Open Source Security Podcast
427 episodes - English - Latest episode: about 14 hours ago - ★★★★★ - 38 ratingsA security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Homepage Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Episodes
Episode 376 - Open Source Summit, who built your open source, and AI
May 22, 2023 00:00 - 36 minutes - 34.2 MBJosh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen. Show Notes SLSA FRSCA S2C2F MSI leak Intel microcode Tom Scott AI Video
Episode 375 - The market forces of left-pad, Episode 77 remaster part 2
May 15, 2023 00:00 - 29 minutes - 28.2 MBJosh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn't there. it may never be there. Rather than whine and complain, we need to work with our constraints. Show Notes Episode 77 – npm and the supply chain
Episode 374 - The event we called left-pad, Episode 77 remaster part 1
May 08, 2023 00:00 - 29 minutes - 28.5 MBJosh and Kurt revisit Episode 77, which was named "npm and the supply chain" but was a discussion about the incident we all know now as "leftpad". We didn't understand what was happening at the time, but this would become an event we talk about for years to come. It's shocking how many of the things we discuss are still completely valid five years later. Show Notes Episode 77 – npm and the supply chain
Episode 373 – HHGG security, Episode 42 remaster part 2
May 01, 2023 00:00 - 34 minutes - 32.9 MBThis is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today. Show Notes Original Episode 42 Part 1
Episode 372 - HHGG security, Episode 42 remaster part 1
April 24, 2023 00:00 - 30 minutes - 29.5 MBThe podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools and talent has come a long way in the last few years). This is a remaster of Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today. Show Notes Origi...
Episode 371 - pip install is the tool we deserve but not the tool we need
April 17, 2023 00:00 - 34 minutes - 32.9 MBJosh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a few years ago, but our needs have changed. Show Notes One Does Not Simply 'pip install' Dag Wieers RPM Webfinger GitHub repo
Episode 370 - Open Source is bigger than you can imagine
April 10, 2023 00:00 - 34 minutes - 32 MBJosh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it's mostly one person. It's hard to imagine how this all works sometimes and this lack of understanding can create challenges. Show Notes Josh's blog on the size of NPM One In Two New Npm Packages Is SEO Spam Right Now Linux Kernel power distribution graph
Episode 369 - OpenAI broke ChatGPT then tried to blame open source
April 03, 2023 00:00 - 30 minutes - 29.6 MBJosh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn't go very well. In this episode Josh and Kurt argue a lot, maybe someday we'll know who was the least wrong. Show Notes ChatGPT Tweet ChatGPT Blog redis bug
Episode 368 - The Sovereign Tech Fund with Fiona Krakenbürger
March 27, 2023 00:00 - 39 minutes - 35.9 MBJosh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it's doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future. Show Notes Fiona on Mastodon Sove...
Episode 367 - Open source will never be the same
March 20, 2023 00:00 - 32 minutes - 30.9 MBJosh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There's a lot to unpack in this one. There's a lot of happenings going on in the world of open source. We are seeing governments paying attention to open source like never before, change is coming and everything is going to change. Show Notes ipmitool Repository Archived, Developer Suspended By GitHub Elixir: Docker now charges open source orgs $300
Episode 366 - Software liability is coming
March 13, 2023 00:00 - 34 minutes - 33.1 MBJosh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it's normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it's coming to an end. Show Notes LTT millenial pause The perverse incentive of vulnerability counting National Cybersecurity Strategy
Episode 365 - "I am not your supplier" with Thomas Depierre
March 06, 2023 00:00 - 52 minutes - 49 MBJosh and Kurt talk to Thomas Depierre about his "I am not a supplier" blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There's too many topics to even list. The whole episode is an epic adventure through modern open source. Show Notes Thomas on Mastodon I am not a supplier The Treachery of Images (Ceci n'est pas une ...
Episode 364 - Using SBOMs is hard
February 27, 2023 00:00 - 36 minutes - 33.9 MBJosh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell us different things depending on what we need to know. We also cover some of the community efforts happening around SBOMs. They're still not easy to use, but it's better better. Show Notes SBOM Types draft SBOM Drift OpenSSF SBOM Everywhere
Episode 363 - Joylynn Kirui from Microsoft on DevSecOps
February 20, 2023 00:00 - 31 minutes - 29.5 MBJosh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe. Show Notes Joylynn Kirui Joylynn on DVT Tech Insights Episode 174 - a chat with GitHub about CodeQL S2C2F Azure Open Source Day
Episode 362 - A lesson in Rust from Carol Nichols
February 13, 2023 00:00 - 41 minutes - 37.7 MBJosh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it's different. Why Rust doesn't have the same problems C and C++ have, and what the future of it all could look like. It's a really fun show with some great questions from Carol along the way. Show Notes Carol Nichols on Mastodon The Rust Programming Language, 2nd Edition Rust book online Netflix tech blog on Java performance Rust in the context of Railroad Br...
