If you’ve ever written code, even a few lines of it, you know there is always some sort of tradeoff between doing it “right” and doing it “now”. This is basically the reality of any industry, there is always the right way, and then there’s the way it’s going to get done. If you’ve ever done any sort of home remodeling project you’re well aware of uncovering the sins of the past as soon as that wall gets opened up. ...

Josh and Kurt talk about scareware, malware, and how hard this stuff is to stop, and how the answer isn’t fixing people. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/299913768-opensourcesecuritypodcast-episode-23-we-cant-patch-people.mp3 Show Notes Bitsquatting Typosquatting L.A. Phishing Uber Email IDS Infomercial subreddit (Where did the soda go?) Super Mario Run Malware Booba Methbot Sumitomo copper affair Comment on Twitter with the #osspodcast hashtag

During the holiday, I started playing Doom 2. I bet I’ve not touched this game in more than ten years. I can’t even remember the last time I played it. My home directory was full of garbage and it was time to clean it up when I came across doom2.wad. I’ve been carrying this file around in my home directory for nearly twenty years now. It’s always there like an old friend you know you can call at any time, day or night. I decided it was time to install one of the doom engines and give it a go. I picked prboom, it’s something I used a long time ago and doesn’t have any fancy features like mouselook or jumping. Part of the appeal is to keep the experience close to the original. Plus if you could jump a lot of these levels would be substantially easier. The game depends on not having those features. ...

Josh and Kurt talk about planned obsolescence and IoT devices. Should manufacturers brick devices? We also have a crazy discussion about the ethics of hacking back. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/299448186-opensourcesecuritypodcast-episode-22-iot-wild-west.mp3 Show Notes First Uses of Coffee Did coffee cause the enlightenment? Nest bricks Revolv devices Phoebus Cartel Verizon will brick the Note 7 Trolley Problem Toaster toasts the weather 80% of medical device companies have less than 50 employees Passive wifi chips Crystal radio Great Seal Bug Moscow Embassy Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about CVE 10K. CVE IDs have finally crossed the line, we need 5 digits to display them. This has never happened before now. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/298898472-opensourcesecuritypodcast-episode-21-cve-10k-extravaganza.mp3 Show Notes OpenSSH CVE10K assignments CVE-2016-10005 CVE syntax change CVE Numbering Authorities OpenSSH Security Advisory C to HDL Reboot Boeing Dreamliner One person writes most Linux video camera drivers Donald Becker China Airlines Flight 120 Comment on Twitter with the #osspodcast hashtag

As the dumpster fire that is 2016 crawls to the finish line, we had another story about a massive Yahoo breach. 1 billion user accounts had data stolen. Just to give some context here, that has to be hundreds of gigabytes at an absolute minimum. That’s a crazy amount of data. And nobody really cares. Sure, there is some noise about all this, but in a week or two nobody will even remember. There has been a similar story to this about every month all year long. Can you even remember any of them? The stock market doesn’t, basically everyone who has ever had a crazy breach hasn’t seen a long term problem with their stock. Sure there will be a blip where everyone panics for a few days, then things go back to normal. ...

Josh and Kurt talk about the death of PGP, and how it’s not actually dead at all. It’s still really hard to use though. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/298557680-opensourcesecuritypodcast-episode-20-the-death-of-pgp.mp3 Show Notes I’m giving up on PGP Yubikey 4 Josh’s PGP setup blog post Kurt’s key with multiple signatures PGP short ID collisons Let’s Encrypt ICQ website from the late 90’s Signal Secure Messaging $2 million fraud at NorQuest College Scammers pose as company exec EV certificate requirements Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the bricking devices (on purpose). https://traffic.libsyn.com/secure/opensourcesecuritypodcast/297769068-opensourcesecuritypodcast-episode-19-a-field-full-of-razor-blades-and-monsters.mp3 Show Notes Samsung will brick the Note 7s Verizon won’t brick the phones Hoverboard imports banned Firestone tire recall Denmark Apple refurbished phone case Deprecating SHA1 South Korean Banking Encryption Canada’s Worst Driver Fitbit bought Pebble Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about the security concerns and logistics of Santa, elves, and the North Pole. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/297112068-opensourcesecuritypodcast-episode-18-the-security-of-santa.mp3 Show Notes Elf on the Shelf Furby without fur Norad Tracks Santa Futurama Xmas St. Nicholas David Sedaris on Santa US Senate Candy Desk You need 76 days to read all privacy statements Mona Lisa Theft Super Guppy LSST Data Management Back of the envelope 3589 x1.32large instances (1952 gigs ram) holds 7 petabytes of data in memory ...

Josh and Kurt talk to Michael Goetzman about Cyphercon https://traffic.libsyn.com/secure/opensourcesecuritypodcast/296503873-opensourcesecuritypodcast-episode-17-cyphercon-interview-with-korgo.mp3 Show Notes Cyphercon Cyphercon 2.0 Cyphercon 1.0 920 Sec Korgo Virus SafeHouse Spy Restaurant Discovery World Midwest Gaming Classic Summerfest: Cold War Battleground Nike Zeus Missile Poutine Ghost Fleet George Stroumboulopoulos Comment on Twitter