Tag: Open Source Security
Episode 394 – The lie anyone can contribute to open source
Josh and Kurt talk about filing bugs for software. There's the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can't. Filing bugs for both closed and open source...
Episode 393 – Can you secure something you don’t own?
Josh and Kurt talk about the weird world we live in, where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts...
Episode 392 – Curl and the calamity of CVE
Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of...
Episode 391 – The WordPress 100 year disaster recovery problem
Josh and Kurt talk about WordPress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think...
Episode 390 – Rust shipping binaries doesn’t matter
Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the classic story of security vs usability. Security is never the primary goal. If a security requirement doesn't...
Episode 389 – What would HashiCorp do?
Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view...
Episode 388 – Video game vulnerabilities
Josh and Kurt ask the question "what is a vulnerability?", but in the framing of video games. Security loves to categorize all bugs as either security vulnerabilities or not security vulnerabilities. But the reality is that nothing is so simple. Everything is...
Episode 387 – Enterprise open source is different
Josh and Kurt talk about the difference between what we think of as traditional open source, and enterprise software projects that have an open source license. They are both technically open source, but how the projects work is very...
Episode 386 – We are watching web 2.0 burn
Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad-driven companies seem to be acting very strangely; there's probably a reason for this. The way ads used to pay...
Episode 385 – Is open source an insider threat?
Josh and Kurt talk about insider threats, but not quite in the way one would expect. The potential for insider threats is possibly higher than usual right now, but what about open source? Are open source developers insider threats...
Episode 384 – What’s next for open source?
Josh and Kurt talk about some of the efforts to measure and understand open source. There are projects like the OpenSSF Scorecard. We want to measure open source for some idea of quality. Is AI generated code better than...
Episode 383 – Is open source dying?
Josh and Kurt talk about the notion that open source is somehow dying. What's actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great,...
Episode 382 – Red Hat, you were the chosen one!
Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn't a show that bashes Red Hat, and it's not a show praising them....
Episode 381 – WTF Reddit, APIs and risk
Josh and Kurt talk about the incredible Reddit debacle. At the center of it all is an API. What does it mean to be using an API, and how does this relate back to our own risk? Many...
Episode 380 – A new Sovereign Tech Fund program and the BBC on destroying hard drives
Josh and Kurt talk about a new program from the Sovereign Tech Fund to fund open source work. It's a great-looking program with an acceptable amount of money behind it. We also talk about a story claiming...