Open Source Security Podcast
A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Episode 191 - Security scanners are all terrible (Apr 6, 2020, 35:18)
Josh and Kurt talk about security scanners. They're all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you're running the scanner and what the reports mean?
Show Notes: Edmonton freeze thaw cycles; Josh's security scanner blog series
Episode 190 - Building a talent "ecosystem" (Apr 5, 2020, 32:03)
Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada's entertainment industry and Unit 8200 are good examples of this.
Show Notes: SCTV; Red Team Project; Moon Shot book; AvE channel; Turning a tree root into a bowl; Mailing the Hope Diamond; The Ecosystem
Episode 189 - Video game hackers - speedrunning (Mar 30, 2020, 33:43)
Description: Developer speedrun commentary; Super Mario World end credits glitch explained; Mario 3 RCE; Breath of the Wild speedrun; Super Metroid reverse boss order; TMR beats every NES game
Episode 188 - Depressing news sucks, we're talking about cheating in video games (Mar 23, 2020, 31:01)
Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There's a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun.
Show Notes: Penny Arcade; Banned from Fortnite; Apollo Robbins, world's best pickpocket
Episode 187 - Wireguard vs IPsec: the OK Boomer of security (Mar 15, 2020, 30:07)
Josh and Kurt talk about Wireguard. There have been a lot of recent conversations about it and whether it's better or worse than other VPN solutions. It's safe to say in our modern age, less is usually more, especially when it comes to security. Wireguard has a lot going for it; it can't be ignored.
Show Notes: Replacing a Nintendo Switch fan; WireGuard Hacker News discussion
Episode 186 - Endpoint security with Tony Meehan (Mar 8, 2020, 30:23)
Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics.
Show Notes: Tony Meehan; Rob Joyce on Disrupting Nation State Hackers; Bobby Filar living off the land blog; Dwell time graph; Snowboarder vs Tree
Episode 185 - Is it even possible to fix open source security? (Mar 2, 2020, 31:55)
Josh and Kurt talk about the Linux Foundation Census 2. There is a lot of talk around how to fix open source security, but the reality is we can't fix it. We need to stop trying to fix what isn't broken and engineer around the system we have, not the system we want.
Show Notes: Linux Foundation Census 2; Core Infrastructure Initiative
Episode 184 - It's DNS. It's always DNS (Feb 24, 2020, 33:03)
Josh and Kurt talk about the sale of the corp.com domain. Is it going to be the end of the world, or a non event? We disagree on what should happen with it. Josh hopes an evildoer buys it, Kurt hopes for Microsoft. We also briefly discuss the CIA owning Crypto AG.
Show Notes: corp.com is for sale; CIA owned Crypto AG
Episode 183 - The great working from home experiment (Feb 17, 2020, 32:32)
Josh and Kurt talk about a huge working from home experiment because of the Coronavirus. We also discuss some of the advice going on around the outbreak, as well as how humans are incredibly good at ignoring good advice, often to their own peril. Also an airplane wheel falls off.
Show Notes: Work from home Hacker News discussion; CDC advice; How to wash your hands; Air Canada flight without running water; Airplane wheel falling off
Episode 182 - Does open source owe us anything? (Feb 10, 2020, 28:42)
Episode 181 - The security of SIM swapping (Feb 3, 2020, 32:28)
Josh and Kurt talk about SIM swapping. What is it, and how does it work? Why should you care? There's not a ton you can do to protect yourself, but we go over some of the basic concepts and what to watch out for. It's unfortunate this is still a problem.
Show Notes: Five Major US Wireless Carriers Are Vulnerable to SIM Swapping; Edmonton Police SIM swap website
Episode 180 - A Tale of Two Vulnerabilities (Jan 27, 2020, 31:07)
Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard.
Show Notes: Microsoft flaw CVE-2020-0601; Citrix flaw CVE-2019-19781; Citrix mitigation instructions
Episode 179 - Google Project Zero and the 90 day clock (Jan 20, 2020, 31:25)
Josh and Kurt talk about the updated Google Project Zero disclosure policy. What's the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won't drastically change much.
