A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
The NDS Show - An Intelligence Community Podcast covering Geospatial Intelligence, Open Source Intelligence OSINT, Human Intelligence HUMINT, Military & National Security
The NDS Show
Unlock a world of valuable insights and thought-provoking discussions related to the Intelligence Community (CIA, NSA, NGA, FBI, Military Intelligence). Join Nick, a successful entrepreneur and business leader, on his journey to discover a world of INTELLIGENCE in all facets of our lives. As an Army Veteran with expertise in geospatial Intelligence Operations, and multiple successful businesses and investments across a variety of industries, including technology, defense, real estate, crypto ...
Episode 454 - The state of open source with Brian Fox from Sonatype and Donald Fischer from Tidelift
43:13
Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be that open source is huge, everywhere, and needs help. But all is not lost! There are some great ideas on what the future needs to lo…
Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force c…
Episode 452 - All about Meshtastic
39:29
Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source. Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous …
Episode 451 - Python security with Seth Larson
36:24
Josh and Kurt talk to Seth Larson from the Python Software Foundation about securing the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but which are super important work. Show Notes Seth …
Episode 450 - What's Wrong With WordPress
39:01
Josh and Kurt talk about the current WordPress / WP Engine mess. The forking of Advanced Custom Fields is certainly a supply chain attack. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn't be this exciting. The bad sort of exciting. Show Notes…
Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means. Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd i…
Episode 448 - What's wrong with CISA?
34:48
Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also no actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way, funding and defining securi…
Episode 447 - The Tidelift 2024 open source maintainer report
38:52
Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus on a few of the statistics that should worry anyone who uses open source. We've known for a while that developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of i…
Episode 446 - Researchers took over .MOBI TLD
33:06
Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters. There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasona…
Beyond OSINT: Fusing Commercial Data Analysis for Digital ISR w/ Steve Loori
1:22:36
Steve Loori, a seasoned intelligence community professional, shares his incredible journey from the Marine Corps to becoming a leader in the world of commercial data analysis and Open Source Intelligence for surveillance and reconnaissance. Starting with his experiences as a young Marine during the Iraq War, Steve delves into how those early challe…
Episode 445 - EPSS with Jay Jacobs
41:12
Josh and Kurt talk to Jay Jacobs about the Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelihood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger…
Episode 444 - Open Source and End of Life
37:49
Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it's becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. Show Notes Chrome dumped support for Ubuntu 18.04 – but it'll be back Linus Torvalds t…
Episode 443 - The Supply Chain Security Crisis
34:23
Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. Show Notes Black Hat USA …
Episode 442 - The foundation of society, TLS certificates are a mess
40:35
Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to …
Josh and Kurt talk about CWE. What is it, and why does it matter? We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing entire classes of vulnerabilities. Show Notes CWE Epis…
Episode 440 - "What is open source" talk Josh gave
34:36
Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is…
Episode 439 - Where are all the youth in open source?
29:27
Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created…
Episode 438 - CISA's bad OSS advice vs the Whitehouse good advice
34:52
Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved.…
Episode 437 - CocoaPods and proper funding for open source
36:50
Josh and Kurt talk about a pretty big bug found in CocoaPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important; we have to start to underst…
Episode 436 - OpenSSH and node-ip - it's all exponential growth
32:10
Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of how two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relatio…
Episode 435 - polyfill.io - open source is too big to fix
38:50
Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here …
Episode 434 - Unreported vulnerabilities and everyone is getting hacked
31:17
Josh and Kurt talk about three angles of responsibility. We start with a story about a bike theft ring; bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked: it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabiliti…
Episode 433 - Should OpenSSH block misbehaving clients?
