
Open Source Security Podcast

427 episodes - English - Latest episode: about 14 hours ago - ★★★★★ - 38 ratings

A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.

Technology cybersecurity open opensource security source

Episodes

Episode 226 - Door 01: Advent calendars

December 01, 2020 00:00 - 4 minutes - 4.83 MB

Josh and Kurt talk about advent calendars. We are publishing 25 five-minute episodes in 25 days. Also portable X-ray machines.

Episode 225 - Who is responsible if IoT burns down your house?

November 23, 2020 00:00 - 30 minutes - 27.4 MB

Josh and Kurt talk about the safety and liability of new devices. What happens when your doorbell can burn down your house? What if it's your fault the doorbell burned down your house? There isn't really any prior art for where our devices are taking us; who knows what the future will look like. Show Notes Ring Doorbell recall Ring incorrect screw diagram Punctured battery Episode 145 – What do security and fire have in common? Phillips vs Robertson screws Wendy Knox Everette ...

Episode 224 - Are old Android devices dangerous?

November 16, 2020 00:00 - 31 minutes - 30.1 MB

Josh and Kurt talk about what happens when important root certificates expire on old Android devices. Who should be responsible? How can we fix this? Is this even something we can or should fix? How devices should age is a really hard problem that needs a lot of discussion. Show Notes Unboxing coins Old Android devices certificate store Steve1989MREInfo

Episode 223 - Full disclosure won, deal with it

November 09, 2020 00:00 - 30 minutes - 28.7 MB

Josh and Kurt talk about the idea behind the full disclosure of security vulnerability details. There have been discussions about this topic for decades, with many people on all sides of the issue. The reality, however, is that if you look at the current state of things, this discussion is settled: full disclosure won. Show Notes Hacker One 100 million payout Project Zero bug Remington gun trigger class action lawsuit Square windows on a plane

Episode 222 - HashiCorp Boundary with Jeff Mitchell

November 02, 2020 00:00 - 29 minutes - 25.5 MB

Josh and Kurt talk to Jeff Mitchell about the new HashiCorp project Boundary. We discuss what Boundary is, why it's cooler than a VPN, and how you can get involved. Show Notes Jeff Mitchell HashiCorp Boundary announcement Discuss forum Boundary Project Boundary GitHub

Episode 221 - Security, magic, and FaceID

October 26, 2020 00:00 - 30 minutes - 29.4 MB

Josh and Kurt talk about how to get started in security. It's like the hero's journey, but with security instead of magic. We then talk about what Webkit bringing Face ID and Touch ID to the browsers will mean. Show Notes Hero's Journey Mudge's Tweet L0pht at Congress Bob Ross Webkit Face ID and Touch ID for the Web

Episode 220 - Securing network time and IoT

October 19, 2020 00:00 - 30 minutes - 28.3 MB

Josh and Kurt talk about Network Time Security (NTS), how it works, and what it means for the world (probably not very much). We also talk about Singapore's Cybersecurity Labelling Scheme (CLS). It probably won't do a lot in the short term, but we hope it's a beacon of hope for the future. Show Notes Network Time Security NTP and the University of Wisconsin Cybersecurity Labelling Scheme (CLS)

Episode 219 - Chat with Larry Cashdollar

October 12, 2020 00:00 - 32 minutes - 25.5 MB

Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it! Show Notes Akamai Larry's website Larry's First CVE

Episode 218 - The past was a terrible place

October 05, 2020 00:00 - 29 minutes - 28.3 MB

Josh and Kurt talk about change. Specifically we discuss how the past was a terrible place. Never believe anyone who tells you it was better. Part of a career now is learning how to learn. The things you learn today won't be useful skills in a few years. The future is always better than the past. Even in 2020. Show Notes I no longer build software Temple OS Top Gear electric car 1959 Bel Air crash test