Show Notes: Google and 90 day patch disclosure; Upgrading all Windows versions
Episode 178 - Are CVEs important and will ransomware put you out of business? (Jan 13, 2020, 32:36)
Josh and Kurt talk about a discussion on Twitter about whether discovering CVE IDs is important for a resume. We don't think it is. We also discuss the idea of ransomware putting a company out of business. Did it really? Possibly, but it probably won't create any substantial change in the industry.
Show Notes: Games Done Quick; Ransomware puts company out of business; 1 in 5 companies shut down due to ransomware; Laura Shin SIM Swap Podcast
Episode 177 - Fake or real? The security of counterfeit goods (Jan 6, 2020, 29:58)
Josh and Kurt talk about marketplace safety and security. Will we ever see an end to the constant flow of counterfeit goods? The security industry has the same problem the marketplace industry has: without substantial injury we don't see movement towards meaningful change.
Show Notes: BrickLink; Cars in Canada lighting on fire; President Roosevelt used Al Capone's Limo; Dangerous car seats; Fake external hard drive
Episode 176 - The 'predictions are stupid' prediction episode (Dec 30, 2019, 32:13)
Josh and Kurt talk about security predictions for 2020. None of the predictions are even a bit controversial or unexpected. We're in a state of slow change; without disruptive technology, next year will look a lot like this year.
Show Notes: The Rising Speed of Technological Adoption; Slack Certified; GDPR Fines and Notices
Episode 175 - Defenders will always be one step behind (Dec 23, 2019, 30:27)
Josh and Kurt talk about the opportunistic nature of crime. Defenders have to defend, which means the adversaries are by definition always a step ahead. We use the context of automobile crimes to frame the discussion.
Show Notes: Stealing cars with radio relays; RTL Software Defined Radio; Canada most stolen car
Episode 174 - GitHub turns security up to 11; A discussion with Rob Schultheis (Dec 16, 2019, 29:41)
Josh and Kurt talk to Rob Schultheis from GitHub about some of the amazing projects GitHub is working on. We discuss GitHub security advisories, getting a CVE from GitHub, and what the new GitHub Security Lab is doing. It's a great conversation about how GitHub is working to make security better for all of us.
Show Notes: GitHub Security Advisories; GitHub CVE requests; GitHub Security Lab; GitHub Security Lab Slack; GitHub Security Lab Twitter
Episode 173 - Ho Ho Homeland Security (Dec 9, 2019, 34:52)
Josh, Santa, and Kurt talk about the border nightmare Santa Claus has to deal with as he traverses the globe. Questions we explore include: Are the reindeer farm animals? Is the North Pole a farm? Is Santa an intellectual property thief? Does Krampus eat politicians? Does Santa have a passport? Does Santa have an emergency radio?
Show Notes: Pirate Joes
Episode 172 - The security of planned obsolescence (Dec 2, 2019, 32:08)
Josh and Kurt talk about the security implications of planned obsolescence. We use Intel's recent decision to remove old drivers from their website as the start of the conversation. By the end we realize this is more of a decision society needs to understand and make than anything else. Is constantly throwing out technology OK?
Show Notes: Intel removes old drivers; Upgrading all versions of Windows; Sniffing your Smart TV
Episode 171 - Measuring cybersecurity with Kathryn Waldron (Nov 25, 2019, 30:52)
Episode 170 - Until that quantum computer is cracking RSA keys, go sit back down! (Nov 17, 2019, 31:57)
Josh and Kurt talk about banking and privacy. It's very likely nothing will get better anytime soon; humans will continue to be terrible at understanding certain risks. We also discuss what quantum supremacy means (or doesn't mean) for security.
Show Notes: National Bank Privacy Issues; Quantum Supremacy Claims; Hype Cycle; Scottish person talking to Siri; SMBC Quantum Comic
Episode 169 - What happens when leadership doesn't care about security? (Nov 11, 2019, 31:20)
Josh and Kurt talk about government security incidents. The security concerns at the government level often have real life and death consequences. What happens when the leadership knowingly disregards security policy?
