Open Source Security Podcast
4d ago
Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice.
Show Notes
Help us to take down the parasite website
Open Source is bigger than you can imagine
Toronto Pearson International Airport heist
1w ago
Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark, similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really weird and hard problem.
Show Notes
GrapheneOS
FCC approves cybersecurity label for consumer devices
Cyber Trust Mark Logo
2w ago
Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing.
Show Notes
RFC 9116
3w ago
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come.
Show Notes
Secure Software Development Attestation Form
The U.S. Military Is Missing Six Nuclear Weapons
NIST 800-218
1M ago
Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shockwaves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is that things won't go back to the way they were.
Show Notes
Anchore's Blog
Grype
Josh's Cyphercon Talk
Ecosyste.ms
Episode 266 – The future of security scanning with Debricked
1M ago
Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories and then artificially inflating the number of stars and forks. This is really a discussion about how we can try to find signal in all the noise of a massive ecosystem like GitHub.
Show Notes
GitHub besieged by millions of malicious repositories in ongoing attack
1M ago
Josh and Kurt talk about recent stories about data breaches, the Flipper Zero ban, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that.
Show Notes
Mon Dieu! Nearly half the French population have data nabbed in massive breach
Feds move to ban auto theft tech device ‘Flipper Zero’
Gmail and Yahoo’s 2024 inbox protections and what they mean for your email program
Vending machine error reveals secret face image database of college students
1M ago
Josh and Kurt talk to GregKH about Linux Kernel security. We mostly focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting.
Show Notes
Greg K-H
Linux Kernel is a CNA
Machine learning and stable kernels
Bug reporting for Linux
2M ago
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected, Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible.
Show Notes
Thomas Depierre
I am not a supplier
Open Source In The European Legislative Landscape devroom
Cyber Resilience Act
The 2023 Tidelift state of the open source maintainer report
2M ago
Josh and Kurt talk about open source projects providing builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but open source also has to live with the demands capitalism places on it.
Show Notes
Open Source Doesn't Require Providing Builds
The things nobody wants to pay for
Audacity privacy policy update has caused an outcry
The History of X11