Episode 386 - We are watching web 2.0 burn

Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad-driven companies seem to be acting very strangely, and there’s probably a reason for this. The way ads used to pay for content is changing, but a lot of these giant companies don’t know how to adapt. It’s going to be very interesting times in the near future.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_386_We_are_watching_web_2_0_burn.mp3

Show Notes
- Web Environment Integrity
- Hacker News Thread
- Island Browser
- hunter2

July 31, 2023

Episode 343 - Stop trying to fix the open source software supply chain

Josh and Kurt talk about a blog post that explains there isn’t really an open source software supply chain. The whole idea of open source being one thing is incorrect; open source is really a lot of little things put together. A lot of companies and organizations get this wrong.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_343_Stop_trying_to_fix_the_open_source_software_supply_chain.mp3

Show Notes
- Iliana’s Twitter
- There is no “software supply chain”
- Google supply chain blog
- GitHub ansi_term advisory
- PyPI 2FA Dashboard
- tarfile issue rediscovered in 2022

October 3, 2022

Episode 342 - Programming languages are the new operating system

Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point where the language ecosystems are giving us services that have historically been reserved for operating systems.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_342_Programming_languages_are_the_new_operating_system.mp3

Show Notes
- Kelsey Hightower tweet
- OSS-Fuzz
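The advisory feeds these ecosystems publish (PyPI, crates.io, Go, npm and others) share the OSV schema, and the operating-system-style service they provide is "is my installed version affected?". The following is an added example, not code from the podcast or from any ecosystem's tooling: the advisory is constructed in the OSV schema shape with a made-up id and package name, and version comparison is plain dotted-integer ordering, which is enough for the sample but not a substitute for PEP 440 or semver pre-release rules.

```python
"""Evaluate a package version against an OSV-format advisory.

Added example; the advisory below is constructed (id, package and versions are
made up) and only mirrors the OSV schema shape.
"""
import json

ADVISORY_JSON = """
{
  "id": "EXAMPLE-2022-0001",
  "summary": "Constructed advisory for demonstration purposes",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}
      ],
      "versions": ["2.1.0rc1"]
    }
  ]
}
"""

ADVISORY = json.loads(ADVISORY_JSON)


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). OSV uses the string '0' for 'from the first release'."""
    return tuple(int(part) for part in text.split("."))


def event_version(event):
    # each OSV event object carries exactly one of introduced / fixed / last_affected
    return parse_version(next(iter(event.values())))


def version_in_range(version, events):
    """Walk the range's events in version order and track the affected state.

    'introduced' opens an affected interval, 'fixed' closes it at that version
    (exclusive), 'last_affected' closes it after that version (inclusive).
    """
    target = parse_version(version)
    affected = False
    for event in sorted(events, key=event_version):
        if "introduced" in event and parse_version(event["introduced"]) <= target:
            affected = True
        elif "fixed" in event and parse_version(event["fixed"]) <= target:
            affected = False
        elif "last_affected" in event and parse_version(event["last_affected"]) < target:
            affected = False
    return affected


def is_affected(advisory, ecosystem, name, version):
    """True if the advisory lists (ecosystem, name, version) as affected."""
    for entry in advisory.get("affected", []):
        package = entry.get("package", {})
        if package.get("ecosystem") != ecosystem or package.get("name") != name:
            continue
        # explicitly enumerated versions cover strings the range logic cannot order
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") == "GIT":
                continue  # commit ranges need repository history, not version ordering
            if version_in_range(version, rng["events"]):
                return True
    return False


def check_examplepkg(version):
    return is_affected(ADVISORY, "PyPI", "examplepkg", version)


if __name__ == "__main__":
    for v in ["1.0.0", "1.4.1", "1.4.2", "2.0.1", "2.0.3", "2.1.0rc1", "3.0.0"]:
        print(f"examplepkg {v}: {'AFFECTED' if check_examplepkg(v) else 'ok'}")
```

The two things worth noticing are that a single advisory can carry several disjoint affected ranges (a fix backported to an older branch produces exactly this shape), and that `fixed` is exclusive while `last_affected` is inclusive; tooling that treats them the same quietly misreports the boundary versions.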

September 26, 2022

Episode 334 - Leap seconds break everything

Josh and Kurt talk about leap seconds. Every time there’s a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, and security is often just one huge corner case. There are lessons we can learn here.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_334_Leap_seconds_break_everything.mp3

Show Notes
- How and why the leap second affected Cloudflare DNS
- Facebook wants to get rid of leap seconds
- Leap Smear
- Falsehoods programmers believe about time

August 1, 2022

Episode 286 - Open source supply chain with Google's Dan Lorenc

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What’s currently going on in this space, and what sort of new things can we look forward to? We discuss Google’s open source use, Project Sigstore, the SLSA framework and more.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_286_Open_source_supply_chain_with_Googles_Dan_Lorenc.mp3

Show Notes
- Dan’s Twitter
- Sigstore
- SLSA Framework
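The practical output of SLSA is a provenance statement (an in-toto Statement whose predicate describes who built the artifact and from what), and Sigstore's job is to sign it so a consumer can trust that description. The following is an added example, not code from the podcast, Sigstore or the SLSA project: it applies the consumer-side policy checks to a constructed SLSA v1 statement, with made-up artifact bytes, builder id and repository URL (example.invalid hosts). It assumes the DSSE envelope carrying the statement has already been signature-verified (slsa-verifier or cosign do that part); what remains is checking that the provenance actually describes this artifact, a builder you trust, and the source you expect.

```python
"""Policy checks on a SLSA v1 provenance statement for a built artifact.

Added example; the artifact, statement, builder id and repository are
constructed. Signature verification of the DSSE envelope is assumed to have
happened before this code runs.
"""
import copy
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# constructed artifact we pretend a hosted builder produced
ARTIFACT = b"#!/bin/sh\necho hello\n"

# constructed provenance: in-toto v1 Statement carrying a SLSA v1 predicate
PROVENANCE = {
    "_type": STATEMENT_TYPE,
    "subject": [
        {"name": "hello.sh", "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}
    ],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci/v1",
            # where the source parameter lives is builder-specific; this layout is ours
            "externalParameters": {
                "source": "git+https://example.invalid/org/hello@refs/heads/main"
            },
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/org/hello",
                 "digest": {"gitCommit": "a" * 40}}
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/hosted/v1"}},
    },
}

# constructed consumer policy: which builders and which source repository we accept
POLICY = {
    "trusted_builders": {"https://example.invalid/builders/hosted/v1"},
    "expected_source": "git+https://example.invalid/org/hello",
}


def verify_provenance(statement, artifact_bytes, artifact_name, policy):
    """Return the list of policy failures; an empty list means the artifact passes."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("predicate is not SLSA provenance v1")

    # the statement must name this exact artifact by content hash, not just by file name
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = [s for s in statement.get("subject", []) if s.get("name") == artifact_name]
    if not subjects:
        problems.append(f"{artifact_name} is not a subject of the statement")
    elif not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("subject sha256 does not match the artifact")

    predicate = statement.get("predicate", {})
    # builder identity: only builders we trust to populate provenance honestly
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        problems.append(f"untrusted builder {builder!r}")

    # source identity: the build must have started from the repository we expect
    params = predicate.get("buildDefinition", {}).get("externalParameters", {})
    source = params.get("source", "")
    if source.split("@", 1)[0] != policy["expected_source"]:
        problems.append(f"unexpected source {source!r}")
    return problems


def verify_clean():
    return verify_provenance(PROVENANCE, ARTIFACT, "hello.sh", POLICY)


def verify_tampered_artifact():
    """A modified artifact no longer matches the subject digest."""
    return verify_provenance(PROVENANCE, ARTIFACT + b"echo extra\n", "hello.sh", POLICY)


def verify_wrong_builder():
    """Provenance claiming a builder outside the trusted set is rejected."""
    statement = copy.deepcopy(PROVENANCE)
    statement["predicate"]["runDetails"]["builder"]["id"] = "https://example.invalid/laptop"
    return verify_provenance(statement, ARTIFACT, "hello.sh", POLICY)


if __name__ == "__main__":
    print(json.dumps(PROVENANCE, indent=2))
    for label, check in [("clean", verify_clean),
                         ("tampered artifact", verify_tampered_artifact),
                         ("wrong builder", verify_wrong_builder)]:
        print(f"{label}: {check() or 'PASS'}")
```

The builder check is the one that carries the weight: a valid signature from a developer laptop proves only that the laptop signed something, whereas a signature from a hosted builder you trust, over provenance whose subject digest matches the bytes you are about to run, is what lets the consumer reason about how those bytes were produced.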

August 30, 2021

Episode 280 - The perils of Single Sign On

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us; if we lose access to our SSO account, we lose access to many services.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_280_The_perils_of_Single_Sign_On.mp3

Show Notes
- Postbank

July 19, 2021

Episode 274 - Mr. Amazon's Neighborhood

Josh and Kurt talk about Amazon Sidewalk. It is getting a lot of attention, but how is it any different from the surveillance networks Apple and Google have already built?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_274_Mr_Amazons_Neighborhood.mp3

Show Notes
- Amazon Sidewalk
- Ads and toothpaste
- Airtags and stalking

June 7, 2021

Episode 267 - Does 0day still mean 0day?

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why has the name taken on a new meaning? That’s OK, by the way.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_267_Does_0day_still_mean_0day.mp3

Show Notes
- Hacker History Podcast
- Chrome 0day
- NTFS Documentation

April 19, 2021

Episode 206 - Confidential Virtual Machines; The future of cloud computing

Josh and Kurt talk about Google’s new confidential VMs. AMD Secure Encrypted Virtualization (SEV) is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_206_Confidential_Virtual_Machines_The_future_of_cloud_computing.mp3

Show Notes
- Google confidential VMs
- AMD SEV
- SEV vs SGX

Show Tags: #confidentialcomputing

July 20, 2020

Episode 204 - What Would Apple Do?

Josh and Kurt talk about some recent security actions Apple has taken. Not all of them are good, but in general Apple is doing things to benefit its customers (and its customers are not advertisers). We also discuss some of the challenges when your customers are advertisers.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_204_What_Would_Apple_Do.mp3

Show Notes
- Apple one year certificates
- Apple declines to implement 16 new APIs
- Apple is tracking unsigned executables

July 6, 2020