Open Source Security Podcast

427 episodes - English - Latest episode: about 11 hours ago - ★★★★★ - 38 ratings

A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.

Episodes

Episode 326 - Big fat containers

June 06, 2022 00:00 - 37 minutes - 35.4 MB

Josh and Kurt talk about containers. There are a lot of opinions around what type of container is best. Back when it all started there were only huge distro-sized containers. Now we have a world with many different container types and sizes. Is one better? Show Notes: Programming in the Apocalypse; Bob Diachenko; Paranoids Podcast

Episode 325 - Is one open source maintainer enough?

May 30, 2022 00:00 - 35 minutes - 31.3 MB

Josh and Kurt talk about a recent OpenSSF issue that asks how many maintainers a "healthy" open source project should have. Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean? Show Notes: OpenSSF TAC Issue 101

Episode 324 - WTF is up with WFH

May 23, 2022 00:00 - 35 minutes - 34 MB

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and have a chat about the topic. There's not much security in this one, but it is a fun discussion. Show Notes: Boris Johnson blames cheese; Apple and WFH

Episode 323 - The fake 7-Zip vulnerability and SBOM

May 16, 2022 00:00 - 38 minutes - 37.1 MB

Josh and Kurt talk about a fake 7-Zip security report. It's pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. Show Notes: Probably fake 7-Zip

Episode 322 - Adam Shostack on the security of Star Wars

May 09, 2022 00:00 - 33 minutes - 31.6 MB

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe; it's an old code, I hear. We also discuss whether Star Wars is better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book. Show Notes: Adam Shostack; Adam's Website; The book

Episode 321 - Relativistic Security: Project Zero on 0day

May 02, 2022 00:00 - 34 minutes - 31.9 MB

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking. Show Notes: Google Project Zero blog post; Apple 0days; Joint cyber advisory

Episode 320 - Security Twitter is not the real world

April 25, 2022 00:00 - 32 minutes - 30.7 MB

Josh and Kurt talk about a TuxCare survey on patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important. Show Notes: State of Enterprise Vulnerability Detection and Patch Management; CISA Known Exploited Vulnerabilities Catalog; Google 0days

Episode 319 - Patch Tuesday with a capital T

April 18, 2022 00:00 - 30 minutes - 29.2 MB

Josh and Kurt talk about the many security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age-old question of how fast to patch. The answer isn't binary; the right answer is whatever works best for you, not what someone tells you is best. Show Notes: Patch Tuesday; Git security update

Episode 318 - Social engineering and why zlib got a 2018 CVE ID

April 11, 2022 00:00 - 30 minutes - 28.4 MB

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. Show Notes: Hackers using fake emergency data requests; CVE-2018-25032; Global Security Database

Episode 317 - The lack of compromise in security

April 04, 2022 00:00 - 32 minutes - 29.4 MB

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no; there's not much in the middle. The conversation ends up derailed by a Twitter thread about pinning dependencies, which gives you an idea how contentious a topic pinning is. The final takeaway is not to let security turn into your identity; it ends up making a mess. Show Notes: Josh's Twitter thread; How to install week-old npm packages

Episode 316 - You have to use open source

March 28, 2022 00:00 - 30 minutes - 28.2 MB

Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus's Law: in open source the superpower isn't that bugs are shallow (they're not); the superpower is that security bugs in open source can't be ignored. Show Notes: node-ipc protestware

Episode 315 - Who even makes all these terrible decisions?

March 21, 2022 00:00 - 33 minutes - 30.7 MB

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in File Explorer. Changing your clocks sucks. We also touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn, mostly what not to do. Show Notes: Ads in Windows Filemanager; Russia running out of storage; Russia threatens to nationalize industry; Onagawa Nuclear Power Plant; Cockcroft's Follies; German government advises citizens to u...