Show Notes: Breaking into a SCIF; White House cybersecurity team; Bugged typewriter
Episode 168 - The draconian draconians of DRM (Nov 3, 2019, 30:55)
Josh and Kurt talk about the social norms of security. We also discuss security coprocessors and the reasons behind adding them to hardware. Is DRM a draconian security measure, or do we need it to secure the future? We also touch on the story of NordVPN getting hacked. The real story isn't that they got hacked; the story is that they responded like clowns. The actual problem was one of leadership: there are certain leadership skills you can't be taught, you can only learn.
Show Notes: Before Windows boots protections
Episode 167 - Security is terrible because digital literacy is terrible (Oct 28, 2019, 35:19)
Josh and Kurt talk about the horrid state of digital literacy in the US. We start out talking about broken Philips Hue light bulbs, then discuss research from Pew on the digital literacy of Americans. We may have accidentally discovered a use for all the cookie warnings every web site has.
Show Notes: Pew Research on Americans' Digital Literacy
Episode 166 - Every day should be cybersecurity awareness month! (Oct 21, 2019, 24:39)
Episode 165 - Grab Bag of Microsoft Security News (Oct 13, 2019, 27:45)
Description: Microsoft KB 4516071; A Security Market for Lemons; Kurt's file wiping advisory; Lock Picking Lawyer vs Consumer Reports; Sun Ray; Linux Gamers: 20% of auto reported crashes
Episode 164 - DNS over HTTPS: Probably not the end of the world (Oct 7, 2019, 30:03)
Josh and Kurt talk about DNS over HTTPS and how it may or may not destroy civilization. We also discuss the disruption of cloud in the context of security and touch on the news that GitHub is now a CVE CNA!
Show Notes: DNS over HTTPS; California Privacy Law; Defensive Security Podcast; GitHub is a CNA
Episode 163 - Death to Python 2 (Sep 30, 2019, 33:22)
Episode 162 - SBOM with Allan Friedman (Sep 23, 2019, 30:35)
Episode 161 - Human nature and ad powered open source (Sep 16, 2019, 29:19)
Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source?
Show Notes: thegrugq secure android; DoD JEDI program; Firefox privacy settings; Standard ads; Max Headroom
Episode 160 - Disclosing security issues is insanely complicated: Part 2 (Sep 9, 2019, 31:11)
Josh and Kurt talk about disclosing security flaws in open source. This is part two of a discussion around how to disclose security issues. This episode focuses on some expectations and behaviors for open source projects as well as researchers trying to disclose a problem to a project.
Show Notes: webmin backdoor; GitHub security advisories
Episode 159 - Disclosing security issues is insanely complicated: Part 1 (Sep 2, 2019, 29:23)
Josh and Kurt talk about disclosing security flaws. It's a topic that's come up a few times in the last few weeks and it's more complicated than it's ever been. We certainly ask more questions than we answer in this episode; there will be a part 2 that focuses on open source disclosure.
Show Notes: Lock Picking Lawyer; Tavis' Windows flaw
Episode 158 - The mess that we call credit agencies in the US (Aug 26, 2019, 27:48)
Episode 157 - Backdoors and snake oil in our cryptography (Aug 19, 2019, 30:58)
Josh and Kurt talk about snake oil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it's the right thing to do.
Show Notes: Time AI video; Kurt's Tweet about technical explanations; Josh's blog post about bug training; Schneier on Barr's encryption discussion
Episode 156 - What if we MitM a whole country? (Jul 29, 2019, 29:57)
Josh and Kurt talk about Kazakhstan requiring citizens to place a government controlled root CA certificate on their computers. How does this work? What does it mean for the citizens of Kazakhstan, and why should we all be paying attention?