31:40
Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize misbehaving clients. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing; even if something fails, we learn a lesson that we can use in the future. Show Notes OpenSSH introduces optio…
Episode 432 - Flipper Zero with Alex Kulagin
33:08
Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation. Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok…
Episode 431 - Redirecting HTTP to HTTPS
32:52
Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space, as you'll hear in the discussion. There's no simple solution, but this is certainly something to discuss. Show Notes Your API Shouldn't Redirect HTTP to HTTPS H…
Episode 430 - Frozen kernel security
34:18
Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? Show Notes Kurt's strange coffee Why a 'frozen' distribution L…
Episode 429 - The autonomy of open source developers
32:06
Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security; security people love to tell dev…
Episode 428 - GitHub artifact attestation
37:25
Josh and Kurt talk about a new way to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default. Show Notes GitHub artifact attestation…
Why Synthetic Aperture Radar (SAR) is CRUCIAL for Earth Observation w Umbra Space's Gabe Dominocielo
1:06:17
Gabe Dominocielo, co-founder of Umbra Space, discusses the challenges and excitement of launching SAR satellites and the unique capabilities of synthetic aperture radar. He shares insights into the process of developing satellites, the choice of SAR technology, and the importance of precision in radar imagery. Gabe also talks about the diverse rang…
Episode 427 - Will run0 replace sudo?
30:12
Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. Show Notes Conan O'Brien on Hot Ones Lennart's Mastodon thread xkcd automation…
REIMAGINE Geospatial Intelligence w/ former NGA Director Robert Sharp
1:40:46
Robert (Bob) Sharp shares his journey in the military and as the director of the National Geospatial-Intelligence Agency (NGA). He discusses how he accidentally became an admiral and the joy he found in changing jobs and working with different people. He also talks about the importance of specialization and generalization in the intelligence commun…
Episode 426 - Automatically exploiting CVEs with AI
37:31
Josh and Kurt talk about a paper describing using an LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have; there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We r…
Episode 425 - Video game cheaters, also pretendo
30:36
Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical? Show Notes H…
Episode 424 - The Notepad++ Parasite Website
35:22
Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice. Show Notes H…
Episode 423 - FCC cybersecurity label for consumer devices
32:09
Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really wei…
XZ Bonus Spectacular Episode
1:01:04
Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know, with the attitude that many of these details will change quickly over the coming week. We can't fix this problem as it stands; we don't know where to start yet. But that's not a reason t…
Episode 422 - Do you have a security.txt file?
30:13
Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing. Show Notes RFC 9116
Episode 421 - CISA's new SSDF attestation form
41:03
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come. Show Notes Secure Software Development A…
Episode 420 - What's going on at NVD
39:04
Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were. Show Notes Anchore's Blog Grype Jo…
Episode 419 - Malicious GitHub repositories
34:06
Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories and then artificially inflating the number of stars and forks. This is really a discussion about how we can try to find signal in all the noise of a massive ecosystem like GitHub. Show Notes GitHub besieged by millions of malicious repositories in ongo…
Episode 418 - Being right all the time is hard
30:17
Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that. Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto…
Episode 417 - Linux Kernel security with Greg K-H
42:40
Josh and Kurt talk to Greg K-H about Linux Kernel security. We mostly focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. Show Notes Greg K-H Linux Kernel is a CNA Machine le…
Episode 416 - Thomas Depierre on open source in Europe
42:45
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible. Show …
Episode 415 - Reducing attack surface for less security
31:08
Josh and Kurt talk about a blog post explaining how to create a very, very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things existing in a container image; removing them could actually result in worse security than leaving it…
Episode 414 - The exploited ecosystem of open source
32:26
Josh and Kurt talk about open source projects providing builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we also have the demands that capitalism places on open source. Show Notes Open Source Doesn't Require Providing Builds The things nobody wants to pay for Audacity privacy policy updat…
Episode 413 - PyTorch and NPM get attacked, but it's OK
35:19
Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem shows the difficulty of trying to backdoor open source. A lot of people are watching, and it only takes one person to notice a problem and we all benefit. Show Notes Peanut Butter t…
Episode 412 - Blame the users for bad passwords!
33:03
Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to. Show Notes Security leaders weigh in on 23andme hack Don't need a gun when you have a …
Episode 411 - The security tools that started it all
29:27
Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Notes SELinux AppArmor SSH ModSecurity Snort Nmap Nessus What comes after open source…
Episode 410 - Package identifiers are really hard
31:52
Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not. Show Notes OpenSSF CISA response purl CPE OmniBOR S…
Episode 409 - You wouldn't hack a train?
35:35
Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It's sort of a dire conversation, but not all hope i…