Episode 314 - The Linux Dirty Pipe vulnerability

March 14, 2022 00:00 - 26 minutes - 24.7 MB

Josh and Kurt talk about the Linux kernel Dirty Pipe security vulnerability. This bug is an amazing combination of complexity, simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source. Show Notes: Dirty Pipe Writeup

Episode 313 - Insecurity at scale

March 07, 2022 00:00 - 31 minutes - 28.3 MB

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need to push security forward. Show Notes: Stable Linux Kernel and Machine Learning

Episode 312 - The Legend of the SBOM

February 28, 2022 00:00 - 34 minutes - 31 MB

Josh and Kurt talk about SBOMs. Not what they are; there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question whether we really need them. SBOMs are part of a future that's still being invented. Show Notes: Questioning SBOMs; Rezilion Log4j diagram; David A Wheeler on CII Badges; Using open source is communism

Episode 311 - Did you scan the QR code?

February 21, 2022 00:00 - 32 minutes - 29.9 MB

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, and lots of security people were aghast at how many people scanned it. The reality is scanning QR codes isn't dangerous. What other security advice just won't go away? Show Notes: Coinbase Ad; Kurt's Twitter question; QR code parking scam; Mossad or not Mossad; Kurt's talk

Episode 310 - Hayley Tsukayama from the EFF talks about privacy

February 14, 2022 00:00 - 37 minutes - 32.3 MB

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don't have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details; it's easy to see how the EFF became the jewel of the Internet. Show Notes: Hayley's Twitter; EFF; How to Fix the Internet; Episode 277 – Privacy and activism with Chri...

Episode 309 - The bright future of open source security

February 07, 2022 00:00 - 31 minutes - 29.1 MB

Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what they could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes: NPM requires 2FA; OpenSSF Alpha and Omega; David A. Wheeler episode; Linux Foundation LFX; Samba Advisory

Episode 308 - Welcome to the jungle - How to talk about open source security

January 31, 2022 00:00 - 31 minutes - 29 MB

Josh and Kurt talk about how to get attention for security problems. Recent research on Twitter credentials checked into GitHub got a lot of attention, compared to a problem like Log4Shell, which took years before anyone really picked up on it. It's hard to talk about security sometimes. Show Notes: Josh's computer vision code; Twitter secrets; Qualys pwnkit

Episode 307 - Got vulnerabilities? Introducing GSD

January 24, 2022 00:00 - 30 minutes - 27.6 MB

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers. Show Notes: We rate dogs; Raccoons that heal your sadness; Global Security Database; Episode 261 – DWF is back! Welcome to community powered CVE; GSD mailing list; GSD Circle group; GSD Database; GSD Project Plan

Episode 306 - Open source isn't broken, it's an experience

January 17, 2022 00:00 - 35 minutes - 32.4 MB

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. Show Notes: Developer corrupts colors and faker; Will Wright Pee Internet Anonymity

Episode 305 - Norton, Ethereum, NFT, and Apes

January 10, 2022 00:00 - 31 minutes - 29.3 MB

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, and we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world of cryptocurrency is very confusing for normal people. None of this is new; there have always been con artists, and there will always be con artists. Show Notes: Norton Crypto FAQ; Stolen Ape; Smart contract to buy the constitution; YEAR token

Episode 304 - Will we ever fix all the vulnerabilities?

January 03, 2022 00:00 - 34 minutes - 32.1 MB

Josh and Kurt talk about the question: will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it is no is very complicated. Far more complicated than either of us thought it would be. Show Notes: Will cyber security vulnerabilities ever "stop existing"?

Episode 303 - Log4j Christmas Spectacular!

December 27, 2021 00:00 - 34 minutes - 32 MB

Josh and Kurt start the show with the reading of a security-themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event; I'm sure we'll be talking about it well into the future. Log before Christmas poem: 'Twas the night before Christmas, when all through the stack Not a scanner was scanning, not even a rack,...

Episode 302 - Log4j is a mess

December 20, 2021 00:00 - 33 minutes - 31.4 MB

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then. Good luck to everyone dealing with this thing. Show Notes: Log4j GSD entry; Minecraft server discussion; Log4j GitHub issue 608

Episode 301 - You're holding it wrong: the importance of unlearning

December 13, 2021 00:00 - 31 minutes - 29 MB

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day, which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way is too good to ignore. Show Notes: Lawfare Apple NSO podcast; New way to play Tetris

Episode 300 - Apple vs NSO: What can copyright do for you?

