Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn’t all that exciting, but the whole disclosure process was wild. There’s a lot to talk about, many things didn’t quite go as planned and it all leaked early. Let’s talk about why and what it all means. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_449_The_CUPSpocalypse.mp3 Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd is not about what you love; it’s about how you love it

Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there’s also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of “just security harder”. We need CISA to be leading the way funding and defining security, not blaming vendors for giving the market what it demands. ...

Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We’ve known for a while developers are struggling, and the numbers back that up. This one feels like the old “we’ve tried nothing and we’re all out of ideas”. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_447_The_Tidelift_2024_open_source_maintainer_report.mp3 Show Notes THE 2024 TIDELIFT STATE OF THE OPEN SOURCE MAINTAINER REPORT Canadian passport Changelog Interviews #433 Pandas CVE

Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasonable way. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_446_Researchers_took_over_MOBI_TLD.mp3 Show Notes We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI Heinz says sorry for ketchup QR code that links to porn site

Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It’s a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger risk equations. It’s a really fun discussion. ...

Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it’s becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_444_Open_Source_and_End_of_Life.mp3 Show Notes Chrome dumped support for Ubuntu 18.04 – but it’ll be back Linus Torvalds talks AI, Rust adoption, and why the Linux kernel is ’the only thing that matters’ Pidgin backdoor

Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There’s a ton of doom and gloom around our software supply chains and much of the advice isn’t realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_443_The_Supply_Chain_Security_Crisis.mp3 Show Notes Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event The Reason Train Design Changed After 1948

Josh and Kurt talk about a few stories around the TLS CA certificate world. It’s all pretty dire sounding. There’s not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There’s not a lot of positive ideas here, it’s mostly a show where Kurt explains to Josh what’s going on, because Josh doesn’t want to care (and will continue to ignore all of this going forward). ...

Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_441_Is_CWE_useful.mp3 Show Notes CWE Episode 360 – Memory safety and the NSA Inside 22,734 Steam games

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there’s a lot of interesting details in the questions and comments that emerged. It’s clear a lot of security people don’t really care about the fine details about what open source is, their primary goal is to help keep development secure. ...