I have seen the future, and it is bug bounties

Every now and then I see something on a blog or Twitter about how you can’t replace a pen test with a bug bounty. For a long time I agreed with this, but I’ve recently changed my mind. I know this isn’t a super popular opinion (yet), and I don’t think either side of this argument is exactly right. Fundamentally the future of looking for issues will not be a pen test. They won’t really be bug bounties either, but I’m going to predict pen testing will evolve into what we currently call bug bounties. ...

April 24, 2017

Episode 43 - We are totally immature

Josh and Kurt discuss Shadow Brokers, pronouncing GIF, Atlanta’s road problems, browser phishing, warning sirens, IoT, and fake Magic the Gathering cards.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/318438805-opensourcesecuritypodcast-episode-43-we-are-totally-immature.mp3
Show Notes:
Shadow Brokers
How to pronounce GIF
Atlanta gas leak breaks road
New browser location phishing attack
Hacked warning sirens
IoT bricking malware
Fake MTG cards
Join our Facebook Group
Comment on Twitter with the #osspodcast hashtag

April 19, 2017

Crawl, Walk, Drive

It’s that time of year again. I don’t mean when all the government secrets are leaked onto the Internet by some unknown organization. I mean the time of year when it’s unsafe to cross streets or ride your bike. At least in the United States. It’s possible more civilized countries don’t have this problem. I enjoy getting around without a car, but I feel like the number of near misses has gone up a fair bit, and it’s always a person much younger than me with someone much older than them in the passenger seat. At first I didn’t think much about this and just dreamed of how self-driving cars will rid us of the horror that is human drivers. After the last near fatality while crossing the street it dawned on me that now is the time all the kids have their driving learner’s permit. I do think I preferred not knowing this, since now I know my adversary. It has a name, and that name is “youth”. ...

April 17, 2017

Episode 42 - Hitchhiker's Guide to Security

Josh and Kurt discuss the security themes and events in the context of the HHGG movie.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/317490724-opensourcesecuritypodcast-episode-42-hitchhikers-guide-to-security.mp3
Show Notes:
HHGG Movie (2005)

April 13, 2017

The obvious answer is never the secure answer

One of the few themes that comes up time and time again when we talk about security is how bad people tend to be at understanding what’s actually going on. This isn’t really anyone’s fault; we’re expecting people to go against what is essentially millions of years of evolution that created our behaviors. Most security problems revolve around the human being the weak link and doing something that is completely expected and completely wrong. ...

April 10, 2017

Episode 41 - All your money are belong to us

Josh and Kurt discuss airplane laptop bans, ATM hacking, pointing at things, and Certificate Authorities.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/316915938-opensourcesecuritypodcast-episode-41-all-your-money-are-belong-to-us.mp3
Show Notes:
Loaner laptops on planes
ATM hacking
Japanese rail safety point and call
Certificate Authority Authorization in DNS

April 10, 2017

The expectation of security

If you listen to my podcast (which you should be doing already), I had a bit of a rant at the start this week about an assignment my son had over the weekend. He wasn’t supposed to use any “screens”, which is part of a drug addiction lesson. I get where this lesson is going, but I’ve really been thinking about the bigger idea of expectations and reality. This assignment is a great example of someone failing to understand that the world has changed around them. ...

April 2, 2017

Episode 40 - Let's fork bitcoin, again

Josh and Kurt discuss Verizon spyware, FCC privacy, Smart TVs, Tor’s rewrite, Google’s new operating system, bitcoin, and NanoCore.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/315737179-opensourcesecuritypodcast-episode-40-lets-fork-bitcoin-again.mp3
Show Notes:
Verizon Spyware Story
FCC Broadband Privacy
Inserting tracking headers
Smart TVs run Flash
Tor rewrite in safer language
Fuchsia
Bitcoin fork
NanoCore

April 2, 2017

Remember kids, if you're going to disclose, disclose responsibly!

If you pay any attention to the security universe, you’re aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well; I’m not seeing a lot of complaining, mostly just info and fixes, which is the right way to do these things. ...

March 28, 2017

Episode 39 - Flash on your dishwasher

Josh and Kurt discuss certificates, OpenSSL, dishwashers, Flash, and laptop travel bans.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/314794586-opensourcesecuritypodcast-episode-39-flash-on-your-dishwasher.mp3
Show Notes:
SNES bluetooth remake
Symantec vs Google
OpenSSL license change
Dishwasher directory traversal
Fedex $5 for Flash
Laptop and iPad airline ban

March 28, 2017