A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
…
continue reading
1
The NDS Show - An Intelligence Community Podcast covering Geospatial Intelligence, Open Source Intelligence OSINT, Human Intelligence HUMINT, Military & National Security
The NDS Show
Unlock a world of valuable insights and thought-provoking discussions related to the Intelligence Community (CIA, NSA, NGA, FBI, Military Intelligence). Join Nick, a successful entrepreneur and business leader, on his journey to discover a world of INTELLIGENCE in all facets of our lives. As an Army Veteran with expertise in geospatial Intelligence Operations, and multiple successful businesses and investments across a variety of industries, including technology, defense, real estate, crypto ...
…
continue reading
Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means. Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd i…
…
continue reading
1
Episode 448 - What's wrong with CISA?
34:48
34:48
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
34:48
Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining securi…
…
continue reading
1
Episode 447 - The Tidelift 2024 open source maintainer report
38:52
38:52
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
38:52
Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of i…
…
continue reading
1
Episode 446 - Researchers took over .MOBI TLD
33:06
33:06
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
33:06
Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasona…
…
continue reading
1
Beyond OSINT: Fusing Commercial Data Analysis for Digital ISR w/ Steve Loori
1:22:36
1:22:36
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
1:22:36
Steve Loori, a seasoned intelligence community professional, shares his incredible journey from the Marine Corps to becoming a leader in the world of commercial data analysis and Open Source Intelligence for surveillance and reconnaissance. Starting with his experiences as a young Marine during the Iraq War, Steve delves into how those early challe…
…
continue reading
Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger…
…
continue reading
1
Episode 444 - Open Source and End of Life
37:49
37:49
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
37:49
Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it's becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. Show Notes Chrome dumped support for Ubuntu 18.04 – but it'll be back Linus Torvalds t…
…
continue reading
1
Episode 443 - The Supply Chain Security Crisis
34:23
34:23
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
34:23
Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. Show Notes Black Hat USA …
…
continue reading
1
Episode 442 - The foundation of society, TLS certificates are a mess
40:35
40:35
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
40:35
Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to …
…
continue reading
Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. Show Notes CWE Epis…
…
continue reading
1
Episode 440 - "What is open source" talk Josh gave
34:36
34:36
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
34:36
Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is…
…
continue reading
1
Episode 439 - Where are all the youth in open source?
29:27
29:27
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
29:27
Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created…
…
continue reading
1
Episode 438 - CISA's bad OSS advice vs the Whitehouse good advice
34:52
34:52
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
34:52
Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved.…
…
continue reading
1
Episode 437 - CocoPods and proper funding for open source
36:50
36:50
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
36:50
Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important, we have to start to underst…
…
continue reading
1
Episode 436 - OpenSSH and node-ip - it's all exponential growth
32:10
32:10
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
32:10
Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relatio…
…
continue reading
1
Episode 435 - polyfill.io - open source is too big to fix
38:50
38:50
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
38:50
Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here …
…
continue reading
1
Episode 434 - Unreported vulnerabilities and everyone is getting hacked
31:17
31:17
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
31:17
Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabiliti…
…
continue reading
1
Episode 433 - Should OpenSSH block misbehaving clients?
31:40
31:40
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
31:40
Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future. Show Notes OpenSSH introduces optio…
…
continue reading
1
Episode 432 - Flipper Zero with Alex Kulagin
33:08
33:08
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
33:08
Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation. Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok…
…
continue reading
1
Episode 431 - Redirecting HTTP to HTTPS
32:52
32:52
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
32:52
Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space as you'll hear in the discussion. There's no a simple solution, but this is certainly something to discuss. Show Notes Your API Shouldn't Redirect HTTP to HTTPS H…
…
continue reading
Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? Show Notes Kurt's strange coffee Why a 'frozen' distribution L…
…
continue reading
1
Episode 429 - The autonomy of open source developers
32:06
32:06
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
32:06
Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there's some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell dev…
…
continue reading
1
Episode 428 - GitHub artifact attestation
37:25
37:25
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
37:25
Josh and Kurt talk about a new to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default. Show Notes GitHub artifact attestation…
…
continue reading
1
Why Synthetic Aperture Radar (SAR) is CRUCIAL for Earth Observation w Umbra Space's Gabe Dominocielo
1:06:17
1:06:17
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
1:06:17
Gabe Dominocielo, co-founder of Umbra Space, discusses the challenges and excitement of launching SAR satellites and the unique capabilities of synthetic aperture radar. He shares insights into the process of developing satellites, the choice of SAR technology, and the importance of precision in radar imagery. Gabe also talks about the diverse rang…
…
continue reading
1
Episode 427 - Will run0 replace sudo?
