Helicopter security

After my last post about security spending, I was thinking about how most security teams integrate into the overall business (hint: they don’t). As part of this thought experiment I decided to compare traditional security to something that in modern times has come to be called helicopter parenting. A helicopter parent is someone who won’t let their kids do anything on their own. These are the people you hear about who follow their child to college or to sports practice. They yell at teachers and coaches for not respecting how special the child is. The kids are never allowed to take any risks because risk is dangerous and bad. If they climb the tree, while it could be a life-altering experience, they could also fall and get hurt. Skateboarding is possibly the most dangerous thing anyone could ever do! We better make sure nothing bad can ever happen. ...

May 17, 2018

Episode 96 - Are legal backdoors a good idea?

Josh and Kurt talk about backdoors in code and products that have been put there on purpose. We talk about unlocking phones, and about encryption backdoors with a focus on why they won’t work.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_96_all_about_backdoors.mp3
Show Notes:
CALEA
Cellebrite unlocking phones
Schneier on Ray Ozzie’s proposal
UK RIP act
Join our Facebook Group
Comment on Twitter with the #osspodcast hashtag

May 14, 2018

Episode 95 - Twitter passwords and npm backdoors

Josh and Kurt talk about Twitter doing the right thing when they logged a lot of passwords, the npm malicious getcookies package, and how backdoors work in code.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_95_twitter_passwords_and_npm_backdoors.mp3
Show Notes:
Twitter password logging
npm getcookies
xkcd gluing things together

May 7, 2018

Episode 94 - DNSSEC, BGP, and reality

Josh and Kurt talk about the Amazon Route 53 incident and what it really means for modern infrastructure. Complaining that nobody is using DNSSEC or securing BGP isn’t the right conversation to be having. Reality must be considered in any honest conversation about these topics.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_94_dns_bgp_and_reality.mp3
Show Notes:
Route 53 attack
Cloudflare’s 1.1.1.1

April 30, 2018

Episode 93 - Security flaws in beep and patch, how did we get here?

Josh and Kurt talk about security flaws in beep and patch. How on earth were there security flaws in beep and patch?
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_93-Security_flaws_in_beep_and_patch_how_did_we_get_here.mp3
Show Notes:
beep security flaw
patch security flaw

April 23, 2018

Episode 92 - Chat with Rami Saas the CEO of WhiteSource

Josh and Kurt talk to Rami Saas, the CEO of WhiteSource, about third-party open source security as well as open source licensing.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-92_chat_with_rami_saas.mp3
Show Notes:
WhiteSource
Rami Saas
Open Source Licenses
Mercedes C-Class 205 Open Source Licenses

April 15, 2018

Episode 91 - Security lessons from a 7 year old

Josh and Kurt talk to a 7 year old about security. We cover Minecraft security, passwords, hacking, and many, many other nuggets of wisdom.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-91_security_lessons_from_a_7_year_old.mp3
Show Notes:
Minecraft
John Doe
Roblox
Keywords: passwords, minecraft

April 8, 2018

Spend until you're secure

I was watching a few Twitter conversations about purchasing security last week and had yet another conversation about security ROI. This has me thinking about what we spend money on. In many industries we can spend our way out of problems, not all problems, but a lot of problems. With security if I gave you a blank check and said “fix it”, you couldn’t. Our problem isn’t money, it’s more fundamental than that. ...

April 5, 2018

Episode 90 - Humans and misinformation

Josh and Kurt talk about all the current misinformation, how humans react to it, and what it means for security.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-90_humans_and_misinformation.mp3
Show Notes:
Virus infections during lent
Wikipedia circular reporting
Guccifer
Bad Twitter VPN advice

April 2, 2018

Episode 89 - Short selling AMD security flaws

Josh and Kurt talk about the recent AMD flaws and the events surrounding the disclosure.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-89_short_selling_amd_security_flaws.mp3
Show Notes:
AMD flaws
Activist investing
Microsoft side channel bounty

March 25, 2018