, Part 2
GCP Grey minus infinity
Josh’s blog post

September 7, 2020

We take security seriously, VERY SRSLY!

Every company tells you they take security seriously. Some even take it very seriously. But do they? I started to think about this because of a recent Slack bug. I think there are a lot of interesting things we can look at to decide if a company is taking security seriously or if the company thinks security is just a PR problem. I’m going to call the behavior we want to look at “security signals”. ...

August 31, 2020

Episode 212 - Grab Bag: The Security We Deserve Edition

Josh and Kurt talk about Chromium sending traffic to root DNS servers, telemetry watching what we do, cryptocurrency scams, and a few other random topics. Also pandas.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_212_Grab_Bag_The_Security_We_Deserve_Edition.mp3

Show Notes
Blanket rack
Chromium DNS traffic
Ubuntu MOTD
Microsoft telemetry
YAM coin implodes
Panda Cubs

August 31, 2020

2020 CWE Top 25 I mean 10 or maybe 4.5

A few days ago I ran across this report from MITRE. It’s titled “2020 CWE Top 25 Most Dangerous Software Weaknesses”. I found the report lacking the sort of details I was hoping for, so I’m going rogue and adding those details myself, because it’s a topic I care about and I like seeing conclusions. Think of this as a sort of modern graffiti. Firstly, all of my data and graphs come from the NVD CVE JSON data. You can find my project that loads this data into Elasticsearch and then does interesting things with it on GitHub here. All graphs are screenshots from Kibana. ...

August 24, 2020

Episode 211 - The only thing harder than signing files is managing users

Josh and Kurt talk about the two-year-old Microsoft signature bug and GitLab no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_211_The_only_thing_harder_than_signing_files_is_managing_users.mp3

Show Notes
Microsoft signed jar bug
GitLab Support is no longer processing MFA resets for free users
Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks

August 24, 2020

Episode 210 - Cult of Information Security

Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It’s not all bad though; there are some things we can do to help move things forward. This episode shouldn’t be taken too seriously.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_210_Cult_of_Information_Security.mp3

Show Notes
“cult of information security”
How to start a cult

August 17, 2020

Episode 209 - Secure Boot isn't Secure

Josh and Kurt talk about Secure Boot. The conversation uses the recent “Boot Hole” vulnerability to frame a discussion of what Secure Boot is and isn’t, why the Boot Hole flaw doesn’t really matter, and why Secure Boot was very scary for Linux users back when it came out.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_209_Secure_Boot_isnt_Secure.mp3

Show Notes
Boot Hole

August 10, 2020

Episode 208 - Passwords are pollution

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas; sometimes it’s that we don’t have metrics. Can you measure not getting hacked?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_208_Passwords_are_pollution.mp3

Show Notes
Clearing checks
FAIR Institute
Factorio

August 3, 2020

Episode 207 - Weaponized attention

Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text, how we create, and how social media is doing everything it can to weaponize our attention. It’s not a fight humanity is winning.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_207_Weaponized_attention.mp3

Show Notes
GPT-3 AI
Blipverts

Show Tags
#weaponizedattention #GPT-3 #GPT3

July 27, 2020