Thursday, June 1, 2023
Open Source Security Podcast

Episode 377 – The world is changing too fast for humans to understand

Josh and Kurt talk about PyPI suspending new accounts and packages for a day, and a 60 minutes story about deepfakes. The problems are mostly the same, but for very different reasons. The world is changing faster than we...
Open Source Security Podcast

Episode 376 – Open Source Summit, who built your open source, and AI

Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI...
Open Source Security Podcast

Episode 375 – The market forces of left-pad, Episode 77 remaster part 2

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an...
Open Source Security Podcast

Episode 374 – The event we called left-pad, Episode 77 remaster part 1

Josh and Kurt revisit Episode 77, which was named "npm and the supply chain" but was a discussion about the incident we all know now as "leftpad". We didn't understand what was happening at the time, but this would...
Open Source Security Podcast

Episode 373 – HHGG security, Episode 42 remaster part 2

This is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It's a fun show and it's shocking how many of these security themes are still...
Open Source Security Podcast

Episode 372 – HHGG security, Episode 42 remaster part 1

The podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools...
Open Source Security Podcast

Episode 371 – pip install is the tool we deserve but not the tool we need

Josh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a...
Open Source Security Podcast

Episode 370 – Open Source is bigger than you can imagine

Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it's mostly one person....
Open Source Security Podcast

Episode 369 – OpenAI broke ChatGPT then tried to blame open source

Josh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn't go very well. In this episode Josh and Kurt argue a lot, maybe someday we'll know who was the...
Open Source Security Podcast

Episode 368 – The Sovereign Tech Fund with Fiona Krakenbürger

Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it's doing today...
Open Source Security Podcast

Episode 367 – Open source will never be the same

Josh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There's a lot to unpack in this one. There's a lot of happenings going on in the world of...
Open Source Security Podcast

Episode 366 – Software liability is coming

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it's normal. In what instances should we know everything about our open source? The days...
Open Source Security Podcast

Episode 365 – “I am not your supplier” with Thomas Depierre

Josh and Kurt talk to Thomas Depierre about his "I am not a supplier" blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source...
Open Source Security Podcast

Episode 364 – Using SBOMs is hard

Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell...
Open Source Security Podcast

Episode 363 – Joylynn Kirui from Microsoft on DevSecOps

Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open...
The Register

Ukraine war blurs lines between cyber-crims and state-sponsored attackers

This RomCom is no laughing matter A change in the deployment of the RomCom malware strain has illustrated the blurring distinction between cyberattacks motivated by money and those fueled by geopolitics, in this case Russia's illegal invasion of Ukraine,...
SC Magazine

We need to refine and secure AI, not turn our backs on the technology 

While the potential poisoning of ChatGPT raises some concerns, we need to take this threat as an opportunity to better refine and secure emerging AI models.
The Hacker News

Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting...
The Hacker News

Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Million of Sites

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that’s installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0,...
The Register

Dark Pink cyber-spies add info stealers to their arsenal, notch up more victims

Not to be confused with K-Pop sensation BLACKPINK, gang pops military, govt and education orgs Dark Pink, a suspected nation-state-sponsored cyber-espionage group, has expanded its list of targeted organizations, both geographically and by sector, and has carried out at...