Open Source Security Podcast

427 episodes - English - Latest episode: about 14 hours ago - ★★★★★ - 38 ratings

A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.


Episodes

Episode 276 - Security, behavior, and the environment

June 21, 2021 00:00 - 28 minutes - 26.7 MB

Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what's happening around us when everything is related. Show Notes Judges more lenient after a break Dungeons and Data Poverty changes your DNA

Episode 275 - What in the @#$% is going on with ransomware?

June 14, 2021 00:00 - 28 minutes - 26.8 MB

Josh and Kurt talk about why it seems like the world of ransomware has gotten out of control in the last few weeks. Every day there's some new and more bizarre ransomware story than we had yesterday. Show Notes Spurious Correlations Ransom recovered Adam Shostack Ransomware is not the problem Latvian Woman charged for writing ransomware

Episode 274 - Mr. Amazon's Neighborhood

June 07, 2021 00:00 - 28 minutes - 27.5 MB

Josh and Kurt talk about Amazon Sidewalk. There is a lot of attention, but how is this any different than the surveillance networks Apple and Google have built? Show Notes Amazon Sidewalk Ads and toothpaste Airtags and stalking

Episode 273 - Can we stop the coming artificial unintelligence deluge?

May 31, 2021 00:00 - 31 minutes - 29.5 MB

Josh and Kurt talk about AI driven comments. We live in a world of massive confusion and disruption where what is true and false, real and fake, are often widely debated. As AI grows and evolves what does it mean for this future? We don't really have any answers, but we ask a lot of questions. This isn't easy, nor will it be solved quickly, but solving it is not optional. Show Notes AIs and Fake Comments ACLU AMA Cloudflare Cryptographic Attestation of Personhood Evil bit Boris Jo...

Episode 272 - The Biden Cybersecurity Executive Order

May 24, 2021 00:00 - 31 minutes - 29.8 MB

Josh and Kurt talk about the Biden Administration's new cybersecurity executive order. There are some good ideas in there, but at the end of the day it's an unfunded mandate. Unfunded mandates are difficult to implement. Show Notes Biden Executive Order Fact Sheet Obama's cyber EO

Episode 271 - Pipeline security: There is no problem humans can't make worse

May 17, 2021 00:00 - 31 minutes - 30.2 MB

Josh and Kurt talk about how people handle problems. We open with the story of the Colonial Pipeline hack, but then go into some of the ways people tend to make problems worse. Show Notes Male vs Female trees Pipeline hack XKCD Pipelines TSA Pipeline Security

Episode 270 - Hello dark patterns my old friend

May 10, 2021 00:00 - 32 minutes - 30.7 MB

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse a user into doing something they don't want to, like unknowingly purchasing a monthly subscription to something they don't need or want. The US Federal Trade Commission is starting to discuss dark patterns in web sites and apps. Show Notes Dark Patterns Types of Dark Patterns FTC Bringing Dark Patterns to Light LTT Dell Warranty

Episode 269 - Do not experiment on the Linux Kernel

May 03, 2021 00:00 - 29 minutes - 27.3 MB

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There's a lot to unpack in this one, but the TL;DR is you probably don't want to experiment on the kernel. Show Notes Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research University of Minnesota security researchers apologize for deliberately buggy Linux patches The International Obfuscated C Code Contest

Episode 268 - Can we trust any 3rd parties?

April 26, 2021 00:00 - 30 minutes - 28.4 MB

Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust? Show Notes Europe and 5G Codecov Codecov Reuters story Red Hat OpenSSH advisory

Episode 267 - Does 0day still mean 0day?

April 19, 2021 00:00 - 28 minutes - 27.1 MB

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that's OK. Show Notes Hacker History Podcast Chrome 0day NTFS Documentation

Episode 266 - The future of security scanning with Debricked

April 12, 2021 00:00 - 28 minutes - 25.9 MB

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like. Show Notes Debricked Emil's Linkedin

Episode 265 - The lies closed source can tell, open source can't

April 05, 2021 00:00 - 31 minutes - 26.7 MB

Josh and Kurt talk about the PHP backdoor and the Ubiquiti whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information. Show Notes PHP backdoor Ubiquiti coverup 3D printed TSA keys LockPickingLawyer Determining Key Shape from Sound Lock camera

Episode 264 - DevSecOps with GitLab's Mark Loveless

March 29, 2021 00:00 - 33 minutes - 30 MB

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It's a great conversation. Show Notes Mark Loveless Twitter GitLab GitLab Handbook How we approach open source security PASTA threat modeling GitLab security features Tales from the Past - "You Tested Positive for TNT"

Episode 263 - GitHub pulls exploits, LinuxFoundation sign all the things

March 22, 2021 00:00 - 32 minutes - 30.3 MB

Josh and Kurt talk about how terrible daylight saving time is, GitHub yanking some exploit code, and the Linux Foundation's new project to sign all the things. Show Notes Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github GitHub content restrictions Reproducing the Microsoft Exchange Proxylogon Exploit Chain

Episode 262 - A discussion with Loris and Pop from Sysdig

March 15, 2021 00:00 - 31 minutes - 24 MB

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, their huge code donation to the CNCF and what securing a modern infrastructure looks like today. Show Notes Sysdig Falco Loris' Twitter Dan "Pop" Popandrea's Twitter Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF pdig Sysdig 2021 container security and usage ...

