Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there’s some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell developers what to do. Developers don’t like being told what to do. ...
Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We’ve both been working from home for a long time and have a chat about the topic. There’s not much security in this one, but it is a fun discussion. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_324_WTF_is_up_with_WFH.mp3 Show Notes Boris Johnson blames cheese Apple and WFH
Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you’re staying the same size, you are actually shrinking. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_321_Relativistic_Security_Project_Zero_on_0day.mp3 Show Notes Google Project Zero blog post Apple 0days Joint cyber advisory
Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way to too good to ignore. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_301_Youre_holding_it_wrong_the_importance_of_unlearning.mp3 Show Notes Lawfare Apple NSO podcast New way to play Tetris
This episode need a huge disclaimer: we got almost all of the details of this wrong, the lawsuit is based on CFAA, not on copyright. We apologize for this enormous oversight. Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn’t always make sense. Copyright has been used by open source to expand rights, and many companies to restrict rights. It’s a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens. ...
Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you’ll have some fun and learn a bit about the whole vulnerability disclosure process. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_291_Everyone_sucks_at_vulnerability_disclosure.mp3 Show Notes Apple 0days Microsoft Exchange flaw THIS IS HOW THEY TELL ME THE WORLD ENDS Linux Foundation Vulnerability Disclosure Timezone problem
Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It’s certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_289_Who_left_this_0day_on_the_floor.mp3 Show Notes Matrix 4 trailer Travis CI issue Apple 0day patches Chrome 0day patches CGP Grey Where is the European Union
Josh and Kurt talk about the new right to repair rules in the EU. There’s a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_254_Right_to_Repair_Security.mp3 Show Notes EU right to repair repair.eu