
Episode 272 - The Biden Cybersecurity Executive Order

Josh and Kurt talk about the Biden Administration's new cybersecurity executive order. There are some good ideas in there, but at the end of the day it's an unfunded mandate. Unfunded mandates are difficult to implement.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_272_The_Biden_Cybersecurity_Executive_Order.mp3

Show Notes:
Biden Executive Order
Fact Sheet
Obama's cyber EO

May 24, 2021

Episode 271 - Pipeline security: There is no problem humans can't make worse

Josh and Kurt talk about how people handle problems. We open with the story of the Colonial Pipeline hack, but then go into some of the ways people tend to make problems worse.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_271_Pipeline_security_There_is_no_problem_humans_cant_make_worse.mp3

Show Notes:
Male vs Female trees
Pipeline hack
XKCD Pipelines
TSA Pipeline Security

May 17, 2021

Episode 270 - Hello dark patterns my old friend

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse users into doing something they don't want to, like unknowingly purchasing a monthly subscription to something they don't need or want. The US Federal Trade Commission is starting to discuss dark patterns in web sites and apps.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_270_Hello_dark_patterns_my_old_friend.mp3

Show Notes:
Dark Patterns
Types of Dark Patterns
FTC Bringing Dark Patterns to Light
LTT Dell Warranty

May 10, 2021

Episode 269 - Do not experiment on the Linux Kernel

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There's a lot to unpack in this one, but the TL;DR is you probably don't want to experiment on the kernel.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_269_Do_not_experiment_on_the_Linux_Kernel.mp3

Show Notes:
Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research
University of Minnesota security researchers apologize for deliberately buggy Linux patches
The International Obfuscated C Code Contest

May 3, 2021

Episode 268 - Can we trust any 3rd parties?

Josh and Kurt talk about what "3rd party" means in the current world, from 5G suppliers to the Codecov and SolarWinds breaches. Is there anyone we can trust?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_268_Can_we_trust_any_3rd_parties.mp3

Show Notes:
Europe and 5G
Codecov
Codecov Reuters story
Red Hat OpenSSH advisory

April 26, 2021

Episode 267 - Does 0day still mean 0day?

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why has the name taken on a new meaning, and why is that OK?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_267_Does_0day_still_mean_0day.mp3

Show Notes:
Hacker History Podcast
Chrome 0day
NTFS Documentation

April 19, 2021

Episode 266 - The future of security scanning with Debricked

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_266_The_future_of_security_scanning_with_Debricked.mp3

Show Notes:
Debricked
Emil's LinkedIn

April 12, 2021

Episode 265 - The lies closed source can tell, open source can't

Josh and Kurt talk about the PHP backdoor and the Ubiquiti whistleblower. The key takeaway is that an open source project cannot cover up an incident, while closed source can and will cover up damaging information.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_265_The_lies_closed_source_can_tell_open_source_cant.mp3

Show Notes:
PHP backdoor
Ubiquiti coverup
3D printed TSA keys
LockPickingLawyer
Determining Key Shape from Sound
Lock camera

April 5, 2021

It's time to fix CVE

The late, great John Lewis is well known for a quote about getting into trouble: "Never, ever be afraid to make some noise and get in good trouble, necessary trouble." It's time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter is well aware I have been a proponent of CVE Identifiers for a very long time. I once assigned CVE IDs to most open source security vulnerabilities. I've helped more than one company and project adopt CVE IDs for their advisories. I encourage anyone who will listen to adopt CVE IDs. I've even talked about it on the podcast many times. ...

March 30, 2021

Episode 264 - DevSecOps with GitLab's Mark Loveless

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It's a great conversation.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_264_DevSecOps_with_GitLabs_Mark_Loveless.mp3

Show Notes:
Mark Loveless Twitter
GitLab
GitLab Handbook
How we approach open source security
PASTA threat modeling
GitLab security features
Tales from the Past - "You Tested Positive for TNT"

March 29, 2021