A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.

Episode 443 - The Supply Chain Security Crisis

August 25, 2024 34:23 32.99 MB Downloads: 0

Josh and Kurt talk about a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains, and much of the advice isn't realistic. If we want to take this seriously, we need to stop obsessing over the little problems and focus on some big problems.

Show Notes:
Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event
The Reason Train Design Changed After 1948

Episode 442 - The foundation of society, TLS certificates are a mess

August 18, 2024 40:35 38.95 MB Downloads: 0

Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society; everything needs them to function. There aren't a lot of positive ideas here; it's mostly a show where Kurt explains to Josh what's going on, because Josh doesn't want to care (and will continue to ignore all of this going forward).

Show Notes:
Firefox's Mozilla follows Google in losing trust in Entrust's TLS certificates
DigiCert Revocation Incident (CNAME-Based Domain Validation)
List of Trust Lists

Episode 441 - Is CWE useful?

August 11, 2024 33:23 32.04 MB Downloads: 0

Josh and Kurt talk about CWE. What is it, and why does it matter? We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing entire classes of vulnerabilities.

Show Notes:
CWE
Episode 360 – Memory safety and the NSA
Inside 22,734 Steam games

Episode 440 - "What is open source" talk Josh gave

August 04, 2024 34:36 33.2 MB Downloads: 0

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there are a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details of what open source is; their primary goal is to help keep development secure.

Show Notes:
Grassr00tz
Pamela Chestek copyright paper
Josh's presentation

Episode 439 - Where are all the youth in open source?

July 28, 2024 29:27 28.26 MB Downloads: 0

Josh and Kurt talk about a story about the "graying" of open source. There don't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created.

Show Notes:
The graying open source community needs fresh blood
OSPOs for Good 2024: Day 1 Part 1, Day 1 Part 2, Day 2 Part 1, Day 2 Part 2
FFmpeg bug
JSON Editor Online
https://rfc3339.com/

Episode 438 - CISA's bad OSS advice vs the Whitehouse good advice

July 21, 2024 34:52 33.46 MB Downloads: 0

Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse, on the other hand, takes an approach that is very open source: get involved. Trying to measure open source isn't producing anything actionable, but getting involved is very actionable, and very much how open source works.

Show Notes:
CISA: Continued Progress Towards a Secure Open Source Ecosystem
Whitehouse: Administration Cybersecurity Priorities for the FY 2026 Budget

Episode 437 - CocoaPods and proper funding for open source

July 14, 2024 36:50 35.35 MB Downloads: 0

Josh and Kurt talk about a pretty big bug found in CocoaPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important; we have to start to understand what's going on before we can plausibly discuss solutions. If you're an open source project that needs to put things on pause, or even walk away, that's OK.

Show Notes:
CocoaPods Vulnerabilities Could Hit Apple, Microsoft, Facebook, TikTok, Snap and More
The Expense of Unprotected Free Software
Long-term maintenance of PCRE2 #426

Episode 436 - OpenSSH and node-ip - it's all exponential growth

July 07, 2024 32:10 30.87 MB Downloads: 0

Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi-related in that two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we've ever seen. It's a weird conversation and we don't have good answers. Security in general is a collection of unsolvable problems.

Show Notes:
Qualys security advisory
Hacker News Discussion
Security Cryptography Whatever
Dev rejects CVE severity, makes his GitHub repo read-only

Episode 435 - polyfill.io - open source is too big to fix

June 30, 2024 38:50 37.27 MB Downloads: 0

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here to stay.

Show Notes:
Polyfill supply chain attack hits 100K+ sites
OpenSSF Scorecard

Episode 434 - Unreported vulnerabilities and everyone is getting hacked

June 23, 2024 31:17 30.02 MB Downloads: 0

Josh and Kurt talk about three angles of responsibility. We start with a story about a bike theft ring; bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked: it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there are some numbers for open source specifically.

Show Notes:
The West Coast’s Fanciest Stolen Bikes Are Getting Trafficked by One Mastermind in Jalisco, Mexico
$5 million worth of stolen tools recovered thanks to Apple's AirTag — 12 secret storage facilities had around 15,000 construction tools
Vulnerability fixes in plain sight: How your scanners are missing hundreds of vulnerabilities

Episode 433 - Should OpenSSH block misbehaving clients?

June 16, 2024 31:40 30.38 MB Downloads: 0

Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize misbehaving clients. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing; even if something fails, we learn a lesson that we can use in the future.

Show Notes:
OpenSSH introduces options to penalize undesirable behavior
Hacker News comments

Episode 432 - Flipper Zero with Alex Kulagin

June 09, 2024 33:08 31.8 MB Downloads: 0

Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation.

Show Notes:
Flipper Zero Website
Headphone jack radio capture
Flipper Zero on Tik Tok

Episode 431 - Redirecting HTTP to HTTPS

June 02, 2024 32:52 31.54 MB Downloads: 0

Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space, as you'll hear in the discussion. There's no simple solution, but this is certainly something to discuss.

Show Notes:
Your API Shouldn't Redirect HTTP to HTTPS
Hacker News discussion
HSTS Section 5.1

Episode 430 - Frozen kernel security

May 26, 2024 34:18 32.91 MB Downloads: 0

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future?

Show Notes:
Kurt's strange coffee
Why a 'frozen' distribution Linux kernel isn't the safest choice for security

Episode 429 - The autonomy of open source developers

May 19, 2024 32:06 30.8 MB Downloads: 0

Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security: security people love to tell developers what to do. Developers don't like being told what to do.

Show Notes:
pycurl issue
Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away
RSA ANIMATE: Drive: The surprising truth about what motivates us
Sudo-rs dependencies: when less is better
phishing webcomic
Debian OpenSSL Bug (16 years)