Open Source Security Podcast

Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have, there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We really need to rethink how we handle vulnerabilities.

Sho...

Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical?

Show Notes

• Hacker News searchabl...

Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice.

Show Notes

• Help us to take down the parasite we...

Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really weird and hard problem.

Show Notes

• Gra...

Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can't fix this problem as it stands, we don't know where to start yet. But that's not a reason to lose hope. We can fix this if we want to, but it won't be flashy, it'...

Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come.

Show Notes

• Secure Software Development Attestation Form
• The U.S. Military I...

Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were.

Show Notes

• Anchore's Blog
• Grype
• Josh's Cyphercon Talk
• Ecosyste.ms
• Epi...

Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that.

Show Notes

• Mon Dieu! Nearly half the French population have data nabbed in massive breach
• Feds move to ban auto theft tech device ‘Flipper Zero’
• G...

Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting.

Show Notes

• Greg K-H
• Linux Kernel is a CNA
• Machine learning and stable kernels
• Bug repor...

Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible.

Show Notes

• Thomas Depierre
• I am not a su...

Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it in. It's a weird topic, but probably pretty important.

...

Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands.

Show Notes

• Open Source Doesn't Require Providing Builds
• The things nobody wants to pay for
• Audacity privacy policy update has caused an outcry
• The History ...

Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people are watching and it only takes one person to notice a problem and we all benefit.

Show Notes

• Peanut Butter the dog plays Gyromite
• The Wizard mo...

Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to.

Show Notes

• Security leaders weigh in on 23andme hack
• Don't need a gun when you have a Donk - Crocodile Dundee 2
• Hackers c...