Open Source Security

Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It's easy to claim just because source code being available doesn't matter. But the reality is when source code is needed, it can make a huge difference for everyone working together, just like we saw with xz.

• Lindt admits chocolate may not be ‘expertly crafted’ in class-action lawsuit battle
• Mitchell & Webb - Needlessly ambiguous terms

Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more.

• Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch
• Kurt's Plugin

Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is no lost! There's some great ideas on what the future needs to look like.

• Donald Fischer
• Brian Fox
• Tidelift
• Sonatype
• The 2024 Tidelift state of the open source maintainer report
• Sonatype State of the Software Supply Chain
• Anchore 2024 Software Supply Chain Security Report
• OpenSSF TAC issue 101

Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen.

• Request for Comment on Product Security Bad Practices Guidance
• FY2025-2026 CISA International Strategic Plan
• EU brings product liability rules in line with digital age and circular economy
• CSA Cloud Controls Matrix

Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source.

• Meshtastic
• Heltec LoRa 32(V3) Radio
• 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous
• Meshtastic Routing Issues & Deployment Scenarios
• TC2-BBS-mesh
• The Comms Channel
• Josh's BBS
• Heltec T114 bug

Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work.

• Seth Larson
• XKCD PGP Signature
• Seth's Blog
• Python and Sigstore
• Deprecating PGP - PEP 761
• Python SBOMs

Josh and Kurt talk about the current Wordpress / WP Engine mess. In what is certainly a supply chain attack, the Advanced Custom Fields forking. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn't be this exciting. The bad sort of exciting.

• WordPress.org’s latest move involves taking control of a WP Engine plugin
• Wordpress / WP Engine timeline
• Knorr German Recipes

Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means.

• CUPS vulnerability
• Akamai report
• Wil Wheaton: being a nerd is not about what you love; it’s about how you love it

Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining security, not blaming vendors for giving the market what it demands.

• iCloud Photos Downloader
• CISA boss: Makers of insecure software must stop enabling today's cyber villains
• A Security Market for Lemons
• CISA and FBI Release Secure by Design Alert on Eliminating Cross-Site Scripting Vulnerabilities
• CISA Secure by Design Pledge
• Railroad Newsletter
• CISA Secure Software Development Attestation Form

Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of ideas".

• THE 2024 TIDELIFT STATE OF THE OPEN SOURCE MAINTAINER REPORT
• Canadian passport
• Changelog Interviews #433
• Pandas CVE

Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasonable way.

• We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
• Heinz says sorry for ketchup QR code that links to porn site

Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger risk equations. It's a really fun discussion.

• Jay Jacobs on LinkedIn
• EPSS
• Jay's graph animation
• Cyentia's A Visual Exploration of Exploits in the Wild

Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it's becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time.

• Chrome dumped support for Ubuntu 18.04 – but it'll be back
• Linus Torvalds talks AI, Rust adoption, and why the Linux kernel is 'the only thing that matters'
• Pidgin backdoor

Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems.

• Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event
• The Reason Train Design Changed After 1948

Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to Josh what's going on, because Josh doesn't want to care (and will continue to ignore all of this going forward).

• Firefox's Mozilla follows Google in losing trust in Entrust's TLS certificates
• DigiCert Revocation Incident (CNAME-Based Domain Validation)
• List of Trust Lists

Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities.

• CWE
• Episode 360 – Memory safety and the NSA
• Inside 22,734 Steam games

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is, their primary goal is to help keep development secure.

• Grassr00tz
• Pamela Chestek copyright paper
• Josh's presentation

Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created.

• The graying open source community needs fresh blood
• OSPOs for Good 2024
  • Day 1 Part 1
  • Day 1 Part 2
  • Day 2 Part 1
  • Day 2 Part 2
• FFmpeg bug
• JSON Editor Online
• https://rfc3339.com/

Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved. Trying to measure open source isn't producing anything actionable, but getting involved is very actionable, and very much how open source works.

• CISA: Continued Progress Towards a Secure Open Source Ecosystem
• Whitehouse: Administration Cybersecurity Priorities for the FY 2026 Budget

Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important, we have to start to understand what's going on before we can plausibly discuss solutions. If you're an open source project that needs to put things on pause, or even walk way, that's OK.

• CocoaPods Vulnerabilities Could Hit Apple, Microsoft, Facebook, TikTok, Snap and More
• The Expense of Unprotected Free Software
• Long-term maintenance of PCRE2 #426

Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch.

The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we've ever seen. It's a weird conversation and we don't have good answers. Security in general is a collection of unsolvable problems.

• Qualys security advisory
• Hacker News Discussion
• Security Cryptography Whatever
• Dev rejects CVE severity, makes his GitHub repo read-only

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here to stay.

• Polyfill supply chain attack hits 100K+ sites
• OpenSSF Scorecard

Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there's some numbers for open source specifically.

• The West Coast’s Fanciest Stolen Bikes Are Getting Trafficked by One Mastermind in Jalisco, Mexico
• $5 million worth of stolen tools recovered thanks to Apple's AirTag — 12 secret storage facilities had around 15,000 construction tools
• Vulnerability fixes in plain sight: How your scanners are missing hundreds of vulnerabilities

Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future.

• OpenSSH introduces options to penalize undesirable behavior
• Hacker News comments

Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation.

• Flipper Zero Website
• Headphone jack radio capture
• Flipper Zero on Tik Tok

Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space as you'll hear in the discussion. There's no a simple solution, but this is certainly something to discuss.

• Your API Shouldn't Redirect HTTP to HTTPS
• Hacker News discussion
• HSTS Section 5.1

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future?

• Kurt's strange coffee
• Why a 'frozen' distribution Linux kernel isn't the safest choice for security

Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there's some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell developers what to do. Developers don't like being told what to do.

• pycurl issue
• Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away
• RSA ANIMATE: Drive: The surprising truth about what motivates us
• Sudo-rs dependencies: when less is better
• phishing webcomic
• Debian OpenSSL Bug (16 years)

Josh and Kurt talk about a new to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default.

• GitHub artifact attestation

Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo.

• Conan O'Brien on Hot Ones
• Lennart's Mastodon thread
• xkcd automation

Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have, there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We really need to rethink how we handle vulnerabilities.

• OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories
• paper: LLM Agents can Autonomously Exploit One-day Vulnerabilities
• Cisco Fixes RV320/RV325 Vulnerability by Banning “curl” in User-Agent
• Episode 219 – Chat with Larry Cashdollar
• Cory Doctorow: What Kind of Bubble is AI?

Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical?

• Hacker News searchable database

• Benford's law

• John Oliver Medicaid

• Mario64 invisible walls

• Pretendo

• Pretendo exploit

Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice.

• Help us to take down the parasite website
• Open Source is bigger than you can imagine
• Toronto Pearson International Airport heist

Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really weird and hard problem.

• GrapheneOS
• FCC approves cybersecurity label for consumer devices
• Cyber Trust Mark Logo

Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can't fix this problem as it stands, we don't know where to start yet. But that's not a reason to lose hope. We can fix this if we want to, but it won't be flashy, it'll be hard work.

• GossiTheDog's Blog Post
• fr0gger diagram
• OpenSSF Blog (archive)
• stb library

Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing.

• RFC 9116

Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come.

• Secure Software Development Attestation Form
• The U.S. Military Is Missing Six Nuclear Weapons
• NIST 800-218

Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were.

• Anchore's Blog
• Grype
• Josh's Cyphercon Talk
• Ecosyste.ms
• Episode 266 – The future of security scanning with Debricked

Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of a massive ecosystem like GitHub.

• GitHub besieged by millions of malicious repositories in ongoing attack

Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that.

• Mon Dieu! Nearly half the French population have data nabbed in massive breach
• Feds move to ban auto theft tech device ‘Flipper Zero’
• Gmail and Yahoo’s 2024 inbox protections and what they mean for your email program
• Vending machine error reveals secret face image database of college students

Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting.

• Greg K-H
• Linux Kernel is a CNA
• Machine learning and stable kernels
• Bug reporting for Linux

Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible.

• Thomas Depierre
• I am not a supplier
• Open Source In The European Legislative Landscape devroom
• Cyber Resilience Act
• The 2023 Tidelift state of the open source maintainer report

Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it in. It's a weird topic, but probably pretty important.

• How I reduced the size of my very first published docker image by 40% - A lesson in dockerizing shell scripts
• Hacker News Discussion
• Episode 293 – Scoring OpenSSF Security Scoring

Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands.

• Open Source Doesn't Require Providing Builds
• The things nobody wants to pay for
• Audacity privacy policy update has caused an outcry
• The History of X11

Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people are watching and it only takes one person to notice a problem and we all benefit.

• Peanut Butter the dog plays Gyromite
• The Wizard movie
• PyTorch supply chain attack
• npm Package Found Delivering Sophisticated RAT
• Deceptive Deprecation: The Truth About npm Deprecated Packages
• Changing a lightbulb
• Spelunking the Bitcoin Blockchain with Josh Bressers | CypherCon 4.0
• Operation Triangulation - What You Get When Attack iPhones of Researchers
• 9th Annual State of the Software Supply Chain

Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to.

• Security leaders weigh in on 23andme hack
• Don't need a gun when you have a Donk - Crocodile Dundee 2
• Hackers can infect network-connected wrenches to install ransomware
• My disappointment is immeasurable, and my day is ruined

Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries.

• SELinux
• AppArmor
• SSH
• ModSecurity
• Snort
• Nmap
• Nessus
• What comes after open source

Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not.

• OpenSSF CISA response
• purl
• CPE
• OmniBOR
• SWID

Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It's sort of a dire conversation, but not all hope is lost.

• Polish manufacturer accused of programming failures into its trains to gain more servicing business
• Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them
• Blender Conference Keynote
• Corey Doctorow
• Chicago has a problem until the year 2083 | Stand-up Maths
• Chicago Doesn’t Own Its Own Streets | Climate Town

Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It's a lively discussion all about the past, present, and future of open source LTS.

• Why Kubernetes needs an LTS
• Linux gives up on 6-year LTS kernels, says they’re too much work

It's the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There's some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us in the near future (if it isn't already). While less fun than we had hoped for, it's an important conversation.

• Sea Elf
• Ollama
• UnitedHealth uses faulty AI to deny elderly patients medically necessary coverage, lawsuit claims
• Stephen Fry on AI
• Lawyer who cited cases concocted by AI asks judge to spare sanctions
• Hugging Face

Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in the macbooks. The common thread between all these stories is looking at the return on investment for security. Sometimes good enough security is fine, sometimes it's not worth fixing certain security problems because the risk vs reward doesn't work out.

• TETRA:BURST
• GPS spoofing attack
• Apple MacBooks cellular radio
• Mossad vs Not Mossad

Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details and focus on doing something that feels "right".

• Why Capcom thinks PC game modding is akin to “cheating”
• Ben Heck

Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. But the government plays by a very different set of rules.

• Canada bans WeChat, Kaspersky applications on government devices
• Fitness tracking app Strava gives away location of secret US army bases
• Phishing emails increase over 1,200 percent since ChatGPT launch
• FedRAMP Rev 5
• FAIR Institute

Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it's currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea.

• Mozilla site
• Root CA mailing list
• UK eIDAS regulation
• EFF statement on eIDAS
• Fixed XKCD comic

Josh and Kurt talk about security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there's not a lot of movement to fix many of them. Tech is weird and hard, and with the almost complete lack of regulation creates some of these challenges. In the world of security we need a better talent pipeline, but that takes actual efforts, not just complaining on the internet.

• Schneier on security skill shortage
• British Airways flight smoke
• The Password Game
• Tesla accidents
• Lawn darts

Josh and Kurt talk about a proposed Dutch proposal that would allow the intelligence services to hack victims of adversaries they are in the process of infiltrating. The purpose of this discussion isn't to focus on the Dutch specifically, but rather to discuss the larger topic of government oversight. These are all very new concepts and nobody knows how things should work.

• Dutch hacking proposal
• Give Me Toilet Paper! by Asuka424 in 9:54 - Summer Games Done Quick 2023
• Flipper Zero Smart Meter
• Frequency Hopping
• Teri Kanfield

Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, we chat with him about the security of curl. Daniel tells us how curl is kept secure, we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project.

• Daniel's Mastodon account
• Curl
• The curl CVE blog
• Broken curl on PowerShell
• wolfSSL

Josh and Kurt talk about Sonatype's 9th Annual State of the Software Supply Chain. There's a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that's true? Does it really matter?

