
    Episode 360 - Memory safety and the NSA

    January 30, 2023

    About this Episode

    Josh and Kurt talk about the NSA guidance on memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problems, why we can't fix C, and what some alternatives look like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C.

    Show Notes

    Recent Episodes from Open Source Security Podcast

    Episode 418 - Being right all the time is hard

    Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren't impossible problems. Sometimes we forget that.


    Episode 417 - Linux Kernel security with Greg K-H

    Josh and Kurt talk to Greg K-H about Linux Kernel security. We mostly focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting.


    Episode 416 - Thomas Depierre on open source in Europe

    Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what's happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It's not easy, but it is possible.


    Episode 415 - Reducing attack surface for less security

    Josh and Kurt talk about a blog post explaining how to create a very, very small container image. Generally in the world of security less is more, but it's possible to remove too much. A lot of today's security tooling relies on certain things existing in a container image; removing them could actually result in worse security than leaving them in. It's a weird topic, but probably pretty important.


    Episode 414 - The exploited ecosystem of open source

    Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It's easy to have unrealistic expectations for open source projects, but we have the open source capitalism demands.


    Episode 413 - PyTorch and NPM get attacked, but it's OK

    Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of trying to operate a large open source project. The NPM problem is one of the difficulty of trying to backdoor open source. A lot of people are watching, and it only takes one person to notice a problem for us all to benefit.


    Episode 412 - Blame the users for bad passwords!

    Josh and Kurt talk about the 23andMe compromise and how they are blaming the users. It's obviously the fault of the users, but there's still a lot of things to discuss on this one. Every company has to care about cybersecurity now, even if they don't want to.
