Posts

The topic of securing your open source dependencies just seems to keep getting bigger and bigger. I always expect it to get less attention for some reason, and every year I’m wrong about what’s happening out there. I remember when I first started talking about this topic, nobody really cared about it. It’s getting a lot more traction these days, especially as we see stories about open source dependencies being wildly out of date and some even being malicious backdoors. ...

Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what’s new and exciting today, and where do we think things are going. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_123_Talking_about_Kubernetes_and_container_security_with_Liz_Rice.mp3 Show Notes Liz Rice Operating Kubernetes Clusters and Applications Safely book Aqua Security Clair container scanner Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Apple’s new T2 security chip. It’s not open source but we expect it to change the security landscape in the coming years. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_122_What_will_Apples_T2_chip_mean_for_the_rest_of_us.mp3 Show Notes T2 Overview Evil maid poker attack Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about voting security. What does it mean, how does it work. What works, what doesn’t work, and most importantly why we may not see secure electronic voting anytime soon. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_121_All_about_the_security_of_voting.mp3 Show Notes Canadian electoral system Oregon mail voting Commonwealth of Nations Voter fraud in the US Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Bloomberg’s story about backdoors and motherboards. The story is probably false, but this is almost certainly happening already with hardware. What does it mean if your hardware is already backdoored by one or more countries? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_120_Bloomberg_and_hardware_backdoors_its_already_happening.mp3 Show Notes Bloomberg Story Jordan Robertson Michael Riley PCB Factory Hard Disk Firmware Hacking Farmers hacking their tractors Comment on Twitter with the #osspodcast hashtag

There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’s good advice. They’ll get a few morsels, them someone will point out whatever corner case makes that advice bad and the conversation will spiral into nonsense where we find ourselves trying to defend someone mostly concerned about cat pictures from being kidnapped by a foreign nation. Eventually whoever asked for help quit listening a long time ago and decided to just keep their passwords written on a sticky note under the keyboard. ...

Josh and Kurt talk about the Google+ and Facebook data incidents. We don’t have any control over this data anymore. The incidents didn’t really affect the users because we have no idea who has access to it. We also touch on GDPR and what it could mean in this context. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_119_the_google_and_facebook_incidents_its_not_your_data_anymore.mp3 Show Notes Facebook hack Google+ hack Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Cloudflare’s new IPFS and Onion services. One brings distributed blockchain files to the masses, the other lets you host your site on tor easily. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_118_cloudflares_ipfs_and_onion_service.mp3 Show Notes IPFS Onion service Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about Linus’ effort to work on his attitude. What will this mean for security and IT in general? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_117_Will_security_follow_Linus_lead_on_being_nice.mp3 Show Notes Linus steps aside Contributor Covenant Comment on Twitter with the #osspodcast hashtag

On a pretty regular basis I see claims that the public CVE dataset is missing some large number of security issues. I’ve seen ranges from tens of thousands all the way up to millions. The purpose behind such statements is to show that the CVE data is woefully incomplete. Of course almost everyone making that claim has a van filled with security issues and candy they’re trying very hard to lure us into. It’s a pretty typical sales tactic as old as time itself. Whatever you have today isn’t good enough, but what I have, holy cow it’s better. It’s so much better you better come right over and see for yourself. After you pay me of course. ...