Episode 120: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything. Then we give listeners a special deal on the book.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor - ThreatLocker User Store
https://www.criticalthinkingpodcast.io/tl-userstore
Today's guest: https://x.com/spaceraccoonsec
====== Resources ======
Buy SpaceRaccoon's Book: From Day Zero to Zero Day
https://nostarch.com/zero-day
USE CODE 'ZERODAYDEAL' for 30% OFF
Pwning Millions of Smart Weighing Machines with API and Hardware Hacking
https://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/
====== Timestamps ======
(00:00:00) Introduction
(00:04:58) From Day Zero to Zero Day
(00:12:06) Mapping Code to Attack Surface
(00:17:59) Day Zero and Taint Analysis
(00:22:43) Automated Variant Analysis & Binary Taxonomy
(00:31:35) Source and Sink Discovery
(00:40:22) Hybrid Binary Analysis & Quick and Dirty Fuzzing
(00:56:00) Coverage-Guided Fuzzing, Fuzzing Everything, & Beyond Day Zero
(01:02:16) Bug bounty, Vuln research, & Governmental work
(01:10:23) Source Code Review & Pwning Millions of Smart Weighing Machines
Fuzzing: Software Stability through Randomly Generated Input Data. Testing, and especially automated testing of your own software, is considered best practice in software development, regardless of whether we are talking about unit testing, integration testing, functional testing or acceptance testing. The idea is to keep the number of defects in the software low. But even if your tests reach 100% code coverage, that does not mean your program has no bugs, because all of these kinds of tests share one problem: the input parameters are usually constructed according to some structure, and that by no means guarantees that they cover all possible cases. This is exactly where fuzzing, or fuzz testing, comes in: testing your software with randomly generated input parameters. That sounds wild at first, but it can uncover entirely new problems in your software. And that is the topic of this episode. Our guest is Prof. Dr. Andreas Zeller, researcher in software testing and author of the Fuzzing Book. With him we work out what fuzzing actually is, where it comes from and how it relates to other testing strategies such as unit testing. He gives us insight into the differences between search-based fuzzing, grammar fuzzing, symbolic fuzzing and specification-based fuzzers, how complex systems can be improved with metamorphic testing, what the oracle problem is, how databases, for example, can be fuzzed, and also how all of this is applied in practice and how you can easily get started with fuzzing. Bonus: what an oracle has to do with testing. You can find our current advertising partners at https://engineeringkiosk.dev/partners Quick feedback on the episode:
Security vulnerabilities in computer programs are risky. Fuzzing is meant to find them before they can do damage. But the method has been laborious, at least until now. Prof. Andreas Zeller of CISPA in Saarbrücken wants to change that. At the CISPA Helmholtz Center for Information Security, Prof. Andreas Zeller pursues a vision: developing, with his team, software bots that automatically test, debug and monitor software systems. The project is called „S3 – Semantics of Software Systems“. >> Read the article: https://detektor.fm/wissen/forschungsquartett-wie-fuzzing-sicherheitsluecken-findet
New "SparkCat" secret-stealing AI image scanner discovered in App and Play stores. The UK demands that Apple does the impossible: decrypting ADP cloud data. France moves forward on legislation to require backdoors to encryption. Firefox moves to 135 with a bunch of useful new features. The Five Eyes alliance publishes edge-device security guidance. Six NetGear routers contain CVSS 9.6 and 9.8 vulnerabilities. Sysinternals utilities allow malicious Windows DLL injection. