Open Source Security Podcast

Josh and Kurt talk about Network Time Security (NTS) how it works and what it means for the world (probably not very much). We also talk about Singapore's Cybersecurity Labelling Scheme (CLS). It probably won't do a lot in the short term, but we hope it's a beacon of hope for the future. Show Notes Network Time Security NTP and the University of Wisconsin Cybersecurity Labelling Scheme (CLS)

Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it! Show Notes Akamai Larry's website Larry's First CVE

Josh and Kurt talk about change. Specifically we discuss how the past was a terrible place. Never believe anyone who tells you it was better. Part of a career now is learning how to learn. The things you learn today won't be useful skills in a few years. The future is is always better than the past. Even in 2020. Show Notes I no longer build software Temple OS Top Gear electric car 1959 Bel Air crash test

Josh and Kurt talk to Travis Murdock about how to tell your story. Travis explains how to talk to the press and how to tell our story in a way that helps get our message across and lets the reporter do their job better. Show Notes Ruder Finn CVE-2009-3555 Heartbleed

Josh and Kurt talk about how we talk about what we do in the context of life on Venus. We didn't really discover life on Venus, we discovered a gas that could be created by life on Venus. The world didn't hear that though. We have a similar communication problem in security. How often are your words misunderstood? Show Notes Phosphine on Venus GPS and relativity

Josh and Kurt talk about attacking open source. How serious is the threat of developers being targeted or a git repo being watched for secret security fixes? The reality of it all is there are many layers in a security journey, the most important things you can do are also the least exciting. Show Notes Targeting developers XKCD Infrastructure comic Hiding security flaws in git Mossad vs Not-Mossad (PDF warning)

Josh and Kurt talk about how your actions can tell the world if you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously. Show Notes Reddit carbon monoxide Part 1 Part 2 GCP Grey minus infinity Josh's blog post

Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas. Show Notes Blanket rack Chromium DNS traffic Ubuntu MOTD Microsoft telemetry YAM coin implodes Panda Cubs

Josh and Kurt talk about the Microsoft 2 year old signature bug and Github no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks

Josh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It's not all bad though, there are some things we can do to help move things forward. This episode shouldn't be taken too seriously. Show Notes "cult of information security" How to start a cult

Josh and Kurt talk about Secure Boot. The conversation uses the recent "Boot Hole" vulnerability to frame a conversation about what Secure Boot is and isn't. Why the Boot Hole flaw doesn't really matter, and why Secure Boot was very scary for Linux users back when it came out. Show Notes Boot Hole

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it's we don't have metrics. Can you measure not getting hacked? Show Notes Clearing checks FAIR Institute Factorio

Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text. How we create, and how social media is doing everything it can to weaponize our attention. It's not a fight humanity is winning. Show Notes GPT-3 AI Blipverts

Josh and Kurt talk about Google's new confidential VMs. The AMD Secure Encrypted Virtualization is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud. Show Notes Google confidential VMs AMD SEV SEV vs SGX

Josh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we're seeing in open source security. Some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It's a great conversation! Show Notes The State of Open Source Security 2020 Alyssa's Twitter

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren't what they used to be, but things like BSides are great experiences. Show Notes Security and Human Behaviour Josh's blog post Mudge's Twitter thread

Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution? Show Notes Picture of Kurt's security check-up Dragon controls

Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? Show Notes Josh's blog post NVD Red Hat security data Josh's CVE data project Microsoft security ratings scale

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future? Show Notes Container Security download Pictures of elephants Kubernetes Security book Starboard project Dynamic threat analysis