I’ve started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn’t anything overly clever, it’s fun to do. And I get to make pretty graphs, which everyone likes to look at. I stuck a few of my early results on Twitter because it seemed like a fun thing to do. One of the graphs I put up was comparing the 3 BSDs. The image is below. ...
Josh and Kurt discuss disclosing your password, pwn2own, wikileaks, Back Orifice, HTTPS inspection, and antivirus. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/313701429-opensourcesecuritypodcast-episode-38-we-ruin-everything.mp3 Show Notes xkcd comic Defendant refusing to give up password Prisoner ID Password Fraud Victim’s Google Warrant pwn2own VM escape pwn2own Mozilla 22 hour fix Wikileaks non disclosure Back Orifice HTTPS inspection tools may be unsafe Join our Facebook Group Comment on Twitter with the #osspodcast hashtag
Last week there was a story about Consumer Reports doing security testing of products. Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reason to pick on these guys. They’re quite brave to take this task on, it’s nearly impossible if you think about the state of security (especially consumer security). But this is how things start. There is no industry that has gone from broken to perfect in one step. It’s a long hard road when you have to deal with systemic problems in an industry. Consumer product security problems may be larger and more complex than any other industry has ever had to solve thanks to things such as globalization and how inexpensive tiny computers have become. ...
Josh and Kurt discuss how the Vault 7 leaks shows we live in the Neuromancer world, and this is likely the new normal. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/311442678-opensourcesecuritypodcast-episode-37-your-bathtub-is-more-dangerous-than-a-shark.mp3 Show Notes Hacker News Writeup about Vault 7 SATAN RTL-SDR White House Reconstruction Baseband Hacking CGA Graphics Chromium Security Brag Sheet French Zoo Poacher Join our Facebook Group Comment on Twitter with the #osspodcast hashtag
Josh and Kurt discuss an IoT bear, Alexa and Siri, Google’s E2Email and S/MIME. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/310851037-opensourcesecuritypodcast-episode-36-a-good-enough-podcast.mp3 Show Notes IoT Bear Alexa murder evidence Google E2Email Google S/MIME Join our Facebook Group Comment on Twitter with the #osspodcast hashtag
If you watched the 89th Academy Awards you saw a pretty big mistake at the end of the show, the short story is Warren Beatty was handed the wrong envelope, he opened it, looked at it, then gave it to Faye Dunaway to read, which she did. The wrong people came on stage and started giving speeches, confused scrambling happened, and the correct winner was brought on stage. No doubt this will be talked about for many years to come as one of the most interesting and exciting events in the history of the awards ceremony. ...
Josh and Kurt discuss SHA-1 and cloudbleed. Bug bounties come up, we compare security to the Higgs boson, and IPv6 comes up at the end. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/309898784-opensourcesecuritypodcast-episode-35-crazy-cosmic-accident.mp3 Show Notes SHA-1 attack Google Security Blog about SHA-1 Zcash hash algorithm analysis Webkit SVN Collision Google bug about cloudbleed Cloudflare Blog Known cloudbleed sites SHA-1 CVE-2005-4900 Whitewood Entropy Join our Facebook Group Comment on Twitter with the #osspodcast hashtag
Unless you’ve been living under a rock, you heard that some researchers managed to create a SHA-1 collision. The short story as to why this matters is the whole purpose of a hashing algorithm is to make it impossible to generate collisions on purpose. Unfortunately though impossible things are usually also impossible so in reality we just make sure it’s really really hard to generate a collision. Thanks to Moore’s Law, hard things don’t stay hard forever. This is why MD5 had to go live on a farm out in the country, and we’re not allowed to see it anymore … because it’s having too much fun. SHA-1 will get to join it soon. ...
Josh and Kurt discuss RSA, the cryptographer’s panel and of course, AI. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/309062655-opensourcesecuritypodcast-episode-34-bathing-in-ebola-virus.mp3 Show Notes FTP Firewall Problem RSA Cryptographer’s Panel ‘Overcome’ encryption Casino bombing Bill C-23 Security and AI DARPA AI challenge Amazon sells eggs Ford sleepy drivers Judge Caprio Logojoy Join our Facebook Group Comment on Twitter with the #osspodcast hashtag
Josh and Kurt are at the same place at the same time! We discuss our RSA sessions and how things went. Talk of CVE IDs, open source libraries, Wordpress, and early morning sessions. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/307825712-opensourcesecuritypodcast-episode-33-everybody-who-went-to-the-circus-is-in-the-circus-rsa-2017.mp3 Show Notes Bradley Kuh Typosquatting package managers (mirror) zlib embedded library problem Wordpress CVE ID Josh’s 7am BoF session Bruce Schneier RSA talk Join our Facebook Group Comment on Twitter with the #osspodcast hashtag