• Sonatype report
• ecosyste.ms
• GNOME libcue flaw
• Reality 2.0 supply chain episode

Josh and Kurt talk about a curl and glibc bug. The bugs themselves aren't super interesting, but there are other conversations around the bugs that are interesting. Why don't we just rewrite everything in Rust? Why can't we just train developers to stop writing insecure code. How can AI solve this problem? It's a marvelous conversation that ends on the very basic idea: we already have the security the market demands. Unless we change that demand, security won't change.

• Curl vulnerability
• glibc vulnerability
• Josh's Badge Project
• Bob Lord's phishing message

Josh and Kurt talk about contributor license agreements (CLAs). CLAs used to be seen as a necessary evil, but they're almost certainly bad now. We're seeing CLAs being abused, it's clear now anything controlled by a CLA won't be open source forever.

• A Theory of Joint Authorship for Free and Open Source Software Projects
• Bruce Perens: What Comes After Open Source

Josh and Kurt talk about uncertainty. There are a bunch of stories in the news lately that really just boil down to uncertainty. Uncertainty is incredibly dangerous for everyone. We are afraid of uncertainty, and often don't really understand why it is. Trust is like a currency and uncertainty erodes trust faster than almost anything else.

• Unity's license mess
• Godot
• Meta and Salesforce want to re-hire people they fired earlier this year
• U.S. Debt Credit Rating Downgraded, Only Second Time In Nation’s History

Josh and Kurt talk about filing bugs for software. There's the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can't. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it's something that can be actionable.

• Linux is a nightmare
• Lodash just declared issue bankruptcy and closed every issue and open PR
• Linux Kernel Faces Reduction in Long-Term Support Due to Maintenance Challenges
• Curl NULL pointer dereference

Josh and Kurt talk about the weird world we live in how where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how can we decide what to trust and where. It's a very strange problem we experience now.

• Boots theory
• MGM cybersecurity issue shuts down slot machines and ATMs in Las Vegas casinos
• New York Fire Department Forcible Entry Reference Guide
• Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works.

• Curl blog post
• Now it's PostgreSQL's turn to have a bogus CVE
• GitHub Advisory Database
• Josh's "CVE tried to get me fired" story

Josh and Kurt talk about wordpress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think about 100 years of disaster recovery.

• WordPress is now selling 100-year domains
• Danish ransomware
• 15-Minute City
• The Year Without Pants

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the class story of security vs usability. Security is never the primary goal. If a security requirement doesn't also enable other business goals it will fail. We also touch on the news of a Rust package containing binary files. It doesn't really have anything to do with security, it's all about convenience.

• C and C++ Prioritize Performance over Correctness
• Nisha's toot
• Barry Marshall
• Rust devs push back as Serde project ships precompiled binaries
• Why DARPA Hopes To 'Distill' Old Binaries Into Readable Code
• Mario 64 decompilation

Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward.

• Josh's BSidesLV talk
• Hacker News marked site as malware
• HashiCorp license change
• A Theory of Joint Authorship for Free and Open Source Software Projects

Josh and Kurt ask the question what is a vulnerability, but in the framing of video games. Security loves to categorize all bugs as security vulnerabilities or not security vulnerabilities. But the reality nothing is so simple. Everything is a question of risk, not vulnerability. The discussion about video games can help us to better have this discussion.

• Colossus bug
• Minecraft Heist

Josh and Kurt talk about the difference between what we think of as traditional open source, and enterprise software projects that have an open source license. They are both technically open source, but how the projects work is very very different.

• CentOS Stream PR
• The Most Prolific Packager For Alpine Linux Is Stepping Away

Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad driven companies seem to be acting very strangely, there's probably a reason for this. The way ads used to pay for content is changing, but a lot of these giant companies don't know how to adapt. It's going to be very interesting times in the near future.

• Web Environment Integrity
• Hacker News Thread
• Island Browser
• hunter2

Josh and Kurt talk about insider threats, but not quite in the way one would expect. The potential for insider threats is possibly higher than usual right now, but what about open source? Are open source developers insider threats for your organization? Have you ever thought about this before?

• CISA insider threats
• hacks4pancakes toot
• Don’t Trust a Programmer Who Knows C++
• CISA Insider Threat Mitigation

Josh and Kurt talk about some of the efforts to measure and understand open source. There are projects like the OpenSSF Scorecard. We want to measure open source for some idea of quality. Is AI generated code better than a random open source project found on GitHub? Can we track the countries contributors are from? These are all interesting problems that everyone will have to deal with soon.

• OpenSSF Scorecard

Josh and Kurt talk about the notion that open source is somehow dying. What's actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great, probably better than ever.

• Open Source isn't sustainable anymore
• VORON Design
• Video of the first lathe
• Plane Crazy
• Evernote layoffs

Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn't a show that bashes Red Hat, and it's not a show praising them. We take an honest look at the past, present, and future of Linux. There's a lot to talk about in this one. TL;DR, Red Hat was the chosen on, and we all feel betrayed.

• Red Hat's first blog post
• Red Hat's honest post
• DeWitt clause

Josh and Kurt talk about the incredible Reddit debacle. At the center of it all is an API. What does it mean to be using an API and how does this relate itself back to our own risk. Many of us rely on APIs for countless things, and if a company decides to cut off that API somehow, it could create a mess.

• Grimace's Birthday
• Reddit’s new API pricing will kill off Apollo on June 30
• Cory Doctorow enshitification
• Wal Mart pickle story
• Elon Musk and Mark Zuckerberg agree to hold cage fight

Josh and Kurt talk about a new program from the Sovereign Tech Fund to fund open source work. It's a great looking program with an acceptable amount of money behind the program. We also talk about a story claiming millions of perfectly good hard drives are destroyed per year. They're probably not OK at all.

• Sovereign Tech Fund Challenges
• Why millions of usable hard drives are being destroyed
• LTT Buys Storage Array

Josh and Kurt talk about some new open source projects that aim to start taking back some of our privacy and rights. It's a huge hill to climb, but it seems like there is some hope. Open source doesn't care about growth, or numbers, or anything really, so it can't ever lose.

