Security

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of security and tech and disagree about how to best keep your skills up to date. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_299_Experts_From_A_World_That_No_Longer_Exists.mp3 Show Notes Experts From A World That No Longer Exists Neuroplasticity Scotty and the mouse Git 2.34 4H Public Speaking

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_298_David_A_Wheeler_discusses_the_OpenSSF.mp3 Show Notes David A Wheeler Episode 14 – David A Wheeler: CII Badges Sigstore joins the OpenSSF OpenSSF Technical Working Groups NPM requires MFA LISH Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks

Josh and Kurt talk about the new Trojan Source bug. We don’t always agree on if this is a vulnerability (it’s not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don’t live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_296_Is_Trojan_Source_a_vulnerability.mp3 Show Notes Trojan Source oss-security message GitHub example

Josh and Kurt talk about Josh’s electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_295_Open_source_security_isnt_free.mp3 Show Notes UAParser.js CISA announcement

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit. How a lot of the plot is a bit silly. It’s a really fun episode. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_290_The_security_of_the_Matrix.mp3 Show Notes Matrix 4 trailer nmap in the Matrix VFX Artists react to the Mandalorian Glasshouse Universal Paperclips

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that goes against how GitHub works. They’re also turning all compiler warnings into errors. It’s really interesting to understand what these steps mean today, and what they could mean in the future. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_288_Linux_Kernel_compiler_warnings_considered_dangerous.mp3 Show Notes The Register Linux story OpenSSL Release Notes

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What’s currently going on in this space and what sort of new thing scan we look forward to? We discuss Google’s open source use, Project Sigstore, the SLSA framework and more. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_286_Open_source_supply_chain_with_Googles_Dan_Lorenc.mp3 Show Notes Dan’s Twitter Sigstore SLSA Framework

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn’t always obvious when you’re in the middle of progress. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_282_The_security_of_Rust_who_left_all_this_awesome_in_here.mp3 Show Notes Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming Josh’s devopsdays talk Microsoft moved font handling out of the kernel Atari 2600 emulator in Minecraft Rate of technology adoption

Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what’s happening around us when everything is related. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_276_Security_behavior_and_the_environment.mp3 Show Notes Judges more lenient after a break Dungeons and Data Poverty changes your DNA

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_266_The_future_of_security_scanning_with_Debricked.mp3 Show Notes Debricked Emil’s Linkedin