Showing episodes and shows of Josh Bressers

Shows

Security & GRC DecodedSecurity & GRC DecodedFrom Compliance to SBOMs: Josh Bressers’ Take on SecurityIn this episode, Raj Krishnamurthy sits down with Josh Bressers, VP of Security at Anchore and longtime leader in the open source security space. With decades of experience, Josh brings a candid and compelling perspective on everything from the chaos of early cybersecurity days to the nuanced challenges of SBOMs and compliance in today’s world.Josh reflects on how he entered the security world before there were formal certifications or programs, how community and curiosity fuel innovation in open source, and why the relationships you build are often the most va...2025-05-011h 05Open Source SecurityOpen Source SecurityCWE Top 25 ListJosh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. Show Notes 2024 CWE Top 25 Most Dangerous Software Weaknesses Set of 9 Unusual Odd Sided dice - D3, D5, D7, D9, D11, D13, D15, D17 & D19 2024-12-1636 minOpen Source SecurityOpen Source SecurityAll about MeshtasticJosh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source. Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous Meshtastic Routing Issues & Deployment Scenarios TC2-BBS-mesh The Comms Channel Josh's BBS Heltec T114 bug 2024-10-2839 minOpen Source SecurityOpen Source SecurityThe foundation of society, TLS certificates are a messJosh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. 
There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to Josh what's going on, because Josh doesn't want to care (and will continue to ignore all of this going forward). Show Notes Firefox's Mozilla follows Google in losing trust in Entrust's TLS certificates DigiCert...2024-08-1940 minOpen Source SecurityOpen Source Security"What is open source" talk Josh gaveJosh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is, their primary goal is to help keep development secure. Show Notes Grassr00tz Pamela Chestek copyright paper Josh's presentation 2024-08-0534 minSecurity Weekly Podcast Network (Audio)Security Weekly Podcast Network (Audio)Whose Vulnerability Is It Anyway? - Josh Bressers - PSW #831Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ This week: Take on the upstream, how hard is it to patch end-of-life software, hack millions of routers, take over millions of routers, 0-days, and no responses, hack Taylor Swift wristbands, can...2024-06-062h 43Paul\'s Security Weekly (Audio)Paul's Security Weekly (Audio)Whose Vulnerability Is It Anyway? 
- Josh Bressers - PSW #831Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ This week: Take on the upstream, how hard is it to patch end-of-life software, hack millions of routers, take over millions of routers, 0-days, and no responses, hack Taylor Swift wristbands, can...2024-06-062h 43Paul\'s Security Weekly (Video)Paul's Security Weekly (Video)Whose Vulnerability Is It Anyway? - Josh Bressers - PSW #831Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ Show Notes: https://securityweekly.com/psw-8312024-06-061h 07Resilient CyberResilient CyberS6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos- First off, for folks that don't know you can you give them a brief overview of your background/organizations?- Josh, let's start with you. 
Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?- Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem?- Josh - Your team has started providing some accompanying resources to try...2024-03-2229 minOpen Source SecurityOpen Source SecurityWhat's going on at NVDJosh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were. Show Notes Anchore's Blog Grype Josh's Cyphercon Talk Ecosyste.ms Episode 266 – The future of security scanning with Debricked 2024-03-1839 minOpen Source SecurityOpen Source SecurityPyTorch and NPM get attacked, but it's OKJosh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people are watching and it only takes one person to notice a problem and we all benefit. Show Notes Peanut Butter the dog plays Gyromite The Wizard movie PyTorch supply chain attack npm Package Found Delivering Sophisticated RAT Deceptive Deprecation: The Truth About npm Deprecated Packages Changing a lightbulb Spelunking the Bitcoin Blockchain...2024-01-2935 minThe MonkCastThe MonkCastA RedMonk Conversation: SBOMs (With Josh Bressers from Anchore)It's not all that often that specific technologies are standards are called out by the White House, but that's exactly what happened with SBOMs. But while there's a lot of chatter on SBOMs, many people still have questions about what they are, what they're for and how to use them. 
Josh Bressers of Anchore joined us to answer just that question. This RedMonk Conversation was originally published in video form on November 30, 2022.2023-12-0411 minOpen Source SecurityOpen Source SecurityThe curl and glibc vulnerabilitiesJosh and Kurt talk about a curl and glibc bug. The bugs themselves aren't super interesting, but there are other conversations around the bugs that are interesting. Why don't we just rewrite everything in Rust? Why can't we just train developers to stop writing insecure code. How can AI solve this problem? It's a marvelous conversation that ends on the very basic idea: we already have the security the market demands. Unless we change that demand, security won't change. Show Notes Curl vulnerability glibc vulnerability Josh's Badge Project Bob Lord's phishing message 2023-10-1634 minOpen Source SecurityOpen Source SecurityCurl and the calamity of CVEJosh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works. Show Notes Curl blog post Now it's PostgreSQL's turn to have a bogus CVE GitHub Advisory Database Josh's "CVE tried to get me fired" story 2023-09-1146 minOpen Source SecurityOpen Source SecurityWhat would HashiCorp do?Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward. 
Show Notes Josh's BSidesLV talk Hacker News marked site as malware HashiCorp license change A Theory of Joint Authorship for Free and Open Source Software Projects 2023-08-2142 minOpen Source SecurityOpen Source SecurityRed Hat, you were the chosen one!Josh and Kurt talk about Red Hat closing up the RHEL source code. Kurt and Josh both worked at Red Hat in the past. This isn't a show that bashes Red Hat, and it's not a show praising them. We take an honest look at the past, present, and future of Linux. There's a lot to talk about in this one. TL;DR, Red Hat was the chosen on, and we all feel betrayed. Show Notes Red Hat's first blog post Red Hat's honest post DeWitt clause 2023-07-0337 minOpen Source SecurityOpen Source SecurityOpen Source Summit, who built your open source, and AIJosh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn't work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen. Show Notes SLSA FRSCA S2C2F MSI leak Intel microcode Tom Scott AI Video 2023-05-2236 minOpen Source SecurityOpen Source SecurityOpen Source is bigger than you can imagineJosh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it's mostly one person. It's hard to imagine how this all works sometimes and this lack of understanding can create challenges. Show Notes Josh's blog on the size of NPM One In Two New Npm Packages Is SEO Spam Right Now Linux Kernel power distribution graph 2023-04-1034 minOpen Source SecurityOpen Source SecurityOpenAI broke ChatGPT then tried to blame open sourceJosh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn't go very well. 
In this episode Josh and Kurt argue a lot, maybe someday we'll know who was the least wrong. Show Notes ChatGPT Tweet ChatGPT Blog redis bug 2023-04-0330 minOpen Source SecurityOpen Source SecurityIs open source being overexploited?Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It's common to think of open source projects as delivered to us, but it's more like acquiring raw materials from the forest. The problem is we're harvesting the raw materials in an unsustainable manner at the moment. Show Notes I am not a supplier Josh's question about the environment sjvn Gorilla toolkit article Gorilla Web Toolkit Awesome Games Done Quick GeoGuessr Awesome Games Done Quick 2023 2023-01-0934 minOpen Source SecurityOpen Source SecurityLet's chat about Let's Encrypt with Josh AasJosh and Kurt talk with Josh Aas from the Internet Security Research Group about Let's Encrypt, Prossimo, and Divvi Up. A lot has changed since the last time we spoke with Josh. Let's Encrypt won, and the ISG are working on some really cool new projects. Show Notes Josh Aas Internet Security Research Group (ISRG) Let's Encrypt Episode 87 – Chat with Let’s Encrypt co-founder Josh Aas New Major Funding from the Ford Foundation ISRG annual reports Peter Eckersley 2022-09-1233 minOpen Source SecurityOpen Source SecurityIs a network problem a security vulnerabilityJosh and Kurt talk about really weird networking bugs. Josh tells a story about his home network problems that made no sense. There was also a qt5 bug that affected wireless networks that made virtually no sense. What should count as a security vulnerability? Show Notes Resolving an unusual wifi issue Hacker News thread Global Security Database IdeaPad 5 14ARE05 2022-09-0538 minOpen Source SecurityOpen Source SecurityGPG, but nothing makes senseJosh and Kurt talk about their very silly GPG key management from the past. 
This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter. Show Notes XKCD signed email Shire calendar Guardian editors destroy Snowden laptop 2022-07-1135 minOpen Source SecurityOpen Source SecurityIs one open source maintainer enough?Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that's "healthy"? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean? Show Notes OpenSSF TAC Issue 101 2022-05-3035 minOpen Source SecurityOpen Source SecurityThe lack of compromise in security  Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess. Show Notes Josh's Twitter thread How to install week old npm packages 2022-04-0432 minOpen Source SecurityOpen Source SecurityWelcome to the jungle - How to talk about open source securityJosh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It's hard to talk about security sometimes. Show Notes Josh's computer vision code Twitter secrets Qualys pwnkit 2022-01-3131 minOpen Source SecurityOpen Source SecurityOpen source security isn't freeJosh and Kurt talk about Josh's electric car and new job. We then talk about the recent UAParser.js malware incident. 
There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. Show Notes UAParser.js CISA announcement 2021-11-0133 minOpen Source SecurityOpen Source SecurityThe security of Rust: who left all this awesome in here?Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn't always obvious when you're in the middle of progress. Show Notes Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming Josh's devopsdays talk Microsoft moved font handling out of the kernel Atari 2600 emulator in Minecraft Rate of technology adoption 2021-08-0230 minFuture of TechFuture of TechThe Future of Cybersecurity, Josh Bressers, Product Security Lead, ElasticEven though Josh Bressers says that security itself is meant to be boring, there are no dull moments when discussing the evolution of the world of cybersecurity, especially because security is truly a never-ending journey.  Josh leads the Product Security Group at Elastic, and in his previous role at Red Hat he was a Cybersecurity Strategist & Product Manager, leading the security strategy in Red Hat's Platform Business Unit. On this episode of Future of Tech, Josh dives into every corner of the cybersecurity world, including how working in open source has finally emerged as the winner in t...2021-03-2200 minOpen Source SecurityOpen Source SecurityWhat even is open source anymore?Josh and Kurt talk about the question "what is open source?" Why do we think it's broken today, and what sort of ideas about what should come next. 
Show Notes OSI Bruce Perens Post Open Source Josh's community blog post Corey Doctorow Uber Twitter thread 2021-02-2233 minOpen Source SecurityOpen Source SecuritySecurity Signals: What are you telling the worldJosh and Kurt talk about how your actions can tell the world if you actually take security seriously. We frame the discussion in the context of Slack paying a very low bug bounty and discover some ways we can look at Slack and decide if they do indeed take our security very seriously. Show Notes Reddit carbon monoxide Part 1 Part 2 GCP Grey minus infinity Josh's blog post 2020-09-0732 minOpen Source SecurityOpen Source SecurityThe only thing harder than signing files is managing usersJosh and Kurt talk about the Microsoft 2 year old signature bug and Github no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks 2020-08-2429 minOpen Source SecurityOpen Source SecurityCult of Information SecurityJosh and Kurt talk about the current state of information security. There are aspects that resemble a cult more than we would like. It's not all bad though, there are some things we can do to help move things forward. This episode shouldn't be taken too seriously. Show Notes "cult of information security" How to start a cult 2020-08-1728 minOpen Source SecurityOpen Source SecuritySecure Boot isn't SecureJosh and Kurt talk about Secure Boot. The conversation uses the recent "Boot Hole" vulnerability to frame a conversation about what Secure Boot is and isn't. Why the Boot Hole flaw doesn't really matter, and why Secure Boot was very scary for Linux users back when it came out. 
Show Notes Boot Hole 2020-08-1033 minOpen Source SecurityOpen Source SecurityPasswords are pollutionJosh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it's we don't have metrics. Can you measure not getting hacked? Show Notes Clearing checks FAIR Institute Factorio 2020-08-0332 minOpen Source SecurityOpen Source SecurityWeaponized attentionJosh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text. How we create, and how social media is doing everything it can to weaponize our attention. It's not a fight humanity is winning. Show Notes GPT-3 AI Blipverts 2020-07-2733 minOpen Source SecurityOpen Source SecurityConfidential Virtual Machines; The future of cloud computingJosh and Kurt talk about Google's new confidential VMs. The AMD Secure Encrypted Virtualization is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud. Show Notes Google confidential VMs AMD SEV SEV vs SGX 2020-07-2031 minOpen Source SecurityOpen Source SecurityThe State of Open Source Security with Alyssa Miller from SnykJosh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we're seeing in open source security. Some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It's a great conversation! Show Notes The State of Open Source Security 2020 Alyssa's Twitter 2020-07-1331 minOpen Source SecurityOpen Source SecurityWhat Would Apple Do?Josh and Kurt talk about some recent security actions Apple has taken. 
Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables 2020-07-0632 minOpen Source SecurityOpen Source SecurityHumans, conferences, and security: let me think and get back to you in a bitJosh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of if a conference is useful or not. We come to the agreement the big shows aren't what they used to be, but things like BSides are great experiences. Show Notes Security and Human Behaviour Josh's blog post Mudge's Twitter thread 2020-06-2932 minOpen Source SecurityOpen Source SecurityThe convergence of application security Josh and Kurt talk about the security of applications. We talk about the security of infrastructure all the time, but what happens when we combine infrastructure into an application or solution? Show Notes Picture of Kurt's security check-up Dragon controls 2020-06-2229 minOpen Source SecurityOpen Source SecurityWe broke CVSSv3, now how do we fix it?Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? Show Notes Josh's blog post NVD Red Hat security data Josh's CVE data project Microsoft security ratings scale 2020-06-1531 minOpen Source SecurityOpen Source SecurityTalking Container Security with Liz Rice Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? 
What are some things you can do now? What will container security look like in the future? Show Notes Container Security download Pictures of elephants Kubernetes Security book Starboard project Dynamic threat analysis 2020-06-0828 minOpen Source SecurityOpen Source SecuritySpecial cases are special: DNS, Websockets, and CSVJosh and Kurt talk about a grab bag of topics. A DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes always, not even that one time. Show Notes Bind advisory Robustness Principal eBay port scanning localhost OWASP CSV injection 2020-06-0129 minOpen Source SecurityOpen Source SecurityGood advice or bad advice? Hang up, look up, and call backJosh and Kurt talk about the Krebs blog post titled "When in Doubt: Hang Up, Look Up, & Call Back". In the world of security there isn't a lot of actionable advice, it's worth discussing if something like this will work, or ever if it's the right way to handle these situations. Show notes When in Doubt: Hang Up, Look Up, & Call Back Tech Support Scam podcast: Part 1, Part 2 STIR/SHAKEN Drill the wrong safe deposit box 2009 Bank of Ireland robbery 2020-05-2533 minOpen Source SecurityOpen Source SecurityBeer, security, and consistency; the newer, better, triadJosh and Kurt talk about what beer and reproducible builds have in common. It's a lot more than you think, and it mostly comes down to quality control. If you can't reproduce what you do, you're not a mature organization and you need maturity to have quality. 
Show Notes Reinheitsgebot Josh's Blog Post Ken Thompson's reflections on trusting trust Tor Browser Deterministic Builds One line package broke npm create Donkey Kong 64 memory leak 2020-05-1829 minOpen Source SecurityOpen Source SecurityPounding square solutions into round holes: forced updates from UbuntuJosh and Kurt talk about automatic updates. Specifically we discuss a recent decision by Ubuntu to enable forced automatic updates. There are lessons here for the security community. We have a history of jumping to solutions rather than defining and understanding problems. Sometimes our solutions aren't the best. Also murder bees. Show Notes The Oatmeal giant bee comic Honeybees cook giant hornet Ubuntu 20.04 LTS’ snap obsession has snapped me off of it Forum discussion 2020-05-1132 minOpen Source SecurityOpen Source SecurityIs BPG actually insecure? Josh and Kurt talk about the uproar around Cloudflare's "Is BGP safe yet" site. It's always interesting watching how much people will push back on new things, even if the new things is probably a step in the right direction. The clever thing Cloudflare is doing in this instance is they are making the BGP problem something anyone can understand. Also send us your funny dog stories. Show Notes Is BGP safe yet? Reddit BGP conversation Hacker News BGP conversation Stealing cryptocurrency with BGP 2020-05-0431 minOpen Source SecurityOpen Source SecurityWorking from home security: resistance is futileJosh and Kurt talk about the new normal that's working away from an office. It's not exactly working from home as there are some unforeseen challenges that we just took for granted in the past. There are a lot of new and strange security problems we have to adapt to, everyone is doing amazing work with very little right now. 
Show Notes Microsoft buys corp.com Hijack computer network traffic with a Pi Zero 2020-04-2731 minOpen Source SecurityOpen Source SecuritySecurity lessons from space: Apollo 13 editionJosh and Kurt talk about space. We intended to focus on Apollo 13 but as usual we have no ability to stay on topic. There is a lot of fun space discussions in this one though. Do you think you can hack Voyager 1? Only if you have a big enough satellite dish. Show Notes Eavesdropping on Apollo 11 Apollo 11 classified weather satellite The pen that saved Apollo 11 2020-04-2035 minOpen Source SecurityOpen Source SecurityWork without progress - what Infosec can learn from treadmillsJosh and Kurt talk about Kurt's recent treadmill purchase and the lessons we can lean in security from the consumer market. The consumer market has learned a lot about how to interact with their customers in the last few decades, the security industry is certainly behind in this space today. Once again we display our ability to tie even the seemingly mundane things back to a discussion about security. Show Notes Eating goldfish off the treadmill 2020-04-1333 minOpen Source SecurityOpen Source SecuritySecurity scanners are all terrible Josh and Kurt talk about security scanners. They're all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you're running the scanner and what the reports mean? Show Notes Edmonton freeze thaw cycles Josh's security scanner blog series 2020-04-0635 minOpen Source SecurityOpen Source SecurityBuilding a talent "ecosystem" Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada's entertainment industry and Unit 8200 are good examples of this. 
Show Notes SCTV Red Team Project Moon Shot book  AvE channel  Turning a tree root into a bowl  Mailing the Hope Diamond2020-04-0632 minOpen Source SecurityOpen Source SecurityVideo game hackers - speedrunning Josh and Kurt talk about video games and hacking. Specifically how speed runners are really just video game hackers. Show Notes Developer speedrun commentary Super Mario World end credits glitch explained Mario 3 RCE Breath of the Wild speedrun Super Metroid reverse boss order TMR beats every NES game 2020-03-3033 minOpen Source SecurityOpen Source SecurityDepressing news sucks, we're talking about cheating in video games Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There's a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun. Show Notes Penny Arcade Banned from Fortnite Apollo Robbins, world's best pickpocket 2020-03-2331 minOpen Source SecurityOpen Source SecurityWireguard vs IPsec: the OK Boomer of securityJosh and Kurt talk about Wireguard. There have been a lot of recent conversations about it and if it's better or worse than other VPN solutions. It's safe to say in our modern age, less is usually more, especially when it comes to security. Wireguard has a lot going for it, it can't be ignored. Show Notes Replacing a Nintendo Switch fan WireGuard Hacker News discussion 2020-03-1630 minOpen Source SecurityOpen Source SecurityEndpoint security with Tony Meehan Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics. 
Show Notes Tony Meehan  Rob Joyce on Disrupting Nation State Hackers Bobby Filar living off the land blog Dwell time graph  Snowboarder vs Tree 2020-03-0930 minOpen Source SecurityOpen Source SecurityIs it even possible to fix open source security? Josh and Kurt talk about the Linux Foundation Census 2. There is a lot of talk around how to fix open source security, but the reality is we can't fix it. We need to stop trying to fix what isn't broken and engineering around the system we have, not the system we want. Show Notes Linux Foundation Census 2 Core Infrastructure Initiative 2020-03-0231 minOpen Source SecurityOpen Source SecurityIt’s DNS. It's always DNS Josh and Kurt talk about the sale of the corp.com domain. Is it going to be the end of the world, or a non event? We disagree on what should happen with it. Josh hopes an evildoer buys it, Kurt hopes for Microsoft. We also briefly discuss the CIA owning Crypto AG. Show Notes corp.com is for sale CIA owned Crypto AG 2020-02-2433 minOpen Source SecurityOpen Source SecurityEpisode 183 - The great working from home experiment Josh and Kurt talk about a huge working from home experiment because of the the Coronavirus. We also discuss some of the advice going on around the outbreak, as well as how humans are incredibly good at ignoring good advice, often to their own peril. Also an airplane wheel falls off. Show Notes Work from home Hacker News discussion CDC advice How to wash your hands Air Canada flight without running wather Airplane wheel falling off 2020-02-1732 minOpen Source SecurityOpen Source SecurityDoes open source owe us anything? Josh and Kurt talk about open source maintainers and building communities. While an open source maintainer doesn't owe anyone anything, there are some difficult conversations around holding back a community rather than letting it flourish. 
Show Notes Actix-web story Lodash Possible Lodash security issue  Javascript libraries are almost never updated Ularn 2020-02-1028 minOpen Source SecurityOpen Source SecurityThe security of SIM swapping Josh and Kurt talk about SIM swapping. What is it, how does it work. Why should you care? There's not a ton you can do to protect yourself, but we go over some of the basic concepts and what to watch out for. It's unfortunate this is still a problem. Show Notes Five Major US Wireless Carriers Are Vulnerable to SIM Swapping Edmonton Police SIM swap website 2020-02-0332 minOpen Source SecurityOpen Source SecurityA Tale of Two Vulnerabilities Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard. Show Notes Microsoft flaw CVE-2020-0601 Citrix flaw CVE-2019-19781 Citrix mitigation instructions 2020-01-2731 minOpen Source SecurityOpen Source SecurityGoogle Project Zero and the 90 day clockJosh and Kurt talk about the updated Google Project Zero disclosure policy. What's the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won't drastically change much. Show Notes Google and 90 day patch disclosure Upgrading all Windows versions 2020-01-2031 minOpen Source SecurityOpen Source SecurityAre CVEs important and will ransomware put you out of business?Josh and Kurt talk about a discussion on Twitter about if discovering CVE IDs is important for a resume? We don't think it is. We also discuss the idea of ransomware putting a company out of business. Did it really? Possibly but it probably won't create any substantial change in the industry. 
Show Notes: Games Done Quick; Ransomware puts company out of business; 1 in 5 companies shut down due to ransomware; Laura Shin SIM Swap Podcast
2020-01-13, 32 min

Open Source Security
Fake or real? The security of counterfeit goods
Josh and Kurt talk about marketplace safety and security. Will we ever see an end to the constant flow of counterfeit goods? The security industry has the same problem the marketplace industry has: without substantial injury we don't see movement towards meaningful change.
Show Notes: BrickLink; Cars in Canada lighting on fire; President Roosevelt used Al Capone's Limo; Dangerous car seats; Fake external hard drive
2020-01-06, 29 min

Open Source Security
The 'predictions are stupid' prediction episode
Josh and Kurt talk about security predictions for 2020. None of the predictions are even a bit controversial or unexpected. We're in a state of slow change; without disruptive technology next year will look a lot like this year.
Show Notes: The Rising Speed of Technological Adoption; Slack Certified; GDPR Fines and Notices
2019-12-30, 32 min

Open Source Security
Defenders will always be one step behind
Josh and Kurt talk about the opportunistic nature of crime. Defenders have to defend, which means the adversaries are by definition always a step ahead. We use the context of automobile crimes to frame the discussion.
Show Notes: Stealing cars with radio relays; RTL Software Defined Radio; Canada most stolen car
2019-12-23, 30 min

Open Source Security
GitHub turns security up to 11; A discussion with Rob Schultheis
Josh and Kurt talk to Rob Schultheis from GitHub about some of the amazing projects GitHub is working on. We discuss GitHub security advisories, getting a CVE from GitHub, and what the new GitHub Security Lab is doing. It's a great conversation about how GitHub is working to make security better for all of us.
Show Notes: GitHub Security Advisories; GitHub CVE requests; GitHub Security Lab; GitHub Security Lab Slack; GitHub Security Lab Twitter
2019-12-16, 29 min

Open Source Security
Ho Ho Homeland Security
Josh, Santa, and Kurt talk about the border nightmare Santa Claus has to deal with as he traverses the globe. Questions we explore include: Are the reindeer farm animals? Is the North Pole a farm? Is Santa an intellectual property thief? Does Krampus eat politicians? Does Santa have a passport? Does Santa have an emergency radio?
Show Notes: Pirate Joes
2019-12-09, 34 min

Open Source Security
The security of planned obsolescence
Josh and Kurt talk about the security implications of planned obsolescence. We use Intel's recent decision to remove old drivers from their website as the start of the conversation. By the end we realize this is more of a decision society needs to understand and make than anything else. Is constantly throwing out technology OK?
Show Notes: Intel removes old drivers; Upgrading all versions of Windows; Sniffing your Smart TV
2019-12-02, 32 min

Open Source Security
Measuring cybersecurity with Kathryn Waldron
Josh and Kurt talk to Kathryn Waldron of the R Street Institute about a paper she recently published that collects a number of cybersecurity measuring devices in one place.
Show Notes: Kathryn Waldron; Kathryn's Twitter account; Resources for Measuring Cybersecurity; There are 14 standards
2019-11-25, 30 min

Open Source Security
Until that quantum computer is cracking RSA keys, go sit back down!
Josh and Kurt talk about banking and privacy. It's very likely nothing will get better anytime soon; humans will continue to be terrible at understanding certain risks. We also discuss what quantum supremacy means (or doesn't mean) for security.
Show Notes: National Bank Privacy Issues; Quantum Supremacy Claims; Hype Cycle; Scottish person talking to Siri; SMBC Quantum Comic
2019-11-18, 31 min

Open Source Security
What happens when leadership doesn't care about security?
Josh and Kurt talk about government security incidents. The security concerns at the government level often have real life and death consequences. What happens when the leadership knowingly disregards security policy?
Show Notes: Breaking into a SCIF; White House cybersecurity team; Bugged typewriter
2019-11-11, 31 min

Open Source Security
The draconian draconians of DRM
Josh and Kurt talk about the social norms of security. We also discuss security coprocessors and the reasons behind adding them to hardware. Is DRM a draconian security measure or do we need it to secure the future? We also touch on the story of NordVPN getting hacked. The real story isn't that they got hacked; the story is they responded like clowns. The actual problem was one of leadership: there are certain leadership skills you can't be taught, you can only learn.
Show Notes: Before Windows boots protections
2019-11-04, 30 min

Open Source Security
Security is terrible because digital literacy is terrible
Josh and Kurt talk about the horrid state of digital literacy in the US. We start out talking about broken Philips Hue light bulbs, then discuss research from Pew on the digital literacy of Americans. We may have accidentally discovered a use for all the cookie warnings every web site has.
Show Notes: Pew Research on Americans' Digital Literacy
2019-10-28, 35 min

Open Source Security
Every day should be cybersecurity awareness month!
Josh and Kurt talk about cybersecurity awareness month. What's our actionable advice we can give out? There isn't much, which is a fundamental part of the problem.
Show Notes: Cybersecurity awareness month; Polar bear sized pigs
2019-10-21, 24 min

Open Source Security
Grab Bag of Microsoft Security News
Josh and Kurt talk about a number of Microsoft security news items. They've changed how they are handling encrypted disks and are now forcing cloud logins on Windows users.
Show Notes: Microsoft KB 4516071; A Security Market for Lemons; Kurt's file wiping advisory; Lock Picking Lawyer vs Consumer Reports; Sun Ray; Linux Gamers: 20% of auto reported crashes
2019-10-14, 27 min

Open Source Security
DNS over HTTPS: Probably not the end of the world
Josh and Kurt talk about DNS over HTTPS and how it may or may not destroy civilization. We also discuss the disruption of cloud in the context of security and touch on the news that GitHub is now a CVE CNA!
Show Notes: DNS over HTTPS; California Privacy Law; Defensive Security Podcast; GitHub is a CNA
2019-10-07, 30 min

Open Source Security
Death to Python 2
Josh and Kurt talk about the upcoming Python 2 EOL. What does it mean, why does it matter, and what can you do?
Show Notes: Python Clock; Python's statement about sunsetting Python 2; wifi 6
2019-09-30, 33 min

Open Source Security
SBOM with Allan Friedman
Josh and Kurt speak with Allan Friedman of the US National Telecommunications and Information Administration about Software Bill of Materials. Where are we today, where are things going, and how you can help.
Show Notes: Allan Friedman; NTIA; NTIA Software Component Transparency
2019-09-23, 30 min

Open Source Security
Human nature and ad powered open source
Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source?
Show Notes: thegrugq secure android; DoD JEDI program; Firefox privacy settings; Standard ads; Max Headroom
2019-09-16, 29 min

Open Source Security
Disclosing security issues is insanely complicated: Part 2
Josh and Kurt talk about disclosing security flaws in open source. This is part two of a discussion around how to disclose security issues. This episode focuses on some expectations and behaviors for open source projects as well as researchers trying to disclose a problem to a project.
Show Notes: webmin backdoor; GitHub security advisories
2019-09-09, 31 min

Open Source Security
Disclosing security issues is insanely complicated: Part 1
Josh and Kurt talk about disclosing security flaws. It's a topic that's come up a few times in the last few weeks and it's more complicated than it's ever been. We certainly ask more questions than we answer in this episode; there will be a part 2 that focuses on open source disclosure.
Show Notes: Lock Picking Lawyer; Tavis' Windows flaw
2019-09-02, 29 min

Open Source Security
The mess that we call credit agencies in the US
Josh and Kurt talk about the current state of credit security freezes in the US. We recount a thrilling tale of all the things Josh had to do to get new Internet service. It was all quite silly really.
Show Notes: Weak security freeze pins; 'null' license plate
2019-08-26, 27 min

Open Source Security
Backdoors and snake oil in our cryptography
Josh and Kurt talk about snake oil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it's the right thing to do.
Show Notes: Time AI video; Kurt's Tweet about technical explanations; Josh's blog post about bug training; Schneier on Barr's encryption discussion
2019-08-19, 30 min

Open Source Security
What if we MitM a whole country?
Josh and Kurt talk about Kazakhstan requiring citizens to place a government controlled root CA certificate on their computers. How does this work? What does it mean for the citizens of Kazakhstan, and why should we all be paying attention?
Show Notes: Kazakhstan MitM all TLS traffic; Mozilla bug
2019-07-29, 29 min

Open Source Security
Stealing cars and ransomware
Josh and Kurt talk about a new way to steal cars because a service didn't do proper background checks. We also discuss how this relates to working with criminals, such as ransomware, and what it means for the future of the ransomware industry.
Show Notes: Car2go theft; Alberta driver's license security; Albertosaurus; Las Vegas won't pay a ransom
2019-07-22, 27 min

Open Source Security
Chat with the authors of the book "The Fifth Domain"
Josh and Kurt talk to the authors of a new book, The Fifth Domain. Dick Clarke and Rob Knake join us to discuss the book, cybersecurity, US policy, how we got where we are today and what the future holds for cybersecurity.
Show Notes: The Fifth Domain; Dick Clarke; Rob Knake; Future State Podcast
2019-07-16, 31 min

Open Source Security
The unexpected security of AI, photographs, and VPN
Josh and Kurt talk about user expectations around Facebook's AI. Normal people are starting to see the capabilities and potential risk with all these services. We also cover the topic of China owning a number of VPN services.
2019-07-08, 34 min

Open Source Security
Tavis breaks the world ... again
Josh and Kurt talk about the disclosure of security vulnerabilities.
It's still not a settled topic; we frame the conversation around a recent disclosure from Tavis Ormandy of Google Project Zero.
2019-07-01, 30 min

Open Source Security
Passwords, AI, and cloud strategy
Josh and Kurt talk about change your password day (what a terrible day), Google's password checkup (not a terrible idea), and an AI finding new spice flavors we expect will one day take over the world. We finish up on a new DoD cloud strategy. Also Josh burnt his finger, but is going to be OK.
2019-02-25, 30 min

The Elasticast
Episode 13: The Elastic Stack and the Bitcoin Ledger with Josh Bressers
In the news: Elastic Common Schema, 7.0.0-beta1, .Net APM clients, Go clients, oh my! Aaron talks with Josh Bressers (@joshbressers) about his unique pastime, ingesting the Bitcoin Ledger into the Elastic Stack and searching for cake recipes. Mike tells us the difference between different Elasticsearch node types. Links and additional notes found at https://theelasticast.com/episodes/0013-bitcoin/
2019-02-20

Open Source Security
OSCon and actionable advice
Josh and Kurt talk about phishing training and how it doesn't really matter. Josh spoke at OSCon and comes back with some fun observations and advice. People want practical actionable advice and we're not good at that.
2018-08-13, 34 min

The John Poelstra Show
48: Practical Password Security with Josh Bressers
Enjoy this conversation with Josh Bressers, product security at Elastic and former colleague at Red Hat. Josh answers my questions about password management, general computer security and what matters (or doesn't) in today's predominantly online world.
2018-04-28, 34 min

Open Source Security
Chat with Let's Encrypt co-founder Josh Aas
Josh and Kurt talk about Let's Encrypt with co-founder Josh Aas.
We discuss the past, present, and future of the project.
2018-03-12, 38 min

Open Source Security
Episode 56 - Devil's Advocate and other fuzzy topics
Josh and Kurt talk about forest fires, fuzzing, old time Internet, and Net Neutrality. Listen to Kurt play the Devil's Advocate and manage to change Josh's mind about net neutrality.
2017-07-18, 58 min

Open Source Security
Episode 10 - The Super Botnet That Nobody Can Stop
Kurt and Josh discuss Dirty COW, the big IoT DDoS, and Josh can't pronounce Mirai or Dyn.
2016-10-24, 49 min

Dave & Gunnar Show
Episode 126: #126: Defense In Depth 2016
This week Dave and Josh Bressers pregame Red Hat Defense in Depth 2016!
October 6: Red Hat Defense in Depth; Josh's secure supply chain talk; USBGuard; Josh's Red Hat security roadmap talk w/public sector spin; Steve Grubb on application whitelisting with fapolicyd (File Access Policy Daemon); Robin Price and Martin Preisler's OpenSCAP lab; Lucy Kerner on compliance automation with OpenSCAP, Ansible, Satellite, and CloudForms; Dan Walsh on container security w/coloring books; Subscribe to Josh and Kurt Seifried's new podcast: Open Source Security Podcast ...
2016-09-27, 15 min

Dave & Gunnar Show
#109: I Blame Open Source
This week, Gunnar talks to Josh Bressers, Security Strategist for Red Hat Enterprise Linux, about how product security teams work, the difference between engineering and product management, and how he became the change he wanted to see in the world.
Start here for Red Hat security; Everything you needed to know about Red Hat Security Advisories; A staggering amount of security response data from Mark Cox's team; The 2004 Red Hat Security phishing scam; Red Hat Insights; OpenSCAP in Satellite and CloudForms
Special Guest: Josh Bressers.
2016-03-23, 32 min
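An added example for the "What if we MitM a whole country?" episode above, showing in code what installing a government root actually hands an interceptor. This is not the podcast's code and has nothing from the Kazakhstan deployment in it: the CA names, the hostname and the two trust stores are constructed for the example. It builds a stand-in public root and an "injected" root, has the injected one sign a certificate for a site it does not control, and checks which client accepts it; it then does the one check a client can still make on its own, comparing the root the verified chain ends at against a pinned fingerprint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parent (self-signed when parent is nil) using a fresh
// P-256 key. Failures here are bugs in the demo, not runtime conditions, so it panics.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot builds a self-signed CA. Nothing about the certificate itself is
// special; what matters is whether a client's trust store contains it.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// forgeLeaf has root sign a server certificate for host. X.509 has no notion of
// which names a root "should" issue for; an interception CA relies on exactly that.
func forgeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := newCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return leaf
}

// fingerprint is the SHA-256 of the DER certificate, the value a pin would hold.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// chainRoot verifies leaf for host the way a TLS client would and returns the
// fingerprint of the root the chain ends at, or "" if that client would reject it.
func chainRoot(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return ""
	}
	return fingerprint(chains[0][len(chains[0])-1])
}

// Demo models a client that installed the injected root and one that did not.
// Names are constructed for the example: "Public CA" stands in for a root the
// browser already ships, "mail.example.com" for any site the interceptor wants.
func Demo() (injectedAccepts, cleanAccepts, pinMatches bool) {
	const host = "mail.example.com"
	publicCA, _ := newRoot("Public CA")
	injected, injectedKey := newRoot("Injected Root")
	forged := forgeLeaf(injected, injectedKey, host)
	clean, compromised := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(publicCA)
	compromised.AddCert(publicCA)
	compromised.AddCert(injected) // the "install this certificate" step
	seen := chainRoot(forged, compromised, host)
	return seen != "", chainRoot(forged, clean, host) != "", seen == fingerprint(publicCA)
}

func main() {
	injected, clean, pin := Demo()
	fmt.Printf("injected-root client accepts forgery: %v\nclean client accepts forgery: %v\n", injected, clean)
	fmt.Printf("chain ends at the pinned public root: %v\n", pin)
}
```

Run it with `go run`: the client holding the injected root accepts the forged certificate for a hostname it validates correctly, the client without it rejects the same certificate, and the pin comparison is the only thing that notices the difference. That is the whole mechanism: the browser's hostname and signature checks all pass, because the decision was made at the moment the root entered the trust store, not at connection time.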