Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats,Continue reading “Episode 298 – David A Wheeler discusses the OpenSSF”
Tag Archives: vulnerability
Episode 292 – Apache RCE and Twitch epic pwn
Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn’t matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard. Show Notes Parasocial RelationshipContinue reading “Episode 292 – Apache RCE and Twitch epic pwn”
Episode 291 – Everyone sucks at vulnerability disclosure
Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you’ll have some fun and learn a bit about the wholeContinue reading “Episode 291 – Everyone sucks at vulnerability disclosure”
Episode 289 – Who left this 0day on the floor?
Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It’s certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal. Show Notes Matrix 4 trailer Travis CI issueContinue reading “Episode 289 – Who left this 0day on the floor?”
Episode 287 – Is GitHub’s Copilot the new Clippy?
Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came? Show Notes GitHub Copilot Copilot research paper
Episode 283 – When vulnerability disclosure becomes dangerous
Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It’s less simple than it sounds, many of the choices could end up harming victims. Show Notes Disclosure Dilemmas @evacide Bob Diachenko This Is How They Tell Me The World Ends
Episode 267 – Does 0day still mean 0day?
Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that’s OK. Show Notes Hacker History Podcast Chrome 0day NTFS Documentation
It’s time to fix CVE
The late, great, John Lewis is well known for a quote about getting into trouble. Never, ever be afraid to make some noise and get in good trouble, necessary trouble. It’s time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter, is well aware I have beenContinue reading “It’s time to fix CVE”
Episode 223 – Full disclosure won, deal with it
Josh and Kurt talk about the idea behind the full disclosure of security vulnerability details. There have been discussions about this topic for decades with many people on all sides of the issue. The reality is however, if you look at the current state of things, this discussion is settled, full disclosure won. Show NotesContinue reading “Episode 223 – Full disclosure won, deal with it”
Broken vulnerability severities
This blog post originally started out as a way to point out why the NVD CVSS scores are usually wrong. One of the amazing things about having easy access to data is you can ask a lot of questions, questions you didn’t even know you had, and find answers right away. If you haven’t readContinue reading “Broken vulnerability severities”
Open Source Security 