Episode 217 - How to tell your story with Travis Murdock

September 28, 2020 00:00 - 29 minutes - 28.1 MB

Josh and Kurt talk to Travis Murdock about how to tell your story. Travis explains how to talk to the press and how to tell our story in a way that helps get our message across and lets the reporter do their job better. Show Notes Ruder Finn CVE-2009-3555 Heartbleed

Episode 216 - Security didn't find life on Venus

September 21, 2020 00:00 - 31 minutes - 29.7 MB

Josh and Kurt talk about how we talk about what we do in the context of life on Venus. We didn't really discover life on Venus, we discovered a gas that could be created by life on Venus. The world didn't hear that though. We have a similar communication problem in security. How often are your words misunderstood? Show Notes Phosphine on Venus GPS and relativity

Episode 215 - Real security is boring

September 14, 2020 00:00 - 30 minutes - 28.8 MB

Josh and Kurt talk about attacking open source. How serious is the threat of developers being targeted or a git repo being watched for secret security fixes? The reality of it all is there are many layers in a security journey, the most important things you can do are also the least exciting. Show Notes Targeting developers XKCD Infrastructure comic Hiding security flaws in git Mossad vs Not-Mossad (PDF warning)

Episode 213 - Security Signals: What are you telling the world

September 07, 2020 01:55 - 32 minutes - 30.3 MB

Josh and Kurt talk about how your actions can tell the world if you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously. Show Notes Reddit carbon monoxide Part 1 Part 2 GCP Grey minus infinity Josh's blog post

Episode 212 - Grab Bag: The Security We Deserve Edition

August 31, 2020 00:00 - 29 minutes - 28.2 MB

Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas. Show Notes Blanket rack Chromium DNS traffic Ubuntu MOTD Microsoft telemetry YAM coin implodes Panda Cubs

Episode 211 - The only thing harder than signing files is managing users

August 24, 2020 00:00 - 29 minutes - 28.9 MB

Josh and Kurt talk about the Microsoft 2-year-old signature bug and Github no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks

Episode 210 - Cult of Information Security

August 17, 2020 00:00 - 28 minutes - 26.1 MB

Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It's not all bad though, there are some things we can do to help move things forward. This episode shouldn't be taken too seriously. Show Notes "cult of information security" How to start a cult

Episode 209 - Secure Boot isn't Secure

August 10, 2020 00:00 - 33 minutes - 30.5 MB

Josh and Kurt talk about Secure Boot. The conversation uses the recent "Boot Hole" vulnerability to frame a conversation about what Secure Boot is and isn't: why the Boot Hole flaw doesn't really matter, and why Secure Boot was very scary for Linux users back when it came out. Show Notes Boot Hole

Episode 208 - Passwords are pollution

August 03, 2020 00:00 - 32 minutes - 30.1 MB

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it's that we don't have metrics. Can you measure not getting hacked? Show Notes Clearing checks FAIR Institute Factorio

Episode 207 - Weaponized attention

July 27, 2020 00:00 - 33 minutes - 31.6 MB

Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text. How we create, and how social media is doing everything it can to weaponize our attention. It's not a fight humanity is winning. Show Notes GPT-3 AI Blipverts

Episode 206 - Confidential Virtual Machines; The future of cloud computing

July 20, 2020 00:00 - 31 minutes - 28.8 MB

Josh and Kurt talk about Google's new confidential VMs. The AMD Secure Encrypted Virtualization is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud. Show Notes Google confidential VMs AMD SEV SEV vs SGX

Episode 205 - The State of Open Source Security with Alyssa Miller from Snyk

July 13, 2020 00:00 - 31 minutes - 28.5 MB

Josh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we're seeing in open source security, and some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It's a great conversation! Show Notes The State of Open Source Security 2020 Alyssa's Twitter

Episode 204 - What Would Apple Do?

