Episode 18 - The Security of Santa

Josh and Kurt talk about the security concerns and logistics of Santa, elves, and the North Pole.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/297112068-opensourcesecuritypodcast-episode-18-the-security-of-santa.mp3
Show Notes: Elf on the Shelf; Furby without fur; Norad Tracks Santa; Futurama Xmas; St. Nicholas; David Sedaris on Santa; US Senate Candy Desk; You need 76 days to read all privacy statements; Mona Lisa Theft; Super Guppy; LSST Data Management; Back of the envelope: 3589 x1.32large instances (1952 gigs ram) holds 7 petabytes of data in memory ...

December 11, 2016

Episode 17 - Cyphercon Interview with Korgo

Josh and Kurt talk to Michael Goetzman about Cyphercon.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/296503873-opensourcesecuritypodcast-episode-17-cyphercon-interview-with-korgo.mp3
Show Notes: Cyphercon; Cyphercon 2.0; Cyphercon 1.0; 920 Sec; Korgo Virus; SafeHouse Spy Restaurant; Discovery World; Midwest Gaming Classic; Summerfest: Cold War Battleground; Nike Zeus Missile; Poutine; Ghost Fleet; George Stroumboulopoulos

December 6, 2016

Airports, Goats, Computers, and Users

Last week I had the joy of traveling through airports right after the United States Thanksgiving holiday. Now I don’t know how many of you have ever tried to travel the week after Thanksgiving, but it’s kind of crazy: there are a lot of people, way more than usual, and a significant number of them have probably never been on an airplane, or if they travel by air they don’t do it very often. The joke I like to tell people is that there are folks at the airport wondering why they can’t bring their goat onto the airplane. I’m not going to use this post to discuss the merits of airport security (that’s a whole different conversation); it’s really about coexisting with existing security systems. ...

December 4, 2016

Episode 16 - Cat and mouse

Josh and Kurt talk about cybercrime and regulation.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/295920212-opensourcesecuritypodcast-episode-16-cat-and-mouse.mp3
Show Notes: Avalanche Global Fraud Ring; Spam King; Rosendale Speed Trap; Attacking Broadband Routers; Spreadsheet of VPN providers; DNSSEC Root Signing Ceremony; Chicago Tylenol Murders; Psychoactive Substances Act 2016; Computer Fraud and Abuse Act; Calvinball; CIH Virus Author; Firefox 0day

December 2, 2016

Episode 15 - Cyber Black Monday

Josh and Kurt talk about Cyber Monday security tips.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/295266221-opensourcesecuritypodcast-episode-15-cyber-black-monday.mp3
Show Notes: Edmonton Bus Accidents; BeyondCorp: A New Approach to Enterprise Security; Black Hat Cell Towers; Google ranks https results first; Domain Tasting; GnuCash; Tesla Credentials; Tavis Ormandy strcpy pwsafe; Is mashing the keyboard cryptographically secure?

November 29, 2016

The Economics of stealing a Tesla with a phone

A few days ago there was a story about how to steal a Tesla by installing malware on the owner’s phone. If you look at the big-picture view of this problem it’s not all that bad, but our security brains want to make a huge deal out of it. Now I’m not saying that Tesla shouldn’t fix this problem, especially since it’s going to be a trivial fix. What we want to think about is how all these working parts have to fit together. This is something we’re not very good at in the security universe: there can be one single horrible problem, but when we paint the full picture, it’s not what it seems. ...

November 28, 2016

Episode 14 - David A Wheeler: CII Badges

Josh and Kurt have a guest! David A. Wheeler talks about open source security and the CII Badges project.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/294303517-opensourcesecuritypodcast-episode-14-david-a-wheeler-cii-badges.mp3
Show Notes: CII Badge Program; Badges Project Database; Badges GitHub Project Page

November 22, 2016

Fast security is the best security

DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus, for those of you who have never had the joy of witnessing the heart-stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in the net. The really exciting and scary trapeze acts have no net. If these folks fall, that’s pretty much it for them. Someone pointed out to me that the current state of DevOps security is a bit like taking away the net. ...

November 21, 2016

Episode 13 - CVE: The metric system of security

Josh and Kurt talk about CVE, DWF, and the future of flaw reporting.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/293693983-opensourcesecuritypodcast-episode-13-cve-the-metric-system-of-security.mp3
Show Notes: CVE; CVE Candidates (CAN); DWF; NVD; Open Source Security Mailing List; Larry Cashdollar’s Defcon talk; Metric Inch

November 18, 2016

Who cares if someone hacks my driveway camera?

I keep hearing something from people about IoT that reminds me of the old saying: if you’ve done nothing wrong, you have nothing to fear. This attitude is incredibly dangerous in the context of IoT devices (it’s dangerous in all circumstances, honestly). The way I keep hearing this in the context of IoT is something like this: “I don’t care if someone hacks my video camera, it’s just showing pictures of my driveway.” The problem here isn’t what video the camera is capturing; it’s the fact that if your camera gets hacked, the attacker can do nearly anything with the device on the Internet. Remember, at this point these things are fairly powerful general-purpose computers that happen to have a camera. ...

November 14, 2016