Wednesday, May 12, 2021
Open Source Security Podcast

Episode 270 – Hello dark patterns my old friend

Josh and Kurt talk about dark patterns. A dark pattern is when a service tries to confuse a user into doing something they don't want to, like unknowingly purchasing a monthly subscription to something you don't need or want....
Open Source Security Podcast

Episode 269 – Do not experiment on the Linux Kernel

Josh and Kurt talk about the University of Minnesota experimenting on the Linux Kernel. There's a lot to unpack in this one, but the TL;DR is you probably don't want to experiment on the kernel. Show Notes Linux...
Open Source Security Podcast

Episode 268 – Can we trust any 3rd parties?

Josh and Kurt talk about what 3rd party means in the current world. From 5G suppliers, to the Codecov and Solarwinds breaches. Is there anyone we can trust? Show Notes Europe and 5G Codecov Codecov Reuters story Red...
Open Source Security Podcast

Episode 267 – Does 0day still mean 0day?

Josh and Kurt talk about 0day security vulnerabilities. What are they? What were they? And why the name has taken on a new meaning, and that's OK. Show Notes Hacker History Podcast Chrome 0day NTFS Documentation
Open Source Security Podcast

Episode 266 – The future of security scanning with Debricked

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning...
Open Source Security Podcast

Episode 265 – The lies closed source can tell, open source can't

Josh and Kurt talk about the PHP backdoor and the Ubiquity whistleblower. The key takeaway is to note how an open source project cannot cover up an incident, but closed source can and will cover up damaging information. Show...
Open Source Security Podcast

Episode 264 – DevSecOps with GitLab's Mark Loveless

Josh and Kurt talk to Mark Loveless from GitLab. We touch on DevSecOps, what GitLab is doing, threat modeling, and the time Mark tested positive for TNT at the airport. It's a great conversation. Show Notes Mark Loveless...
Open Source Security Podcast

Episode 263 – GitHub pulls exploits, LinuxFoundation sign all the things

Josh and Kurt talk about how terrible daylight savings is. GitHub yanking some exploit code. And the Linux Foundation new project to sign all the things. Show Notes Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github...
Open Source Security Podcast

Episode 262 – A discussion with Loris and Pop from Sysdig

Josh and Kurt talk to Loris Degioanni and Dan from Sysdig. Sysdig are the minds behind Falco, an amazing open source runtime security engine. We talk about where their technology came from, they huge code donation to the CNCF...
Open Source Security Podcast

Episode 261 – DWF is back! Welcome to community powered CVE

Josh and Kurt talk about DWF. It's back and the intention is to have real community driven security identifiers! Show Notes Committee vs Community dwflist repo dwf-request tooling repo dwf-workflow policy repo CVE plateua graph iwantacve.org
Open Source Security Podcast

Episode 260 – Dave Jevans tells us what CipherTrace is up to

Josh and Kurt talk with Dave Jevans CEO of CipherTrace and chairman of the anti-phishing working group about the challenges of keeping track of cryptocurrency in the modern age. Show Notes Dave's Twitter CipherTrace Anti Phishing Working Group
Open Source Security Podcast

Episode 259 – What even is open source anymore?

Josh and Kurt talk about the question "what is open source?" Why do we think it's broken today, and what sort of ideas about what should come next. Show Notes OSI Bruce Perens Post Open Source Josh's community...
Open Source Security Podcast

Episode 258 – Stop using C

Josh and Kurt talk about the Google Project Zero report titled "A Year in Review of 0-days Exploited In-The-Wild in 2020". It's a cool report but we don't agree on the conclusion. The answer isn't to security harder, it's...
Open Source Security Podcast

Episode 257 – The sudo and libgcrypt vulnerabilities

Josh and Kurt talk about the recent sudo and libgcrypt security vulnerabilities. What's the deal with these buffer overflows and TOCTU bugs? Show Notes Sudo buffer overflow Sudo SELinux bug libgcrypt buffer overflow
Open Source Security Podcast

Episode 256 – 9 bits of podcast, 8 bits of computing

Josh and Kurt talk about 8 bit computing. What sort of security lessons can we learn from the 8 bit world? More than you think. Show Notes Legend of Zelda Random Number Generation Green rocket flame SR71 leaked...

Half of Government Security Incidents Caused by Missing Patches

Half of Government Security Incidents Caused by Missing PatchesCybersecurity is both a driver and a major barrier to public sector IT modernization, according to new research from BAE Systems Applied Intelligence. The cyber consultancy polled 250 managers with IT responsibility...
SecurityWeek

Germany Halts Facebook Sharing WhatsApp Data

A German regulator on Tuesday slapped a three-month ban on Facebook collecting user data from WhatsApp accounts and referred the case to an EU watchdog, citing concerns about election integrity. read more
The Register

Blessed are the cryptographers, labelling them criminal enablers is just foolish

Preserving privacy is hard. I know because when I tried, I quickly learned not to play with weapons Column  Nearly a decade ago I decided to try my hand as a cryptographer. It went about as well as you...
The Hacker News

Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations

The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data ransom demands are not met. "The...
Security Affairs

NSA and ODNI analyze potential risks to 5G networks

U.S. Intelligence agencies warn of weaknesses in 5G networks that could be exploited by crooks and nation-state actors for intelligence gathering. The U.S. National Security Agency (NSA), along with the DHS Cybersecurity and Infrastructure Security Agency (CISA), and the Office...