July 06, 2020 00:00 - 32 minutes - 31.4 MB

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables

Episode 203 - Humans, conferences, and security: let me think and get back to you in a bit

June 29, 2020 00:00 - 32 minutes - 31 MB

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of whether a conference is useful or not. We come to the agreement that the big shows aren't what they used to be, but things like BSides are great experiences. Show Notes Security and Human Behaviour Josh's blog post Mudge's Twitter thread

Episode 202 - The convergence of application security

June 22, 2020 00:00 - 29 minutes - 27.8 MB

Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution? Show Notes Picture of Kurt's security check-up Dragon controls

Episode 201 - We broke CVSSv3, now how do we fix it?

June 15, 2020 00:00 - 31 minutes - 29.3 MB

Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected, and in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? Show Notes Josh's blog post NVD Red Hat security data Josh's CVE data project Microsoft security ratings scale

Episode 200 - Talking Container Security with Liz Rice

June 08, 2020 00:00 - 28 minutes - 26.3 MB

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future? Show Notes Container Security download Pictures of elephants Kubernetes Security book Starboard project Dynamic threat analysis

Episode 199 - Special cases are special: DNS, Websockets, and CSV

June 01, 2020 00:00 - 29 minutes - 27.8 MB

Josh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes always, not even that one time. Show Notes Bind advisory Robustness Principle eBay port scanning localhost OWASP CSV injection

Episode 198 - Good advice or bad advice? Hang up, look up, and call back

May 25, 2020 00:00 - 33 minutes - 31.9 MB

Josh and Kurt talk about the Krebs blog post titled "When in Doubt: Hang Up, Look Up, & Call Back". In the world of security there isn't a lot of actionable advice, so it's worth discussing whether something like this will work, or even whether it's the right way to handle these situations. Show Notes When in Doubt: Hang Up, Look Up, & Call Back Tech Support Scam podcast: Part 1, Part 2 STIR/SHAKEN Drill the wrong safe deposit box 2009 Bank of Ireland robbery

Episode 197 - Beer, security, and consistency; the newer, better, triad

May 17, 2020 23:22 - 29 minutes - 28.4 MB

Josh and Kurt talk about what beer and reproducible builds have in common. It's a lot more than you think, and it mostly comes down to quality control. If you can't reproduce what you do, you're not a mature organization and you need maturity to have quality. Show Notes Reinheitsgebot Josh's Blog Post Ken Thompson's reflections on trusting trust Tor Browser Deterministic Builds One line package broke npm create Donkey Kong 64 memory leak

Episode 196 - Pounding square solutions into round holes: forced updates from Ubuntu

May 11, 2020 00:00 - 32 minutes - 31.4 MB

Josh and Kurt talk about automatic updates. Specifically we discuss a recent decision by Ubuntu to enable forced automatic updates. There are lessons here for the security community. We have a history of jumping to solutions rather than defining and understanding problems. Sometimes our solutions aren't the best. Also murder bees. Show Notes The Oatmeal giant bee comic Honeybees cook giant hornet Ubuntu 20.04 LTS’ snap obsession has snapped me off of it Forum discussion

Episode 195 - Is BGP actually insecure?

May 04, 2020 00:00 - 31 minutes - 29.2 MB

Josh and Kurt talk about the uproar around Cloudflare's "Is BGP safe yet" site. It's always interesting watching how much people will push back on new things, even if the new thing is probably a step in the right direction. The clever thing Cloudflare is doing in this instance is making the BGP problem something anyone can understand. Also send us your funny dog stories. Show Notes Is BGP safe yet? Reddit BGP conversation Hacker News BGP conversation Stealing cryptocurren...

