Posts

The EU recently announced they are going to sponsor a security bug bounty program for 14 open source projects in 2019. There has been quite a bit of buzz about this program in all the usual places. The opinions are all over the place. Some people wonder why those 14, some wonder why not more. Some think it’s great. Some think it’s a horrible idea. I don’t want to focus too much on the details as they are unimportant in the big picture. Which applications are part of the program don’t really matter. What matters is why are we here today and where should this go in the future. ...

Josh and Kurt talk about which articles of the GDPR apply to Santa, and if he’s following the rules the way he should be (spoiler, he’s probably not). Should Santa be on his own naughty list? We also create a new holiday character - George the DPO Elf! https://traffic.libsyn.com/secure/opensourcesecuritypodcast/2018_Christmas_Special_Is_Santa_GDPR_compliant.mp3 Show Notes David Sedaris Santaland Canadian Tire Ice Truck Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Mozilla pulling a paywall bypassing extension. We then turn our attention to talking about walled gardens. Are they good, are they bad? Something in the middle? There is a lot of prior art to draw on here, everything from Windows, Android, iOS, even Linux distributions. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_127_Walled_gardens_appstores_and_more.mp3 Show Notes Mozilla blocks a paywall bypass extension Turning a root ball Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt continue the discussion from episode 125. We look at the possible future of software supply chains. It’s far less dire than previously expected. It’s likely there will be some change in the near future. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_126_The_not_so_dire_future_of_supply_chain_security.mp3 Show Notes Episode 125 Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about how open source deals with malicious events. It’s probably impossible to stop these from happening, but the open source universe deals with it in its own unique way. We start to discuss what you can do, since everyone is using open source everywhere now. There will be a second part to this episode where we discuss what the future holds for these sort of problems. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_125_Open_Source_supply_chains_npm_and_you.mp3 Show Notes NPM event-stream backdoor Josh’s blog post Comment on Twitter with the #osspodcast hashtag ...

A story broke recently about a backdoor added to a Node Package Manager (NPM) package called event-stream. This package is downloaded about two million times a week by developers. That’s a pretty impressive amount, many projects would be happy with two million downloads a year. The Register did a pretty good writeup, I don’t want to recap the details here, I have a different purpose and that’s really to look at how does this happen and can we stop it? ...

Josh and Kurt talk about Cloudflare’s new Workers service. We spend a lot of time discussing how economics drives technology, not security. It’s quite likely this new service is less secure than existing alternatives, but it will be cheaper and faster which will matter more than security. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_124_Cloudflares_service_workers_and_the_economics_of_security.mp3 Show Notes Cloudflare Workers AV vs Whitelisting tweets Comment on Twitter with the #osspodcast hashtag

The topic of securing your open source dependencies just seems to keep getting bigger and bigger. I always expect it to get less attention for some reason, and every year I’m wrong about what’s happening out there. I remember when I first started talking about this topic, nobody really cared about it. It’s getting a lot more traction these days, especially as we see stories about open source dependencies being wildly out of date and some even being malicious backdoors. ...

Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what’s new and exciting today, and where do we think things are going. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_123_Talking_about_Kubernetes_and_container_security_with_Liz_Rice.mp3 Show Notes Liz Rice Operating Kubernetes Clusters and Applications Safely book Aqua Security Clair container scanner Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Apple’s new T2 security chip. It’s not open source but we expect it to change the security landscape in the coming years. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_122_What_will_Apples_T2_chip_mean_for_the_rest_of_us.mp3 Show Notes T2 Overview Evil maid poker attack Comment on Twitter with the #osspodcast hashtag