• Codeberg
• Veilid
• Hawkins Cheezies
• Apollo's Reddit API costs

Josh and Kurt talk about namespaces. They were a topic in the last podcast, and resulted in a much much larger discussion for us. We decided to hash out some of our thinking in an episode. This is a much harder problem than either of us expected. We don't have any great answers, but we do have a lot of questions.

• Not Red Hat
• NPM hash package
• Episode 129 – The EU bug bounty program

Josh and Kurt talk about PyPI suspending new accounts and packages for a day, and a 60 minutes story about deepfakes. The problems are mostly the same, but for very different reasons. The world is changing faster than we can keep up, so what is a human to do?

• PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted](https://thehackernews.com/2023/05/pypi-repository-under-attack-user-sign.html)
• 60 minutes reporter voice clone
• Cooridor Crew deepfakes
• Certificate bit flip
• Candy is delicious

Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen.

• SLSA
• FRSCA
• S2C2F
• MSI leak
• Intel microcode
• Tom Scott AI Video

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn't there. it may never be there. Rather than whine and complain, we need to work with our constraints.

• Episode 77 – npm and the supply chain

Josh and Kurt revisit Episode 77, which was named "npm and the supply chain" but was a discussion about the incident we all know now as "leftpad". We didn't understand what was happening at the time, but this would become an event we talk about for years to come. It's shocking how many of the things we discuss are still completely valid five years later.

• Episode 77 – npm and the supply chain

This is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today.

• Original Episode 42
• Part 1

The podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools and talent has come a long way in the last few years).

This is a remaster of Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still relevant today.

• Original Episode 42

Josh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a few years ago, but our needs have changed.

• One Does Not Simply 'pip install'
• Dag Wieers RPM
• Webfinger GitHub repo

Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it's mostly one person. It's hard to imagine how this all works sometimes and this lack of understanding can create challenges.

• Josh's blog on the size of NPM
• One In Two New Npm Packages Is SEO Spam Right Now
• Linux Kernel power distribution graph

Josh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn't go very well. In this episode Josh and Kurt argue a lot, maybe someday we'll know who was the least wrong.

• ChatGPT Tweet
• ChatGPT Blog
• redis bug

Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it's doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future.

• Fiona on Mastodon
• Sovereign Tech Fund
• Sovereign Tech Fund Feasibility Study
• NJ Governor Requests Expertise of 6 People Who Still Know COBOL
• OpenSSF Criticality Score
• European critical open source software
• OSTIF critical open source projects
• Apply to the Sovereign Tech Fund

Josh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There's a lot to unpack in this one. There's a lot of happenings going on in the world of open source. We are seeing governments paying attention to open source like never before, change is coming and everything is going to change.

• ipmitool Repository Archived, Developer Suspended By GitHub
• Elixir: Docker now charges open source orgs $300

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it's normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it's coming to an end.

• LTT millenial pause
• The perverse incentive of vulnerability counting
• National Cybersecurity Strategy

Josh and Kurt talk to Thomas Depierre about his "I am not a supplier" blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There's too many topics to even list. The whole episode is an epic adventure through modern open source.

• Thomas on Mastodon
• I am not a supplier
• The Treachery of Images (Ceci n'est pas une pipe)
• Atlantic Council report
• The Field Guide to Understanding 'Human Error'
• Google wants new rules for developers working on 'critical' projects
• Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure
• Sovereign Tech Fund

Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell us different things depending on what we need to know. We also cover some of the community efforts happening around SBOMs. They're still not easy to use, but it's better better.

• SBOM Types draft
• SBOM Drift
• OpenSSF SBOM Everywhere

Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe.

• Joylynn Kirui
• Joylynn on DVT Tech Insights
• Episode 174 - a chat with GitHub about CodeQL
• S2C2F
• Azure Open Source Day

Josh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it's different. Why Rust doesn't have the same problems C and C++ have, and what the future of it all could look like. It's a really fun show with some great questions from Carol along the way.

• Carol Nichols on Mastodon
• The Rust Programming Language, 2nd Edition
• Rust book online
• Netflix tech blog on Java performance
• Rust in the context of Railroad Brakes
• Kees Cook blog - Bounded Flexible Arrays in C
• Consumer Reports on memory safety
• OSS-Fuzz and Rust

Josh and Kurt talk about the recent GitHub breach. It wasn't terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one.

• GitHub blog post
• Hacker History Podcast episode with Robert
• Super Mario 64 decompile
• Mario 64 built without optimization
• Link to the Past source code

Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can't fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C.

• NSA Releases Guidance on How to Protect Against Software Memory Safety Issues
• Drum memory and the story of Mel
• Netflix performance
• Discord Go vs Rust
• NVIDIA switch to Spark

Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It's also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren't any great answers here, but we do ask a lot of questions about long running tech.

• NOTAM outage
• AIX is not dead
• IBM Linux commercial
• Apple A/UX
• How NOT To Implement the POSIX Standard, Featuring Windows NT
• iSH
• Hand Made Vacuum Tubes

Josh and Kurt talk about the Furby source code going public. This is an opportunity to discuss what's changed in our attitude in devices that record our audio? Our devices today are vastly more powerful and dangerous than a Furby, what does your risk appetite look like?

• Furby source code
• Talking Toy Or Spy?
• Adam Ruins Everything - Why Jaywalking Is a Crime

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It's common to think of open source projects as delivered to us, but it's more like acquiring raw materials from the forest. The problem is we're harvesting the raw materials in an unsustainable manner at the moment.

• I am not a supplier
• Josh's question about the environment
• sjvn Gorilla toolkit article
• Gorilla Web Toolkit
• Awesome Games Done Quick GeoGuessr
• Awesome Games Done Quick 2023

Josh and Kurt talk about the LastPass saga. There's a lot of great explanations about what happened, but there hasn't been a lot of info on how to start cleaning up this mess. We rehash some of the existing details then try to untangle what existing users can do to try to start recovering. The real problem is how LastPass is dealing with this, not the technical details.

• Great writeup of LastPass
• Jeremi M Gosney Mastodon explanation
• Tavis writeup on password managers
• Use a Passphrase

Josh and Kurt talk about some security gifts for boxing day. We start out with the idea of the security poverty line and discuss a few ideas for how a low resource group can make their open source more secure. There are no simple answers unfortunately.

