Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more.

• Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch
• Kurt's Plugin

Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is no lost! There's some great ideas on what the future needs to look like.

• Donald Fischer
• Brian Fox
• Tidelift
• Sonatype
• The 2024 Tidelift state of the open source maintainer report
• Sonatype State of the Software Supply Chain
• Anchore 2024 Software Supply Chain Security Report
• OpenSSF TAC issue 101

Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen.

• Request for Comment on Product Security Bad Practices Guidance
• FY2025-2026 CISA International Strategic Plan
• EU brings product liability rules in line with digital age and circular economy
• CSA Cloud Controls Matrix

Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source.

• Meshtastic
• Heltec LoRa 32(V3) Radio
• 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous
• Meshtastic Routing Issues & Deployment Scenarios
• TC2-BBS-mesh
• The Comms Channel
• Josh's BBS
• Heltec T114 bug

Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work.

• Seth Larson
• XKCD PGP Signature
• Seth's Blog
• Python and Sigstore
• Deprecating PGP - PEP 761
• Python SBOMs

Josh and Kurt talk about the current Wordpress / WP Engine mess. In what is certainly a supply chain attack, the Advanced Custom Fields forking. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn't be this exciting. The bad sort of exciting.

• WordPress.org’s latest move involves taking control of a WP Engine plugin
• Wordpress / WP Engine timeline
• Knorr German Recipes

Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means.

• CUPS vulnerability
• Akamai report
• Wil Wheaton: being a nerd is not about what you love; it’s about how you love it

Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining security, not blaming vendors for giving the market what it demands.

• iCloud Photos Downloader
• CISA boss: Makers of insecure software must stop enabling today's cyber villains
• A Security Market for Lemons
• CISA and FBI Release Secure by Design Alert on Eliminating Cross-Site Scripting Vulnerabilities
• CISA Secure by Design Pledge
• Railroad Newsletter
• CISA Secure Software Development Attestation Form

Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of ideas".

• THE 2024 TIDELIFT STATE OF THE OPEN SOURCE MAINTAINER REPORT
• Canadian passport
• Changelog Interviews #433
• Pandas CVE

Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasonable way.

• We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
• Heinz says sorry for ketchup QR code that links to porn site

Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger risk equations. It's a really fun discussion.

• Jay Jacobs on LinkedIn
• EPSS
• Jay's graph animation
• Cyentia's A Visual Exploration of Exploits in the Wild