Josh and special guest host Dave Sirrine talk about Halloween, passwords, hardware timing attacks, chip and pin, security economics, SSL/TLS, and Mozilla enabling TLS 1.3 by default. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/290834937-opensourcesecuritypodcast-episode-11-the-poison-candy-episode.mp3 Show Notes Risky Candy XKCD Password Strength Diceware Haswell Timing Attack Rowhammer on Android Eavesdropping keystrokes via VOIP SSL/TLS Timeline Comment on Twitter

Sysadmins used to rule the world. Anyone who’s been around for more than a few years remembers the days when whatever the system administrator wanted, the system administrator got. They were the center of the business. Without them nothing would work. They were generally super smart and could quite often work magic with what they had. It was certainly a different time back then. Now developers are king, the days of the sysadmin have waned. The systems we run workloads on are becoming a commodity, you either buy a relatively complete solution, or you just run it in the cloud. These days most anyone using technology for their business relies on developers instead of sysadmins. ...

Kurt and Josh discuss Dirty COW, the big IoT DDoS, and Josh can’t pronounce Mirai or Dyn. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/289791587-opensourcesecuritypodcast-episode-10-the-super-botnet-that-nobody-can-stop.mp3 Show Notes Dirty Cow Kees Cook Kernel Bug Lifetime Rowhammer Mirai botnet DDoS Law of truly large numbers Comment on Twitter

If I asked everyone to tell me what security is, what do you do about it, and why you do it. I wouldn’t get two answers that were the same. I probably wouldn’t even get two that are similar. Why is this? After recording Episode 9 of the Open Source Security Podcast I co-host, I started thinking about measuring a lot. It came up in the podcast in the context of bug bounties, which get exactly what they measure. But do they measure the right things? I don’t know the answer, nor does it really matter. It’s just important to keep this in mind as in any system, you will get exactly what you measure. ...

This title is a bit click baity, but it’s true, not for the reason you think. Keep reading to see why. If you’ve ever been involved in keeping a software product updated, I mean from the development side of things, you know it’s not a simple task. It’s nearly impossible really. The biggest problem is that even after you’ve tested it to death and gone out of your way to ensure the update is as small as possible, things break. Something always breaks. ...

Kurt and Josh discuss responsible disclosure, irresponsible disclosure, bug bounties, measuring security, usability AND security, as well as quality of life. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/288890601-opensourcesecuritypodcast-episode-9-are-bug-bounties-measuring-the-wrong-things.mp3 Show Notes Responsible Disclosure OpenSSL Security Policy Rain Forest Puppy Policy ISO 29147 Facebook Bug Bounty Security Spending Security AND Usability Comment on Twitter

I had a discussion last week with some fellow security folks about how we can discuss security with normal people. If you pay attention to what’s going on, you know the security people and the non security people don’t really communicate well. We eventually made our way to comparing what we do to the door to door religious groups. They’re rarely seen in a positive light, are usually annoying, and only seem to show up when it’s most inconvenient. This got me thinking, we probably have more in common there than we want to admit, but there are also some lessons for us. ...

Kurt and Josh discuss prime numbers (probably getting a lot of it wrong), Samsung, passwords, National Cyber Security Awareness Month, and bathroom scales. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/287233537-opensourcesecuritypodcast-episode-8-the-primality-of-prime-numbers.mp3 Show Notes New Prime Number Research Randomness testing Kurt’s Repo of Primes DNSSEC Signing Ceremony Magento Skimmer XKCD Wrench Comic Firesheep National Cyber Security Awareness Month Stop Trying to Fix the User Only Trust Food Delivered by Zebra Bathroom Scale Flaw Comment on Twitter

Kurt and Josh discuss the ORWL computer, crashing systemd with one line, NIST, and a security journal. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285901909-opensourcesecuritypodcast-episode-7-more-powerful-than-root.mp3 Show Notes Physically secure open source computer Ancient Linux fax machine firmware systemd one liner crash Open security journal Let’s Encrypt Random Numbers in Go DRAFT Vulnerability Description Ontology Comment on Twitter

Sometimes when you plan for a security event, it would be expected that the thing you’re doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I’m here to tell you it’s impossible to make something impossible. ...