Episode 261 - DWF is back! Welcome to community powered CVE

March 08, 2021 00:00 - 32 minutes - 29.7 MB

Josh and Kurt talk about DWF. It's back and the intention is to have real community driven security identifiers! Show Notes Committee vs Community dwflist repo dwf-request tooling repo dwf-workflow policy repo CVE plateau graph iwantacve.org

Episode 260 - Dave Jevans tells us what CipherTrace is up to

March 01, 2021 00:00 - 29 minutes - 23.2 MB

Josh and Kurt talk with Dave Jevans CEO of CipherTrace and chairman of the anti-phishing working group about the challenges of keeping track of cryptocurrency in the modern age. Show Notes Dave's Twitter CipherTrace Anti Phishing Working Group

Episode 259 - What even is open source anymore?

February 22, 2021 00:00 - 33 minutes - 30 MB

Josh and Kurt talk about the question "what is open source?" Why do we think it's broken today, and what sort of ideas are there about what should come next? Show Notes OSI Bruce Perens Post Open Source Josh's community blog post Cory Doctorow Uber Twitter thread

Episode 258 - Stop using C

February 15, 2021 00:00 - 30 minutes - 27.6 MB

Josh and Kurt talk about the Google Project Zero report titled "A Year in Review of 0-days Exploited In-The-Wild in 2020". It's a cool report but we don't agree on the conclusion. The answer isn't to security harder, it's to stop using C. Show Notes Google Project Zero Year of 0-days Kurt's CUPS tweet

Episode 257 - The sudo and libgcrypt vulnerabilities

February 08, 2021 00:00 - 31 minutes - 29.7 MB

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What's the deal with these buffer overflows and TOCTOU bugs? Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow

Episode 256 - 9 bits of podcast, 8 bits of computing

February 01, 2021 00:00 - 31 minutes - 29.7 MB

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think. Show Notes Legend of Zelda Random Number Generation Green rocket flame SR71 leaked fuel How do Namibian Himbas see colour? Septuple meter music

Episode 255 - What if security wasn't joyless?

January 25, 2021 00:00 - 30 minutes - 28.4 MB

Josh and Kurt talk about what we can stop doing. We take a position of asking "does it spark joy" for tools and infrastructure. Everyone is doing something they should stop. Show Notes Does it spark joy?

Episode 254 - Right to Repair Security

January 18, 2021 00:00 - 30 minutes - 27.8 MB

Josh and Kurt talk about the new right to repair rules in the EU. There's a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years. Show Notes EU right to repair repair.eu

Episode 253 - Defenders only need to be right once

January 11, 2021 00:00 - 32 minutes - 30.4 MB

Josh and Kurt talk about this idea that seems to exist in security of "attackers only need to be right once" which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But "defenders only need to be right once" isn't going to sell any products. Show Notes Richard Feynman and manhole covers Richard Feynman on Why He Can't Tell You How Magnets Work Israeli airport security FAA stolen sweater XKCD Is it worth the time CGP...

Episode 252 - Is open source dangerous? Open source won, who cares, shut up!

January 04, 2021 00:00 - 28 minutes - 27.3 MB

Josh and Kurt talk about a report on open source security from the Canadian Centre for Cyber Security. The title pretty much sums it up. Show Notes Security Considerations for Open Source Build an 8 bit computer from scratch

Episode 251 - Communication is hard, security communication is more hard

December 28, 2020 00:00 - 31 minutes - 29.7 MB

Josh and Kurt talk about communication. It's really hard to talk about a lot of what we do. How do we know if a device is secure? How do we know our knowledge is correct? Show Notes 90 percent of U.S. bills carry traces of cocaine Is the moon a star or planet? A mole of moles New homeowner 'freaked out' when stranger took control of her security system Coffee maker ransomware NIST Phish Scale The metric system Operation Paperclip

Episode 250 - Door 25: Why do we do the things we do? Question everything

December 25, 2020 00:00 - 6 minutes - 5.32 MB

Josh and Kurt talk about why we do the things we do. Sometimes we have to question everything. Links SLAM missile

Episode 249 - Door 24: Information wants to be free

December 24, 2020 00:00 - 5 minutes - 4.4 MB

Josh and Kurt talk about the idea of information wanting to be free. It's Christmas, we should give it what it wants! Links Hacker Manifesto

Episode 248 - Door 23: How to report 1000 security flaws

December 23, 2020 00:00 - 5 minutes - 4.16 MB

Josh and Kurt talk about how to file 1000 security flaws. One is easy, scale is hard.

Episode 247 - Door 22: How to report one security flaw

December 22, 2020 00:00 - 5 minutes - 4.11 MB

Josh and Kurt talk about how to report one security flaw

Episode 246 - Door 21: Bug bounties

December 21, 2020 00:00 - 5 minutes - 3.81 MB

Josh and Kurt talk about bug bounties

Episode 245 - Door 20: Is SMS 2FA better than no 2FA?

