Posts

On a pretty regular basis I see claims that the public CVE dataset is missing some large number of security issues. I’ve seen ranges from tens of thousands all the way up to millions. The purpose behind such statements is to show that the CVE data is woefully incomplete. Of course almost everyone making that claim has a van filled with security issues and candy they’re trying very hard to lure us into. It’s a pretty typical sales tactic as old as time itself. Whatever you have today isn’t good enough, but what I have, holy cow it’s better. It’s so much better you better come right over and see for yourself. After you pay me of course. ...

Josh and Kurt talk to Michael Piacente from Hitch Partners about the past, present, and future role of the CISO in the industry. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_116_The_future_of_the_CISO_with_Michael_Piacente.mp3 Show Notes Hitch Partners Michael Piacente Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it’s not that bad when it’s explained by someone with experience. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_115_Discussion_with_Brian_Hajost_from_SteelCloud.mp3 Show Notes SteelCloud DISA STIG Comment on Twitter with the #osspodcast hashtag

Josh and Kurt review Bruce Schneier’s new book Click Here to Kill Everybody. It’s a book everyone could benefit from reading. It does a nice job explaining many existing security problems in a simple manner. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_114_review_of_click_here_to_kill_everybody.mp3 Show Notes Click Here to Kill Everybody There Will Be Cyberwar Reddit OSHA Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about actual real world advice. Based on a story about trying to secure political campaigns, if we had to give some security help what should it look like, who should we give it to? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_113_actual_real_security_advice.mp3 Show Notes Security advice to Democrats Our actual advice Don’t run your own services Email - Google or Microsoft Don’t’ use GPG Use a trusted device Use a password manager on a secure device Use 2FA Backups Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the new Google Titan security key. There are some in the industry uneasy about the supply chain for the devices. We also discuss the latest Struts security issue. Struts is old and scary now, stop using it. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode-112_googles_titan_key_and_the_latest_struts_issue.mp3 Show Notes Google’s security key security questions Struts security issue Comment on Twitter with the #osspodcast hashtag

We love to do security reviews on the projects, products, and services our companies use. Security reviews are one of those ways we can show how important security is. If those reviews didn’t get done we might end up using a service that could put our users and data at risk. Every good horror story involving dinosaurs starts with bad security reviews! It’s a lesson too few of us really take to heart. ...

Josh and Kurt talk about TLS 1.3 and DNS. What can we expect from the future for these, how are they related (or not related). We touch on DNSSEC and why it probably won’t matter. DNS over TLS is looking pretty great though. There is also a guest appearance from quantum crypto. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_111_The_TLS_1_3_and_DNS_episode.mp3 Show Notes Cloudflare TLS 1.3 blog NIST post quantum crypto Comment on Twitter with the #osspodcast hashtag ...

I gave a talk at OSCON 20 about security. It’s not a typical security talk though. I’ve given and attended a lot of what I would call “typical” security presentations. It’s generally about some big security idea, there’s likely some amount of blaming everyone except the security industry itself. We should make sure we throw in some analogies, maybe comparing cars to buggies or bridge safety. Blockchain is pretty hip now so that can probably solve the problem, maybe with AI. In general these presentation aren’t overly exciting and tend to play to the audience. They are fun, but that’s not the point this time. ...

Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can’t foresee. We end with important information about pizza, bananas, and can openers. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_110_review_of_black_hat_defcon_and_the_effect_of_security_policies.mp3 Show Notes Kids hacking voting machines Black Hat plaintext email Defcon hotel shenanigans International Pizza Expo How to use a can opener How to open a banana Join our Facebook Group ...