One of the few themes that comes up time and time again when we talk about security is how bad people tend to be at understanding what’s actually going on. This isn’t really anyone’s fault, we’re expecting people to go against what is essentially millions of years of evolution that created our behaviors. Most security problems revolve around the human being the weak link and doing something that is completely expected and completely wrong. ...

Josh and Kurt discuss airplane laptop bans, ATM hacking, pointing at things, and Certificate Authorities. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/316915938-opensourcesecuritypodcast-episode-41-all-your-money-are-belong-to-us.mp3 Show Notes Loaner laptops on planes ATM hacking Japanese rail safety point and call Certificate Authority Authorization in DNS Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

If you listen to my podcast (which you should be doing already), I had a bit of a rant at the start this week about an assignment my son had over the weekend. He wasn’t supposed to use any “screens” which is part of a drug addiction lesson. I get where this lesson is going, but I’ve really been thinking about the bigger idea of expectations and reality. This assignment is a great example of someone failing to understand the world has changed around them. ...

Josh and Kurt discuss Verizon spyware, FCC privacy, Smart TVs, Tor’s rewrite, Google’s new operating system, bitcoin, and NanoCore. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/315737179-opensourcesecuritypodcast-episode-40-lets-fork-bitcoin-again.mp3 Show Notes Verizon Spyware Story FCC Broadband Privacy Inserting tracking headers Smart TVs run Flash Tor rewrite in safer language Fuchsia Bitcoin fork NanoCore Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

If you pay any attention to the security universe, you’re aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I’m not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things. ...

Josh and Kurt discuss certificates, OpenSSL, dishwashers, Flash, and laptop travel bans. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/314794586-opensourcesecuritypodcast-episode-39-flash-on-your-dishwasher.mp3 Show Notes SNES bluetooth remake Symantec vs Google OpenSSL license change Dishwasher directory traversal Fedex $5 for Flash Laptop and iPad airline ban Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

I’ve started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn’t anything overly clever, it’s fun to do. And I get to make pretty graphs, which everyone likes to look at. I stuck a few of my early results on Twitter because it seemed like a fun thing to do. One of the graphs I put up was comparing the 3 BSDs. The image is below. ...

Josh and Kurt discuss disclosing your password, pwn2own, wikileaks, Back Orifice, HTTPS inspection, and antivirus. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/313701429-opensourcesecuritypodcast-episode-38-we-ruin-everything.mp3 Show Notes xkcd comic Defendant refusing to give up password Prisoner ID Password Fraud Victim’s Google Warrant pwn2own VM escape pwn2own Mozilla 22 hour fix Wikileaks non disclosure Back Orifice HTTPS inspection tools may be unsafe Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

Last week there was a story about Consumer Reports doing security testing of products. Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reason to pick on these guys. They’re quite brave to take this task on, it’s nearly impossible if you think about the state of security (especially consumer security). But this is how things start. There is no industry that has gone from broken to perfect in one step. It’s a long hard road when you have to deal with systemic problems in an industry. Consumer product security problems may be larger and more complex than any other industry has ever had to solve thanks to things such as globalization and how inexpensive tiny computers have become. ...

Josh and Kurt discuss how the Vault 7 leaks shows we live in the Neuromancer world, and this is likely the new normal. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/311442678-opensourcesecuritypodcast-episode-37-your-bathtub-is-more-dangerous-than-a-shark.mp3 Show Notes Hacker News Writeup about Vault 7 SATAN RTL-SDR White House Reconstruction Baseband Hacking CGA Graphics Chromium Security Brag Sheet French Zoo Poacher Join our Facebook Group Comment on Twitter with the #osspodcast hashtag