There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’s good advice. They’ll get a few morsels, them someone will point out whatever corner case makes that advice bad and the conversation will spiral into nonsense where we find ourselves trying to defend someone mostly concerned about cat pictures from being kidnapped by a foreign nation. Eventually whoever asked for help quit listening a long time ago and decided to just keep their passwords written on a sticky note under the keyboard. ...

Josh and Kurt talk about the Google+ and Facebook data incidents. We don’t have any control over this data anymore. The incidents didn’t really affect the users because we have no idea who has access to it. We also touch on GDPR and what it could mean in this context. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_119_the_google_and_facebook_incidents_its_not_your_data_anymore.mp3 Show Notes Facebook hack Google+ hack Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Cloudflare’s new IPFS and Onion services. One brings distributed blockchain files to the masses, the other lets you host your site on tor easily. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_118_cloudflares_ipfs_and_onion_service.mp3 Show Notes IPFS Onion service Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Linus’ effort to work on his attitude. What will this mean for security and IT in general? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_117_Will_security_follow_Linus_lead_on_being_nice.mp3 Show Notes Linus steps aside Contributor Covenant Comment on Twitter with the #osspodcast hashtag

On a pretty regular basis I see claims that the public CVE dataset is missing some large number of security issues. I’ve seen ranges from tens of thousands all the way up to millions. The purpose behind such statements is to show that the CVE data is woefully incomplete. Of course almost everyone making that claim has a van filled with security issues and candy they’re trying very hard to lure us into. It’s a pretty typical sales tactic as old as time itself. Whatever you have today isn’t good enough, but what I have, holy cow it’s better. It’s so much better you better come right over and see for yourself. After you pay me of course. ...

Josh and Kurt talk to Michael Piacente from Hitch Partners about the past, present, and future role of the CISO in the industry. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_116_The_future_of_the_CISO_with_Michael_Piacente.mp3 Show Notes Hitch Partners Michael Piacente Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it’s not that bad when it’s explained by someone with experience. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_115_Discussion_with_Brian_Hajost_from_SteelCloud.mp3 Show Notes SteelCloud DISA STIG Comment on Twitter with the #osspodcast hashtag

Josh and Kurt review Bruce Schneier’s new book Click Here to Kill Everybody. It’s a book everyone could benefit from reading. It does a nice job explaining many existing security problems in a simple manner. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_114_review_of_click_here_to_kill_everybody.mp3 Show Notes Click Here to Kill Everybody There Will Be Cyberwar Reddit OSHA Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about actual real world advice. Based on a story about trying to secure political campaigns, if we had to give some security help what should it look like, who should we give it to? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_113_actual_real_security_advice.mp3 Show Notes Security advice to Democrats Our actual advice Don’t run your own services Email - Google or Microsoft Don’t’ use GPG Use a trusted device Use a password manager on a secure device Use 2FA Backups Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the new Google Titan security key. There are some in the industry uneasy about the supply chain for the devices. We also discuss the latest Struts security issue. Struts is old and scary now, stop using it. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-112_googles_titan_key_and_the_latest_struts_issue.mp3 Show Notes Google’s security key security questions Struts security issue Comment on Twitter with the #osspodcast hashtag