Who's got your hack back?

The topic of hacking back keeps coming up these days. There’s an attempt to pass a bill in the US that would legalize hacking back. There are many opinions on this topic, I’m generally not one to take a hard stand against what someone else thinks. In this case though, if you think hacking back is a good idea, you’re wrong. Painfully wrong. Everything I’ve seen up to this point tells me the people who think hacking back is a good idea are either mistaken about the issue or they’re misleading others on purpose. Hacking back isn’t self defense, it’s not about being attacked, it’s not about protection. It’s a terrible idea that has no place in a modern society. Hacking back is some sort of stone age retribution tribal law. It has no place in our world. ...

July 9, 2017

Episode 54 - Turning into an old person

Josh and Kurt talk about Canada Day, Not Petya, Interac goes down, Minecraft, airport security and books, then GDPR.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/331564004-opensourcesecuritypodcast-episode-54-turning-into-an-old-person.mp3
Show Notes:
Not Petya
Interac goes down
Remove books at airport security
GDPR
Join our Facebook Group
Comment on Twitter with the #osspodcast hashtag

July 4, 2017

Episode 53 - A plane isn't like a car

Josh and Kurt talk about security through obscurity, airplanes, the FAA, the Windows source code leak, and chicken sandwiches.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/330513530-opensourcesecuritypodcast-episode-53-a-plane-isnt-like-a-car.mp3
Show Notes:
FAA
Security Through Obscurity
Tavis Ormandy Windows Defender
Linus's Law
Tesla Autopilot Predicts Crashes
2010 Polish Air Force Tu-154 crash
Windows 10 leak
$1500 Chicken Sandwich
Build a toaster from scratch

June 28, 2017

When in doubt, blame open source

If you've not read my previous post on thought leadership, go do that now; this one builds on it. The thing that really kicked off my thinking on these matters was this article: Security liability is coming for software: Is your engineering team ready? The whole article is pretty silly, but the bit about liability and open source is the real treat. There's some sort of special consideration when you use open source apparently; we'll get back to that. Right now there is basically no liability of any sort when you use software. I doubt there will be anytime soon. Liability laws are tricky, but the lawyers I've spoken with have been clear that software isn't currently covered in most instances. The whole article is basically nonsense in that respect. The people they interview set the stage for liability and responsibility, then seem to discuss how open source should be treated specially in this context. ...

June 26, 2017

Episode 52 - You could have done it right, but you didn't

Josh and Kurt talk about the new Stack Clash flaw, Grenfell Tower, risk management, and backwards compatibility.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/328927519-opensourcesecuritypodcast-episode-52-you-could-have-done-it-right-but-you-didnt.mp3
Show Notes:
Qualys Blog
Qualys Advisory
Smashing The Stack For Fun And Profit
Grenfell Tower

June 20, 2017

Thought leaders aren't leaders

For the last few weeks I've seen news stories and much lamenting on Twitter about the security skills shortage. Some say there is no shortage, some say it's horrible beyond belief. Basically there's someone arguing every possible side of this. I'm not going to debate whether there is or isn't a worker shortage; that's not really the point. A lot of the complaining was done by people who would call themselves leaders in the security universe. I then read the article below and changed my thinking up a bit. ...

June 18, 2017

Episode 51 - All about CVE

Josh and Kurt talk to Dan Adinolfi about CVE. Most anything you ever wanted to know about CVE is discussed.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/327688703-opensourcesecuritypodcast-episode-51-all-about-cve.mp3
Show Notes:
CVE
The MITRE Corporation
Mikko Hypponen
CVE Form
CVE CNA Rules

June 12, 2017

Humanity isn't proactive

I ran across this article about IoT security the other day: The US Needs to Get Serious About Securing the Internet of Hackable Things. I find articles like this frustrating for the simple fact that everyone keeps talking about security, but nobody is going to do anything. If you look at the history of humanity, we've never been proactive when dealing with problems. We wait until things can't get worse and the only actual option is to fix the problem. If you look at every problem there are at least two options. Option #1 is always "fix it". Option #2 is "ignore it". There could be more options, but generally we pick #2 because it's the least amount of work in the short term. Humanity rarely cares about the long term implications of anything. ...

June 11, 2017

Episode 50 - This is a security podcast after all

Josh and Kurt discuss Futurama, tornadoes, sudo, encryption, hacking back, and something called an ombudsman. Also episode 50!
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/326788036-opensourcesecuritypodcast-episode-50-this-is-a-security-podcast-after-all.mp3
Show Notes:
Star Trek Discovery
Mowing lawn with a tornado
Edmonton Tornado
Sudo flaw
Encryption ban
Hacking Back
Ombudsman

June 6, 2017

Free Market Security

I've been thinking about the concept of free market forces this weekend. The basic idea here is that the price of a good is decided by the supply and demand of the market. If the market demands something, the price will go up if it's in short supply. This is basically why the Nintendo Switch is still selling on eBay for more than it would cost in the store. There is a demand but there isn't a supply. But back to security. Let's think about something I'm going to call "free market security". What if demand and supply were driving security? Or we can flip the question around: what if the market will never drive security? ...

June 4, 2017