Episode 436 - OpenSSH and node-ip - it's all exponential growth
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
3d ago
Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi-related in that two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we've ever seen. It's a weird conversation and we don't have good answers. Security in general is a collection of unsolvable problems. Show Notes Qualys security ..read more
Episode 435 - polyfill.io - open source is too big to fix
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
1w ago
Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here to stay. Show Notes Polyfill supply chain attack hits 100K+ sites OpenSSF Scorecard ..read more
Episode 434 - Unreported vulnerabilities and everyone is getting hacked
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
2w ago
Josh and Kurt talk about three angles of responsibility. We start with a story about a bike theft ring; bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked: it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there are some numbers for open source specifically. Show Notes The West Coast’s Fanciest Stolen Bikes Are Getting Trafficked by One Mastermind in Jalisco, Mexico $5 million ..read more
Episode 433 - Should OpenSSH block misbehaving clients?
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
3w ago
Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future. Show Notes OpenSSH introduces options to penalize undesirable behavior Hacker News comments ..read more
Episode 432 - Flipper Zero with Alex Kulagin
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
1M ago
Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation. Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok ..read more
Episode 431 - Redirecting HTTP to HTTPS
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
1M ago
Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space, as you'll hear in the discussion. There's not a simple solution, but this is certainly something to discuss. Show Notes Your API Shouldn't Redirect HTTP to HTTPS Hacker News discussion HSTS Section 5.1 ..read more
Episode 430 - Frozen kernel security
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
1M ago
Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? Show Notes Kurt's strange coffee Why a 'frozen' distribution Linux kernel isn't the safest choice for security ..read more
Episode 429 - The autonomy of open source developers
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
1M ago
Josh and Kurt talk about open source and autonomy. This is even related to some recent return-to-office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security: security people love to tell developers what to do, and developers don't like being told what to do. Show Notes pycurl issue Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away RSA ANIMATE: Drive: The surprising truth about what motivates us Sudo-rs dependencie ..read more
Episode 428 - GitHub artifact attestation
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
2M ago
Josh and Kurt talk about a new way to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, and it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier-to-use features in the future. Someday, everything will be signed by default. Show Notes GitHub artifact attestation ..read more
Episode 427 - Will run0 replace sudo?
Open Source Security Podcast
by Josh Bressers & Kurt Seifried
2M ago
Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. Show Notes Conan O'Brien on Hot Ones Lennart's Mastodon thread xkcd automation ..read more