Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It’s a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger risk equations. It’s a really fun discussion. ...
Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It’s one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can’t) do. It’s a really fun conversation. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_432_Flipper_Zero_with_Alex_Kulagin.mp3 Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok
Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_417_Linux_Kernel_security_with_Greg_K-H.mp3 Show Notes Greg K-H Linux Kernel is a CNA Machine learning and stable kernels Bug reporting for Linux
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what’s happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It’s not easy, but it is possible. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_416_Thomas_Depierre_on_open_source_in_Europe.mp3 Show Notes Thomas Depierre I am not a supplier Open Source In The European Legislative Landscape devroom Cyber Resilience Act The 2023 Tidelift state of the open source maintainer report
Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, we chat with him about the security of curl. Daniel tells us how curl is kept secure, we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project. ...
Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it’s doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future. ...
Josh and Kurt talk to Thomas Depierre about his “I am not a supplier” blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There’s too many topics to even list. The whole episode is an epic adventure through modern open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_365_I_am_not_your_supplier_with_Thomas_Depierre.mp3 Show Notes Thomas on Mastodon I am not a supplier The Treachery of Images (Ceci n’est pas une pipe) Atlantic Council report The Field Guide to Understanding ‘Human Error’ Google wants new rules for developers working on ‘critical’ projects Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure Sovereign Tech Fund
Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_363_Joylynn_Kirui_from_Microsoft_on_De_SecOps.mp3 Show Notes Joylynn Kirui Joylynn on DVT Tech Insights Episode 174 - a chat with GitHub about CodeQL S2C2F Azure Open Source Day
Josh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it’s different. Why Rust doesn’t have the same problems C and C++ have, and what the future of it all could look like. It’s a really fun show with some great questions from Carol along the way. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_362_A_lesson_in_Rust_from_Carol_Nichols.mp3 Show Notes Carol Nichols on Mastodon The Rust Programming Language, 2nd Edition Rust book online Netflix tech blog on Java performance Rust in the context of Railroad Brakes Kees Cook blog - Bounded Flexible Arrays in C Consumer Reports on memory safety OSS-Fuzz and Rust
Josh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_354_Jerry_Bell_tells_us_why_Mastodon_is_awesome_and_MFA_is_hard.mp3 Show Notes infosec.exchange MFA discussion Jerry’s 2FA advice MalwareTech retracts Mastodon statements