Episode 26 - Tell your sister, Stallman was right

Josh and Kurt end up discussing video game speedrunning, which is really just hacking. We also discuss the pitfalls of the modern world where you don't own your software or services. Stallman was right!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/302260581-opensourcesecuritypodcast-episode-26-tell-your-sister-stallman-was-right.mp3

Show Notes: Games Done Quick Super Mario Brother Speedrun Super Mario Brother Minus World Explanation speedrun.com Legend of Zelda Ghost Buffer Overflow Double Free Chris Evans NES audio exploit pwsafe Bad Ham Review Richard Stallman ...

January 12, 2017

Episode 25 - The future is now

Josh and Kurt end up discussing CES, IoT, WiFi everywhere, and the future.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/301707567-opensourcesecuritypodcast-episode-25-the-future-is-now.mp3

Show Notes: CES WiFi Everywhere WiFi Hairbrush Ketchup QR Code Expired Domain Shodan uses NTP to gain IPv6 addresses FTC prize for securing IoT Antivirus MITM problems Rootshell Consumer Reports MacBook Pro

Comment on Twitter with the #osspodcast hashtag

January 10, 2017

Security Advice: Bad, Terrible, or Awful

As an industry, we suck at giving advice. I don't mean this in some negative, hateful way; it's just the way it is. It's human nature, really. As a species, most of us aren't very good at giving or receiving advice. There's always that vision of the wise old person dropping wisdom on the youth like it's candy. But in reality they don't like the young people much more than the young people like them. Ever notice the contempt the young and old have for each other? It's just sort of how things work. If you find someone older and wiser than you who is willing to hand out good advice, stick close to that person. You won't find many more like that. ...

January 9, 2017

Looks like you have a bad case of embedded libraries

A long time ago pretty much every application and library carried around its own copy of zlib. zlib is a library that does fast, high-quality compression and decompression. If you're storing or transmitting data, it's very likely this library is in use. It's easy to use and comes under a permissive license, so it's no surprise it became the industry standard. Then one day, CVE-2002-0059 happened. CVE-2002-0059 was a double free in zlib's decompression code that was easy to trigger and easy to exploit. It affected network-listening applications that used zlib (which was most of them). If this came out today, it would make Heartbleed look like a joke. This was long, long ago though; most people didn't know anything about security (or didn't care, in many instances). If you look at the updates that came out because of this flaw, they were huge, because literally hundreds of software applications and libraries had to be patched. This affected Windows and Linux, which was most everything back then. Today it would affect every device on the planet. This isn't an exaggeration. Every. Single. Device. ...
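One practical follow-up to the embedded-library problem is inventorying which bundled zlib copies a system actually carries. The script below is an added example written for this page, not code from the original post: it looks for the version banner that zlib compiles into every build (the " inflate 1.x.y Copyright ..." and " deflate 1.x.y Copyright ..." strings from inflate.c and deflate.c) and flags versions older than 1.1.4, the release that fixed CVE-2002-0059. The sample "binaries" are constructed byte strings; `scan_tree`, `report` and the 1.1.4 cut-off are this example's own names and assumptions.

```python
"""Find bundled copies of zlib by their embedded copyright banner.

Added example, not from the original post. Every zlib build carries two
version banners, e.g. " inflate 1.1.3 Copyright 1995-1998 Mark Adler ".
Scanning binaries for that banner is a cheap way to inventory vendored
zlib copies and their versions without any build metadata.
"""
import os
import re
from typing import Iterator, List, Tuple

# Matches the banner strings zlib embeds from inflate.c and deflate.c.
ZLIB_BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")

# CVE-2002-0059 (double free in inflate) was fixed in zlib 1.1.4.
# Assumption for this example: any bundled copy older than 1.1.4 is flagged.
FIXED_IN = "1.1.4"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def find_zlib_versions(data: bytes) -> List[str]:
    """Return the distinct zlib versions whose banners appear in `data`."""
    seen: List[str] = []
    for m in ZLIB_BANNER.finditer(data):
        ver = m.group(2).decode("ascii")
        if ver not in seen:
            seen.append(ver)
    return seen


def is_vulnerable(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True if `version` predates the release that fixed the flaw."""
    return parse_version(version) < parse_version(fixed_in)


def scan_tree(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, vulnerable) for every file under `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for ver in find_zlib_versions(data):
                yield path, ver, is_vulnerable(ver)


def report(samples: dict) -> List[Tuple[str, str, bool]]:
    """Summarise a dict of name -> bytes as (name, version, vulnerable) rows."""
    out: List[Tuple[str, str, bool]] = []
    for name, data in samples.items():
        for ver in find_zlib_versions(data):
            out.append((name, ver, is_vulnerable(ver)))
    return out


# Constructed sample "binaries": a banner surrounded by filler bytes.
OLD_BINARY = b"\x7fELF\x00" * 4 + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler " + b"\x00" * 8
NEW_BINARY = b"\x7fELF\x00" * 4 + b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
CLEAN_BINARY = b"\x7fELF\x00" * 4 + b"nothing to see here"

if __name__ == "__main__":
    samples = {"old": OLD_BINARY, "new": NEW_BINARY, "clean": CLEAN_BINARY}
    for name, ver, vuln in report(samples):
        status = f"VULNERABLE (< {FIXED_IN})" if vuln else "ok"
        print(f"{name}: zlib {ver} {status}")
    # Against a real filesystem: for row in scan_tree("/usr/lib"): print(row)
```

The banner check only catches copies that kept the banner string; a build that stripped it, or a statically linked copy with a patched version number, will not show up, so treat a clean result as "no known copies" rather than "no zlib".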

January 3, 2017

Episode 24 - The 2016 prediction edition! (yeah, that's right, 2016)

Josh and Kurt discuss 2016 predictions in 2017, what they got right, what they got wrong, and a bunch of other random things.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/300679437-opensourcesecuritypodcast-episode-24-the-2016-prediction-edition.mp3

Show Notes: CSO Online - Top 15 security predictions for 2016 Gartner 2016 predictions Trend Micro 2016 predictions Dark Reading 2016 predictions

Comment on Twitter with the #osspodcast hashtag

January 3, 2017

Future Proof Security

If you’ve ever written code, even a few lines of it, you know there is always some sort of tradeoff between doing it “right” and doing it “now”. This is basically the reality of any industry: there is always the right way, and then there’s the way it’s going to get done. If you’ve ever done any sort of home remodeling project, you’re well aware of uncovering the sins of the past as soon as that wall gets opened up. ...

January 2, 2017

Episode 23 - We can't patch people

Josh and Kurt talk about scareware, malware, how hard this stuff is to stop, and how the answer isn’t fixing people.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/299913768-opensourcesecuritypodcast-episode-23-we-cant-patch-people.mp3

Show Notes: Bitsquatting Typosquatting L.A. Phishing Uber Email IDS Infomercial subreddit (Where did the soda go?) Super Mario Run Malware Booba Methbot Sumitomo copper affair

Comment on Twitter with the #osspodcast hashtag

December 28, 2016

The art of cutting edge, Doom 2 vs the modern Security Industry

During the holiday, I started playing Doom 2. I bet I’ve not touched this game in more than ten years. I can’t even remember the last time I played it. My home directory was full of garbage and it was time to clean it up when I came across doom2.wad. I’ve been carrying this file around in my home directory for nearly twenty years now. It’s always there, like an old friend you know you can call at any time, day or night. I decided it was time to install one of the Doom engines and give it a go. I picked prboom; it’s something I used a long time ago and it doesn’t have any fancy features like mouselook or jumping. Part of the appeal is to keep the experience close to the original. Plus, if you could jump, a lot of these levels would be substantially easier. The game depends on not having those features. ...

December 25, 2016

Episode 22 - IoT Wild West

Josh and Kurt talk about planned obsolescence and IoT devices. Should manufacturers brick devices? We also have a crazy discussion about the ethics of hacking back.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/299448186-opensourcesecuritypodcast-episode-22-iot-wild-west.mp3

Show Notes: First Uses of Coffee Did coffee cause the enlightenment? Nest bricks Revolv devices Phoebus Cartel Verizon will brick the Note 7 Trolley Problem Toaster toasts the weather 80% of medical device companies have less than 50 employees Passive wifi chips Crystal radio Great Seal Bug Moscow Embassy

Comment on Twitter with the #osspodcast hashtag ...

December 25, 2016

Episode 21 - CVE 10K Extravaganza

Josh and Kurt talk about CVE 10K. CVE IDs have finally crossed the line: we need 5 digits to display them. This has never happened before now.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/298898472-opensourcesecuritypodcast-episode-21-cve-10k-extravaganza.mp3

Show Notes: OpenSSH CVE10K assignments CVE-2016-10005 CVE syntax change CVE Numbering Authorities OpenSSH Security Advisory C to HDL Reboot Boeing Dreamliner One person writes most Linux video camera drivers Donald Becker China Airlines Flight 120

Comment on Twitter with the #osspodcast hashtag
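The practical side of crossing 10,000 IDs in a year is that any tool which hard-coded the pre-2014 four-digit sequence number now silently mangles IDs. The script below is an added example, not code from the podcast or from OpenSSH: it shows a legacy fixed-width regex turning CVE-2016-10005 into CVE-2016-1000, the current pattern (four-digit year, sequence of four or more digits) that handles it, and a numeric sort key, since a plain string sort also orders five-digit sequence numbers wrongly. The advisory text is constructed sample input; `extract_legacy`, `extract_cves`, `parse_cve` and `sort_key` are this example's own names.

```python
"""Parse CVE IDs under the 2014 syntax: CVE-YYYY-NNNN with four *or more* digits.

Added example, not from the podcast. Before the 2014 syntax change the
sequence part was fixed at four digits, and plenty of code still encodes
that assumption; CVE-2016-10005 is the kind of ID such code mangles.
"""
import re
from typing import List, Optional, Tuple

# Legacy pattern: exactly four sequence digits. On "CVE-2016-10005" it
# matches the first four digits and yields a *different* ID, CVE-2016-1000.
LEGACY_CVE = re.compile(r"CVE-(\d{4})-(\d{4})")

# Current syntax: four-digit year, sequence of at least four digits, and a
# word boundary at the end so 10005 is never cut down to 1000.
CVE_ID = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def extract_legacy(text: str) -> List[str]:
    """What a pre-2014 regex pulls out of `text` (kept only to show the failure)."""
    return [f"CVE-{y}-{s}" for y, s in LEGACY_CVE.findall(text)]


def extract_cves(text: str) -> List[str]:
    """All CVE IDs in `text` under the current syntax, de-duplicated in order."""
    found: List[str] = []
    for y, s in CVE_ID.findall(text):
        cve = f"CVE-{y}-{s}"
        if cve not in found:
            found.append(cve)
    return found


def parse_cve(cve: str) -> Optional[Tuple[int, int]]:
    """Split one well-formed ID into (year, sequence); None if malformed."""
    m = CVE_ID.fullmatch(cve)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def sort_key(cve: str) -> Tuple[int, int]:
    """Numeric ordering; a string sort puts CVE-2016-10005 before CVE-2016-1001."""
    parsed = parse_cve(cve)
    if parsed is None:
        raise ValueError(f"not a CVE ID: {cve}")
    return parsed


# Constructed sample advisory text mixing four- and five-digit sequence numbers.
SAMPLE = (
    "Fixed in this release: CVE-2016-10005, CVE-2016-1001 and CVE-2016-0777. "
    "Unrelated text with CVE-2016-123 (too short, not an ID)."
)

if __name__ == "__main__":
    print("legacy regex :", extract_legacy(SAMPLE))
    print("current regex:", extract_cves(SAMPLE))
    print("string sort  :", sorted(extract_cves(SAMPLE)))
    print("numeric sort :", sorted(extract_cves(SAMPLE), key=sort_key))
```

The same four-digit assumption hides in database column widths, fixed-width log formats and URL templates, not just in regexes, so it is worth grepping a code base for `\d{4}` near "CVE" rather than only checking the parser.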

December 21, 2016