Episode 328 – The Security of Jobs or Job Security
Josh and Kurt talk about the security of employees leaving jobs. Be it a voluntary departure or in the context of the current layoffs we see, what are the security implications of having to remove access for one or...
Episode 327 – The security of alert fatigue
Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It's fun to laugh at this, but it's an easy open to discussing alert fatigue and why it's important to be very mindful of our communications. Show Notes ...
Episode 326 – Big fat containers
Josh and Kurt talk about containers. There are a lot of opinions around what type of containers is best. Back when it all started there were only huge distro sized containers. Now we have a world with many different container types and...
Episode 325 – Is one open source maintainer enough?
Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that's "healthy"? Josh did some research that shows the overwhelming majority of packages have one maintainer. What...
Episode 324 – WTF is up with WFH
Josh and Kurt talk about the whole work from home debate. It seems like there are a lot of very silly excuses why working from home is bad. We've both been working from home for a long time and...
Episode 323 – The fake 7-Zip vulnerability and SBOM
Josh and Kurt talk about a fake 7-Zip security report. It's pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for...
Episode 322 – Adam Shostack on the security of Star Wars
Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss...
Episode 321 – Relativistic Security: Project Zero on 0day
Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot...
Episode 320 – Security Twitter is not the real world
Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation...
Episode 319 – Patch Tuesday with a capital T
Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works...
Episode 318 – Social engineering and why zlib got a 2018 CVE ID
Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect...
Episode 317 – The lack of compromise in security
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This...
Episode 316 – You have to use open source
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs...
Episode 315 – Who even makes all these terrible decisions?
Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of...
Episode 314 – The Linux Dirty Pipe vulnerability
Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost...
Oracle spent 6 months to fix ‘Mega’ flaws in the Fusion Middleware
Researchers disclose technical details of a critical flaw in Fusion Middleware, tracked as CVE-2022–21445, that Oracle took six months to patch.
Security researchers have published technical details of a critical Fusion Middleware vulnerability, tracked as CVE-2022–21445, that was reported to...
Multiple malicious packages in PyPI repository found stealing AWS secrets
Researchers discovered multiple malicious Python packages in the official PyPI repository stealing AWS credentials and other info.
Sonatype researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal secrets (i.e. AWS credentials and environment...
The Post-Roe Privacy Nightmare Has Arrived
Plus: Microsoft details Russia’s Ukraine hacking campaign, Meta’s election integrity efforts dwindle, and more.
How to Move Your WhatsApp Chats Across Devices and Apps
It's never been easier to switch between iPhone and Android—and to get your messages out of the Meta ecosystem entirely.
We’re now truly in the era of ransomware as pure extortion without the encryption
Why screw around with cryptography and keys when just stealing the info is good enough Feature US and European cops, prosecutors, and NGOs recently convened a two-day workshop in the Hague to discuss how to respond to the growing...
