
XZ Bonus Spectacular Episode

Josh and Kurt talk about the recent events around XZ. It’s only been a few days, and it’s amazing what we already know. We explain a lot of the basics we currently know, with the expectation that many of these details will change quickly over the coming week. We can’t fix this problem as it stands; we don’t know where to start yet. But that’s not a reason to lose hope. We can fix this if we want to, but it won’t be flashy, it’ll be hard work. ...

April 1, 2024

Episode 318 - Social engineering and why zlib got a 2018 CVE ID

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_318_Social_engineering_and_why_zlib_got_a_2018_CVE_ID.mp3

Show Notes: Hackers using fake emergency data requests; CVE-2018-25032; Global Security Database

April 11, 2022

Episode 317 - The lack of compromise in security

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no; there’s not much in the middle. The conversation ends up derailed by a Twitter thread about pinning dependencies, which gives you an idea of how contentious a topic pinning is. The final takeaway is not to let security turn into your identity; it ends up making a mess.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_317_The_lack_of_compromise_in_security.mp3

Show Notes: Josh’s Twitter thread; How to install week-old npm packages

April 4, 2022

Episode 268 - Can we trust any 3rd parties?

Josh and Kurt talk about what 3rd party means in the current world, from 5G suppliers to the Codecov and SolarWinds breaches. Is there anyone we can trust?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_268_Can_we_trust_any_3rd_parties.mp3

Show Notes: Europe and 5G; Codecov; Codecov Reuters story; Red Hat OpenSSH advisory

April 26, 2021

Episode 265 - The lies closed source can tell, open source can't

Josh and Kurt talk about the PHP backdoor and the Ubiquiti whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, whereas closed source can and will cover up damaging information.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_265_The_lies_closed_source_can_tell_open_source_cant.mp3

Show Notes: PHP backdoor; Ubiquiti coverup; 3D printed TSA keys; LockPickingLawyer; Determining Key Shape from Sound; Lock camera

April 5, 2021