Show Notes: Kazakhstan MitM all TLS traffic; Mozilla bug
Episode 155 - Stealing cars and ransomware (Jul 22, 2019, 27:22)
Josh and Kurt talk about a new way to steal cars because a service didn't do proper background checks. We also discuss how this relates to working with criminals, such as ransomware, and what it means for the future of the ransomware industry.
Show Notes: Car2go theft; Alberta driver's license security; Albertosaurus; Las Vegas won't pay a ransom
Episode 154 - Chat with the authors of the book "The Fifth Domain" (Jul 16, 2019, 31:17)
Josh and Kurt talk to the authors of a new book, The Fifth Domain. Dick Clarke and Rob Knake join us to discuss the book, cybersecurity, US policy, how we got where we are today, and what the future holds for cybersecurity.
Show Notes: The Fifth Domain; Dick Clarke; Rob Knake; Future State Podcast
Episode 153 - The unexpected security of AI, photographs, and VPN (Jul 8, 2019, 34:33)
Episode 152 - Tavis breaks the world ... again (Jul 1, 2019, 30:40)
Episode 151 - The DARPA Cyber Grand Challenge with David Brumley (Jun 24, 2019, 30:12)
Episode 150 - Our ad funded dystopian present (Jun 17, 2019, 30:09)
Josh and Kurt talk about the future of Chrome and ad blockers. There is a lot of nuance to unpack around this one. There are two versions of the Internet today: one with an ad blocker and one without. The Internet without an ad blocker is a dystopian nightmare. The actionable advice at the end of this one is to use Firefox.
Episode 149 - Chat with Michael Coates about data security (Jun 10, 2019, 26:27)
Episode 148 - You just got pwnt, what now? (Jun 3, 2019, 29:21)
Josh and Kurt talk about public disclosure. We start out with a story about Canva, then discuss what to do if you have a security incident. Who do you tell, and what do you tell them? How do you tell your story? It's a really hard problem even if it's something you've done many times in the past.
Episode 147 - Scams and operations as part of the supply chain (May 27, 2019, 30:27)
Episode 146 - What the @#$% happened to Microsoft? (May 20, 2019, 32:24)
Episode 145 - What do security and fire have in common? (May 13, 2019, 34:20)
Episode 144 - The security of money, which one is best? (May 6, 2019, 33:34)
Episode 143 - Security lessons from the phone book (Apr 29, 2019, 34:40)
Episode 142 - Hypothetical security: what if you find a USB flash drive? (Apr 21, 2019, 31:27)
Josh and Kurt talk about what you could do if you find a USB drive. The context is based on the story where the Secret Service was rumored to have plugged a malicious USB drive into a computer. The purpose of the discussion is to explore how to handle a situation like this in the real world. We end the episode with a fantastic comparison of swim safety and security.
Episode 141 - Timezones are hard, security is harder (Apr 15, 2019, 36:14)
Josh and Kurt talk about the difficulty of security. We look at the difficulty of the EU no longer observing daylight saving time, which is probably orders of magnitude easier than getting security right. We also hit on a discussion on Reddit about U2F that shows the difficulty. Security today is too hard, even for the experts.
Episode 140 - Good enough security is a pretty high bar (Apr 8, 2019, 34:20)
Josh and Kurt talk about identity. It's a nice example we can generally understand in the context of the question: how much security is enough security? When we deal with identity, the idea of good enough is often acceptable for the vast majority of uses. Perfect identity tracking isn't really a thing, nor is it practical.
Episode 139 - Secure voting, firefox send, and toxic comments on the internet (Apr 1, 2019, 30:57)
Episode 138 - Information wants to be free (Mar 25, 2019, 32:19)
Episode 137.5 - Holy cow Beto was in the cDc, this is awesome! (Mar 18, 2019, 35:17)
Josh and Kurt talk about Beto being in the Cult of the Dead Cow (cDc). This is a pretty big deal in a very good way. We hit on some history, why it's a great thing, and what we can probably expect from opponents. There's even some advice at the end on how we can all help. We need more politicians with backgrounds like this.
