I have now set the TCP evil bit to 1 for all outbound traffic from my home router. #osspodcast
I don't think I can, in good faith, recommend the #osspodcast anymore. There was no mention of curl OR potholes in the latest episode. My disappointment is immeasurable and my day is ruined. @joshbressers @kurtseifried
In the olden days if you had 1000+ software packages to manage you were a fully fledged operating system with software, nowadays we call this a "web app."
Find out some hard lessons learned over the year from @kurtseifried and @joshbressers on the #osspodcast https://opensourcesecurity.io/2023/03/12/episode-366-software-liability-is-coming/ TL;DR: counting vulnerabilities is both completely stupid, and completely necessary. The trick is to think about them the right way (hint: statistics, not pets. Except when they are pets like #log4j. Who's a good vulnerability? You are!).
Ok so @kurtseifried and @joshbressers were lucky enough to have @Di4na on the #osspodcast aka the "I am not a supplier" person. TL;DR:... normally we cut the episode to 30 minutes. This one is 52 minutes. It's good. Really good. Suggestion: first go read https://www.softwaremaxims.com/blog/not-a-supplier and then stare at the image below for a few minutes and think about what you just read, and then load the podcast up at https://opensourcesecurity.io/2023/03/05/episode-365-i-am-not-your-supplier-with-thomas-depierre/ and listen to the author clarify it, and explain several other things. TL;DR You need to listen to Thomas. He's sharp.
Episode 364 of the #osspodcast in which Kurt had bad shawarma, @joshbressers agrees that good shawarma is great, and we learn that it's also hard to know what's in your software even if you do #SBOM https://opensourcesecurity.io/2023/02/26/episode-364-using-sboms-is-hard/ TL;DR: We got different kinds of SBOM, SBOM drift, services and APIs, and then there are some complicated problems on top of all that. Also legal obligations.
Episode 362 of the #osspodcast in which @carol not only teaches @kurtseifried and @joshbressers about #rust, both at a high level (catching things at compile time makes for some magic) and some very clever low-level things (like borrowing and lending) but also asks one of the best guest questions I've ever heard, find out at https://opensourcesecurity.io/2023/02/12/episode-362-a-lesson-in-rust-from-carol-nichols/ TL;DR: the crevice tool is good, but if you live in Canada and have a garage you want the water on floor cleaning tool for your garage.
In last week's news discussed after the fact by @kurtseifried and @joshbressers on the #osspodcast https://opensourcesecurity.io/2023/02/05/episode-361-github-got-pwnt-but-it-wasnt-very-exciting/ @github got hacked a little bit and it was mostly boring. In exciting news, it's also clear that @githubsecurity is staying on top of things and not only noticed themselves getting a little bit hacked, but then checked and noticed others getting hacked the same way and fixed them, and notified them. At least that's what we speculate (with reasonable evidence and a bit of Occam's Razor).
RT GitHub Security
Tune into this week's #osspodcast to hear @thejillboss chat about GitHub’s bug bounty program, including what’s in scope and why we love partnering with researchers
https://opensourcesecurity.io/2022/12/11/episode-353-jill-mone-corallo-on-githubs-bug-bounty-program/
https://twitter.com/GitHubSecurity/status/1603517571319341057
@malanalysis @jerry @fuzztech @boblord Another observation: the term "password manager" never occurs in this thread (at least not that I saw). How many people are using a password manager to generate very entropic, secure passwords, that the password manager then manages securely, and only allows you to put into the correct website, or manually into an app (thus reducing a lot of the phishing attack surface/mistake potential).
Also, it's wild to see the value people assign to Mastodon accounts, "2fa is table stakes", ignoring the fact they're on a completely random service hosted by someone they may have never heard of, and the account really may not be that valuable/important to them... For all we know 70% of accounts on infosec.exchange are idle/moved/bots which means over 50% of active accounts use MFA...
This isn't 0 or 1. This is a rich nuanced world. Heck we covered this ages ago on the #osspodcast https://opensourcesecurity.io/2022/07/03/episode-330-the-sliding-scale-of-risk-seeing-the-forest-for-the-trees/
My favorite podcast moment recently is @joshbressers somehow being aware of real-life NCIS, but being blown away by the existence of the multiple very popular TV shows based on it