An update to https://mas.to/@analog_cafe/110787555795301891
The person got back to me expecting a bounty payment between 300-600 Eur to his PayPal account for the information. He did not reveal his identity in that email, even though I've asked in my reply.
I feel like I'm being extorted here as he's coming from a position of power (he knows something about me, but I don't know anything about him), and I'm not sure what his next steps may be.
Any advice? #security #osspodcast
@joshbressers Thanks, Josh!
#osspodcast is my favourite podcast, I look forward to it every week.
Got an email from a security researcher. Can’t find his email or name anywhere online. Email seems to demonstrate a legit vulnerability. Would you say it’s safe to engage/reply? #security #OSSPodcast
@joshbressers
@kurtseifried I would love for your listeners to know that we remove SEO spam from crates.io when we find/ are notified of it, and if there's anyone out there getting a bonus for the number of users or packages on crates.io, they owe me a cut 😝 #OSSPodcast #RustLang
Enjoyed episode 360 on memory safety. Glad Rust is causing some waves. The kind of push back against basic facts that you get on Reddit when you mention better ways than C is unreal. Totally agree that legislation might be the way from the Rust episode.
One thing you appear to be in the dark about though is Ada. It recently got tooling on par with Rust.
It is also easier to use than Rust and safer. Its type system helps you even catch some logic errors before compilation, during compilation and at runtime. Yet it is as low level as C when needed. Actually Ada has better bare metal features than C such as record memory overlays to avoid bit shifting and excellent fixed point support. From the sound of it, I think it might be right up both of your streets.
You can check it out without installing the above alire here.
Old but interesting Episode 209 secure boot.
Blacklisting individual shims shouldn't be the way to do it. Whichever expanded key was used for shims for certain years should be blacklisted and a new key rolled and used going forward.
Interesting about GPL if true and I wish Linux had taken example from OpenBSD and dropped kernel modules years ago.
@joshbressers I’d be really interested in hearing about Nix and its implications for software supply chains on the #OSSPodcast. Do you guys have any plans for that?
It was my honor to invite myself onto one of my favorite podcasts, #OSSPodcast, to chat with @joshbressers and @kurtseifried about #RustLang and shopvac attachments 😄 https://opensourcesecurity.io/2023/02/12/episode-362-a-lesson-in-rust-from-carol-nichols/
Can confirm that @joshbressers and @kurtseifried of #OSSPodcast are as pleasant to chat with as they are to listen to :)
When we ( @kurtseifried and @joshbressers) did the luggage tracking via airtags episode on #osspodcast https://opensourcesecurity.io/2022/10/30/episode-347-airtags-in-luggage-and-weasel-security-two-peas-in-a-suitcase/ we had no idea it would get this insane:
“They said they could hear AirTags beeping,” said Rees. “Cops are unimpressed [with] how Air Canada is handling this in that they are taking possession and ownership of our property and deciding what needs to be done with it and donating it.”
#AIX isn't dead, it's just pining for the fjords, much like #NOTAM which probably wants to die and be replaced with something modern, which might happen now that it had a little nap. Find out more with @kurtseifried and @joshbressers on the #osspodcast https://opensourcesecurity.io/2023/01/22/episode-359-the-notam-outage-and-other-legacy-technology/ TL;DR: Remember the #SCO lawsuit? It's all related.
Ok poll time. Tomorrow @kurtseifried and @joshbressers record an #osspodcast. Do you want:
This week's #OSSPodcast was fueled by @Di4na article "I am not a supplier"
We discuss open source in the context of being a natural resource that suffers from pollution and mismanagement (a bit like a forest or river)
We're probably currently a path to unsustainability
https://opensourcesecurity.io/2023/01/08/episode-357-is-open-source-being-overexploited/
How many companies are helping #opensource by putting eggs in the toaster? Find out on the #osspodcast https://opensourcesecurity.io/2023/01/08/episode-357-is-open-source-being-overexploited/ with @kurtseifried and @joshbressers TL;DR: don't put eggs in your toaster, seriously. Also maybe companies and demanding users should stop strip mining OpenSource and burning our developers.
@bookwar So this came up on the #osspodcast Boxing day episode https://opensourcesecurity.io/2022/12/25/episode-355-security-boxing-day/ TL;DR: most people don't have the spare resources, so they can't do preventative work until it catches fire. In fairness, most people have infinite other piles of fire to put out right now as well like that printer on the third floor that keeps jamming.
I think we can all agree that #lastpass ducked up seriously, but what happens now? Find out on the #osspodcast with @kurtseifried and @joshbressers https://opensourcesecurity.io/2023/01/01/episode-356-lastpass-ducked-up-now-what/ TL;DR: #lastpass is a bag of weasels that still has a website that makes it sound like all your vault data is encrypted. It's not.
@hacks4pancakes For many of us with kids, especially kids with asthma or other medical conditions... yeah. I have a duty of care to my kids (both in that I want to avoid sickness, and I want to avoid making them sick). It would be a very different risk calculation if it were just me. The upside of conferences is also much lower for most of us. We actually covered the value of conferences on the #osspodcast https://opensourcesecurity.io/2020/06/28/episode-203-humans-conferences-and-security-let-me-think-and-get-back-to-you-in-a-bit/ TL;DR: it's not what most people think
If you didn't have enough money to get someone a gift you can give them the gift of the #osspodcast for free from @kurtseifried and @joshbressers https://opensourcesecurity.io/2022/12/25/episode-355-security-boxing-day/ TL;DR: we talk about the security poverty line and some practical things you can actually do with no or little budget if you're using OpenSource. And trust me, you're using OpenSource.
I just remembered I wrote a #Log4Shell parody poem based on The Night Before Christmas for #OSSPodcast last year. It was certainly a wild time a year ago. Thank goodness this year is way more boring
https://opensourcesecurity.io/2021/12/26/episode-303-log4j-christmas-spectacular/