• Wendy Nather
• Security Poverty Line
• Boots Theory

Josh and Kurt talk about how hard multi factor authentication is. This all starts from a Mastodon thread, and Jerry Bell, the administrator of infosec.exchange joins us to discuss password security and all things Mastodon. Infosec.exchange is an incredible story and Jerry weaves a thrilling tale.

• infosec.exchange MFA discussion
• Jerry's 2FA advice
• MalwareTech retracts Mastodon statements

Josh and Kurt talk to Jill Moné-Corallo about GitHub's bug bounty and product security team. It's a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today.

• Jill's Twitter
• Jill's Mastodon
• GitHub Bug Bounty
• Bug bounty scope
• Eight years of the GitHub Security Bug Bounty program
• GitHub NPM bug bounty find

Josh and Kurt talk about a new tool that can do Stylometry analysis of Hacker News authors. The availability of such tools makes anonymity much harder on the Internet, but it's also not unexpected. The amount of power and tooling available now is incredible. We also discuss some of the future challenges we will see from all this technology.

• Hacker News Stylometry Analyzer
• FBI Profiler on the Unabomber
• Impersonate Eli Lilly for $8
• Shakespeare Stylometry

Josh and Kurt talk about end to end encrypted messages. This has been a popular topic lately due to the Mastodon popularity. Mastodon has a uniquely insecure messaging system, but they aren't the only one. The eternal debate of can security and usability exist together? We suspect it can't be, but it's a very complicated topic.

• EFF on Mastodon DM privacy
• Towards End-to-End Encryption for Direct Messages in the Fediverse
• Pluralistic: 14 Nov 2022 Even if you're paying for the product, you're still the product

Josh and Kurt talk about email security and the perils of trying to run your own mail infrastructure. We then get into discussing the value and danger of trying to run your own infrastructure, email, blogs, or most anything. There's a lot to juggle about all this these days, it's complicated.

• PowerDMARC
• Will Dormann
• GossiTheDog upgrades Exchange
• lcamtuf's blog
• I like Ice Cream

Josh and Kurt talk about the UK plan to scan their country's IP space. The purpose and outcome of this isn't completely clear at this point, but we are hopeful the data can be used as a positive force. We are only going to see more programs like this as all the governments are told they have to cyber harder.

• NCSC Scanning information
• Motherboard podcast about NCIS

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls.

• OpenSSL Blog Post
• OpenSSL pre-announcement
• Mark Cox Tweet 3.0 only affected
• GossiTheDog NDA Tweet
• Claims of a name and logo
• Rustls

Image Credit

Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers.

• Lufthansa bans airtags
• Airtag stalking problems
• Lufthansa unbans airtags
• Cult of the Dead Cow book
• TV Typewriter
• Andre the Giant on an airplane
• Poison Squad

Josh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home.

• Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs
• Business Insider 2 jobs story
• Ken Thompson lines of code

Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security?

• Cloning a Rare ISA Card to Use a Rare CD Drive
• Vintage Tech YouTubers Discussion Panel | VCFMW 17 (2022)
• Flipper Zero
• Lock camera
• HackRF One
• The history of Hash
• Reddit post-it notes in apartment

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what's OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022.

• CVE-2007-4559
• Red Hat Bug
• Register story
• Response from upstream
• Upstream patch
• ZippSlip
• Current upstream bug
• CSURF

Josh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong.

• Iliana's Twitter
• There is no “software supply chain”
• Google supply chain blog
• GitHub ansi_term advisory
• PyPI 2FA Dashboard
• tarfile issue rediscovered in 2022

Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems.

• Kelsey Hightower tweet
• OSS-Fuzz

Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it.

• Time Till Open Source Alternative
• GitHub Desktop issue 78
• The Reddit Safe

Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects.

• Josh Aas
• Internet Security Research Group (ISRG)
• Let's Encrypt
• Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas
• New Major Funding from the Ford Foundation
• ISRG annual reports
• Peter Eckersley

Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability?

• Resolving an unusual wifi issue
• Hacker News thread
• Global Security Database
• IdeaPad 5 14ARE05

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security.

• The Hacker Mind
• The Untold Stories of Open Source
• H.R.7900 - National Defense Authorization Act for Fiscal Year 2023
• Kurt's blog post

Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction.

• Dustin Childs
• ZDI
• Sloppy Software Patches Are a ‘Disturbing Trend’
• Zero Day Initiative launches new bug disclosure timelines
• ISO 28147

Josh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey.

• Tweet about data
• The 6 most common types of bias when working with data
• Syft and Grype stars graph
• John Snow, Cholera, the Broad Street Pump
• Bob Lord tweet

Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can.

• The tweet that started it all
• Mark Loveless
• Mark Manning
• Richard (Dick) Brooks
• @ImbecillicusRex
• What Train Have We Got?
• Dan
• Alejo 🏳️‍🌈
• postmodern
• 🇺🇸 Robert C. Seacord 🇺🇦
• Yip Wai Peng
• Sachin Shahi

Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here.

• How and why the leap second affected Cloudflare DNS
• Facebook wants to get rid of leap seconds
• Leap Smear
• Falsehoods programmers believe about time

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture.

• Syft
• Grype
• Microsoft bans and unbans open source
• Tidelift survey
• Bruce Perens - What comes after open source

Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with.

• PyPI announcement
• NPM expired domains
• Morten Linderud Tweet
• Congratulations: We Now Have Opinions on Your Open Source Contributions

Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter.

• XKCD signed email
• Shire calendar
• Guardian editors destroy Snowden laptop

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale.

• gsd.id
• The Register OpenSSL story
• OpenSSL bug

Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about!

• Twitter thread
• Kurt's security advisory page
• Bug 998

Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or more people departing their job?

• Tesla Layoffs
• Coinbase layoffs

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy open to discussing alert fatigue and why it's important to be very mindful of our communications.

• GitHub 400K notifications Hacker News thread
• Reddit user TV Bluetooth

Josh and Kurt talk about containers. There are a lot of opinions around what type of containers is best. Back when it all started there were only huge distro sized containers. Now we have a world with many different container types and sizes. Is one better?

• Programming in the Apocalypse
• Bob Diachenko
• Paranoids Podcast

Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that's "healthy"? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean?