December 06, 2021 00:00 - 31 minutes - 29.6 MB

The lawsuit is based on the CFAA, not on copyright. We apologize for this enormous oversight. Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn't always make sense. Copyright has been used by open source to expand rights, and by many companies to restrict rights. It's a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governmen...

Episode 299 - Experts From A World That No Longer Exists

November 29, 2021 00:00 - 34 minutes - 32.7 MB

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of security and tech and disagree about how to best keep your skills up to date. Show Notes: Experts From A World That No Longer Exists; Neuroplasticity; Scotty and the mouse; Git 2.34; 4H Public Speaking

Episode 298 - David A Wheeler discusses the OpenSSF

November 22, 2021 00:00 - 38 minutes - 31.1 MB

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working groups are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects. Show Notes: David A Wheele...

Episode 297 - 25 years of smashing stacks, fun, and profit

November 15, 2021 00:00 - 33 minutes - 30.7 MB

Josh and Kurt talk about the famous Phrack 49 article "Smashing the Stack for Fun and Profit" turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making exploiting stack overflows easier, to defenders creating technologies such as stack canaries, is the direct result of this work. Show Notes: Phrack 49; Kurt's Interview with Elias Levy aka Aleph One

Episode 296 - Is Trojan Source a vulnerability?

November 08, 2021 00:00 - 33 minutes - 31.8 MB

Josh and Kurt talk about the new Trojan Source bug. We don't always agree on whether this is a vulnerability (it's not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don't live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one. Show Notes: Trojan Source; oss-security message; GitHub example

Episode 295 - Open source security isn't free

November 01, 2021 00:00 - 33 minutes - 31.4 MB

Josh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. Show Notes: UAParser.js; CISA announcement

Episode 294 - Chris Wysopal on the state of security education

October 25, 2021 00:00 - 32 minutes - 29.2 MB

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What's the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security. Show Notes: Chris Wysopal; Veracode; l0phtcrack

Episode 293 - Scoring OpenSSF Security Scoring

October 18, 2021 00:00 - 34 minutes - 32.2 MB

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no-brainer activities. We go through the list of metrics being measured. There are only a few that we don't think are fantastic. Show Notes: 4 of spades; OpenSSF; Chris Montgomery audio explanation; Scorecard 3.0.0; Scoring criteria; Python Skeleton

Episode 292 - Apache RCE and Twitch epic pwn

October 11, 2021 00:00 - 30 minutes - 29.1 MB

Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn't matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard. Show Notes: Parasocial Relationship; Twitch Hack; Soviet B-29 Clone; Apache CVE; Apache Advisory; GossiTheDog Tweet; Hacker Fantastic exploit

Episode 291 - Everyone sucks at vulnerability disclosure

October 04, 2021 00:00 - 35 minutes - 33 MB

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you'll have some fun and learn a bit about the whole vulnerability disclosure process. Show Notes: Apple 0days; Microsoft Exchange flaw; THIS IS HOW THEY TELL ME THE WORLD ENDS; Linux Foundation Vulnerability Disclosu...

Episode 290 - The security of the Matrix

September 27, 2021 00:00 - 35 minutes - 33.2 MB

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s, how Neo probably ran Linux and they used a real ssh exploit, and how a lot of the plot is a bit silly. It's a really fun episode. Show Notes: Matrix 4 trailer; nmap in the Matrix; VFX Artists react to the Mandalorian; Glasshouse; Universal Paperclips

Episode 289 - Who left this 0day on the floor?

September 20, 2021 00:00 - 33 minutes - 31.2 MB

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It's certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal. Show Notes: Matrix 4 trailer; Travis CI issue; Apple 0day patches; Chrome 0day patches; CGP Grey Where is the European Union

Episode 288 - Linux Kernel compiler warnings considered dangerous

September 13, 2021 00:00 - 36 minutes - 34.3 MB

Josh and Kurt talk about some happenings in the Linux kernel. There are some new rules around how to submit patches that go against how GitHub works. They're also turning all compiler warnings into errors. It's really interesting to understand what these steps mean today, and what they could mean in the future. Show Notes: The Register Linux story; OpenSSL Release Notes

Episode 287 - Is GitHub's Copilot the new Clippy?

