
Episode 328 - The Security of Jobs or Job Security

Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job?
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_328_The_Security_of_Jobs_or_Job_Security.mp3
Show Notes: Tesla Layoffs; Coinbase layoffs

June 20, 2022

Episode 327 - The security of alert fatigue

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy opening into a discussion of alert fatigue and why it's important to be very mindful of our communications.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_327_The_security_of_alert_fatigue.mp3
Show Notes: GitHub 400K notifications, Hacker News thread, Reddit user TV Bluetooth

June 13, 2022

Episode 322 - Adam Shostack on the security of Star Wars

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe; it's an old code, I hear. We also discuss whether Star Wars is better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_322_Adam_Shostack_on_the_security_of_Star_Wars.mp3
Show Notes: Adam Shostack; Adam's Website; The book

May 9, 2022

Episode 319 - Patch Tuesday with a capital T

Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age-old question of how fast to patch. The answer isn't binary: the right answer is whatever works best for you, not what someone tells you is best.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_319_Patch_Tuesday_with_a_capital_T.mp3
Show Notes: Patch Tuesday; Git security update

April 18, 2022

Episode 317 - The lack of compromise in security

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no; there's not much in the middle. The conversation ends up derailed by a Twitter thread about pinning dependencies, which gives you an idea of how contentious a topic pinning is. The final takeaway is not to let security turn into your identity; it ends up making a mess.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_317_The_lack_of_compromise_in_security.mp3
Show Notes: Josh's Twitter thread; How to install week old npm packages

April 4, 2022

Episode 314 - The Linux Dirty Pipe vulnerability

Josh and Kurt talk about the Linux kernel Dirty Pipe security vulnerability. This bug is a remarkable combination of deep complexity, incredible simplicity, and a little bit of luck. The discovery is impressive, and the analysis is enlightening. There's almost no way a bug like this could be found outside of open source.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_314_The_Linux_Dirty_Pipe_vulnerability.mp3
Show Notes: Dirty Pipe Writeup

March 14, 2022

Episode 313 - Insecurity at scale

Josh and Kurt talk about the challenges of security at scale. Specifically, we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need in order to push security forward.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_313_Insecurity_at_scale.mp3
Show Notes: Stable Linux Kernel and Machine Learning

March 7, 2022

Episode 312 - The Legend of the SBOM

Josh and Kurt talk about SBOMs. Not what they are; there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question if we really need them. SBOMs are part of a future that's still being invented.
https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_312_The_Legend_of_the_SBOM.mp3
Show Notes: Questioning SBOMs; Rezilion Log4j diagram; David A Wheeler on CII Badges; Using open source is communism

February 28, 2022

Episode 310 - Hayley Tsukayama from the EFF talks about privacy

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don’t have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it’s easy to see how the EFF became the jewel of the Internet. ...

February 14, 2022

Episode 301 - You're holding it wrong: the importance of unlearning

Josh and Kurt talk about the epic failure that was episode 300. This ties nicely into the topic of the day, which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way is too good to ignore.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_301_Youre_holding_it_wrong_the_importance_of_unlearning.mp3
Show Notes: Lawfare Apple NSO podcast; New way to play Tetris

December 13, 2021