A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
…
continue reading
1
The NDS Show - An Intelligence Community Podcast covering Geospatial Intelligence, Open Source Intelligence OSINT, Human Intelligence HUMINT, Military & National Security
The NDS Show
Unlock a world of valuable insights and thought-provoking discussions related to the Intelligence Community (CIA, NSA, NGA, FBI, Military Intelligence). Join Nick, a successful entrepreneur and business leader, on his journey to discover a world of INTELLIGENCE in all facets of our lives. As an Army Veteran with expertise in geospatial Intelligence Operations, and multiple successful businesses and investments across a variety of industries, including technology, defense, real estate, crypto ...
…
continue reading
Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. Show Notes 2024 CWE…
…
continue reading
1
SUPERCHARGE Your Organization with SOFT SKILLS and Leadership Lessons from the CIA
1:59:05
1:59:05
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
1:59:05
In this episode, we dive into an inspiring conversation with CIA Leadership Executive Mike Mears, a seasoned leader with a fascinating background in intelligence, leadership development, and organizational transformation. Mike shares compelling stories from his career, explores the principles of effective leadership, and provides actionable advice …
…
continue reading
Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from messages in the past. The reason for this is it appears the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encry…
…
continue reading
Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is almost all consumer gear you plug into the internet is terrible. And there's little hope it will get better anytime soon. Show Notes China has utterly pwned 'thousands and thousands' o…
…
continue reading
1
Episode 456 - What if XZ happened to a company? The openness of open source
33:42
33:42
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
33:42
Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It's easy to claim just because source code being available doesn't matter. But the reality is when source code is needed, it can make a huge difference for everyone working t…
…
continue reading
Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. Show Notes Linus Torvalds Lands A 2.6% Performance…
…
continue reading
1
Episode 454 - The state of open source with Brian Fox from Sonatype and Donald Fischer from Tidelift
43:13
43:13
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
43:13
Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is no lost! There's some great ideas on what the future needs to lo…
…
continue reading
Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force c…
…
continue reading
Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source. Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous …
…
continue reading
1
Episode 451 - Python security with Seth Larson
36:24
36:24
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
36:24
Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work. Show Notes Seth …
…
continue reading
Josh and Kurt talk about the current Wordpress / WP Engine mess. In what is certainly a supply chain attack, the Advanced Custom Fields forking. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn't be this exciting. The bad sort of exciting. Show Notes…
…
continue reading
Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means. Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd i…
…
continue reading
Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining securi…
…
continue reading
1
Episode 447 - The Tidelift 2024 open source maintainer report
38:52
38:52
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
38:52
Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of i…
…
continue reading
1
Episode 446 - Researchers took over .MOBI TLD
33:06
33:06
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
33:06
Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasona…
…
continue reading
1
Beyond OSINT: Fusing Commercial Data Analysis for Digital ISR w/ Steve Loori
1:22:36
1:22:36
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
1:22:36
Steve Loori, a seasoned intelligence community professional, shares his incredible journey from the Marine Corps to becoming a leader in the world of commercial data analysis and Open Source Intelligence for surveillance and reconnaissance. Starting with his experiences as a young Marine during the Iraq War, Steve delves into how those early challe…
…
continue reading
Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger…
…
continue reading
Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it's becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. Show Notes Chrome dumped support for Ubuntu 18.04 – but it'll be back Linus Torvalds t…
…
continue reading
1
Episode 443 - The Supply Chain Security Crisis
34:23
34:23
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
34:23
Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. Show Notes Black Hat USA …
…
continue reading
1
Episode 442 - The foundation of society, TLS certificates are a mess
40:35
40:35
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
40:35
Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to …
…
continue reading
Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. Show Notes CWE Epis…
…
continue reading
1
Episode 440 - "What is open source" talk Josh gave
34:36
34:36
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
34:36
Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is…
…
continue reading
1
Episode 439 - Where are all the youth in open source?
29:27
29:27
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
29:27
Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created…
…
continue reading
1
Episode 438 - CISA's bad OSS advice vs the Whitehouse good advice
34:52
34:52
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
34:52
Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved.…
…
continue reading
1
Episode 437 - CocoPods and proper funding for open source
36:50
36:50
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
36:50
Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important, we have to start to underst…
…
continue reading
1
Episode 436 - OpenSSH and node-ip - it's all exponential growth
32:10
32:10
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
32:10
Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relatio…
…
continue reading
1
Episode 435 - polyfill.io - open source is too big to fix
38:50
38:50
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
38:50
Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here …
…
continue reading
1
Episode 434 - Unreported vulnerabilities and everyone is getting hacked
31:17
31:17
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
31:17
Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabiliti…
…
continue reading
1
Episode 433 - Should OpenSSH block misbehaving clients?
