Log4j

forest-5673934_1920

Episode 330 - The sliding scale of risk: seeing the forest for the trees

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can’t be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_330_The_sliding_scale_of_risk_seeing_the_forest_for_the_trees.mp3 Show Notes gsd.id The Register OpenSSL story OpenSSL bug

July 4, 2022
plumbing-g34702d0e3_1920

Episode 304 - Will we ever fix all the vulnerabilities?

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course “no”, but why it is no is very complicated. Far more complicated than either of us thought it would be. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_304_Will_we_ever_fix_all_the_vulnerabilities.mp3 Show Notes Will cyber security vulnerabilities ever “stop existing” ?

January 3, 2022
fire-3792951_1920

Episode 303 - Log4j Christmas Spectacular!

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure we’ll be talking about it well into the future. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_303_Log4j_Christmas_Spectacular.mp3 Log before Christmas poem ‘Twas the night before Christmas, when all through the stack Not a scanner was scanning, not even a rack, ...

December 27, 2021
Log4Shell_logo

Episode 302 - Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then. Good luck to everyone dealign with this thing https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_302_Log4j_is_a_mess.mp3 Show Notes Log4j GSD entry Minecraft server discussion Log4j GitHub issue 608

December 20, 2021