Monday, January 24, 2022
Open Source Security Podcast

Episode 307 – Got vulnerabilities? Introducing GSD

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers. Show Notes We rate dogs Racoons that heal your sadness Global Security Database Episode 261 –...
Open Source Security Podcast

Episode 306 – Open source isn't broken, it's an experience

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with...
Open Source Security Podcast

Episode 305 – Norton, Ethereum, NFT, and Apes

Josh and Kurt talk about Norton creating an Ethereum mining pool. This is almost certainly a bad idea, we explain why. We then discuss the reality of NFTs and the case of stolen apes. NFTs can be very confusing. The whole world...
Open Source Security Podcast

Episode 304 – Will we ever fix all the vulnerabilities?

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it...
Open Source Security Podcast

Episode 303 – Log4j Christmas Spectacular!

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught...
Open Source Security Podcast

Episode 302 – Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since...
Open Source Security Podcast

Episode 301 – You're holding it wrong: the importance of unlearning

Josh and Kurt talk about the epic failure that was episode 300. But this ties nicely into the topic of the day which is new ways to do things. The example is a new way to hold a controller when playing Tetris....
Open Source Security Podcast

Episode 300 – Apple vs NSO: What can copyright do for you?

Josh and Kurt talk about Apple suing NSA using a copyright claim as their vehicle. Copyright is often used as a reason to bring lawsuits, even when it doesn't always make sense. Copyright has been used by open source to expand rights,...
Open Source Security Podcast

Episode 299 – Experts From A World That No Longer Exists

Josh and Kurt talk about an article about how expertise has a limited lifetime. We are all experts in something, but some of us will find our expert knowledge to be outdated eventually. We discuss what that means in the context of...
Open Source Security Podcast

Episode 298 – David A Wheeler discusses the OpenSSF

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the...
Open Source Security Podcast

Episode 297 – 25 years of smashing stacks, fun, and profit

Josh and Kurt talk about the famous Phrack 49 article "Smashing the Stack for Fun and Profit" turning 25 years old. This paper created a massive amount of change in the industry, possibly more than any other paper ever written. Everything from...
Open Source Security Podcast

Episode 296 – Is Trojan Source a vulnerability?

Josh and Kurt talk about the new Trojan Source bug. We don't always agree on if this is a vulnerability (it's not), but by the end we come to an agreement that ASCII is out, Unicode is in. We don't live in...
Open Source Security Podcast

Episode 295 – Open source security isn't free

Josh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have...
Open Source Security Podcast

Episode 294 – Chris Wysopal on the state of security education

Josh and Kurt talk to Chris Wysopal, AKA Weld Pond, about security education. We talk about the current state of how we are learning about security as students and developers. What the best way to get developers interested in...
Open Source Security Podcast

Episode 293 – Scoring OpenSSF Security Scoring

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards are measuring are no brainier activities. We go...

Linux Servers at Risk of RCE Due to Critical CWP Bugs

The two flaws in Control Web Panel – a popular web hosting management software used by 200K+ servers – allow code execution as root on Linux servers.

Trickbot Injections Get Harder to Detect & Analyze

The authors of the infamous malware family have added measures for better protecting malicious code injections against inspection and research.

AT&T announces multi-gigabit fiber: $110 a month for 2Gbps, $180 for 5Gbps

Enlarge (credit: Getty Images | zf L) AT&T has started offering 2Gbps and 5Gbps symmetrical Internet speeds over its fiber-to-the-home network, the telecom company announced today. The multi-gigabit speeds are...

Registration for the (ISC)² Entry-Level Cybersecurity Certification Exam Pilot Program Is Now Open

New certification validates students' and career changers' foundational skills and helps kickstart their cybersecurity careers.
SecurityWeek

DC, 3 States Sue Google Saying it Invades Users' Privacy

The District of Columbia and three states are suing Google for allegedly deceiving consumers and invading their privacy by making it nearly impossible for them to stop their location from being tracked. read more