Episode 137 - When the IoT attacks! (Mar 11, 2019, 30:34)
Josh and Kurt talk about when devices attack! It's not quite that exciting, but there has been a slew of news about physical devices causing problems for humans. We end on the note that we're getting closer to a point when lawyers and regulators will start to pay attention. We're not there yet, so we still have a horrible insecure future on the horizon.
Episode 136 - How people feel is more important than being right (Mar 4, 2019, 31:35)
Episode 135 - Passwords, AI, and cloud strategy (Feb 25, 2019, 30:38)
Josh and Kurt talk about change your password day (what a terrible day), Google's password checkup (not a terrible idea), and an AI finding new spice flavors we expect will one day take over the world, and we finish up on a new DoD cloud strategy. Also Josh burnt his finger, but is going to be OK.
Episode 134 - What's up with the container runc security flaw? (Feb 18, 2019, 28:58)
Episode 133 - Smart locks and the government hacking devices (Feb 11, 2019, 31:10)
Episode 132 - Bird Scooter: 0, Cory Doctorow: 1 (Feb 4, 2019, 30:11)
Episode 131 - Windows micropatches, Google's privacy fine, and Mastercard fixes trial abuse (Jan 28, 2019, 33:26)
Josh and Kurt talk about non-Microsoft Windows micropatches. The days of pretending closed source matters are long gone. Google gets hit with a privacy fine that probably won't matter. And Mastercard makes it easier for consumers to not accidentally sign up for services they don't want.
Episode 130 - Chat with Snyk co-founder Danny Grander (Jan 21, 2019, 34:03)
Episode 129 - The EU bug bounty program (Jan 14, 2019, 33:15)
Episode 128 - Australia's encryption backdoor bill (Jan 7, 2019, 32:59)
2018 Christmas Special - Is Santa GDPR compliant? (Dec 24, 2018, 37:37)
Episode 127 - Walled gardens, appstores, and more (Dec 17, 2018, 35:00)
Josh and Kurt talk about Mozilla pulling a paywall bypassing extension. We then turn our attention to talking about walled gardens. Are they good, are they bad? Something in the middle? There is a lot of prior art to draw on here, everything from Windows, Android, iOS, even Linux distributions.
Episode 126 - The not so dire future of supply chain security (Dec 10, 2018, 33:13)
Episode 125 - Open Source, supply chains, npm, and you (Dec 3, 2018, 31:04)
Josh and Kurt talk about how open source deals with malicious events. It's probably impossible to stop these from happening, but the open source universe deals with it in its own unique way. We start to discuss what you can do, since everyone is using open source everywhere now. There will be a second part to this episode where we discuss what the future holds for these sorts of problems.
Episode 124 - Cloudflare's service workers and the economics of security (Nov 26, 2018, 34:04)
Josh and Kurt talk about Cloudflare's new Workers service. We spend a lot of time discussing how economics drives technology, not security. It's quite likely this new service is less secure than existing alternatives, but it will be cheaper and faster, which will matter more than security.
Episode 123 - Talking about Kubernetes and container security with Liz Rice (Nov 19, 2018, 27:52)
Episode 122 - What will Apple's T2 chip mean for the rest of us? (Nov 12, 2018, 33:04)
Episode 121 - All about the security of voting (Nov 5, 2018, 36:48)
Episode 120 - Bloomberg and hardware backdoors - it's already happening (Oct 29, 2018, 30:56)
Episode 119 - The Google+ and Facebook incidents, it's not your data anymore (Oct 22, 2018, 31:38)
Episode 118 - Cloudflare's IPFS and onion service (Oct 15, 2018, 30:49)
Episode 117 - Will security follow Linus' lead on being nice? (Oct 8, 2018, 31:02)
Episode 116 - The future of the CISO with Michael Piacente (Oct 1, 2018, 30:31)
Episode 115 - Discussion with Brian Hajost from SteelCloud (Sep 24, 2018, 30:16)
Episode 114 - Review of "Click Here to Kill Everybody" (Sep 17, 2018, 30:50)
Episode 113 - Actual real security advice (Sep 10, 2018, 30:38)
Episode 112 - Google's Titan Key and the latest Struts issue (Sep 3, 2018, 29:06)
Episode 111 - The TLS 1.3 and DNS episode (Aug 27, 2018, 32:39)
Episode 110 - Review of Black Hat, Defcon, and the effect of security policies (Aug 19, 2018, 34:49)
Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can't foresee. We end with important information about pizza, bananas, and can openers.
