Posts

As the dumpster fire that is 2016 crawls to the finish line, we had another story about a massive Yahoo breach. 1 billion user accounts had data stolen. Just to give some context here, that has to be hundreds of gigabytes at an absolute minimum. That’s a crazy amount of data. And nobody really cares. Sure, there is some noise about all this, but in a week or two nobody will even remember. There has been a similar story to this about every month all year long. Can you even remember any of them? The stock market doesn’t, basically everyone who has ever had a crazy breach hasn’t seen a long term problem with their stock. Sure there will be a blip where everyone panics for a few days, then things go back to normal. ...

Josh and Kurt talk about the death of PGP, and how it’s not actually dead at all. It’s still really hard to use though. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/298557680-opensourcesecuritypodcast-episode-20-the-death-of-pgp.mp3 Show Notes I’m giving up on PGP Yubikey 4 Josh’s PGP setup blog post Kurt’s key with multiple signatures PGP short ID collisons Let’s Encrypt ICQ website from the late 90’s Signal Secure Messaging $2 million fraud at NorQuest College Scammers pose as company exec EV certificate requirements Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the bricking devices (on purpose). https://traffic.libsyn.com/secure/opensourcesecuritypodcast/297769068-opensourcesecuritypodcast-episode-19-a-field-full-of-razor-blades-and-monsters.mp3 Show Notes Samsung will brick the Note 7s Verizon won’t brick the phones Hoverboard imports banned Firestone tire recall Denmark Apple refurbished phone case Deprecating SHA1 South Korean Banking Encryption Canada’s Worst Driver Fitbit bought Pebble Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about the security concerns and logistics of Santa, elves, and the North Pole. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/297112068-opensourcesecuritypodcast-episode-18-the-security-of-santa.mp3 Show Notes Elf on the Shelf Furby without fur Norad Tracks Santa Futurama Xmas St. Nicholas David Sedaris on Santa US Senate Candy Desk You need 76 days to read all privacy statements Mona Lisa Theft Super Guppy LSST Data Management Back of the envelope 3589 x1.32large instances (1952 gigs ram) holds 7 petabytes of data in memory ...

Josh and Kurt talk to Michael Goetzman about Cyphercon https://traffic.libsyn.com/secure/opensourcesecuritypodcast/296503873-opensourcesecuritypodcast-episode-17-cyphercon-interview-with-korgo.mp3 Show Notes Cyphercon Cyphercon 2.0 Cyphercon 1.0 920 Sec Korgo Virus SafeHouse Spy Restaurant Discovery World Midwest Gaming Classic Summerfest: Cold War Battleground Nike Zeus Missile Poutine Ghost Fleet George Stroumboulopoulos Comment on Twitter

Last week I had the joy traveling through airports right after the United States Thanksgiving holiday. Now I don’t know how many of you have ever tried to travel the week after Thanksgiving but it’s kind of crazy, there are a lot of people, way more than usual, and a significant number of them have probably never been on an airplane or if they travel by air they don’t do it very often. The joke I like to tell people is that there are folks at the airport wondering why they can’t bring their goat onto the airplane. I’m not going to use this post to discuss the merits of airport security (that’s a whole different conversation), it’s really about coexisting with existing security systems. ...

Josh and Kurt talk about cybercrime and regulation. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/295920212-opensourcesecuritypodcast-episode-16-cat-and-mouse.mp3 Show Notes Avalanche Global Fraud Ring Spam King Rosendale Speed Trap Attacking Broadband Routers Spreadsheet of VPN providers DNSSEC Root Signing Ceremony Chicago Tylenol Murders Psychoactive Substances Act 2016 Computer Fraud and Abuse Act Calvinball CIH Virus Author Firefox 0day Comment on Twitter

Josh and Kurt talk about Cyber Monday security tips. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/295266221-opensourcesecuritypodcast-episode-15-cyber-black-monday.mp3 Show Notes Edmonton Bus Accidents BeyondCorp: A New Approach to Enterprise Security Black Hat Cell Towers Google ranks https results first Domain Tasting GnuCash Tesla Credentials Tavis Ormandy strcpy pwsafe Is mashing the keyboard cryptographically secure? Comment on Twitter

A few days ago there was a story about how to steal a Tesla by installing malware on the owner’s phone. If you look at the big picture view of this problem it’s not all that bad, but our security brains want to make a huge deal out of this. Now I’m not saying that Tesla shouldn’t fix this problem, especially since it’s going to be a trivial fix. What we want to think about is how all these working parts have to fit together. This is something we’re not very good at in the security universe; there can be one single horrible problem, but when we paint the full picture, it’s not what it seems. ...

Josh and Kurt have a guest! David A. Wheeler talks about open source security and the CII Badges project. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/294303517-opensourcesecuritypodcast-episode-14-david-a-wheeler-cii-badges.mp3 Show Notes CII Badge Program Badges Project Database Badges GitHub Project Page Comment on Twitter