• OpenSSF TAC Issue 101

Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and have a chat about the topic. There's not much security in this one, but it is a fun discussion.

• Boris Johnson blames cheese
• Apple and WFH

Josh and Kurt talk about a fake 7-Zip security report. It's pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them.

• Probably fake 7-Zip

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book.

• Adam Shostack
• Adam's Website
• The book

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking.

• Google Project Zero blog post
• Apple 0days
• Joint cyber advisory

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important.

• State of Enterprise Vulnerability Detection and Patch Management
• CISA Known Exploited Vulnerabilities Catalog
• Google 0days

Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works best for you, not what someone tells you is best.

• Patch Tuesday
• Git security update

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.

• Hackers using fake emergency data requests
• CVE-2018-25032
• Global Security Database

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess.

• Josh's Twitter thread
• How to install week old npm packages

Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs are shallow (they're not), the superpower is security bugs in open source can't be ignored.

• node-ipc protestware

Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do.

• Ads in Windows Filemanager
• Russia running out of storage
• Russia threatens to nationalize industry
• Onagawa Nuclear Power Plant
• Cockcroft's Follies
• German government advises citizens to uninstall Kaspersky

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source.

• Dirty Pipe Writeup

Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need to push security forward.

• Stable Linux Kernel and Machine Learning

Josh and Kurt talk about SBOMs. Not what they are, there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question if we really need them. SBOMs are part of a future that's still being invented.

• Questioning SBOMs
• Rezilion Log4j diagram
• David A Wheeler on CII Badges
• Using open source is communism

Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn't dangerous. What other security advice just won't go away?

• Coinbase Ad
• Kurt's Twitter question
• QR code parking scam
• Mossad or not Mossad
• Kurt's talk

Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don't have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it's easy to see how the EFF became the jewel of the Internet.

• Hayley's Twitter
• EFF
• How to Fix the Internet
• Episode 277 – Privacy and activism with Chris Weiland
• Washington State privacy bill
• Join the EFF (seriously, do this!)

Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability.

• NPM requires 2FA
• OpenSSF Alpha and Omega
• David A. Wheeler episode
• Linux Foundation LFX
• Samba Advisory

Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It's hard to talk about security sometimes.

• Josh's computer vision code
• Twitter secrets
• Qualys pwnkit

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers.

• We rate dogs
• Racoons that heal your sadness
• Global Security Database
• Episode 261 – DWF is back! Welcome to community powered CVE
• GSD mailing list
• GSD Circle group
• GSD Database
• GSD Project Plan

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like.

• Developer corrupts colors and faker
• Will Wright Pee
• Internet Anonymity

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world of cryptocurrency is very confusing for normal people. None of this is new, there have always been con artists, there will always be con artists.

• Norton Crypto FAQ
• Stolen Ape
• Smart contract to buy the constitution
• YEAR token

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it is no is very complicated. Far more complicated than either of us thought it would be.

• Will cyber security vulnerabilities ever "stop existing" ?

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event, I'm sure we'll be talking about it well into the future.

Log before Christmas poem

'Twas the night before Christmas, when all through the stack Not a scanner was scanning, not even a rack,

The SBOMs were uploaded to the portal with care, In hopes that next year would be boring and bare

The interns were nestled all snug at their beds; While visions of dashboards danced in their heads;

The CISO in their 'kerchief, and I in my cap, Had just slept our laptops for a long winter's nap,

When all of a sudden the pager went ack ack I sprang to my laptop with worries of attack

Away to the browser I flew like a flash, Tore open the window and cleared out the cache

The red of the dashboard the glow of the screen Gave a lustre of disaster my eyes rarely seen

When what to my wondering eyes did we appear, But a new advisory and eight vulnerabilities to fear,

Like a little old hacker all ready to play, I knew in a moment it must be Log4j

More rapid than gigabit its coursers they came, And it whistled, and shouted, and called them by name:

"Now, Log4Shell! now CVE! now ASF and NVD! On, CISA! on, LunaSec! on, GossiTheDog!

To the top of the HackerNews! to the top of the wall! Now hack away! hack away! hack away all!"

Like the bits that before the wild CDN fly by When they meet with a firewall, they mount to the sky;

So up to the cloud like bastards they flew With tweets full of vulns, and Log4j too—

And then, in a twinkling, I read in the slack The wailing and screaming of each analyst called back

As I drew in my head, and was turning around, Down the network Log4j came with a bound.

It was dressed in a hoodie, black and zipped tight, The clothes were all swag from a conference one night

A bundle of vulns it had checked in its git And it looked like a pedler just being a twit

The changelog—how it twinkled! its features, how merry! Its versions were like roses, its logo like a cherry!

Its droll little mouth was drawn up like an at, And the beard on its chin made it look stupid and fat

The stump of a diff it held tight in its teeth, And the bits, they encircled the repo like a wreath;

It had a flashy readme an annoying little fad That shook when it downloaded, like a disk drive gone bad

It was chubby and plump, an annoying old package, And I laughed when I saw it, in spite of the hackage

A wink of its bits and a twist of its head Soon gave me to know I had everything to dread

It spoke not a word, but went straight to its work, And pwnt all the servers; then turned with a jerk,

And laying its patches aside of its nose, And giving a nod, up the network it rose;

It sprang to its packet, to its team gave them more, And away they all fled leaving behind a back door

But I heard it exclaim, ere it drove out of sight— “Merry Christmas you nerds, Log4j won tonight!”

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then.

Good luck to everyone dealign with this thing

• Log4j GSD entry
• Minecraft server discussion
• Log4j GitHub issue 608

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day which is new ways to do things. The example is a new way to hold a controller when playing Tetris. There are always new tools and new ideas in security. Sometimes we have to abandon the old way because the new way to too good to ignore.

• Lawfare Apple NSO podcast
• New way to play Tetris

the lawsuit is based on CFAA, not on copyright. We apologize for this enormous oversight.

Josh and Kurt talk about Apple suing NSO using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn't always make sense. Copyright has been used by open source to expand rights, and many companies to restrict rights. It's a very odd law sometimes. At the end of the day it seems the only real path forward for a problem like NSO is up to governments to protect their citizens.

• Apple sues NSO group
• VMWare EULA

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of security and tech and disagree about how to best keep your skills up to date.

• Experts From A World That No Longer Exists
• Neuroplasticity
• Scotty and the mouse
• Git 2.34
• 4H Public Speaking

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects.

• David A Wheeler
• Episode 14 – David A Wheeler: CII Badges
• Sigstore joins the OpenSSF
• OpenSSF Technical Working Groups
• NPM requires MFA
• LISH
• Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks

Josh and Kurt talk about the famous Phrack 49 article "Smashing the Stack for Fun and Profit" turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from making exploiting stack overflows easier, to defenders creating technologies such as stack canaries are the direct result of this work.

• Phrack 49
• Kurt's Interview with Elias Levi aka Aleph One

Josh and Kurt talk about the new Trojan Source bug. We don't always agree on if this is a vulnerability (it's not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don't live in a world where you can make a realistic suggestion to return to using only ASCII. There are a lot of weird moving parts with this one.

• Trojan Source
• oss-security message
• GitHub example

Josh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities.

• UAParser.js
• CISA announcement

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What the best way to get developers interested in learning more about security? We end the show with fantastic advice from Chris for anyone new to the field of technology or security.

• Chris Wysopal
• Veracode
• l0phtcrack

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no brainier activities. We go through the list of metrics being measured. There are only a few that we don't think are fantastic.

• 4 of spades
• OpenSSF
• Chris Montgomery audio explanation
• Scorecard 3.0.0
• Scoring criteria
• Python Skeleton

Josh and Kurt talk about the recent Twitch hack and how in the modern age leaking source code almost certainly doesn't matter. The leaked data however is a big deal. We also discuss a recent Apache httpd update. Some things went right, some things went wrong. Dealing with vulnerabilities is hard.

• Parasocial Relationship
• Twitch Hack
• Soviet B-29 Clone
• Apache CVE
• Apache Advisory
• GossiTheDog Tweet
• Hacker Fantastic exploit

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you'll have some fun and learn a bit about the whole vulnerability disclosure process.

• Apple 0days
• Microsoft Exchange flaw
• THIS IS HOW THEY TELL ME THE WORLD ENDS
• Linux Foundation Vulnerability Disclosure
• Timezone problem

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit. How a lot of the plot is a bit silly. It's a really fun episode.

• Matrix 4 trailer
• nmap in the Matrix
• VFX Artists react to the Mandalorian
• Glasshouse
• Universal Paperclips

Josh and Kurt talk about an unusual number of really bad security updates. We even recorded this before the Azure OMIGOD vulnerability was disclosed. It's certainly been a wild week with Apple and Chrome 0days, and a Travis CI secret leak. Maybe this is the new normal.

• Matrix 4 trailer
• Travis CI issue
• Apple 0day patches
• Chrome 0day patches
• CGP Grey Where is the European Union

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that goes against how GitHub works. They're also turning all compiler warnings into errors. It's really interesting to understand what these steps mean today, and what they could mean in the future.

• The Register Linux story
• OpenSSL Release Notes

Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came?

• GitHub Copilot
• Copilot research paper

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space and what sort of new thing scan we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more.

• Dan's Twitter
• Sigstore
• SLSA Framework

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren't a help desk.

• Emacs closes 45% of bugs
• UVI
• Tesla investigation
• UK COVID spreadsheet

Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this. What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don't have any real answers for.

• Home Depot power tools
• Ray Ozzie's IoT board
• First-sale doctrine

Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It's less simple than it sounds, many of the choices could end up harming victims.

• Disclosure Dilemmas
• @evacide
• Bob Diachenko
• This Is How They Tell Me The World Ends

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn't always obvious when you're in the middle of progress.

Show Notes

• Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming
• Josh's devopsdays talk
• Microsoft moved font handling out of the kernel
• Atari 2600 emulator in Minecraft
• Rate of technology adoption

Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake up call for anyone creating devices and systems that could be attacked, it's time to segment services. There's not a lot individuals can do at this point, but we have some ideas at the end of the episode.

• NSO Group spying
• Technical details Twitter thread
• Are we the Baddies?

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us, if we lose access to our SSO account we will lose access to many services.

• Postbank

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it?

• SGDQ Paper Mario
• Paper Mario Arbitrary Code Execution explained
• Freenode
• Audacity acquired by Muse Group
• Audacity fork

Josh and Kurt talk about a listener provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it's very difficult to sandbox something like a build system.

• Gone in 60 milliseconds

Josh and Kurt talk to Chris Weiland from Restore the Fourth Minnesota. Restore The Fourth Minnesota is nonprofit dedicated to restoring the Fourth Amendment to the U.S. Constitution and ending unconstitutional mass government surveillance. Chris drops a ton of knowledge about how to be an effective tech activist, what his group is doing, and most importantly we get actionable advice!

• Restore the Fourth Minnesota
• Restore the Fourth Minnesota on Twitter
• Writ of assistance
• Carpenter vs United States
• How many US federal laws are there?
• Restore the Fourth
• Episode 114 – Review of "Click Here to Kill Everybody"
• EFF EFA
• ACLU affiliates
• Glenn Greenwald TED talk

Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what's happening around us when everything is related.

• Judges more lenient after a break
• Dungeons and Data
• Poverty changes your DNA

Josh and Kurt talk about why it seems like the world of ransomware has gotten out of control in the last few weeks. Every day there's some new and more bizarre ransomware story than we had yesterday.

• Spurious Correlations
• Ransom recovered
• Adam Shostack Ransomware is not the problem
• Latvian Woman charged for writing ransomware

Josh and Kurt talk about Amazon sidewalk. There is a lot of attention, but how is this any different than the surveillance networks Apple and Google have built?

• Amazon Sidewalk
• Ads and toothpaste
• Airtags and stalking

Josh and Kurt talk about AI driven comments. We live in a world of massive confusion and disruption where what is true and false, real and fake, are often widely debated. As AI grows and evolves what does it mean for this future? We don't really have any answers, but we ask a lot of questions. This isn't easy, nor will it be solved quickly, but solving it is not optional.

