Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of operating a large open source project. The NPM situation continues to show the difficulty in trying to backdoor open source. Many people are watching, and it only takes one person to notice a problem and report it,Continue reading “Episode 413 – PyTorch and NPM get attacked, but it’s OK”
Tag Archives: npm
Episode 378 – Naming things is harder than security
Josh and Kurt talk about namespaces. They were a topic in the last podcast, and resulted in a much much larger discussion for us. We decided to hash out some of our thinking in an episode. This is a much harder problem than either of us expected. We don’t have any great answers, but weContinue reading “Episode 378 – Naming things is harder than security”
Episode 375 – The market forces of left-pad, Episode 77 remaster part 2
Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit justContinue reading “Episode 375 – The market forces of left-pad, Episode 77 remaster part 2”
Episode 374 – The event we called left-pad, Episode 77 remaster part 1
Josh and Kurt revisit Episode 77, which was named “npm and the supply chain” but was a discussion about the incident we all know now as “leftpad”. We didn’t understand what was happening at the time, but this would become an event we talk about for years to come. It’s shocking how many of theContinue reading “Episode 374 – The event we called left-pad, Episode 77 remaster part 1”
Episode 370 – Open Source is bigger than you can imagine
Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it’s mostly one person. It’s hard to imagine how this all works sometimes and this lack of understanding can createContinue reading “Episode 370 – Open Source is bigger than you can imagine”
Episode 353 – Jill MonĂ©-Corallo on GitHub’s bug bounty program
Josh and Kurt talk to Jill MonĂ©-Corallo about GitHub’s bug bounty and product security team. It’s a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. Show Notes
Episode 342 – Programming languages are the new operating system
Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes
Episode 332 – PyPI: 2FA or not 2FA, that is the question
Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it’s not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episodeContinue reading “Episode 332 – PyPI: 2FA or not 2FA, that is the question”
Episode 317 – The lack of compromise in security
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there’s not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not toContinue reading “Episode 317 – The lack of compromise in security”
Episode 316 – You have to use open source
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’ Law, in open source the superpower isn’t bugs are shallow (they’re not), the superpower is security bugs in open source can’t be ignored. Show NotesContinue reading “Episode 316 – You have to use open source”
Open Source Security 