Posts

I had a discussion last week with some fellow security folks about how we can discuss security with normal people. If you pay attention to what’s going on, you know the security people and the non security people don’t really communicate well. We eventually made our way to comparing what we do to the door to door religious groups. They’re rarely seen in a positive light, are usually annoying, and only seem to show up when it’s most inconvenient. This got me thinking, we probably have more in common there than we want to admit, but there are also some lessons for us. ...

Kurt and Josh discuss prime numbers (probably getting a lot of it wrong), Samsung, passwords, National Cyber Security Awareness Month, and bathroom scales. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/287233537-opensourcesecuritypodcast-episode-8-the-primality-of-prime-numbers.mp3 Show Notes New Prime Number Research Randomness testing Kurt’s Repo of Primes DNSSEC Signing Ceremony Magento Skimmer XKCD Wrench Comic Firesheep National Cyber Security Awareness Month Stop Trying to Fix the User Only Trust Food Delivered by Zebra Bathroom Scale Flaw Comment on Twitter

Kurt and Josh discuss the ORWL computer, crashing systemd with one line, NIST, and a security journal. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285901909-opensourcesecuritypodcast-episode-7-more-powerful-than-root.mp3 Show Notes Physically secure open source computer Ancient Linux fax machine firmware systemd one liner crash Open security journal Let’s Encrypt Random Numbers in Go DRAFT Vulnerability Description Ontology Comment on Twitter

Sometimes when you plan for a security event, it would be expected that the thing you’re doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I’m here to tell you it’s impossible to make something impossible. ...

Kurt and Josh discuss interesting news stories https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285305681-opensourcesecuritypodcast-episode-6-foundational-knowledge-of-security.mp3 Show Notes How much gold can you steal from the Canadian mint? Stop plugging random usb sticks in IoT DoS Cost of Security Kijiji World of VNC Shodan Security and Tribal Knowledge Comment on Twitter

Kurt and Josh discuss the recent OpenSSL update(s) https://traffic.libsyn.com/secure/opensourcesecuritypodcast/285193058-opensourcesecuritypodcast-episode-5-openssl-the-library-we-deserve.mp3 Show Notes OpenSSL Flaw Logo ​Sloppy programming leads to OpenSSL woes CVE-2016-6309 (OpenSSL advisory) [Critical severity] 26th September 2016 Sendmail “Bat” Book OpenSSL Man Pages Comment on Twitter

If you’re paying attention, you saw the news about Yahoo’s breach. Five hundred million accounts. That’s a whole lot of data if you think about it. But here’s the thing. If you’re a security person, are you surprised by this? If you are, you’ve not been paying attention. It’s pretty well accepted that there are two types of large infrastructures. Those who know they’ve been hacked, and those who don’t yet know they’ve been hacked. Any group as large as Yahoo probably has more attackers inside their infrastructure than anyone really wants to think about. This is certainly true of every single large infrastructure and cloud provider and consumer out there. Think about that for a little bit. If you’re part of a large infrastructure, you have threat actors inside your network right now, probably more than you think. ...

Josh and Kurt discuss news of the day, shipping, and container security https://traffic.libsyn.com/secure/opensourcesecuritypodcast/283885003-opensourcesecuritypodcast-episode-4-dead-squirrel-in-a-box.mp3 Show Notes Stealing shipped gold Shipping the Hope Diamond The French Underground Spam Nation The Random Darknet Shopper Kinder Eggs in the US Mailing crazy things Mailing Bricks to Alaska Uber’s self driving fleet Off the Hook radio show How to wipe email servers Government firewall rules xkcd grammar police Project Bubblewrap Comment on Twitter

TL;DR - No. Here’s why. I was talking with my Open Source Security Podcast co-host Kurt Seifried about what it would be like to access the modern Internet using dialup. So I decided to give this a try. My first thought was to find a modem, but after looking into this, it isn’t really an option anymore. The setup No Modem Fedora 24 VM Firefox as packaged with Fedora 24 Use the firewall via wondershaper to control the network speed “App Telemetry” firefox plugin to time the site load time I know it’s not perfect, but it’s probably close enough to get a feel for what’s going on. I understand this doesn’t exactly recreate a modem experience with details like compression, latency, and someone picking up the phone during a download. There was nothing worse than having that 1 megabyte download at 95% when someone decided they needed to make a phone call. Call waiting was also a terrible plague. ...

I had a discussion last week that ended with this question. “Why do we do security”. There wasn’t a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can’t come up with a simple answer. It’s probably part of the problems you see in infosec. The purpose of security isn’t just to be “secure”, it’s to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense. ...