A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Similar Podcasts
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
Go Time: Golang, Software Engineering
Your source for diverse discussions from around the Go community. This show records LIVE every Tuesday at 3pm US Eastern. Join the Golang community and chat with us during the show in the #gotimefm channel of Gophers slack. Panelists include Mat Ryer, Jon Calhoun, Carmen Andoh, Johnny Boursiquot, Angelica Hill, Mark Bates, Kris Brandow, and Natalie Pistunovich. We discuss cloud infrastructure, distributed systems, microservices, Kubernetes, Docker… oh and also Go! Some people search for GoTime or GoTimeFM and can’t find the show, so now the strings GoTime and GoTimeFM are in our description too.
The FOSS Pod
From the creative geniuses behind Brad & Will Made a Tech Pod, The FOSS Pod is a show about the free and open source software that’s changing the world, and the developers who are making it happen.
Episode 343 - Stop trying to fix the open source software supply chain
Josh and Kurt talk about a blog post that explains there isn't really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. Show Notes Iliana's Twitter There is no “software supply chain” Google supply chain blog GitHub ansi_term advisory PyPI 2FA Dashboard tarfile issue rediscovered in 2022
Episode 342 - Programming languages are the new operating system
Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes Kelsey Hightower tweet OSS-Fuzz
Episode 341 - Time till open source alternative
Josh and Kurt talk about the Time Till Open Source Alternative blog post. The numbers probably don't mean what we think they mean anymore. A lot of modern open source is really corporate controlled. Just because something carries an open source license doesn't mean you can contribute to it. Show Notes Time Till Open Source Alternative GitHub Desktop issue 78 The Reddit Safe
Episode 340 - Let's chat about Let's Encrypt with Josh Aas
Josh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects. Show Notes Josh Aas Internet Security Research Group (ISRG) Let's Encrypt Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas New Major Funding from the Ford Foundation ISRG annual reports Peter Eckersley
Episode 339 - Is a network problem a security vulnerability
Josh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05
Episode 338 - The government didn't make vulnerabilities illegal. Yet.
Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It's actually not a huge deal, for most of us it's really just time to deal with product security. Show Notes The Hacker Mind The Untold Stories of Open Source H.R.7900 - National Defense Authorization Act for Fiscal Year 2023 Kurt's blog post
Episode 337 - Security patches are getting worse - Dustin Childs from ZDI tells us why
Josh and Kurt talk to Dustin Childs about the recent ZDI Black Hat talk where they discovered the current trend of security patches not actually fixing the security problem. We talk about what this problem means. Why is it happening, and what ZDI is doing to try nudge the industry in the right direction. Show Notes Dustin Childs ZDI Sloppy Software Patches Are a ‘Disturbing Trend’ Zero Day Initiative launches new bug disclosure timelines ISO 28147
Episode 336 - We don't have data data, we have security biases
Josh and Kurt talk about our lack of security and some of the data bias problems that can emerge. A lot of what we think is security data is really just biased data. This is OK as long as we understand the data is broken and know this is the first step in a longer journey. Show Notes Tweet about data The 6 most common types of bias when working with data Syft and Grype stars graph John Snow, Cholera, the Broad Street Pump Bob Lord tweet
Episode 335 - Bull*&$% security ideas
Josh and Kurt talk about a tweet from @kmcquade3 asking the question "What's a concept in security that is generally accepted as true but is actually bull%$#*?" How many of the replies make sense? Most of them do. We go over some of the best replies as fast as we can. Show Notes The tweet that started it all Mark Loveless Mark Manning Richard (Dick) Brooks @ImbecillicusRex What Train Have We Got? Dan Alejo 🏳️🌈 postmodern 🇺🇸 Robert C. Seacord 🇺🇦 Yip Wai Peng Sachin Shahi
Episode 334 - Leap seconds break everything
Josh and Kurt talk about leap seconds. Every time there's a leap second, things break. Facebook wants to get rid of them because they break computers, but Google found a clever way to keep leap seconds without breaking anything. Corner cases are hard, security is often just one huge corner case. There are lessons we can learn here. Show Notes How and why the leap second affected Cloudflare DNS Facebook wants to get rid of leap seconds Leap Smear Falsehoods programmers believe about time
Episode 333 - Open Source is unfair
Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It's mostly unfair to developers if you look at the big picture. Show Notes Syft Grype Microsoft bans and unbans open source Tidelift survey Bruce Perens - What comes after open source
Episode 332 - PyPI: 2FA or not 2FA, that is the question
Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it's not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode should have something for everyone on all sides of this discussion to violently disagree with. Show Notes PyPI announcement NPM expired domains Morten Linderud Tweet Congratulations: We Now Have Opinions on Your Open Source Contributions
Episode 331 - GPG, but nothing makes sense
Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter. Show Notes XKCD signed email Shire calendar Guardian editors destroy Snowden laptop
Episode 330 - The sliding scale of risk: seeing the forest for the trees
Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale. Show Notes gsd.id The Register OpenSSL story OpenSSL bug
Episode 329 - Signing (What is it good for)
Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, what do we think the future looks like? This episode will have something for everyone to complain about! Show Notes Twitter thread Kurt's security advisory page Bug 998