Episode 361 - GitHub got pwnt, but it wasn't very exciting
February 06, 2023 00:00 - 33 minutes - 31.2 MBJosh and Kurt talk about the recent GitHub breach. It wasn't terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. Show Notes GitHub blog post Hacker History Podcast episode with Robert Super Mario 64 decompile Mario 64 built without optimization Link to the Past source code
Episode 360 - Memory safety and the NSA
January 30, 2023 00:00 - 34 minutes - 33 MBJosh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can't fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C. Show Notes NSA Releases Guidance on How to Protect Against Software Memory Safety Issues Drum memory and the story of Mel Netflix performance Disc...
Episode 359 - The NOTAM outage and other legacy technology
January 23, 2023 00:00 - 34 minutes - 32.7 MBJosh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It's also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren't any great answers here, but we do ask a lot of questions about long running tech. Show Notes NOTAM outage AIX is not dead IBM Linux commercial Apple A/UX How NOT To Implement the POSIX Standard, Featuring Windows NT ...
Episode 358 - Furby vs Alexa
January 16, 2023 00:00 - 31 minutes - 29.8 MBJosh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what's changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like? Show Notes Furby source code Talking Toy Or Spy? Adam Ruins Everything - Why Jaywalking Is a Crime
Episode 357 - Is open source being overexploited?
January 09, 2023 00:00 - 34 minutes - 32.3 MBJosh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It's common to think of open source projects as delivered to us, but it's more like acquiring raw materials from the forest. The problem is we're harvesting the raw materials in an unsustainable manner at the moment. Show Notes I am not a supplier Josh's question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesom...
Episode 356 - LastPass ducked up, now what?
January 02, 2023 00:00 - 35 minutes - 33.3 MBJosh and Kurt talk about the LastPass saga. There's a lot of great explanations about what happened, but there hasn't been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. The real problem is how LastPass is dealing with this, not the technical details. Show Notes Great writeup of LastPass Jeremi M Gosney Mastodon explanation Tavis writeup on password managers Use a...
Episode 355 - Security Boxing Day
December 26, 2022 00:00 - 31 minutes - 30.5 MBJosh and Kurt talk about some security gifts for boxing day. We start out with the idea of the security poverty line and discuss a few ideas for how a low resource group can make their open source more secure. There are no simple answers unfortunately. Show Notes Wendy Nather Security Poverty Line Boots Theory
Episode 354 - Jerry Bell tells us why Mastodon is awesome and MFA is hard
December 19, 2022 00:00 - 31 minutes - 29.4 MBJosh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale. Show Notes infosec.exchange MFA discussion Jerry's 2FA advice MalwareTech retracts Mastodon statements
Episode 353 - Jill Moné-Corallo on GitHub's bug bounty program
December 12, 2022 00:00 - 26 minutes - 25.4 MBJosh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. Show Notes Jill's Twitter Jill's Mastodon GitHub Bug Bounty Bug bounty scope Eight years of the GitHub Security Bug Bounty program GitHub NPM bug bounty find
Episode 352 - Stylometry removes anonymity
December 05, 2022 00:00 - 32 minutes - 30.3 MBJosh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology. Show Notes Hacker News Stylometry Analyzer FBI Profiler on the Unabomber Impersonate Eli Lilly for $8 Shakespeare Stylometry
Episode 351 - Is security or usability a law of the universe?
November 28, 2022 00:00 - 33 minutes - 31.9 MBJosh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic. Show Notes EFF on Mastodon DM privacy Towards End-to-End Encryption for Direct Messages in the Fediverse Pluralistic: 14 Nov 2022 Even if you're paying for the...
Episode 350 - Spam, Email, Content Moderation, and Infrastructure Oh My
November 21, 2022 00:00 - 31 minutes - 30.9 MBJosh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated. Show Notes PowerDMARC Will Dormann GossiTheDog upgrades Exchange lcamtuf's blog I like Ice Cream
Episode 349 - The cyber is coming from inside the house - the UK is scanning itself
November 14, 2022 00:00 - 31 minutes - 29.6 MBJosh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder. Show Notes NCSC Scanning information Motherboard podcast about NCIS
Episode 348 - OpenSSL is the new lead paint
November 07, 2022 00:00 - 33 minutes - 32.8 MBJosh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. Show Notes OpenSSL Blog Post OpenSSL pre-announcement Mark Cox Tweet 3.0 only affected GossiTheDog NDA Tweet Claims o...
Episode 347 - Airtags in luggage and weasel security - two peas in a suitcase
October 31, 2022 00:00 - 33 minutes - 31.6 MBJosh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers. Show Notes Lufthansa bans airtags Airtag stalking problems Lufthansa unbans airtags Cult of the Dead Cow book TV Typewriter Andre the Giant on an airplane Poison Squad
Episode 346 - Security and working from home have terrible things in common
October 24, 2022 00:00 - 32 minutes - 31.6 MBJosh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home. Show Notes Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs Business Insider 2 jobs story Ken Thompson lines of code
Episode 345 - Cheap hacking devices turn security upside down
October 17, 2022 00:00 - 30 minutes - 28.6 MBJosh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security? Show Notes Cloning a Rare ISA Card to Use a Rare CD Drive Vintage Tech YouTubers Discussi...
