435 episodes

A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.

Open Source Security Podcast Josh Bressers & Kurt Seifried

    • Technology

    Unreported vulnerabilities and everyone is getting hacked

    Josh and Kurt talk about three angles of responsibility. We start with a story about a bike theft ring; bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked: it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there are some numbers for open source specifically.
    Show Notes:
        The West Coast’s Fanciest Stolen Bikes Are Getting Trafficked by One Mastermind in Jalisco, Mexico
        $5 million worth of stolen tools recovered thanks to Apple's AirTag — 12 secret storage facilities had around 15,000 construction tools
        Vulnerability fixes in plain sight: How your scanners are missing hundreds of vulnerabilities

    • 31 min

    Should OpenSSH block misbehaving clients?

    Josh and Kurt talk about a new proposal from OpenSSH to add a timeout that penalizes misbehaving clients. This brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing; even if something fails, we learn a lesson that we can use in the future.
    Show Notes:
        OpenSSH introduces options to penalize undesirable behavior
        Hacker News comments

    • 31 min

    Flipper Zero with Alex Kulagin

    Josh and Kurt talk to Alex Kulagin from Flipper about the Flipper Zero. It's one of the coolest hacker devices that exists on the market. We talk about what it is, how it started, and what it can (and can't) do. It's a really fun conversation.
    Show Notes:
        Flipper Zero Website
        Headphone jack radio capture
        Flipper Zero on TikTok

    • 33 min

    Redirecting HTTP to HTTPS

    Josh and Kurt talk about a blog post titled "Your API Shouldn't Redirect HTTP to HTTPS". It's an interesting idea, and probably a good one. There is, however, a lot of baggage in this space, as you'll hear in the discussion. There's no simple solution, but this is certainly something to discuss.
    Show Notes:
        Your API Shouldn't Redirect HTTP to HTTPS
        Hacker News discussion
        HSTS Section 5.1

    • 32 min

    Frozen kernel security

    Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works, and discuss why they would be less secure. The frozen kernel model dates from a time when things worked very differently. What sort of changes will we see in the future?
    Show Notes:
        Kurt's strange coffee
        Why a 'frozen' distribution Linux kernel isn't the safest choice for security

    • 34 min

    The autonomy of open source developers

    Josh and Kurt talk about open source and autonomy. This is even related to some recent return-to-office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security: security people love to tell developers what to do. Developers don't like being told what to do.
    Show Notes:
        pycurl issue
        Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away
        RSA ANIMATE: Drive: The surprising truth about what motivates us
        Sudo-rs dependencies: when less is better
        phishing webcomic
        Debian OpenSSL Bug (16 years)

    • 32 min
