Josh and Kurt discuss SHA-1 and cloudbleed. Bug bounties come up, we compare security to the Higgs boson, and IPv6 comes up at the end. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/309898784-opensourcesecuritypodcast-episode-35-crazy-cosmic-accident.mp3 Show Notes SHA-1 attack Google Security Blog about SHA-1 Zcash hash algorithm analysis Webkit SVN Collision Google bug about cloudbleed Cloudflare Blog Known cloudbleed sites SHA-1 CVE-2005-4900 Whitewood Entropy Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Unless you’ve been living under a rock, you heard that some researchers managed to create a SHA-1 collision. The short story as to why this matters is the whole purpose of a hashing algorithm is to make it impossible to generate collisions on purpose. Unfortunately though impossible things are usually also impossible so in reality we just make sure it’s really really hard to generate a collision. Thanks to Moore’s Law, hard things don’t stay hard forever. This is why MD5 had to go live on a farm out in the country, and we’re not allowed to see it anymore … because it’s having too much fun. SHA-1 will get to join it soon. ...

Josh and Kurt discuss RSA, the cryptographer’s panel and of course, AI. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/309062655-opensourcesecuritypodcast-episode-34-bathing-in-ebola-virus.mp3 Show Notes FTP Firewall Problem RSA Cryptographer’s Panel ‘Overcome’ encryption Casino bombing Bill C-23 Security and AI DARPA AI challenge Amazon sells eggs Ford sleepy drivers Judge Caprio Logojoy Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Josh and Kurt are at the same place at the same time! We discuss our RSA sessions and how things went. Talk of CVE IDs, open source libraries, Wordpress, and early morning sessions. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/307825712-opensourcesecuritypodcast-episode-33-everybody-who-went-to-the-circus-is-in-the-circus-rsa-2017.mp3 Show Notes Bradley Kuh Typosquatting package managers (mirror) zlib embedded library problem Wordpress CVE ID Josh’s 7am BoF session Bruce Schneier RSA talk Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

If I demand you jump off the roof and fly, and you say no, can I call you a defeatist? What would you think? To a reasonable person it would be insane to associate this attitude with being a defeatist. There are certain expectations that fall within the confines of reality. Expecting things to happen outside of those rules is reckless and can often be dangerous. Yet in the universe of cybersecurity we do this constantly. Anyone who doesn’t pretend we can fix problems is a defeatist and part of the problem. We just have to work harder and not claim something can’t be done, that’s how we’ll fix everything! After being called a defeatist during a discussion, I decided to write some things down. We spend a lot of time trying to fly off of roofs instead of looking for practical realistic solutions for our security problems. ...

Josh and Kurt discuss random numbers, a lot. Also slot machines, gambling, and dice. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/306639696-opensourcesecuritypodcast-episode-32-gambling-as-a-service.mp3 Show Notes Dilbert Random Numbers Slot Machine Cheats dieharder Cracking the Scratch Lottery Intel Atom 2000 Lavarand diceomatic Google security neuroscience Militant moderates Show tags: #random #prng Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Josh and Kurt discuss door locks, Ikea, chair testing sounds, electrical safety, autonomous cars, and XML vs JSON. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/305513722-opensourcesecuritypodcast-episode-31-xml-is-never-the-solution.mp3 Show Notes Mersenne Prime Door Lock Ransomware Ikea Chair Testing Machine Costume Safety Tesseract Roost WiFi battery Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Last week I kept running into old school people trying to justify why something that made sense in the past still makes sense today. Usually I ignore these sort of statements, but I feel like I’m seeing them often enough it’s time to write something up. We’re in the middle of disruptive change. That means that the way security used to work doesn’t work anymore (some people think it does) and in the near future, it won’t work at all. In some instances will actually be harmful if it’s not already. ...

Josh and Kurt discuss security automation. Machine learning, AI, and a bunch of moral and philosophical boundaries that new future will bring. You’ve been warned. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/304449487-opensourcesecuritypodcast-episode-30-im-not-an-expert-but-ive-been-yelled-at-by-experts.mp3 Show Notes XKCD Is It Worth the Time? Larry Wall Google Translate AI invents its own language to translate with Black Mirror Social Media Episode St. Louis Public Library Ransomware Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

I found myself in a discussion earlier this week that worked its way into return on investment topics. Of course nobody could really agree on what the return was which is sort of how these conversations often work out. It’s really hard to decide what the return on investment is for security features and products. It can be hard to even determine cost sometimes, which should be the easy number to figure out. ...