Open Source Security Podcast Josh Bressers & Kurt Seifried

Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details and focus on doing something that feels "right".
Show Notes Why Capcom thinks PC game modding is akin to “cheating” Ben Heck

Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. But the government plays by a very different set of rules.
Show Notes Canada bans WeChat, Kaspersky applications on government devices Fitness tracking app Strava gives away location of secret US army bases Phishing emails increase over 1,200 percent since ChatGPT launch FedRAMP Rev 5 FAIR Institute

Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it's currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea.
Show Notes Mozilla site Root CA mailing list UK eIDAS regulation EFF statement on eIDAS Fixed XKCD comic

Josh and Kurt talk about security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there's not a lot of movement to fix many of them. Tech is weird and hard, and with the almost complete lack of regulation creates some of these challenges. In the world of security we need a better talent pipeline, but that takes actual efforts, not just complaining on the internet.
Show Notes Schneier on security skill shortage British Airways flight smoke The Password Game Tesla accidents Lawn darts

Josh and Kurt talk about a proposed Dutch proposal that would allow the intelligence services to hack victims of adversaries they are in the process of infiltrating. The purpose of this discussion isn't to focus on the Dutch specifically, but rather to discuss the larger topic of government oversight. These are all very new concepts and nobody knows how things should work.
Show Notes Dutch hacking proposal Give Me Toilet Paper! by Asuka424 in 9:54 - Summer Games Done Quick 2023 Flipper Zero Smart Meter Frequency Hopping Teri Kanfield

Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, we chat with him about the security of curl. Daniel tells us how curl is kept secure, we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project.
Show Notes Daniel's Mastodon account Curl The curl CVE blog Broken curl on PowerShell wolfSSL