Unless you’ve been living under a rock for the past few … forever, you may have noticed that open source is taking took over the world. If software ate the world, open source is the dessert course. As of late there have been an uptick in stories about backdoors in open source software. These backdoors were put there by what is assumed to be “bad people” which is probably accurate since everyone is a villain in some way. ...

Josh and Kurt talk about the current state of credit security freezes in the US. We recount a thrilling tale of all the things Josh had to do to get new Internet service. It was all quite silly really. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_158_The_mess_that_we_call_credit_agencies_in_the_US.mp3 Show Notes Weak security freeze pins ’null’ license plate Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about snakeoil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it’s the right thing to do. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_157_Backdoors_and_snake_oil_in_our_cryptography.mp3 Show Notes Time AI video Kurt’s Tweet about technical explanations Josh’s blog post about bug training Schneier on Barr’s encryption discussion Comment on Twitter with the #osspodcast hashtag ...

Recently there was a thread on Twitter I stuck my nose into about appsec and why it doesn’t work. I have a response in there that I believe is a nice way to explain my biggest problem with appsec. I would sum it up as “Appsec isn’t people”. Here is a clever image to help. You know you can take it seriously because the text is green. The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs. ...

Josh and Kurt talk about Kazakhstan requiring citizens to place a government controlled root CA certificate on their computers. How does this work. What does it mean for the citizens of Kazakhstan, and why we all should be paying attention. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_156_What_if_we_MitM_a_whole_country.mp3 Show Notes Kazakhstan MitM all TLS traffic Mozilla bug Comment on Twitter with the #osspodcast hashtag

Once again the topic of backdooring cryptography is in the news. The same people will fight the same fight. Again. So far sanity has prevailed every time we do this, but that doesn’t mean anyone should sit this one out. Make sure you tell everyone to pay attention and care. Trustworthy cryptography is too important. Given the language used it sounds a lot like what’s really being discussed is having the ability to view chat apps, view emails, and unlock phones. All things with a consumer focus. They’ve lost this fight more times than we can count now, no doubt this direction change is an attempt to spread confusion. ...

Josh and Kurt talk about a new way to steal cars because a service didn’t do proper background checks. We also discuss how this relates to working with criminals, such as ransomware, and what it means for the future of the ransomware industry. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_155_Stealing_cars_and_ransomware.mp3 Show Notes Car2go theft Alberta driver’s license security Albertosaurus Las Vegas won’t pay a ransom Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk to the authors of a new book The Fifth Domain. Dick Clarke and Rob Knake join us to discuss the book, cybersecurity, US policy, how we got where we are today and what the future holds for cybersecurity. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_154_Chat_with_the_authors_of_the_book_The_Fifth_Domain.mp3 Show Notes The Fifth Domain Dick Clarke Rob Knake Future State Podcast Show Tags #FifthDomain #Cybersecurity Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about user expectations around Facebook’s AI. Normal people are starting to see the capabilities and potential risk with all these services. We also cover the topic of China owning a number of VPN services. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_153_The_unexpected_security_of_AI_photographs_and_VPN.mp3 Show Notes Facebook’s AI descriptions China owns a lot of VPNs VPN comparison Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about the disclosure of security vulnerabilities. It’s still not a settled topic, we frame the conversation around a recent disclosure from Tavis Ormandy of Google Project Zero. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_152_Tavis_breaks_the_world_again.mp3 Show Notes Tavis Tavis ruins everything cDc book France Bans Judge Analytics Elastic Source Code Comment on Twitter with the #osspodcast hashtag