December 20, 2020 00:00 - 5 minutes - 4.07 MB

Josh and Kurt talk about if SMS 2 factor auth is better than no 2FA Links Cyber deepfaked their host

Episode 244 - Door 19: TLS certificate trust

December 19, 2020 00:00 - 5 minutes - 4.02 MB

Josh and Kurt talk about modern TLS certificate trust

Episode 243 - Door 18: Don't roll your own crypto or auth

December 18, 2020 00:00 - 5 minutes - 3.79 MB

Josh and Kurt talk about why it's a horrible idea to roll your own crypto or auth

Episode 242 - Door 17: Vulnerability response

December 17, 2020 00:00 - 5 minutes - 3.83 MB

Josh and Kurt talk about vulnerability response. What is it, what does it mean, how does it work

Episode 241 - Door 16: 16 bits of change

December 16, 2020 00:00 - 5 minutes - 3.9 MB

Josh and Kurt talk about the switch from 16 to 32 to 64 bit and even the changes from Intel to ARM

Episode 240 - Door 15: Supplier compliance

December 15, 2020 00:00 - 5 minutes - 4.05 MB

Josh and Kurt talk about supplier compliance Links Annex A.15.1 of ISO 27001:2013 Episode 162 – SBOM with Allan Friedman

Episode 239 - Door 14: Backdoors

December 14, 2020 00:00 - 5 minutes - 3.85 MB

Josh and Kurt talk about backdoors in open source software

Episode 238 - Door 13: Unlucky or survivor bias?

December 13, 2020 00:00 - 4 minutes - 3.9 MB

Josh and Kurt talk about the unluckiest man in the world and survivor bias Links Unluckiest man in the world

Episode 237 - Door 12: Video game hacking

December 12, 2020 00:00 - 4 minutes - 3.72 MB

Josh and Kurt talk about video game hacking. The speedrunners are doing the best security research today Links Super Mario World RCE

Episode 236 - Door 11: Should you get on a 737?

December 11, 2020 00:00 - 5 minutes - 3.83 MB

Josh and Kurt talk about the safety of a 737 Links FAA says 737 is safe

Episode 235 - Door 10: Deciding what information matters

December 10, 2020 00:00 - 5 minutes - 3.87 MB

Josh and Kurt talk about Apple leaking internal IP addresses. Sometimes we create our own emergencies over things that don't matter. Links Apple's internal IP addresses

Episode 234 - Door 09: public key cryptography

December 09, 2020 00:00 - 5 minutes - 4.06 MB

Josh and Kurt talk about public key cryptography

Episode 233 - Door 08: man 8 security

December 08, 2020 00:00 - 5 minutes - 4.08 MB

Josh and Kurt talk about the OpenBSD security(8) man page and the importance of automating security Links OpenBSD security(8) page

Episode 232 - Door 07: 7 is the best prime, 2 is the dumbest

December 07, 2020 00:00 - 5 minutes - 4.13 MB

Josh and Kurt talk about prime numbers

Episode 231 - Door 06: 6 wifi risks ... that don't actually matter

December 06, 2020 00:00 - 5 minutes - 3.86 MB

Josh and Kurt talk about the non problems with public wifi we love to pretend matter Links The Half Dozen Risks of Using Dirty Public Wi-Fi Networks

Episode 230 - Door 05: 5 reasons you need 24/7 robot monitoring

December 05, 2020 00:00 - 4 minutes - 3.62 MB

Josh and Kurt talk about why you need 24/7 monitoring of all the things Links Swiss air force office hours DC-10 cargo door

Episode 229 - Door 04: EFF's Cover Your Tracks

December 04, 2020 00:00 - 5 minutes - 3.94 MB

Josh and Kurt talk about how the EFF is helping us prevent Internet tracking Links EFF Cover Your Tracks

Episode 228 - Door 03: Do all vulnerabilities matter equally?

December 03, 2020 00:00 - 5 minutes - 3.74 MB

Josh and Kurt talk about how many security vulnerabilities matter enough to fix? Links A Third of Known Computer Security Flaws Have No Solution Episode 162 – SBOM with Allan Friedman

Episode 227 - Door 02: Marketing department or selection bias?

December 02, 2020 00:00 - 4 minutes - 3.16 MB

Josh and Kurt talk about cybersecurity statistics and the value of the data we have. Links 24 Cybersecurity Statistics That Matter In 2020

Books

One Step Behind
1 Episode

Twitter Mentions

@joshbressers 292 Episodes
@kurtseifried 291 Episodes
@gossithedog 3 Episodes
@robknake 2 Episodes
@mayhemdayone 2 Episodes
@dotmudge 2 Episodes
@lizrice 2 Episodes
@simplenomad 2 Episodes
@wdormann 2 Episodes
@snowboardvstree 1 Episode
@kmcquade3 1 Episode
@imbecillicusrex 1 Episode
@weldpond 1 Episode
@wendyck 1 Episode
@lorisdegio 1 Episode
@travismurdock 1 Episode
@ilianathewitch 1 Episode
@danpopnyc 1 Episode
@antitree 1 Episode
@sawaba 1 Episode