Vulnerability

Josh and Kurt talk to Thomas Depierre about his “I am not a supplier” blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There’s too many topics to even list. The whole episode is an epic adventure through modern open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_365_I_am_not_your_supplier_with_Thomas_Depierre.mp3 Show Notes Thomas on Mastodon I am not a supplier The Treachery of Images (Ceci n’est pas une pipe) Atlantic Council report The Field Guide to Understanding ‘Human Error’ Google wants new rules for developers working on ‘critical’ projects Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure Sovereign Tech Fund

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It’s common to think of open source projects as delivered to us, but it’s more like acquiring raw materials from the forest. The problem is we’re harvesting the raw materials in an unsustainable manner at the moment. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_357_Is_open_source_being_overexploited.mp3 Show Notes I am not a supplier Josh’s question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesome Games Done Quick GeoGuessr Awesome Games Done Quick 2023

It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want to have as few vulnerabilities in the open source you’re using, so logically zero is the goal. ...

Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_339_Is_a_network_problem_a_security_vulnerability.mp3 Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It’s actually not a huge deal, for most of us it’s really just time to deal with product security. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_338_The_government_didnt_make_vulnerabilities_illegal_Yet.mp3 Show Notes The Hacker Mind The Untold Stories of Open Source H.R.7900 - National Defense Authorization Act for Fiscal Year 2023 Kurt’s blog post

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can’t be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_330_The_sliding_scale_of_risk_seeing_the_forest_for_the_trees.mp3 Show Notes gsd.id The Register OpenSSL story OpenSSL bug

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3 Show Notes Probably fake 7-Zip

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_320_Security_Twitter_is_not_the_real_world.mp3 Show Notes State of Enterprise Vulnerability Detection and Patch Management CISA Known Exploited Vulnerabilities Catalog Google 0days

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_318_Social_engineering_and_why_zlib_got_a_2018_CVE_ID.mp3 Show Notes Hackers using fake emergency data requests CVE-2018-25032 Global Security Database

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There’s almost no way a bug like this could be found outside of open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_314_The_Linux_Dirty_Pipe_vulnerability.mp3 Show Notes Dirty Pipe Writeup