September 06, 2021 00:00 - 31 minutes - 28.7 MB

Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came? Show Notes: GitHub Copilot; Copilot research paper

Episode 286 - Open source supply chain with Google's Dan Lorenc

August 30, 2021 00:00 - 37 minutes - 36 MB

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space and what sort of new things can we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more. Show Notes: Dan's Twitter; Sigstore; SLSA Framework

Episode 285 - Open source owes you nothing!

August 23, 2021 00:00 - 32 minutes - 30.3 MB

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren't a help desk. Show Notes: Emacs closes 45% of bugs; UVI; Tesla investigation; UK COVID spreadsheet

Episode 284 - What happens when we DRM power tools?

August 16, 2021 00:00 - 35 minutes - 33.3 MB

Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this? What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don't have any real answers for. Show Notes: Home Depot power tools; Ray Ozzie's IoT board; First-sale doctrine

Episode 283 - When vulnerability disclosure becomes dangerous

August 09, 2021 00:00 - 34 minutes - 32.5 MB

Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It's less simple than it sounds; many of the choices could end up harming victims. Show Notes: Disclosure Dilemmas; @evacide; Bob Diachenko; This Is How They Tell Me The World Ends

Episode 282 - The security of Rust: who left all this awesome in here?

August 02, 2021 00:00 - 30 minutes - 27.7 MB

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn't always obvious when you're in the middle of progress. Show Notes: Microsoft: Rust Is the Industry's 'Best Chance' at Safe Systems Programming; Josh's devopsdays talk; Microsoft moved font handling out of the kernel; Atari 2600 emulator in Minecraft; Rate of technology adoption

Episode 281 - If you spy on journalists, you're the bad guys

July 26, 2021 00:00 - 32 minutes - 30.3 MB

Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake-up call for anyone creating devices and systems that could be attacked; it's time to segment services. There's not a lot individuals can do at this point, but we have some ideas at the end of the episode. Show Notes: NSO Group spying; Technical details; Twitter thread; Are we the Baddies?

Episode 280 - The perils of Single Sign On

July 19, 2021 00:00 - 30 minutes - 28.9 MB

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us; if we lose access to our SSO account we will lose access to many services. Show Notes: Postbank

Episode 279 - The audacity of Audacity: When open source goes rogue

July 12, 2021 00:00 - 31 minutes - 29.3 MB

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it? Show Notes: SGDQ Paper Mario; Paper Mario Arbitrary Code Execution explained; Freenode; Audacity acquired by Muse Group; Audacity fork

Episode 278 - Could SELinux have stopped SolarWinds?

July 05, 2021 00:00 - 30 minutes - 27 MB

Josh and Kurt talk about a listener-provided question: could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it's very difficult to sandbox something like a build system. Show Notes: Gone in 60 milliseconds

Episode 277 - Privacy and activism with Chris Weiland

June 28, 2021 00:00 - 31 minutes - 31 MB

Josh and Kurt talk to Chris Weiland from Restore the Fourth Minnesota. Restore the Fourth Minnesota is a nonprofit dedicated to restoring the Fourth Amendment to the U.S. Constitution and ending unconstitutional mass government surveillance. Chris drops a ton of knowledge about how to be an effective tech activist and what his group is doing, and most importantly we get actionable advice! Show Notes: Restore the Fourth Minnesota; Restore the Fourth Minnesota on Twitter; Writ of assistance; C...

Books

One Step Behind
1 Episode

Twitter Mentions

@joshbressers 292 Episodes
@kurtseifried 291 Episodes
@gossithedog 3 Episodes
@robknake 2 Episodes
@mayhemdayone 2 Episodes
@dotmudge 2 Episodes
@lizrice 2 Episodes
@simplenomad 2 Episodes
@wdormann 2 Episodes
@snowboardvstree 1 Episode
@kmcquade3 1 Episode
@imbecillicusrex 1 Episode
@weldpond 1 Episode
@wendyck 1 Episode
@lorisdegio 1 Episode
@travismurdock 1 Episode
@ilianathewitch 1 Episode
@danpopnyc 1 Episode
@antitree 1 Episode
@sawaba 1 Episode