Episode 344 - Python tarfile - 2022 is nothing like 2007
October 10, 2022 00:00 - 34 minutes - 32.4 MBJosh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what's OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022. Show Notes CVE-2007-4559 Red Hat Bug Register story Response from upstream Upstream patch ZippSlip Current upstream bug CSURF
Episode 343 - Stop trying to fix the open source software supply chain
October 03, 2022 00:00 - 32 minutes - 30.2 MBJosh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. Show Notes Iliana's Twitter There is no “software supply chain” Google supply chain blog GitHub ansi_term advisory PyPI 2FA Dashboard tarfile issue rediscovered in 2022
Episode 342 - Programming languages are the new operating system
September 26, 2022 00:00 - 29 minutes - 28.3 MBJosh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes Kelsey Hightower tweet OSS-Fuzz
Episode 341 - Time till open source alternative
September 19, 2022 00:00 - 35 minutes - 33.4 MBJosh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it. Show Notes Time Till Open Source Alternative GitHub Desktop issue 78 The Reddit Safe
Episode 340 - Let's chat about Let's Encrypt with Josh Aas
September 12, 2022 00:00 - 33 minutes - 29.4 MBJosh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects. Show Notes Josh Aas Internet Security Research Group (ISRG) Let's Encrypt Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas New Major Funding from the Ford Foundation ISRG annual reports Peter Eckersley
Episode 339 - Is a network problem a security vulnerability
September 05, 2022 00:00 - 38 minutes - 35.7 MBJosh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05
Episode 338 - The government didn't make vulnerabilities illegal. Yet.
August 29, 2022 00:00 - 36 minutes - 35 MBJosh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security. Show Notes The Hacker Mind The Untold Stories of Open Source H.R.7900 - National Defense Authorization Act for Fiscal Year 2023 Kurt's blog post
Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why
August 22, 2022 00:00 - 31 minutes - 30.5 MBJosh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction. Show Notes Dustin Childs ZDI Sloppy Software Patches Are a ‘Disturbing Trend’ Zero Day Initiative launches new bug disclosure timelines ISO 28147
Episode 336 - We don't have data, we have security biases
August 15, 2022 00:00 - 33 minutes - 32.1 MBJosh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey. Show Notes Tweet about data The 6 most common types of bias when working with data Syft and Grype stars graph John Snow, Cholera, the Broad Street Pump Bob Lord tweet
Episode 335 - Bull*&$% security ideas
August 08, 2022 00:00 - 38 minutes - 36.9 MBJosh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can. Show Notes The tweet that started it all Mark Loveless Mark Manning Richard (Dick) Brooks @ImbecillicusRex What Train Have We Got? Dan Alejo 🏳️🌈 postmodern 🇺🇸 Robert C. Seacord 🇺🇦 Yip Wai Peng Sachin S...
Episode 334 - Leap seconds break everything
August 01, 2022 00:00 - 32 minutes - 31.2 MBJosh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here. Show Notes How and why the leap second affected Cloudflare DNS Facebook wants to get rid of leap seconds Leap Smear Falsehoods programmers believe about...
Episode 333 - Open Source is unfair
July 25, 2022 00:00 - 34 minutes - 32.9 MBJosh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture. Show Notes Syft Grype Microsoft bans and unbans open source Tidelift survey Bruce Perens - What comes after open source
Episode 332 - PyPI: 2FA or not 2FA, that is the question
July 18, 2022 00:00 - 39 minutes - 36.7 MBJosh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with. Show Notes PyPI announcement NPM expired domains Morten Linderud Tweet Congratulations:...
Episode 331 - GPG, but nothing makes sense
July 11, 2022 00:00 - 35 minutes - 34 MBJosh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter. Show Notes XKCD signed email Shire calendar Guardian editors destroy Snowden laptop
Episode 330 - The sliding scale of risk: seeing the forest for the trees
July 04, 2022 00:00 - 38 minutes - 35.7 MBJosh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. Show Notes gsd.id The Register OpenSSL story OpenSSL bug
Episode 329 - Signing (What is it good for)
June 27, 2022 00:00 - 30 minutes - 29.8 MBJosh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about! Show Notes Twitter thread Kurt's security advisory page Bug 998
Episode 328 - The Security of Jobs or Job Security
June 20, 2022 00:00 - 29 minutes - 28.4 MBJosh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job? Show Notes Tesla Layoffs Coinbase layoffs
Episode 327 - The security of alert fatigue
June 13, 2022 00:00 - 34 minutes - 32.8 MBJosh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy open to discussing alert fatigue and why it's important to be very mindful of our communications. Show Notes GitHub 400K notifications Hacker News thread Reddit user TV Bluetooth