In this episode, I dig into the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on immutability and a minimal attack surface. Discover how these enhancements fortify your systems against vulnerabilities, ensuring a secure and resilient infrastructure. Join us as we explore the security advancements that make Talos Linux not only a super easy way to run Kubernetes, but also a very secure way. Episode Links Talos Linux Andrey This episode is also av...| Open Source Security
In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper, such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the ro...
In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub Actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale open-source repository, offering a glimpse into the future of secure software distribution. Tune in to learn how these advancements are shaping the...
In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program, some of the new things that have started to emerge, as well as why they seem to be struggling. We end on the note that the last 3 months haven’t been confidence inspiring. It’s likely in 6 months everyone will be scrambling to deal with a difficult ...
In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a single centralized ID system. The work CIRCL is doing on GCVE is very impressive; with all the current CVE turmoil, this is a project we should al...
In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU’s new legislative framework impacts manufacturers in ways we don’t totally understand, but it is going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implications for software security and the future of digital products in the European market. Episode Links Daniel Crab Nebula This episode is also avail...
In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. We discuss how open source can enhance security, the complexities of integrating third-party technologies, and the future of secure computing devices. Episode Links Jan Pleskac Tropic Square Tropic Square GitHub This episode is also available as a podcast, search...
I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. Episode Links Philippe AboutCode PURL AI-Generated Code Search This episode is also available as a podcast, search for “Open Source Security” on your favorit...
I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. Episode Links Aaron MITRE SAF This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to gain incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. Episode Links Andrew Ecosyste.ms Open Collective OpenSSF Issue 101 This episode is also available as a podcast, search for “Open Source Security” on...
Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl’s new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl project (and other open source projects too). Episode Links Daniel Curl Curl project founder snaps over deluge of time-sucking AI slop bug reports Curl...
I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. Episode Links Kairo RSTUF TUF RSTUF OpenSSF Slack Channel This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. The Update Framework (TUF) Fundamentals TUF has been around for a long time now, starting out as re...
William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away. Episode Link...
Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul’s Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul’s show concerning reference code for the popular ESP32 microcontroller. Episode Links Paul Eclypsium Below the surface podcast RVAsec This episode is also available a...
Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader, often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them. Episode Links Dimitri’s Linkedin Endor Labs Harden-Runner detection: tj-actions/changed-files...
I’m not a super expert in all this, but I know enough to be dangerous. If I make any mistakes, please let me know (there are many ways to contact me listed in the “Contact” menu). I will clearly mark any changes to the post due to errors, feel free to check back and see what I got wrong. Since the CVE people won’t tell us anything useful, let’s use Cunningham’s Law to our advantage.
I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. Episode Links Alan Syft Grype Grant Linux Matters podcast https://anchore.com/opensource/ This episode is also available as a podcast, search for “Open Source Security” on...
If you are a security nerd, and even if you’re not, you probably heard about the epic CVE mess that happened. It’s a very long story and was covered in many places, but the TL;DR was the funding for CVE fell through, panic ensued, then CISA found some temporary funds to keep the lights on, so everything is fine and we can all go back to normal. Well, some of us won’t go back to normal because the CISA funding is good for 11 months. Will there be more funding in 11 months? Will an asteroid ...
Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the “vulnerable until proven otherwise” approach is the best path forward for end of life software. Episode Links This episode is also available as a podcast, sear...
VulnCon 2025 is over. I didn’t go. A bunch of people have asked me why, and rather than keep my answer to a small group, I thought it would make sense to write something public about it all. The TL;DR is I went to a different conference that I thought was a better use of my time. The conference I went to was Cyphercon and BSides Milwaukee. They are regional conferences in Wisconsin. Good people, great shows, a lot of fun and learning. Yeah, it was technically the week before VulnCon, but I ...
Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag’s work shows how automated checks can catch breaking changes before they’re released, potentially saving projects from unexpected failures and making dependency updates less painful across the entire Rust ecosystem. Episode links Predrag’s Mastodon Predrag’s Blog “We never update unless forced to” — carg...
I got to chat with Lars about a new CI/CD system he’s been working on called Ambient. It sounds really cool and does some very clever things today, with even more things planned in the future. We also spend some time discussing a project he works on called Radicle, a distributed Git forge. It feels like having decentralized infrastructure might be more important than it’s ever been, for some reason.
When William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation, William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, you’re going to learn a ton. Episode links William’s Mastodon Yubico FEITIAN Token2 This episode is also available as a podcast, search for...
When Luis Villa said he was willing to talk to me about the CRA I knew it would be a great conversation. The number of actual lawyers who also work on open source issues isn’t large. Luis is one of those people and he has a ton of knowledge and insight he’s willing to share. Open source legal issues are especially weird because the very nature of the open source license was to hack copyright to give us more rights instead of less. So what did Luis have to tell us about the CRA?
I recently sat down with Brian Fox, CTO and co-founder of Sonatype, about a report they recently published about malware in open source ecosystems. This is something that’s not a surprise to anyone paying attention, but there are some things Sonatype is doing in this space that are very clever. I’ve known Brian for a long time so it was a treat to catch up and see what they found, and what it means for the future.
In the world of open source software, we often celebrate the code, the contributors, and the collaboration. But beneath the surface lies a world unknown to most. It’s not a secret, it’s just not something most of us pay attention to: the foundations that drive some of the open source projects. I had the opportunity to discuss this with Dr. Kelly Masada, who has served as president of the Open Information Security Foundation (OISF) for over 12 years. OISF is the organization behind Suricat...
If you use GitHub, you probably have “forked” a repo more times than you can count. It’s super common and the ideal way you can interact with a git repository you don’t control. But the idea of forking in open source can have another meaning, a far more interesting meaning. It’s when you take the open source project, and create a new open source project based on the first. It’s not as simple as clicking a button. The process is complicated and has a ton of corner cases.
When I started Open Source Security HeroDevs reached out and asked if I wanted to have a chat. I was pretty interested in this discussion because the work HeroDevs does today is very similar to the work I did at Red Hat for a decade. While what they work on is a bit different than the sort of things we shipped in a Linux distribution, the basic idea is still the same.
When I started Open Source Security I knew one of those topics that could use more attention was the security of CI/CD systems. All the talk about securing the supply chain seems to almost exclusively focus on the development stage as well as the deployment stage. It seems like there’s not enough attention happening to the build stage (spoiler: most of the successful attacks have happened at this stage). When François Proulx reached out to chat about CI/CD systems, I couldn’t say yes fas...
When I thought doing an episode about authentication would be a good idea, Marc Boorshtein was the first person who came to mind for me. Marc knows more about authentication than anyone I know, and he’s really good at talking about it in a coherent way. Marc is the CTO of Tremolo Security, he’s been doing authentication for more than 20 years, long before many of us even knew this whole identity and authentication thing was something we should care about.
Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL. And as one would expect, there are plenty of folks who think this is the best idea ever, and a bunch worried this will be the event that destroys modern civilized society. Today there’s not really a good place to track what is or isn’t end of life software. There are some datasets being worked on b...
I had a discussion with Dick Brooks about government regulations and open source software security. The conversation covered the frameworks that affect enterprise software, users of open source, and open source developers. At the moment, all these regulations don’t mean a ton for open source developers, which is good news. Dick is the co-founder of Business Cyber Guardian and former enterprise architect at ISO New England. He’s a self-proclaimed old school software engineer who worked at ...
I met Gary Kramlich a few years ago at the CypherCon security conference and we now chat on Signal about open source things. When I started Open Source Security I knew he was one of the people I wanted to talk to about what it looks like to keep a project, codebase, and community alive for more than a decade. Gary is the lead developer of the Pidgin chat program. You can find him at reaperworld.com
I had a discussion with Thomas Depierre about his experience with safety and how safety concepts can apply to the field of security. Thomas is an experienced SRE with a background in safety, he has thoughts on how people prevent disasters constantly, often without realizing it. You can find his blog at Software Maxims An audio version of this discussion is also available in podcast format. Look for “Open Source Security” wherever you get your podcasts.
https://traffic.libsyn.com/opensourcesecuritypodcast/2025-01-the_future_of_open_source_security.mp3 It’s a new year and time for some changes to the opensourcesecurity.io website. This site initially was meant to be the home of general open source security content, and has carried the name “Open Source Security” since 2018. Much of the content hosted here has been from the Open Source Security Podcast, it’s time to wrap up the podcast to put the focus back on Open Source Security (dot ...
Josh and Kurt talk about new NIST password guidance. There’s some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There’s more strict guidance against rotating passwords and complex passwords. This new guidance gives us a lot to look forward to. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_461_The_new_NIST_password_guidance.mp3 Show Notes Usagi Electric NIST proposes barring some of the most nonsensical password rules NIST...
Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It’s all very complex. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_460_Santas_Supply_Chain_Security.mp3 Show Notes Project Gunman
Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it’s because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_459_CWE_Top_25_List.mp3 Show Notes 2024 CWE Top 25 Most Dangerous Software Weaknesses Set of 9 Unusual O...
Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from messages in the past. The reason for this is it appears the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encrypt all the traffic. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_458_FBI_endorses_E2E_encryption.mp3 Show Notes Salt Typhoon U.S. of...
Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is almost all consumer gear you plug into the internet is terrible. And there’s little hope it will get better anytime soon. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_457_The_D-Link_D-bacle.mp3 Show Notes China has utterly pwned ’thousands and thousands’ of devices at US telcos D-Link tells users to trash old...
Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It’s easy to claim that source code being available doesn’t matter. But the reality is when source code is needed, it can make a huge difference for everyone working together, just like we saw with xz. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_456_What_if_XZ_happened_to_a_company_The_openne...
Josh and Kurt talk about the way WordPress vets their plugins. While WordPress has been in the news lately, they do some clever things to get plugins approved. There’s a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_455_Wordpress_plugin_security.mp3 Show Notes Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch Kurt’s...
Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is not lost! There are some great ideas on what the future needs to look like. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_454_The_state_of_open_source_with_Brian_Fox_from_Sonatype_and_Donald_Fische...
Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software, which sounds like a great way to force change to happen. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_453_Software_Liability.mp3 Show Notes Request for Comment on Product S...
Josh and Kurt talk about the Meshtastic open source project. It’s a really slick mesh radio system that runs on very cheap radio equipment. This episode isn’t very security related (there are a few things), but it is very open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_452_All_about_Meshtastic.mp3 Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous Meshtastic Routing Issues & Deployment Scenarios TC2-B...
Josh and Kurt talk to Seth Larson from the Python Software Foundation about securing the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but that are super important work. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_451_Python_security_with_Seth_Larson.mp3 Show Notes Seth Larson XKCD PGP Signature Seth’s Blog Python...
It’s once again time for the outrage generators on social media to ask if SBOMs have any value. This seems to happen a few times a year. Probably lines up with the pent up excitement while we wait for the McRib to return. I could dig up a few examples of these articles but I can’t be bothered, and it doesn’t matter. I’d rather spend my time searching for a McRib … I mean, writing this blog post.
Josh and Kurt talk about the current WordPress / WP Engine mess. In what is certainly a supply chain attack, the Advanced Custom Fields plugin was forked. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn’t be this exciting. The bad sort of exciting. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_450_Whats_Wrong_With_Wordpress.mp3 Show Notes WordPress.org’s latest move involves taking con...
Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn’t all that exciting, but the whole disclosure process was wild. There’s a lot to talk about, many things didn’t quite go as planned and it all leaked early. Let’s talk about why and what it all means. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_449_The_CUPSpocalypse.mp3 Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd is not about what you love; it’s about how you love it
Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there’s also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of “just security harder”. We need CISA to be leading the way funding and defining security, not blaming vendors for giving the market what it demands.
Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus on a few of the statistics that should worry anyone who uses open source. We’ve known for a while developers are struggling, and the numbers back that up. This one feels like the old “we’ve tried nothing and we’re all out of ideas”. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_447_The_Tidelift_2024_open_source_maintainer_report.mp3 Show Notes THE...
Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters. There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasonable way. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_446_Researchers_took_over_MOBI_TLD.mp3 Show Notes We Spent $20 To Achieve RCE ...
Josh and Kurt talk to Jay Jacobs about the Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It’s a metric for the likelihood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger risk equations. It’s a really fun discussion.
Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it’s becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_444_Open_Source_and_End_of_Life.mp3 Show Notes Chrome dumped support for Ubuntu 18.04 – but it’ll be back Linus Torvalds talks AI, Rust adoption, and why the Linux ker...
Josh and Kurt talk about an article discussing a Black Hat story that references supply chains. There’s a ton of doom and gloom around our software supply chains and much of the advice isn’t realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_443_The_Supply_Chain_Security_Crisis.mp3 Show Notes Black Hat USA 2024: Key Takeaways from the Premier Cyber...
Josh and Kurt talk about a few stories around the TLS CA certificate world. It’s all pretty dire sounding. There’s not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There’s not a lot of positive ideas here, it’s mostly a show where Kurt explains to Josh what’s going on, because Josh doesn’t want to care (and will continue to ignore all of this going forward).
Josh and Kurt talk about CWE. What is it, and why does it matter? We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing entire classes of vulnerabilities. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_441_Is_CWE_useful.mp3 Show Notes CWE Episode 360 – Memory safety and the NSA Inside 22,734 Steam games
Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there’s a lot of interesting details in the questions and comments that emerged. It’s clear a lot of security people don’t really care about the fine details of what open source is, their primary goal is to help keep development secure.
Josh and Kurt talk about a story about the “graying” of open source. There doesn’t seem to be many young people working on open source, but we don’t really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_439_Where_are_all_the_youth_in_open_source.mp3 Show Notes The graying open so...
Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are “good”. The Whitehouse on the other hand takes an approach that is very open source, get involved. Trying to measure open source isn’t producing anything actionable, but getting involved is very actionable, and very much how open source wo...
Josh and Kurt talk about a pretty big bug found in CocoaPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss the long-term sustainability of open source. There aren’t any good solutions for open source today, but talking about these problems is important, we have to start to understand what’s going on before we can plausibly discuss solutions. If you’re an open source project that needs to put things on pause, or even wa...
Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They’re quasi related in the context of two open source projects that handled bugs very differently. The OpenSSH bug isn’t really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we’ve ever seen. It’s a weird conversation and we d...
Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don’t have any answers, and it’s hard to even talk about this problem because it’s so big. The thing is though, even if we can’t fix open source, it’s here to stay. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_435_polyfill_io_open_source_is_too_big_to_fix.mp3Show Notes Polyfil...| Open Source Security
Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn’t usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it’s because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there’s some numbers for open source specifically.| Open Source Security
Josh and Kurt talk about a new proposal from OpenSSH to add a timeout that penalizes misbehaving clients. But this then brings up the typical security conversation of “if it’s not perfect we shouldn’t do it”. Trying new things is a good thing; even if something fails, we learn a lesson that we can use in the future. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_433_Should_OpenSSH_block_misbehaving_clients.mp3 Show Notes OpenSSH introduces options to penalize undesirable beh...| Open Source Security
Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It’s one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can’t) do. It’s a really fun conversation. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_432_Flipper_Zero_with_Alex_Kulagin.mp3 Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok| Open Source Security
Josh and Kurt talk about a blog post titled “Your API Shouldn’t Redirect HTTP to HTTPS”. It’s an interesting idea, and probably a good one: a redirect quietly forgives a client that already sent its credentials in the clear, while a hard failure makes the mistake visible. There is however a lot of baggage in this space as you’ll hear in the discussion. There’s no simple solution, but this is certainly something to discuss. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_431_Redirecting_HTTP_to_HTTPS.mp3 Show Notes Your API Shouldn’t Redirect HTTP to HTTPS Hacker News discussion HSTS Section 5.1| Open Source Security
Josh and Kurt talk about a blog post on whether frozen kernels are really more secure. We cover some of the history and how a frozen kernel works, and discuss why they can end up less secure. The frozen kernel model dates from a time when things worked very differently. What sort of changes will we see in the future? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_430_Frozen_kernel_security.mp3 Show Notes Kurt’s strange coffee Why a ‘frozen’ distribution Linux kernel isn’t the safest choice for security| Open Source Security
Josh and Kurt talk about open source and autonomy. This is even related to some recent return-to-office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security: security people love to tell developers what to do, and developers don’t like being told what to do.| Open Source Security
Josh and Kurt talk about a new way to sign artifacts on GitHub. It’s in beta, it’s not going to be easy to use, it will have bugs. But that’s all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_428_GitHub_artifact_attestation.mp3 Show Notes GitHub artifact attestation| Open Source Security
Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it’ll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_427_Will_run0_replace_sudo.mp3 Show Notes Conan O’Brien on Hot Ones Lennart’s Mastodon thread xkcd automation| Open Source Security
Josh and Kurt talk about a paper describing using an LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can’t keep up with the number of vulnerabilities we have; there’s no way we can possibly keep up with a glut of LLM-generated exploits. We really need to rethink how we handle vulnerabilities. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_426_Automatically_exploiting_...| Open Source Security
Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don’t lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_425_Video_game_cheaters_also_pretendo.mp3 Show Notes Hacker News searchable database Benford’s ...| Open Source Security
Josh and Kurt talk about a Notepad++ fake website. It’s possibly not illegal, but it’s certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It’s probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn’t really notice. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_424_The_Notepad_Parasite_Website.mp3 Show Notes Help us to take down the parasite website O...| Open Source Security
Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It’s a really weird and hard problem. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_423_FCC_cybersecurity_label_for_consumer_devices.mp3 Show Notes ...| Open Source Security
Josh and Kurt talk about the recent events around XZ. It’s only been a few days, and it’s amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can’t fix this problem as it stands, we don’t know where to start yet. But that’s not a reason to lose hope. We can fix this if we want to, but it won’t be flashy, it’ll be hard work.| Open Source Security
Josh and Kurt talk about the security.txt file. It’s not new, but it’s not something we’ve discussed before. It’s a great idea, an easy format, and well defined. It’s not high on many of our todo lists, but it’s something worth doing. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_422_Do_you_have_a_securitytxt_file.mp3 Show Notes RFC 9116| Open Source Security
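The format really is that easy: one `Field: value` per line, `#` comments, served at `/.well-known/security.txt` over HTTPS. The mistakes people actually make are the ones RFC 9116 calls MUSTs: no `Contact`, a `Contact` that is a bare email address rather than a `mailto:` URI, no `Expires` (or a stale one), and `Preferred-Languages` repeated. Below is an added example written for this page, not code from the podcast or from the RFC, that checks those rules on two constructed files; the clock is pinned to a fixed `FIXED_NOW` so the output is reproducible, and `validate()` takes a real `now` in normal use.

```python
"""Lint a security.txt body against the RFC 9116 requirements most often missed.

Added example for this page; the sample files are constructed, not a real site's.
"""
import re
from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116 (field names are case-insensitive). Other names are
# extension fields: the RFC says to ignore them, so we only warn.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

# Pinned clock so the demo and test are deterministic; pass a real `now` in production.
FIXED_NOW = datetime(2098, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return ({lowercased field: [values...]}, [warnings])."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {name!r} (extension field, ignored by parsers)")
        fields.setdefault(name, []).append(value.strip())
    return fields, problems


def validate(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not URI_SCHEME.match(c):
            problems.append(f"Contact must be a URI (e.g. mailto:, https://, tel:), got {c!r}")
        elif c.lower().startswith("http://"):
            problems.append(f"Contact web URLs must be https://, got {c!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif exp <= now:
                problems.append(f"file expired on {exp.isoformat()}")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC recommends under a year)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")

    for name in ("canonical", "policy", "encryption", "acknowledgments", "hiring"):
        for v in fields.get(name, []):
            if v.lower().startswith("http://"):
                problems.append(f"{name} should point at an https:// URL, got {v!r}")
    return problems


# Constructed sample files (example.com is a placeholder, not a real deployment).
SAMPLE_OK = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00.000Z
Preferred-Languages: en
Preferred-Languages: de
Policy: http://example.com/policy
"""

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(f"--- {label}: {validate(body, now=FIXED_NOW) or 'no problems'}")
```

Run it against a real file with `curl -s https://example.com/.well-known/security.txt | python3 -c 'import sys; from lint import validate; print(validate(sys.stdin.read()))'` (module name assumed). Beyond what this lints, the RFC also wants the file signed (a cleartext PGP signature over the body) so that an attacker who can write to your web root cannot redirect researchers to an address they control; a signature check needs a keyring and is left out here.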
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn’t very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It’s going to take a long time to see big changes in supply chain security, but we’re confident they will come. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_421_CISA_new_SSDF_attestation_form.mp3 Show Notes Secure Software Development Attestation Form The U.S. Military Is Missi...| Open Source Security
Josh and Kurt talk about what’s going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it’s sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won’t go back to the way they were. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_420_Whats_going_on_at_NVD.mp3 Show Notes Anchore’s Blog Grype Josh’s Cyphercon Talk Ecosyste.ms Episode 266 –...| Open Source Security
Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how we can try to find signal in all the noise of a massive ecosystem like GitHub. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_419_Malicious_GitHub_repositories.mp3 Show Notes GitHub besieged by millions of malicious repositories in ongoing attack| Open Source Security
Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren’t impossible problems. Sometimes we forget that. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_418_Being_right_all_the_time_is_hard.mp3 Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto theft tech device ‘Flipper Zero’ Gmail ...| Open Source Security
Josh and Kurt talk to GregKH about Linux Kernel security. We mostly focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_417_Linux_Kernel_security_with_Greg_K-H.mp3 Show Notes Greg K-H Linux Kernel is a CNA Machine learning and stable kernels Bug reporting for...| Open Source Security
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what’s happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It’s not easy, but it is possible. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_416_Thomas_Depierre_on_open_source_in_Europe.mp3 Show Notes Thomas Depierre I am not a s...| Open Source Security
Josh and Kurt talk about a blog post explaining how to create a very, very small container image. Generally in the world of security less is more, but it’s possible to remove too much. A lot of today’s security tooling relies on certain things existing in a container image (package databases, a shell, the package manager’s metadata); removing them can actually result in worse security than leaving them in, because the scanners go blind. It’s a weird topic, but probably pretty important.| Open Source Security
Josh and Kurt talk about open source projects providing builds, and things nobody wants to pay for in open source. It’s easy to have unrealistic expectations for open source projects, but we have the open source that capitalism demands. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_414_The_exploited_ecosystem_of_open_source.mp3 Show Notes Open Source Doesn’t Require Providing Builds The things nobody wants to pay for Audacity privacy policy update has caused an outcry The Hist...| Open Source Security
Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of operating a large open source project. The NPM situation continues to show the difficulty in trying to backdoor open source. Many people are watching, and it only takes one person to notice a problem and report it, and we all benefit. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_413_PyTorch_and_NPM_get_attacked_but_its_OK.mp3 Show Notes Peanut Butter the dog plays Gyromite The...| Open Source Security
Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It’s obviously the fault of the users, but there’s still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don’t want to. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_412_Blame_the_users_for_bad_passwords.mp3 Show Notes Security leaders weigh in on 23andme hack Don’t need a gun when you have a Donk - Crocodile Dundee 2 Hackers can...| Open Source Security
Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_411_The_security_tools_that_started_it_all.mp3 Show Notes SELinux AppArmor SSH ModSecurity Snort Nmap Nessus What comes after open source| Open Source Security
Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it’s not. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_410_Package_identifiers_are_really_hard.mp3 Show Notes OpenSSF CISA response purl CPE OmniBOR SWID| Open Source Security
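Part of why it only feels easy: even purl, the simplest of the four, has a grammar (`pkg:type/namespace/name@version?qualifiers#subpath`) plus per-ecosystem normalisation rules, and two strings that look different can name the same package while two that look alike can differ. The following is an added example for this page, not the OpenSSF or CISA material and not the purl project’s reference library; it implements the published purl layout and a deliberately small subset of the type-specific rules (pypi, github, bitbucket), and the inputs are constructed.

```python
"""Parse and re-serialise package-url (purl) strings.

Added example for this page, not the purl reference implementation. Covers the
generic grammar plus a small subset of type-specific normalisation rules.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(s: str) -> Purl:
    if not s.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = s[len("pkg:"):].lstrip("/")        # spec tolerates 'pkg://'

    # Peel components from the right so separators inside earlier parts cannot confuse us.
    subpath = None
    if "#" in rest:
        rest, sub = rest.split("#", 1)
        segs = [unquote(p) for p in sub.strip("/").split("/") if p and p not in (".", "..")]
        subpath = "/".join(segs) or None

    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, q = rest.split("?", 1)
        for pair in q.split("&"):
            key, _, val = pair.partition("=")
            key = key.lower()
            if not key or not val:          # an empty value means the qualifier is absent
                continue
            if key in qualifiers:
                raise ValueError(f"duplicate qualifier {key!r}")
            qualifiers[key] = unquote(val)

    version = None
    if "@" in rest:
        rest, ver = rest.rsplit("@", 1)     # rightmost '@': a namespace like '@angular' stays intact
        version = unquote(ver) or None

    segments = rest.strip("/").split("/")
    ptype = segments[0].lower()             # type is always case-insensitive
    if not ptype:
        raise ValueError("missing type")
    if len(segments) < 2 or not segments[-1]:
        raise ValueError("missing name")
    name = unquote(segments[-1])
    namespace = "/".join(unquote(p) for p in segments[1:-1] if p) or None

    # Type-specific normalisation (subset; see the purl-types spec for the full list).
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None

    return Purl(ptype, name, namespace, version, qualifiers, subpath)


def to_string(p: Purl) -> str:
    """Canonical form: percent-encode each segment, sort qualifiers by key."""
    out = "pkg:" + p.type + "/"
    if p.namespace:
        out += "/".join(quote(seg, safe="") for seg in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(quote(seg, safe="") for seg in p.subpath.split("/"))
    return out


def same_package(a: str, b: str) -> bool:
    """True when two purl strings identify the same package after normalisation."""
    return to_string(parse_purl(a)) == to_string(parse_purl(b))


if __name__ == "__main__":
    for s in ("pkg:npm/%40angular/animation@12.3.1",
              "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?packaging=sources",
              "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
              "pkg:PyPI/Django_Rest@3.14"):
        print(s, "->", parse_purl(s), "->", to_string(parse_purl(s)))
```

The `same_package` helper is where the difficulty the episode describes shows up: `pkg:PyPI/Django_Rest@3.14` and `pkg:pypi/django-rest@3.14` are the same package only because the pypi rule says so, while for most other types case and underscores are significant, so a matcher that lowercases everything will merge packages that are actually different.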
Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how, if you look around, we don’t really own anything anymore. There’s a great talk from the Blender Conference about this and how the GPL makes a difference in the world of software ownership. It’s sort of a dire conversation, but not all hope is lost. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_409_You_wouldnt_hack_a_train_fixed.mp3 Show Notes Polish manufacturer acc...| Open Source Security
Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It’s a lively discussion all about the past, present, and future of open source LTS. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_408_Does_Kubernetes_need_long_term_support_fixed.mp3 Show Notes Why Kubernetes needs an LTS Linux gives up on 6-year LTS kernels, says they’re too much work| Open Source Security
It’s the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There’s some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us in the near future (if it isn’t already). While less fun than we had hoped for, it’s an important conversation.| Open Source Security
Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in MacBooks. The common thread between all these stories is looking at the return on investment for security. Sometimes good enough security is fine; sometimes it’s not worth fixing certain security problems because the risk vs reward doesn’t work out. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode...| Open Source Security
Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details and focus on doing something that feels “right”. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_405_Modding_games_isnt_cheating_a...| Open Source Security
Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There are a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It’s easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. And the government plays by a very different set of rules. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_403_Does_the_government_banning_apps_work.mp3 Show Notes Canada bans WeCh...| Open Source Security
Josh and Kurt talk about the new EU eIDAS regulation. This is a regulation that would force web browsers to add root certificates based on law instead of technical merits, which is how it’s currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_402_The_EUs_eIDAS_regulation_is_a_terrible_idea.mp3 Show Notes Mozilla site Root CA mailing list UK eIDAS regulation EFF statement...| Open Source Security
Josh and Kurt talk about the security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there’s not a lot of movement to fix many of them. Tech is weird and hard, and the almost complete lack of regulation creates some of these challenges. In the world of security we need a better talent pipeline, but that takes actual effort, not just complaining o...| Open Source Security
Josh and Kurt talk about a Dutch proposal that would allow the intelligence services to hack victims of adversaries they are in the process of infiltrating. The purpose of this discussion isn’t to focus on the Dutch specifically, but rather to discuss the larger topic of government oversight. These are all very new concepts and nobody knows how things should work. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_400_When_can_the_government_hack_a_victim.mp3 Show Notes D...| Open Source Security
Open Source is one person| Open Source Security
Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront.| Open Source Security