Josh and Kurt talk about the new runc container security flaw. How does the flaw work, what can you do about it, what should you do about it, and what the future of container security may look like. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_134_Whats_up_with_the_container_runc_security_flaw.mp3 Show Notes runc security flaw - CVE-2019-5736 Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about the fiasco hacks4pancakes described on Twitter and what the future of smart locks will look like. We then discuss what it means if the Japanese government starts hacking consumer IoT gear, is it ethical? Will it make anything better? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_133_Smart_locks_and_the_government_hacking_devices.mp3 Show Notes @hacks4pancakes smart lock fiasco LockPickingLawyer Japanese government hacking devices Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about the Bird Scooter vs Corey Doctorow incident. We then get into some of the social norms around new technology and what lessons the security industry can take from something new like shared scooters. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_132_Bird_Scooter_0_Cory_Doctorow_1.mp3 Show Notes Bird vs Corey Doctorow Josh’s CES blog Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about non-Microsoft Windows micropatches. The days of pretending closed source matters are long gone. Google gets hit with a privacy fine, that probably won’t matter. And Mastercard makes it easier for consumers to not accidentally sign up for services they don’t want. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_131_Windows_micropatches_Googles_privacy_fine_and_Mastercard_fixes_trial_abuse.mp3 Show Notes 3 Windows micropatches Google fined $57 million Mastercard free trial abuse Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk to Danny Grander one of the co-founders of Snyk about Zip Slip, what it is, how to fix it, and how they disclosed everything. We also touch on plenty of other open source security topics as Danny is involved in many aspects of open source security. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_130_Chat_with_Snyk_cofounder_Danny__Grander.mp3 Show Notes Danny’s Twitter Danny’s LinkedIn Snyk Zip Slip Snyk state of open source security Comment on Twitter with the #osspodcast hashtag ...

As CES draws to a close, I’ve seen more than one security person complain that nobody at the show was talking about security. There were an incredible number of consumer devices unveiled, no doubt there is no security in any of them. I think we get caught up in the security world sometimes so we forget that the VAST majority of people don’t care if something has zero security. People want interesting features that amuse them or make their lives easier. Security is rarely either of these, generally it makes their lives worse so it’s an anti-feature to many. ...

Josh and Kurt talk about the EU bug bounty program. There have been a fair number of people complaining it’s solving the wrong problem, but it’s the only way the EU has to spend money on open source today. If that doesn’t change this program will fail. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_129_The_EU_bug_bounty_program.mp3 Show Notes Josh’s blog post Julia Reda EU bug bounty site Tidelift What motivates us Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about Australia’s recently passed encryption bill. What is the law that was passed, what does it mean, and what are the possible outcomes? The show notes contain a flow chart of possible outcomes. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-128_Australias_encryption_backdoor_bill.mp3 Show Notes Josh’s flow chart Australia Access and Assistance Encryption Bill 2018 Comment on Twitter with the #osspodcast hashtag

The EU recently announced they are going to sponsor a security bug bounty program for 14 open source projects in 2019. There has been quite a bit of buzz about this program in all the usual places. The opinions are all over the place. Some people wonder why those 14, some wonder why not more. Some think it’s great. Some think it’s a horrible idea. I don’t want to focus too much on the details as they are unimportant in the big picture. Which applications are part of the program don’t really matter. What matters is why are we here today and where should this go in the future. ...

Josh and Kurt talk about which articles of the GDPR apply to Santa, and if he’s following the rules the way he should be (spoiler, he’s probably not). Should Santa be on his own naughty list? We also create a new holiday character - George the DPO Elf! https://traffic.libsyn.com/secure/opensourcesecuritypodcast/2018_Christmas_Special_Is_Santa_GDPR_compliant.mp3 Show Notes David Sedaris Santaland Canadian Tire Ice Truck Comment on Twitter with the #osspodcast hashtag