Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti cheat rootkits are also terrible. The clever thing however is using statistics to identify cheaters. Statistics don't lie.

The Notepad++ Parasite Website

11 days ago 35m 22s

Josh and Kurt talk about a Notepad++ fake website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size

FCC cybersecurity label for consumer devices

18 days ago 32m 9s

Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark. Similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secu

XZ Bonus Spectacular Episode

25 days ago 1h 1m

Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming

Do you have a security.txt file?

25 days ago 30m 13s

Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our todo lists, but it's something worth doing. Show Note

CISA's new SSDF attestation form

Mar 25th, 2024 41m 3s

Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big chan

What's going on at NVD

Mar 18th, 2024 39m 4s

Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shock-waves through the vulnerability management space. While there are many unknowns right now, the

Malicious GitHub repositories

Mar 11th, 2024 34m 6s

Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of

Being right all the time is hard

Mar 4th, 2024 30m 17s

Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that. Show

Linux Kernel security with Greg K-H

Feb 26th, 2024 42m 40s

Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel secu

Thomas Depierre on open source in Europe

Feb 19th, 2024 42m 45s

Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show w

Reducing attack surface for less security

Feb 12th, 2024 31m 8s

Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things t

The exploited ecosystem of open source

Feb 5th, 2024 32m 26s

Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands. Show Notes Op

PyTorch and NPM get attacked, but it's OK

Jan 29th, 2024 35m 19s

Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty in trying to backdoor open source. A lot of people ar

Blame the users for bad passwords!

Jan 22nd, 2024 33m 3s

Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if

The security tools that started it all

Jan 15th, 2024 29m 27s

Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Not

Package identifiers are really hard

Jan 8th, 2024 31m 52s

Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprising

Episode 409 - You wouldn't hack a train?

Jan 1st, 2024 35m 35s

Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL m

Does Kubernetes need long term support?

Dec 25th, 2023 32m 15s

Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It's a lively discussion all about the past, present, and future of open

Should Santa use AI?

Dec 18th, 2023 36m 23s

It's the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There's some fun in this one, but it does get pretty real. While we tried to discuss Santa us

The security of radio

Dec 11th, 2023 34m 41s

Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in the macbooks. The common thread between all these stories is look

Modding games isn't cheating and security isn't fair

Dec 4th, 2023 31m 47s

Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially

Does the government banning apps work?

Nov 27th, 2023 35m 4s

Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but hav

Episode 402 - The EU's eIDAS regulation is a terrible idea

Nov 20th, 2023 30m 29s

Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it's currently done. This is concerning for a number of reasons th

Security skills shortage - We've tried nothing and the same thing keeps happening

Nov 13th, 2023 40m 9s

Josh and Kurt talk about security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there's not a lot