Josh and Kurt talk about a listener provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it’s very difficult to sandbox something like a build system. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_278_Could_SELinux_have_stopped_SolarWinds.mp3 Show Notes Gone in 60 milliseconds
Josh and Kurt talk about why it seems like the world of ransomware has gotten out of control in the last few weeks. Every day there’s some new and more bizarre ransomware story than we had yesterday. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_275_What_in_the_is_going_on_with_ransomware.mp3 Show Notes Spurious Correlations Ransom recovered Adam Shostack Ransomware is not the problem Latvian Woman charged for writing ransomware
Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_268_Can_we_trust_any_3rd_parties.mp3 Show Notes Europe and 5G Codecov Codecov Reuters story Red Hat OpenSSH advisory
I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for the reasons intended in the conversation. The point of the suggestion was the Titanic sinking created changes to international requirements to help avoid a similar disaster next time, and we should be viewing SolarWinds in a similar way. The idea being we should use the SolarWinds event to drive meaningful change to make security better. Why no change will come of this is a different conversation: TL;DR it’s because nobody important died from SolarWinds, the Titanic killed a lot of important people. But I think this is an interesting way to talk about how we tend to deal with problems in software and how we deal with them in real life. ...