Open Source Security Podcast

Josh and Kurt talk about the weird world we live in how where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how can we decide what to trust and where. It's a very strange problem we experience now. Show Notes Boots theory MGM cybersecurity issue shuts down slot machines and ATMs in Las Vegas casinos New York Fire Department Forcible Entry Reference Guide Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works. Show Notes Curl blog post Now it's PostgreSQL's turn to have a bogus CVE GitHub Advisory Database Josh's "CVE tried to get me fired" story

Josh and Kurt talk about wordpress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think about 100 years of disaster recovery. Show Notes WordPress is now selling 100-year domains Danish ransomware 15-Minute City The Year Without Pants

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the class story of security vs usability. Security is never the primary goal. If a security requirement doesn't also enable other business goals it will fail. We also touch on the news of a Rust package containing binary files. It doesn't really have anything to do with security, it's all about convenience. Show Notes C and C++ Prioritize Performance over Correctness Nisha's toot Barry Marshall Rust devs push back as Serde project ships precompiled binaries Why DARPA Hopes To 'Distill' Old Binaries Into Readable Code Mario 64 decompilation

Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward. Show Notes Josh's BSidesLV talk Hacker News marked site as malware HashiCorp license change A Theory of Joint Authorship for Free and Open Source Software Projects

Josh and Kurt ask the question what is a vulnerability, but in the framing of video games. Security loves to categorize all bugs as security vulnerabilities or not security vulnerabilities. But the reality nothing is so simple. Everything is a question of risk, not vulnerability. The discussion about video games can help us to better have this discussion. Show Notes Colossus bug Minecraft Heist

Josh and Kurt talk about the difference between what we think of as traditional open source, and enterprise software projects that have an open source license. They are both technically open source, but how the projects work is very very different. Show Notes CentOS Stream PR The Most Prolific Packager For Alpine Linux Is Stepping Away

Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad driven companies seem to be acting very strangely, there's probably a reason for this. The way ads used to pay for content is changing, but a lot of these giant companies don't know how to adapt. It's going to be very interesting times in the near future. Show Notes Web Environment Integrity Hacker News Thread Island Browser hunter2

Josh and Kurt talk about insider threats, but not quite in the way one would expect. The potential for insider threats is possibly higher than usual right now, but what about open source? Are open source developers insider threats for your organization? Have you ever thought about this before? Show Notes CISA insider threats hacks4pancakes toot Don’t Trust a Programmer Who Knows C++ CISA Insider Threat Mitigation

Josh and Kurt talk about some of the efforts to measure and understand open source. There are projects like the OpenSSF Scorecard. We want to measure open source for some idea of quality. Is AI generated code better than a random open source project found on GitHub? Can we track the countries contributors are from? These are all interesting problems that everyone will have to deal with soon. Show Notes OpenSSF Scorecard

Josh and Kurt talk about the notion that open source is somehow dying. What's actually happening is corporate open source is changing, which some are trying to deform into something wrong with open source. Open source is doing great, probably better than ever. Show Notes Open Source isn't sustainable anymore VORON Design Video of the first lathe Plane Crazy Evernote layoffs

Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn't a show that bashes Red Hat, and it's not a show praising them. We take an honest look at the past, present, and future of Linux. There's a lot to talk about in this one. TL;DR, Red Hat was the chosen on, and we all feel betrayed. Show Notes Red Hat's first blog post Red Hat's honest post DeWitt clause

Josh and Kurt talk about the incredible Reddit debacle. At the center of it all is an API. What does it mean to be using an API and how does this relate itself back to our own risk. Many of us rely on APIs for countless things, and if a company decides to cut off that API somehow, it could create a mess. Show Notes Grimace's Birthday Reddit’s new API pricing will kill off Apollo on June 30 Cory Doctorow enshitification Wal Mart pickle story Elon Musk and Mark Zuckerberg agree to hold cage fight

Josh and Kurt talk about a new program from the Sovereign Tech Fund to fund open source work. It's a great looking program with an acceptable amount of money behind the program. We also talk about a story claiming millions of perfectly good hard drives are destroyed per year. They're probably not OK at all. Show Notes Sovereign Tech Fund Challenges Why millions of usable hard drives are being destroyed LTT Buys Storage Array

Josh and Kurt talk about some new open source projects that aim to start taking back some of our privacy and rights. It's a huge hill to climb, but it seems like there is some hope. Open source doesn't care about growth, or numbers, or anything really, so it can't ever lose. Show Notes Codeberg Veilid Hawkins Cheezies Apollo's Reddit API costs

Josh and Kurt talk about namespaces. They were a topic in the last podcast, and resulted in a much much larger discussion for us. We decided to hash out some of our thinking in an episode. This is a much harder problem than either of us expected. We don't have any great answers, but we do have a lot of questions. Show Notes Not Red Hat NPM hash package Episode 129 – The EU bug bounty program

Josh and Kurt talk about PyPI suspending new accounts and packages for a day, and a 60 minutes story about deepfakes. The problems are mostly the same, but for very different reasons. The world is changing faster than we can keep up, so what is a human to do? Show Notes PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted](https://thehackernews.com/2023/05/pypi-repository-under-attack-user-sign.html) 60 minutes reporter voice clone Cooridor Crew deepfakes Certificate bit flip Candy is delicious

Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen. Show Notes SLSA FRSCA S2C2F MSI leak Intel microcode Tom Scott AI Video

Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn't there. it may never be there. Rather than whine and complain, we need to work with our constraints. Show Notes Episode 77 – npm and the supply chain

Josh and Kurt revisit Episode 77, which was named "npm and the supply chain" but was a discussion about the incident we all know now as "leftpad". We didn't understand what was happening at the time, but this would become an event we talk about for years to come. It's shocking how many of the things we discuss are still completely valid five years later. Show Notes Episode 77 – npm and the supply chain