31:40
31:40
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
31:40
Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future. Show Notes OpenSSH introduces optio…
…
continue reading
Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, what it can (and can't) do. It's a really fun conversation. Show Notes Flipper Zero Website Headphone jack radio capture Flipper Zero on Tik Tok…
…
continue reading
Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is however a lot of baggage in this space as you'll hear in the discussion. There's no a simple solution, but this is certainly something to discuss. Show Notes Your API Shouldn't Redirect HTTP to HTTPS H…
…
continue reading
Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? Show Notes Kurt's strange coffee Why a 'frozen' distribution L…
…
continue reading
1
Episode 429 - The autonomy of open source developers
32:06
32:06
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
32:06
Josh and Kurt talk about open source and autonomy. This is even related to some recent return to office news. The conversation weaves between a few threads, but fundamentally there's some questions about why do people do what they do, especially in the world of open source. This also is a problem we see in security, security people love to tell dev…
…
continue reading
Josh and Kurt talk about a new to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier to use features in the future. Someday, everything will be signed by default. Show Notes GitHub artifact attestation…
…
continue reading
1
Why Synthetic Aperture Radar (SAR) is CRUCIAL for Earth Observation w Umbra Space's Gabe Dominocielo
1:06:17
1:06:17
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
1:06:17
Gabe Dominocielo, co-founder of Umbra Space, discusses the challenges and excitement of launching SAR satellites and the unique capabilities of synthetic aperture radar. He shares insights into the process of developing satellites, the choice of SAR technology, and the importance of precision in radar imagery. Gabe also talks about the diverse rang…
…
continue reading
Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. Show Notes Conan O'Brien on Hot Ones Lennart's Mastodon thread xkcd automation…
…
continue reading
1
REIMAGINE Geospatial Intelligence w/ former NGA Director Robert Sharp
1:40:46
1:40:46
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
1:40:46
Robert (Bob) Sharp shares his journey in the military and as the director of the National Geospatial-Intelligence Agency (NGA). He discusses how he accidentally became an admiral and the joy he found in changing jobs and working with different people. He also talks about the importance of specialization and generalization in the intelligence commun…
…
continue reading
1
Episode 426 - Automatically exploiting CVEs with AI
37:31
37:31
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
37:31
Josh and Kurt talk about a paper describing using a LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we have, there's no way we can possibly keep up with a glut of LLM generated vulnerabilities. We r…
…
continue reading
1
Episode 425 - Video game cheaters, also pretendo
30:36
30:36
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
30:36
Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year, is this ethical? Show Notes H…
…
continue reading
Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice. Show Notes H…
…
continue reading
1
Episode 423 - FCC cybersecurity label for consumer devices
32:09
32:09
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
32:09
Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really wei…
…
continue reading
Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can't fix this problem as it stands, we don't know where to start yet. But that's not a reason t…
…
continue reading
1
Episode 422 - Do you have a security.txt file?
30:13
30:13
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
30:13
Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing. Show Notes RFC 9116
…
continue reading
1
Episode 421 - CISA's new SSDF attestation form
41:03
41:03
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
41:03
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come. Show Notes Secure Software Development A…
…
continue reading
Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won't go back to the way they were. Show Notes Anchore's Blog Grype Jo…
…
continue reading
Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of a massive ecosystem like GitHub. Show Notes GitHub besieged by millions of malicious repositories in ongo…
…
continue reading
1
Episode 418 - Being right all the time is hard
30:17
30:17
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
30:17
Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that. Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto…
…
continue reading
1
Episode 417 - Linux Kernel security with Greg K-H
42:40
42:40
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
42:40
Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. Show Notes Greg K-H Linux Kernel is a CNA Machine le…
…
continue reading
1
Episode 416 - Thomas Depierre on open source in Europe
42:45
42:45
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
42:45
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible. Show …
…
continue reading
1
Episode 415 - Reducing attack surface for less security
31:08
31:08
「あとで再生する」
「あとで再生する」
リスト
気に入り
気に入った
31:08
Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it…
…
continue reading