30:12
30:12
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
30:12
Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. Show Notes Conan O'Brien on Hot Ones Lennart's Mastodon thread xkcd automation…
…
continue reading
1
REIMAGINE Geospatial Intelligence w/ former NGA Director Robert Sharp
1:40:46
1:40:46
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
1:40:46
Robert (Bob) Sharp shares his journey in the military and as the director of the National Geospatial-Intelligence Agency (NGA). He discusses how he accidentally became an admiral and the joy he found in changing jobs and working with different people. He also talks about the importance of specialization and generalization in the intelligence commun…
…
continue reading
1
Episode 426 - Automatically exploiting CVEs with AI
37:31
37:31
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
37:31
Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have, there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We r…
…
continue reading
1
Episode 425 - Video game cheaters, also pretendo
30:36
30:36
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
30:36
Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical? Show Notes H…
…
continue reading
1
Episode 424 - The Notepad++ Parasite Website
35:22
35:22
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
35:22
Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice. Show Notes H…
…
continue reading
1
Episode 423 - FCC cybersecurity label for consumer devices
32:09
32:09
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
32:09
Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really wei…
…
continue reading
Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can't fix this problem as it stands, we don't know where to start yet. But that's not a reason t…
…
continue reading
1
Episode 422 - Do you have a security.txt file?
30:13
30:13
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
30:13
Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing. Show Notes RFC 9116
…
continue reading
1
Episode 421 - CISA's new SSDF attestation form
41:03
41:03
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
41:03
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come. Show Notes Secure Software Development A…
…
continue reading
Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were. Show Notes Anchore's Blog Grype Jo…
…
continue reading
1
Episode 419 - Malicious GitHub repositories
34:06
34:06
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
34:06
Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of a massive ecosystem like GitHub. Show Notes GitHub besieged by millions of malicious repositories in ongo…
…
continue reading
1
Episode 418 - Being right all the time is hard
30:17
30:17
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
30:17
Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that. Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto…
…
continue reading
1
Episode 417 - Linux Kernel security with Greg K-H
42:40
42:40
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
42:40
Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. Show Notes Greg K-H Linux Kernel is a CNA Machine le…
…
continue reading
1
Episode 416 - Thomas Depierre on open source in Europe
42:45
42:45
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
42:45
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible. Show …
…
continue reading
1
Episode 415 - Reducing attack surface for less security
31:08
31:08
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
31:08
Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it…
…
continue reading
1
Episode 414 - The exploited ecosystem of open source
32:26
32:26
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
32:26
Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands. Show Notes Open Source Doesn't Require Providing Builds The things nobody wants to pay for Audacity privacy policy updat…
…
continue reading
1
Episode 413 - PyTorch and NPM get attacked, but it's OK
35:19
35:19
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
35:19
Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people are watching and it only takes one person to notice a problem and we all benefit. Show Notes Peanut Butter t…
…
continue reading
1
Episode 412 - Blame the users for bad passwords!
33:03
33:03
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
33:03
Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to. Show Notes Security leaders weigh in on 23andme hack Don't need a gun when you have a …
…
continue reading
1
Episode 411 - The security tools that started it all
29:27
29:27
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
29:27
Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Notes SELinux AppArmor SSH ModSecurity Snort Nmap Nessus What comes after open source…
…
continue reading
1
Episode 410 - Package identifiers are really hard
31:52
31:52
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
31:52
Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not. Show Notes OpenSSF CISA response purl CPE OmniBOR S…
…
continue reading
1
Episode 409 - You wouldn't hack a train?
35:35
35:35
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
35:35
Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It's sort of a dire conversation, but not all hope i…
…
continue reading
1
Episode 408 - Does Kubernetes need long term support?
32:15
32:15
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
32:15
Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It's a lively discussion all about the past, present, and future of open source LTS. Show Notes Why Kubernetes needs an LTS Linux gives up on 6-year LTS kernels, says they’re too …
…
continue reading
It's the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There's some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us…
…
continue reading
Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in the macbooks. The common thread between all these stories is looking at the return on investment for security. Sometimes good enough security is fine, sometimes it's not w…
…
continue reading
1
Episode 405 - Modding games isn't cheating and security isn't fair
31:47
31:47
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
31:47
Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details …
…
continue reading
1
Episode 403 - Does the government banning apps work?
35:04
35:04
Nghe Sau
Nghe Sau
Danh sách
Thích
Đã thích
35:04
Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. But the government plays by a very different set …
…
continue reading