• AIs and Fake Comments
• ACLU AMA
• Cloudflare Cryptographic Attestation of Personhood
• Evil bit
• Boris Johnson Painting Buses

Josh and Kurt talk about the Biden Administration new cybersecurity executive order. There are some good ideas in there, but at the end of the day it's an unfunded mandate. Unfunded mandates are difficult to implement.

• Biden Executive Order
• Fact Sheet
• Obama's cyber EO

Josh and Kurt talk about how people handle problems. We open with the story of the Colonial Pipeline hack, but then go into some of the ways people tend to make problems worse.

• Male vs Female trees
• Pipeline hack
• XKCD Pipelines
• TSA Pipeline Security

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse a user into doing something they don't want to, like unknowingly purchasing a monthly subscription to something you don't need or want. The US Federal Trade Commission is starting to discuss dark patterns in webs sites and apps.

• Dark Patterns
• Types of Dark Patterns
• FTC Bringing Dark Patterns to Light
• LTT Dell Warranty

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There's a lot to unpack in this one, but the TL;DR is you probably don't want to experiment on the kernel.

• Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research
• University of Minnesota security researchers apologize for deliberately buggy Linux patches
• The International Obfuscated C Code Contest

Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust?

• Europe and 5G
• Codecov
• Codecov Reuters story
• Red Hat OpenSSH advisory

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that's OK.

• Hacker History Podcast
• Chrome 0day
• NTFS Documentation

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like.

Show Notes

• Debricked
• Emil's Linkedin

Josh and Kurt talk about the PHP backdoor and the Ubiquity whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information.

• PHP backdoor
• Ubiquity coverup
• 3D printed TSA keys
• LockPickingLaywer
• Determining Key Shape from Sound
• Lock camera

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It's a great conversation.

Show Notes

• Mark Loveless Twitter
• GitLab
• GitLab Handbook
• How we approach open source security
• PASTA threat modeling
• GitLab security features
• Tales from the Past - "You Tested Positive for TNT"

Josh and Kurt talk about how terrible daylight savings is. GitHub yanking some exploit code. And the Linux Foundation new project to sign all the things.

• Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github
• GitHub content restrictions
• Reproducing the Microsoft Exchange Proxylogon Exploit Chain

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, they huge code donation to the CNCF and what securing a modern infrastructure looks like today.

• Sysdig
• Falco
• Loris' Twitter
• Dan "Pop" Popandrea's Twitter
• Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF
• pdig
• Sysdig 2021 container security and usage report: Shifting left is not enough

Josh and Kurt talk about DWF. It's back and the intention is to have real community driven security identifiers!

Show Notes

• Committee vs Community
• dwflist repo
• dwf-request tooling repo
• dwf-workflow policy repo
• CVE plateua graph
• iwantacve.org

Josh and Kurt talk with Dave Jevans CEO of CipherTrace and chairman of the anti-phishing working group about the challenges of keeping track of cryptocurrency in the modern age.

Show Notes

• Dave's Twitter
• CipherTrace
• Anti Phishing Working Group

Josh and Kurt talk about the question "what is open source?" Why do we think it's broken today, and what sort of ideas about what should come next.

Show Notes

• OSI
• Bruce Perens Post Open Source
• Josh's community blog post
• Corey Doctorow Uber Twitter thread

Josh and Kurt talk about the Google Project Zero report titled "A Year in Review of 0-days Exploited In-The-Wild in 2020". It's a cool report but we don't agree on the conclusion. The answer isn't to security harder, it's to stop using C.

Show Notes

• Google Project Zero Year of 0-days
• Kurt's CUPS tweet

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What's the deal with these buffer overflows and TOCTU bugs?

Show Notes

• Sudo buffer overflow
• Sudo SELinux bug
• libgcrypt buffer overflow

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think.

Show Notes

• Legend of Zelda Random Number Generation
• Green rocket flame
• SR71 leaked fuel
• How do Namibian Himbas see colour?
• Suptuple meter music

Josh and Kurt talk about what we can stop doing. We take a position of asking "does it spark joy" for tools and infrastructure. Everyone is doing something they should stop.

Show Notes

• Does it spark joy?

Josh and Kurt talk about the new right to repair rules in the EU. There's a strange line between loving the idea of right to repair, but also being horrified as security people at the idea of a device being on the Internet for 30 years.

Show Notes

• EU right to repair
• repair.eu

Josh and Kurt talk about this idea that seems to exist in security of "attackers only need to be right once" which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But "defenders only need to be right once" isn't going to sell any products.

Show Notes

• Richard Feynman and manhole covers
• Richard Feynman on Why He Can't Tell You How Magnets Work
• Israeli airport security
• FAA stolen sweater
• XKCD Is it worth the time
• CGP Grey The trouble with transporters

Josh and Kurt talk about a report on open source security from the Canadian Centre for Cyber Security. The title pretty much sums it up.

Show Notes

• Security Considerations for Open Source
• Build an 8 bit computer from scratch

Josh and Kurt talk about communication. It's really hard to talk about a lot of what we do. How do we know if a device is secure? How do we know our knowledge is correct?

Show Notes

• 90 percent of U.S. bills carry traces of cocaine
• Is the moon a star or planet?
• A mole of moles
• New homeowner 'freaked out' when stranger took control of her security system
• Coffee maker ransomware
• NIST Phish Scale
• The metric system
• Operation Paperclip

Josh and Kurt talk about why we do the things we do. Sometimes we have to question everything.

• SLAM missile

Josh and Kurt talk about the idea of information wanting to be free. It's Christmas, we should give it what it wants!

• Hacker Manifesto

Josh and Kurt talk about how to file 1000 security flaws. One is easy, scale is hard.

Josh and Kurt talk about how to report one security flaw

Josh and Kurt talk about bug bounties

Josh and Kurt talk about if SMS 2 factor auth is better than no 2FA

• Cyber deepfaked their host

Josh and Kurt talk about modern TLS certificate trust

Josh and Kurt talk about why it's a horrible idea to roll your own crypto or auth

Josh and Kurt talk about vulnerability response. What is it, what does it mean, how does it work

Josh and Kurt talk about the switch from 16 to 32 to 64 bit and even the changes from Intel to ARM

Josh and Kurt talk about supplier compliance

• Annex A.15.1 of ISO 27001:2013
• Episode 162 – SBOM with Allan Friedman

Josh and Kurt talk about backdoors in open source software