
Episode 369 - OpenAI broke ChatGPT then tried to blame open source

Josh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn’t go very well. In this episode Josh and Kurt argue a lot, maybe someday we’ll know who was the least wrong.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_369_OpenAI_broke_ChatGPT_then_tried_to_blame_open_source.mp3

Show Notes: ChatGPT Tweet; ChatGPT Blog; redis bug

April 3, 2023

Episode 366 - Software liability is coming

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it’s normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability look like they’re coming to an end.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_366_Software_liability_is_coming.mp3

Show Notes: LTT millennial pause; The perverse incentive of vulnerability counting; National Cybersecurity Strategy

March 13, 2023

Episode 365 - "I am not your supplier" with Thomas Depierre

Josh and Kurt talk to Thomas Depierre about his “I am not a supplier” blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There are too many topics to even list. The whole episode is an epic adventure through modern open source.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_365_I_am_not_your_supplier_with_Thomas_Depierre.mp3

Show Notes: Thomas on Mastodon; I am not a supplier; The Treachery of Images (Ceci n’est pas une pipe); Atlantic Council report; The Field Guide to Understanding ‘Human Error’; Google wants new rules for developers working on ‘critical’ projects; Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure; Sovereign Tech Fund

March 6, 2023

Episode 357 - Is open source being overexploited?

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It’s common to think of open source projects as delivered to us, but it’s more like acquiring raw materials from the forest. The problem is we’re harvesting the raw materials in an unsustainable manner at the moment.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_357_Is_open_source_being_overexploited.mp3

Show Notes: I am not a supplier; Josh’s question about the environment; sjvn Gorilla toolkit article; Gorilla Web Toolkit; Awesome Games Done Quick; GeoGuessr; Awesome Games Done Quick 2023

January 9, 2023

The perverse incentive of vulnerability counting

It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want to have as few vulnerabilities in the open source you’re using, so logically zero is the goal. ...

January 3, 2023

Episode 339 - Is a network problem a security vulnerability

Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability?

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_339_Is_a_network_problem_a_security_vulnerability.mp3

Show Notes: Resolving an unusual wifi issue; Hacker News thread; Global Security Database; IdeaPad 5 14ARE05

September 5, 2022

Episode 338 - The government didn't make vulnerabilities illegal. Yet.

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It’s actually not a huge deal, for most of us it’s really just time to deal with product security.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_338_The_government_didnt_make_vulnerabilities_illegal_Yet.mp3

Show Notes: The Hacker Mind; The Untold Stories of Open Source; H.R.7900 - National Defense Authorization Act for Fiscal Year 2023; Kurt’s blog post

August 29, 2022

Episode 330 - The sliding scale of risk: seeing the forest for the trees

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can’t be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_330_The_sliding_scale_of_risk_seeing_the_forest_for_the_trees.mp3

Show Notes: gsd.id; The Register OpenSSL story; OpenSSL bug

July 4, 2022

Episode 323 - The fake 7-Zip vulnerability and SBOM

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3

Show Notes: Probably fake 7-Zip

May 16, 2022

Episode 320 - Security Twitter is not the real world

Josh and Kurt talk about a TuxCare survey on patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_320_Security_Twitter_is_not_the_real_world.mp3

Show Notes: State of Enterprise Vulnerability Detection and Patch Management; CISA Known Exploited Vulnerabilities Catalog; Google 0days

April 25, 2022