I’ve been thinking about the concept of free market forces this weekend. The basic idea here is that the price of a good is decided by the supply and demand of the market. If the market demands something, the price will go up if there it’s in short supply. This is basically why the Nintendo Switch is still selling on eBay for more than it would cost in the store. There is a demand but there isn’t a supply. But back to security. Let’s think about something I’m going to call “free market security”. What if demand and supply was driving security? Or we can flip the question around, what if the market will never drive security? ...

Josh and Kurt discuss Samba, FTP sites, MSDOS, regulation, and the airplane laptop travel ban. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/325265404-opensourcesecuritypodcast-episode-49-testing-software-is-impossible.mp3 Show Notes Samba Bug Wannacry Honeypot Schneier and regulating IoT Cyber ITL Refrigerator death Airplane laptop ban Israeli airport security Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

I was having some security conversations last week and cybersecurity insurance came up as a topic. This isn’t overly unusual as it’s a pretty popular topic, but someone said something that really got me thinking. What if the insurance covered the customers instead of the companies? Now I understand that many cybersecurity insurance policies can cover some amount of customer damage and loss, but fundamentally the coverage is for the company that is attacked, customers who have data stolen will maybe get a year of free credit monitoring or some other token service. That’s all well and good, but I couldn’t help myself from thinking about this problem from another angle. Let’s think about insurance in the context of shoplifting. For this thought exercise we’re going to use a real store in our example, which won’t be exactly correct, but the point is to think about the problem, not get all the minor details correct. ...

If you pay attention to Twitter at all, you’ve probably seen people arguing about patching your enterprise after the WannaCry malware. The short story is that Microsoft fixed a very serious security flaw a few months before the malware hit. That means there are quite a few machines on the Internet that haven’t applied a critical security update. Of course as you imagine there is plenty of back and forth about updates. There are two basic arguments I keep seeing. ...

Josh and Kurt have a guest! Mike Paquette from Elastic discusses the fundamentals and basics of Machine Learning. We also discuss how ML could have helped with WannaCry. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/323810101-opensourcesecuritypodcast-episode-48-machine-learning-not-actually-magic.mp3 Show Notes Canadians stranded in Portgual Elastic Machine Learning Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Josh and Kurt discuss the WannaCry worm. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/322577205-opensourcesecuritypodcast-episode-47-wannacry-everything-is-basically-broken.mp3 Show Notes MS17-010 How to accidentally stop a global cyber attack Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Josh and Kurt discuss the recent Google phish attack. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/320997006-opensourcesecuritypodcast-episode-46-turns-out-im-not-a-bad-guy.mp3 Show Notes Google phish spam Mail from 2011 detailing attack Links to OAuth permissions on major services https://myaccount.google.com/permissions https://twitter.com/settings/applications https://www.facebook.com/settings?tab=applications https://www.linkedin.com/psettings/third-party-applications https://account.live.com/Consent/Manage https://www.amazon.com/gp/mas/your-account/myapps Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

I was reading the newspaper the other day (the real dead tree newspaper) and I came across an op-ed from my congressperson. Gallagher: Cybersecurity for small business It’s about what you’d expect but comes with some actionable advice! Well, not really. Here it is so you don’t have to read the whole thing. Businesses can start by taking some simple and relatively inexpensive steps to protect themselves, such as: » Installing antivirus, threat detection and firewall software and systems. » Encrypting company data and installing security patches to make sure computers and servers are up to date. » Strengthening password practices, including requiring the use of strong passwords and two-factor authentication. » Educating employees on how to recognize an attempted attack, including preparing rapid response measures to mitigate the damage of an attack in progress or recently completed. ...

Josh and Kurt discuss not-counterfeit MTG cards, antivirus, squirrelmail, unroll.me, grsecurity, baby monitors, and trust. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/320432805-opensourcesecuritypodcast-episode-45-trust-is-more-important-now-than-the-truth.mp3 Show Notes Mom Apologizes For Trying To Sell Son’s Rare Magic Card Squirrelmail security issue Stealing all your mail grsecurity Baby monitor security Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

The other day I ran across someone trying to keep their locker secured by using a combination lock. As you can see in the picture, the lock is on the handle of the locker, not on the loop that actually locks the door. When I saw this I had a good chuckle, took a picture, and put out a snarky tweet. I then started to think about this quite a bit. Is this the user’s fault or is this bad design? I’m going to blame bad design on this one. It’s easy to blame users, we do it often, but I think in most instances, the problem is the design, not the user. If nothing is ever our fault, we will never improve anything. I suspect this is part of the problem we see across the cybersecurity universe. ...