A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Similar Podcasts
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
Security Now (Audio)
Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of SpinRite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.
Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 21:30 UTC.
Go Time: Golang, Software Engineering
Your source for diverse discussions from around the Go community. This show records LIVE every Tuesday at 3pm US Eastern. Join the Golang community and chat with us during the show in the #gotimefm channel of Gophers slack. Panelists include Mat Ryer, Jon Calhoun, Carmen Andoh, Johnny Boursiquot, Angelica Hill, Mark Bates, Kris Brandow, and Natalie Pistunovich. We discuss cloud infrastructure, distributed systems, microservices, Kubernetes, Docker… oh and also Go! Some people search for GoTime or GoTimeFM and can’t find the show, so now the strings GoTime and GoTimeFM are in our description too.
Episode 348 - OpenSSL is the new lead paint
Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don't migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. Show Notes OpenSSL Blog Post OpenSSL pre-announcement Mark Cox Tweet 3.0 only affected GossiTheDog NDA Tweet Claims of a name and logo Rustls Image Credit
Episode 347 - Airtags in luggage and weasel security - two peas in a suitcase
Josh and Kurt talk about Lufthansa trying to ban Airtags. This has a similar feel to all the security events where a company tries to hand waive away a security problem then having to walk back all their previous statements. There is almost always a massive imbalance between the large companies and consumers. Show Notes Lufthansa bans airtags Airtag stalking problems Lufthansa unbans airtags Cult of the Dead Cow book TV Typewriter Andre the Giant on an airplane Poison Squad
Episode 346 - Security and working from home have terrible things in common
Josh and Kurt talk about stories detailing tech working with multiple jobs. This raises some questions about fairness, accountability, and the future of work. As an industry we are very bad at measuring what we do, which is a problem shared with many jobs currently working from home. Show Notes Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs Business Insider 2 jobs story Ken Thompson lines of code
Episode 345 - Cheap hacking devices turn security upside down
Josh and Kurt talk about ineffective security from the past we still use today. There has been a great deal of progress in the last few decades bringing us amazing products like the Flipper Zero, cameras that can peer inside locks, and even software defined radio. A great deal of security relies on people not having easy access to these cheap devices. What does this mean for the future of security? Show Notes Cloning a Rare ISA Card to Use a Rare CD Drive Vintage Tech YouTubers Discussion Panel | VCFMW 17 (2022) Flipper Zero Lock camera HackRF One The history of Hash Reddit post-it notes in apartment
Episode 344 - Python tarfile - 2022 is nothing like 2007
Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what's OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022. Show Notes CVE-2007-4559 Red Hat Bug Register story Response from upstream Upstream patch ZippSlip Current upstream bug CSURF
Episode 343 - Stop trying to fix the open source software supply chain
Josh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. Show Notes Iliana's Twitter There is no “software supply chain” Google supply chain blog GitHub ansi_term advisory PyPI 2FA Dashboard tarfile issue rediscovered in 2022
Episode 342 - Programming languages are the new operating system
Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes Kelsey Hightower tweet OSS-Fuzz
Episode 341 - Time till open source alternative
Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it. Show Notes Time Till Open Source Alternative GitHub Desktop issue 78 The Reddit Safe
Episode 340 - Let's chat about Let's Encrypt with Josh Aas
Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects. Show Notes Josh Aas Internet Security Research Group (ISRG) Let's Encrypt Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas New Major Funding from the Ford Foundation ISRG annual reports Peter Eckersley
Episode 339 - Is a network problem a security vulnerability
Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05
Episode 338 - The government didn't make vulnerabilities illegal. Yet.
Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security. Show Notes The Hacker Mind The Untold Stories of Open Source H.R.7900 - National Defense Authorization Act for Fiscal Year 2023 Kurt's blog post
Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why
Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction. Show Notes Dustin Childs ZDI Sloppy Software Patches Are a ‘Disturbing Trend’ Zero Day Initiative launches new bug disclosure timelines ISO 28147
Episode 336 - We don't have data data, we have security biases
Josh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey. Show Notes Tweet about data The 6 most common types of bias when working with data Syft and Grype stars graph John Snow, Cholera, the Broad Street Pump Bob Lord tweet
Episode 335 - Bull*&$% security ideas
Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can. Show Notes The tweet that started it all Mark Loveless Mark Manning Richard (Dick) Brooks @ImbecillicusRex What Train Have We Got? Dan Alejo 🏳️🌈 postmodern 🇺🇸 Robert C. Seacord 🇺🇦 Yip Wai Peng Sachin Shahi
Episode 334 - Leap seconds break everything
Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here. Show Notes How and why the leap second affected Cloudflare DNS Facebook wants to get rid of leap seconds Leap Smear Falsehoods programmers believe about time