Episode 109 - OSCon and actionable advice (Aug 13, 2018, 34:18)
Episode 108 - Bluetooth, phishing, airgaps, and eating soup off the floor (Aug 6, 2018, 30:35)
Episode 107 - The year of the Linux Desktop and other hardware stories (Jul 30, 2018, 29:04)
Josh and Kurt talk about modern hardware and how security relates to devices and actions. Everything from secure devices, to the cables we use, to thermal cameras and coat hangers. We end the conversation discussing the words we use and how they affect the way people see us and themselves.
Episode 106 - Data isn't oil, it's nuclear waste (Jul 23, 2018, 29:54)
Josh and Kurt talk about Cory Doctorow's piece on Facebook data privacy. It's common to call data the new oil, but it's more like nuclear waste. How we fix the data problem in the future is going to require solutions we can't yet imagine as well as new ways of thinking about the problems.
Episode 105 - More backdoors in open source (Jul 16, 2018, 31:45)
Episode 104 - The Gentoo security incident (Jul 9, 2018, 33:14)
Josh and Kurt talk about the Gentoo security incident. Gentoo did a really good job being open and dealing with the incident quickly. The basic takeaway from all this is to make sure your organization is forcing users to use two-factor authentication. The long term solution is going to be all identity providers forcing everyone to use 2FA.
Episode 103 - The Seven Properties of Highly Secure Devices (Jul 2, 2018, 33:23)
Episode 102 - Michael Feiertag from tCell (Jun 25, 2018, 30:50)
Josh and Kurt talk to Michael Feiertag, the CEO of tCell. We talk about what a Web Application Firewall is, what it does and doesn't do, and what the future of this technology looks like. We touch on how this affects a DevOps environment. Security has to fit into the existing model, not try to change it.
Episode 101 - Our unregulated future is here to stay (Jun 17, 2018, 32:46)
Josh and Kurt talk about Bird scooters: the implications of the scooters on the city, Segways, bicycles, and how these vehicles interact with pedestrians on the road and trails. It's an example of humans not wanting to follow the rules and generally making the situation annoying for everyone. It's the old security story of new technology without clear rules. The show ends with some horrifying numbers behind how bad things can get before people really care.
Episode 100 - You're bad at buying security, we can help! (Jun 11, 2018, 35:54)
Episode 99 - Consumer security is too broken to fix, and it doesn't matter (Jun 4, 2018, 34:20)
Josh and Kurt talk about a number of consumer security issues. The FBI told everyone to reboot their routers, which they won't do. The .app top level domain is a cesspool of malware. Everyone has a cell phone and won't update them properly. None of this probably matters though. Unless there are real measurable tragedies caused by this tech, people tend not to really care.
Episode 98 - When IT decisions kill people (May 28, 2018, 34:24)
Episode 97 - Automation: Humans are slow and dumb (May 20, 2018, 33:08)
Episode 96 - Are legal backdoors a good idea? (May 11, 2018, 32:54)
Episode 95 - Twitter passwords and npm backdoors (May 7, 2018, 29:32)
Episode 94 - DNSSEC, BGP, and reality (Apr 30, 2018, 28:18)
Episode 93 - Security flaws in beep and patch, how did we get here? (Apr 15, 2018, 36:04)
Episode 92 - Chat with Rami Saas the CEO of WhiteSource (Apr 15, 2018, 33:34)
Episode 91 - Security lessons from a 7 year old (Apr 8, 2018, 19:04)
Josh and Kurt talk to a 7 year old about security. We cover Minecraft security, passwords, hacking, and many, many other nuggets of wisdom.