Fast security is the best security

DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus for those of you who have never had the joy of witnessing the heart-stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in the net. The really exciting and scary trapeze acts have no net. If these folks fall, that’s pretty much it for them. Someone pointed out to me that the current state of DevOps security is a bit like taking away the net. ...

November 21, 2016

Episode 13 - CVE: The metric system of security

Josh and Kurt talk about CVE, DWF, and the future of flaw reporting.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/293693983-opensourcesecuritypodcast-episode-13-cve-the-metric-system-of-security.mp3

Show Notes:
CVE
CVE Candidates (CAN)
DWF
NVD
Open Source Security Mailing List
Larry Cashdollar’s Defcon talk
Metric Inch

November 18, 2016

Who cares if someone hacks my driveway camera?

I keep hearing something from people about IoT that reminds me of the old saying: if you’ve done nothing wrong, you have nothing to fear. This attitude is incredibly dangerous in the context of IoT devices (it’s dangerous in all circumstances, honestly). The way I keep hearing this in the context of IoT is something like this: “I don’t care if someone hacks my video camera, it’s just showing pictures of my driveway”. The problem here isn’t what video the camera is capturing; it’s the fact that if your camera gets hacked, the attacker can do nearly anything with the device on the Internet. Remember, at this point these things are fairly powerful general purpose computers that happen to have a camera. ...

November 14, 2016

Episode 12 - Security Trebuchet

Josh and special guest host Dave Sirrine talk about feedback, OpenSSL, OAuth2, Let’s Encrypt, disclosure, and locks.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/292434458-opensourcesecuritypodcast-episode-12-security-trebuchet.mp3

Show Notes:
coh’s feedback
OpenSSL security advisory
Red Hat CLI security API
Shovel Knight Pumpkin
OAuth2 bug
Let’s Encrypt
Half of all Chrome connections use https
Google’s Windows Bug
RichSec (Richmond VA Information Security Users Group)
RVASec (Yearly conference in June held by RichSec)
Schuyler Towne - “Why do you lock your door?”
...

November 10, 2016

Free security is the only security that really works

There are certain things people want and will pay for. There are things they want and won’t. If we look at security, it’s pretty clear now that security is one of those things people want, but most won’t pay for. The insane success of Let’s Encrypt is where this thought came from. Certificates aren’t new; they used to even be really cheap (there were free providers, but there was a time cost of jumping through hoops). Let’s Encrypt makes the time and actual cost basically zero, and now it’s deployed all over. Depending on who you ask, they’re one of the biggest CAs around now, and that took them a year? That’s crazy. ...

November 6, 2016

Stop being the monkey's paw

Tonight, while I was handing out candy on Halloween as the children came to the door trick-or-treating, getting whatever candy I’ve not yet eaten, I started thinking about scary stories in the security universe. Some of the things we do in Security could be compared to the old fable of the cursed monkey’s paw, which is one of my favorite stories. For those who don’t know what this story is, the quick version is essentially that there is a monkey’s paw, an actual severed appendage of a monkey (it’s not some sort of figurative item). It has some fingers on it that may or may not signify the number of wishes used. The paw is indestructible; the previous owner doesn’t want it, but can’t get rid of it until some unsuspecting sucker shows up. The idea is you make a wish; you get three wishes, or five, or whatever, depending upon the version of the story that’s told (these old folk tales can differ greatly depending on what part of the world is telling them), and then the monkey’s paw gives you exactly what you asked for. The problem is what you asked for comes with horrifying consequences. For example, there was an old man who had the paw and he asked for $200; the next day he got his $200, because his son was killed at work and they brought him $200 of his last paycheck. Of course there are different variants of this, but the basic idea is the paw seems clever, it grants wishes, but every wish comes with terrible consequences. ...

October 31, 2016

Episode 11 - The Poison Candy Episode

Josh and special guest host Dave Sirrine talk about Halloween, passwords, hardware timing attacks, chip and pin, security economics, SSL/TLS, and Mozilla enabling TLS 1.3 by default.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/290834937-opensourcesecuritypodcast-episode-11-the-poison-candy-episode.mp3

Show Notes:
Risky Candy
XKCD Password Strength
Diceware
Haswell Timing Attack
Rowhammer on Android
Eavesdropping keystrokes via VOIP
SSL/TLS Timeline

October 31, 2016

Security is in the same leaky boat as the sysadmins

Sysadmins used to rule the world. Anyone who’s been around for more than a few years remembers the days when whatever the system administrator wanted, the system administrator got. They were the center of the business. Without them nothing would work. They were generally super smart and could quite often work magic with what they had. It was certainly a different time back then. Now developers are king; the days of the sysadmin have waned. The systems we run workloads on are becoming a commodity: you either buy a relatively complete solution, or you just run it in the cloud. These days most anyone using technology for their business relies on developers instead of sysadmins. ...

October 31, 2016

Episode 10 - The super botnet that nobody can stop

Kurt and Josh discuss Dirty COW, the big IoT DDoS, and Josh can’t pronounce Mirai or Dyn.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/289791587-opensourcesecuritypodcast-episode-10-the-super-botnet-that-nobody-can-stop.mp3

Show Notes:
Dirty Cow
Kees Cook Kernel Bug Lifetime
Rowhammer
Mirai botnet DDoS
Law of truly large numbers

October 24, 2016

Everything you know about security is wrong

If I asked everyone to tell me what security is, what they do about it, and why they do it, I wouldn’t get two answers that were the same. I probably wouldn’t even get two that are similar. Why is this? After recording Episode 9 of the Open Source Security Podcast I co-host, I started thinking about measuring a lot. It came up in the podcast in the context of bug bounties, which get exactly what they measure. But do they measure the right things? I don’t know the answer, nor does it really matter. It’s just important to keep this in mind: as in any system, you will get exactly what you measure. ...

October 23, 2016