Sometimes when you plan for a security event, it would be expected that the thing you’re doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I’m here to tell you it’s impossible to make something impossible. ...

Kurt and Josh discuss interesting news stories https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285305681-opensourcesecuritypodcast-episode-6-foundational-knowledge-of-security.mp3 Show Notes How much gold can you steal from the Canadian mint? Stop plugging random usb sticks in IoT DoS Cost of Security Kijiji World of VNC Shodan Security and Tribal Knowledge Comment on Twitter

Kurt and Josh discuss the recent OpenSSL update(s) https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285193058-opensourcesecuritypodcast-episode-5-openssl-the-library-we-deserve.mp3 Show Notes OpenSSL Flaw Logo ​Sloppy programming leads to OpenSSL woes CVE-2016-6309 (OpenSSL advisory) [Critical severity] 26th September 2016 Sendmail “Bat” Book OpenSSL Man Pages Comment on Twitter

If you’re paying attention, you saw the news about Yahoo’s breach. Five hundred million accounts. That’s a whole lot of data if you think about it. But here’s the thing. If you’re a security person, are you surprised by this? If you are, you’ve not been paying attention. It’s pretty well accepted that there are two types of large infrastructures. Those who know they’ve been hacked, and those who don’t yet know they’ve been hacked. Any group as large as Yahoo probably has more attackers inside their infrastructure than anyone really wants to think about. This is certainly true of every single large infrastructure and cloud provider and consumer out there. Think about that for a little bit. If you’re part of a large infrastructure, you have threat actors inside your network right now, probably more than you think. ...

Josh and Kurt discuss news of the day, shipping, and container security https://traffic.libsyn.com/secure/opensourcesecuritypodcast/283885003-opensourcesecuritypodcast-episode-4-dead-squirrel-in-a-box.mp3 Show Notes Stealing shipped gold Shipping the Hope Diamond The French Underground Spam Nation The Random Darknet Shopper Kinder Eggs in the US Mailing crazy things Mailing Bricks to Alaska Uber’s self driving fleet Off the Hook radio show How to wipe email servers Government firewall rules xkcd grammar police Project Bubblewrap Comment on Twitter

TL;DR - No. Here’s why. I was talking with my Open Source Security Podcast co-host Kurt Seifried about what it would be like to access the modern Internet using dialup. So I decided to give this a try. My first thought was to find a modem, but after looking into this, it isn’t really an option anymore. The setup No Modem Fedora 24 VM Firefox as packaged with Fedora 24 Use the firewall via wondershaper to control the network speed “App Telemetry” firefox plugin to time the site load time I know it’s not perfect, but it’s probably close enough to get a feel for what’s going on. I understand this doesn’t exactly recreate a modem experience with details like compression, latency, and someone picking up the phone during a download. There was nothing worse than having that 1 megabyte download at 95% when someone decided they needed to make a phone call. Call waiting was also a terrible plague. ...

I had a discussion last week that ended with this question. “Why do we do security”. There wasn’t a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can’t come up with a simple answer. It’s probably part of the problems you see in infosec. The purpose of security isn’t just to be “secure”, it’s to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense. ...

Josh and Kurt discuss news of the day, banks, 3D printing, and lockpicking. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/282763713-opensourcesecuritypodcast-episode-3-the-lockpicking-sewing-circle.mp3 Show Notes Segate NAS mining bitcoin Telnet honeypot activity Bravia TVs losing Youtube 10 Million Raspberry Pis last.fm passwords Hack Proof Systems 3D printing pen LulzBot Comment on Twitter

Are you an expert? Do you know an expert? Do you want to be an expert? This came up for me the other day while having a discussion with a self proclaimed expert. I’m not going to claim I’m an expert at anything, but if you tell me all about how good you are, I’m not going to take it at face value. I’m going to demand some proof. “Trust me” isn’t proof. ...

Josh and Kurt discuss how open source security works. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281731016-opensourcesecuritypodcast-episode-2-instills-the-proper-amount-of-fear.mp3 Show Notes CII Badges CVE Node Security Project CSO open source story Comment on Twitter