Episode 194 - Working from home security: resistance is futile

April 27, 2020 00:00 - 31 minutes - 29.4 MB

Josh and Kurt talk about the new normal that's working away from an office. It's not exactly working from home as there are some unforeseen challenges that we just took for granted in the past. There are a lot of new and strange security problems we have to adapt to, everyone is doing amazing work with very little right now. Show Notes Microsoft buys corp.com Hijack computer network traffic with a Pi Zero

Episode 193 - Security lessons from space: Apollo 13 edition

April 20, 2020 00:00 - 35 minutes - 32.4 MB

Josh and Kurt talk about space. We intended to focus on Apollo 13, but as usual we have no ability to stay on topic. There are a lot of fun space discussions in this one though. Do you think you can hack Voyager 1? Only if you have a big enough satellite dish. Show Notes Eavesdropping on Apollo 11 Apollo 11 classified weather satellite The pen that saved Apollo 11

Episode 192 - Work without progress - what Infosec can learn from treadmills

April 13, 2020 00:00 - 33 minutes - 30 MB

Josh and Kurt talk about Kurt's recent treadmill purchase and the lessons we can learn in security from the consumer market. The consumer market has learned a lot about how to interact with their customers in the last few decades; the security industry is certainly behind in this space today. Once again we display our ability to tie even the seemingly mundane things back to a discussion about security. Show Notes Eating goldfish off the treadmill

Episode 191 - Security scanners are all terrible

April 06, 2020 00:00 - 35 minutes - 32.1 MB

Josh and Kurt talk about security scanners. They're all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you're running the scanner and what the reports mean? Show Notes Edmonton freeze thaw cycles Josh's security scanner blog series

Episode 190 - Building a talent "ecosystem"

April 05, 2020 23:44 - 32 minutes - 28.3 MB

Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada's entertainment industry and Unit 8200 are good examples of this. Show Notes SCTV Red Team Project Moon Shot book AvE channel Turning a tree root into a bowl Mailing the Hope Diamond The Ecosystem

Episode 189 - Video game hackers - speedrunning

March 30, 2020 00:00 - 33 minutes - 30.6 MB

Josh and Kurt talk about video games and hacking. Specifically how speed runners are really just video game hackers. Show Notes Developer speedrun commentary Super Mario World end credits glitch explained Mario 3 RCE Breath of the Wild speedrun Super Metroid reverse boss order TMR beats every NES game

Episode 188 - Depressing news sucks, we're talking about cheating in video games

March 23, 2020 00:00 - 31 minutes - 28.1 MB

Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There's a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun. Show Notes Penny Arcade Banned from Fortnite Apollo Robbins, world's best pickpocket

Episode 187 - Wireguard vs IPsec: the OK Boomer of security

March 15, 2020 23:34 - 30 minutes - 27.2 MB

Josh and Kurt talk about WireGuard. There have been a lot of recent conversations about it and whether it's better or worse than other VPN solutions. It's safe to say in our modern age, less is usually more, especially when it comes to security. WireGuard has a lot going for it; it can't be ignored. Show Notes Replacing a Nintendo Switch fan WireGuard Hacker News discussion

Episode 186 - Endpoint security with Tony Meehan

March 08, 2020 23:00 - 30 minutes - 22.8 MB

Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics. Show Notes Tony Meehan Rob Joyce on Disrupting Nation State Hackers Bobby Filar living off the land blog Dwell time graph Snowboarder vs Tree

Episode 185 - Is it even possible to fix open source security?

March 02, 2020 00:00 - 31 minutes - 30.4 MB

Josh and Kurt talk about the Linux Foundation Census 2. There is a lot of talk around how to fix open source security, but the reality is we can't fix it. We need to stop trying to fix what isn't broken and instead engineer around the system we have, not the system we want. Show Notes Linux Foundation Census 2 Core Infrastructure Initiative

Episode 184 - It’s DNS. It's always DNS

February 24, 2020 00:00 - 33 minutes - 26.9 MB

Josh and Kurt talk about the sale of the corp.com domain. Is it going to be the end of the world, or a non event? We disagree on what should happen with it. Josh hopes an evildoer buys it, Kurt hopes for Microsoft. We also briefly discuss the CIA owning Crypto AG. Show Notes corp.com is for sale CIA owned Crypto AG

Episode 183 - The great working from home experiment

February 17, 2020 00:13 - 32 minutes - 26.5 MB

Josh and Kurt talk about a huge working from home experiment because of the Coronavirus. We also discuss some of the advice going on around the outbreak, as well as how humans are incredibly good at ignoring good advice, often to their own peril. Also an airplane wheel falls off. Show Notes Work from home Hacker News discussion CDC advice How to wash your hands Air Canada flight without running water Airplane wheel falling off

Episode 182 - Does open source owe us anything?

