
Episode 330 - The sliding scale of risk: seeing the forest for the trees

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_330_The_sliding_scale_of_risk_seeing_the_forest_for_the_trees.mp3

Show Notes
- gsd.id
- The Register OpenSSL story
- OpenSSL bug

July 4, 2022

Episode 308 - Welcome to the jungle - How to talk about open source security

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention, compared to a problem like Log4Shell, which took years before anyone really picked up on it. It's hard to talk about security sometimes.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_308_Welcome_to_the_jungle_How_to_talk_about_open_source_security.mp3

Show Notes
- Josh's computer vision code
- Twitter secrets
- Qualys pwnkit

January 31, 2022

Episode 302 - Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then. Good luck to everyone dealing with this thing.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_302_Log4j_is_a_mess.mp3

Show Notes
- Log4j GSD entry
- Minecraft server discussion
- Log4j GitHub issue 608

December 20, 2021