
Episode 425 - Video game cheaters, also pretendo

Open Source Security Podcast

Release Date: 04/22/2024

More Episodes

Episode 428 - GitHub artifact attestation
Josh and Kurt talk about a new way to sign artifacts on GitHub. It's in beta, it's not going to be easy to use, and it will have bugs. But that's all OK. This is how we start. We need infrastructure like this to enable easier-to-use features in the future. Someday, everything will be signed by default.

Episode 427 - Will run0 replace sudo?
Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it'll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo.

Episode 426 - Automatically exploiting CVEs with AI
Josh and Kurt talk about a paper describing using an LLM to automatically create exploits for CVEs. The idea is probably already happening in many spaces, such as pen testing and intelligence services. We can't keep up with the number of vulnerabilities we already have; there's no way we can possibly keep up with a glut of LLM-generated vulnerabilities. We really need to rethink how we handle vulnerabilities.

Episode 425 - Video game cheaters, also pretendo (this episode)

Episode 424 - The Notepad++ Parasite Website
Josh and Kurt talk about a fake Notepad++ website. It's possibly not illegal, but it's certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It's probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn't really notice.

Episode 423 - FCC cybersecurity label for consumer devices
Josh and Kurt talk about a new FCC program to provide a cybersecurity certification mark, similar to other consumer safety marks such as UL or CE. We also tie this conversation into GrapheneOS, and what trying to claim a consumer device is secure really means. Some of our compute devices have an infinite number of possible states. It's a really weird and hard problem.

XZ Bonus Spectacular Episode
Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know, with the attitude that many of these details will change quickly over the coming week. We can't fix this problem as it stands; we don't know where to start yet. But that's not a reason to lose hope. We can fix this if we want to, but it won't be flashy, it'll be hard work.

Episode 422 - Do you have a security.txt file?
Josh and Kurt talk about the security.txt file. It's not new, but it's not something we've discussed before. It's a great idea, an easy format, and well defined. It's not high on many of our to-do lists, but it's something worth doing.

Episode 421 - CISA's new SSDF attestation form
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn't very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It's going to take a long time to see big changes in supply chain security, but we're confident they will come.

Episode 420 - What's going on at NVD
Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shockwaves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is that things won't go back to the way they were.

Josh and Kurt talk about a database of game cheaters. Cheating in games has many similarities to security problems. Anti-cheat rootkits are also terrible. The clever thing, however, is using statistics to identify cheaters. Statistics don't lie. Also, we discuss the Pretendo project sitting on a vulnerability for a year: is this ethical?

Show Notes