February 10, 2020 00:00 - 28 minutes - 24 MB

Josh and Kurt talk about open source maintainers and building communities. While an open source maintainer doesn't owe anyone anything, there are some difficult conversations around holding back a community rather than letting it flourish. Show Notes Actix-web story Lodash Possible Lodash security issue JavaScript libraries are almost never updated Ularn

Episode 181 - The security of SIM swapping

February 03, 2020 00:00 - 32 minutes - 30.7 MB

Josh and Kurt talk about SIM swapping. What is it, how does it work, and why should you care? There's not a ton you can do to protect yourself, but we go over some of the basic concepts and what to watch out for. It's unfortunate this is still a problem. Show Notes Five Major US Wireless Carriers Are Vulnerable to SIM Swapping Edmonton Police SIM swap website

Episode 180 - A Tale of Two Vulnerabilities

January 27, 2020 01:01 - 31 minutes - 29.2 MB

Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard. Show Notes Microsoft flaw CVE-2020-0601 Citrix flaw CVE...

Episode 179 - Google Project Zero and the 90 day clock

January 20, 2020 00:32 - 31 minutes - 28.2 MB

Josh and Kurt talk about the updated Google Project Zero disclosure policy. What's the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won't drastically change much. Show Notes Google and 90 day patch disclosure Upgrading all Windows versions

Episode 178 - Are CVEs important and will ransomware put you out of business?

January 13, 2020 00:00 - 32 minutes - 30.5 MB

Josh and Kurt talk about a discussion on Twitter about whether discovering CVE IDs is important for a resume. We don't think it is. We also discuss the idea of ransomware putting a company out of business. Did it really? Possibly, but it probably won't create any substantial change in the industry. Show Notes Games Done Quick Ransomware puts company out of business 1 in 5 companies shut down due to ransomware Laura Shin SIM Swap Podcast

Episode 177 - Fake or real? The security of counterfeit goods

January 06, 2020 00:00 - 29 minutes - 28.5 MB

Josh and Kurt talk about marketplace safety and security. Will we ever see an end to the constant flow of counterfeit goods? The security industry has the same problem the marketplace industry has: without substantial injury we don't see movement towards meaningful change. Show Notes BrickLink Cars in Canada lighting on fire President Roosevelt used Al Capone's Limo Dangerous car seats Fake external hard drive

Episode 176 - The 'predictions are stupid' prediction episode

December 30, 2019 00:00 - 32 minutes - 29.8 MB

Josh and Kurt talk about security predictions for 2020. None of the predictions are even a bit controversial or unexpected. We're in a state of slow change; without disruptive technology, next year will look a lot like this year. Show Notes The Rising Speed of Technological Adoption Slack Certified GDPR Fines and Notices

Books

One Step Behind
1 Episode

Twitter Mentions

@joshbressers 292 Episodes
@kurtseifried 291 Episodes
@gossithedog 3 Episodes
@robknake 2 Episodes
@mayhemdayone 2 Episodes
@dotmudge 2 Episodes
@lizrice 2 Episodes
@simplenomad 2 Episodes
@wdormann 2 Episodes
@snowboardvstree 1 Episode
@kmcquade3 1 Episode
@imbecillicusrex 1 Episode
@weldpond 1 Episode
@wendyck 1 Episode
@lorisdegio 1 Episode
@travismurdock 1 Episode
@ilianathewitch 1 Episode
@danpopnyc 1 Episode
@antitree 1 Episode
@sawaba 1 Episode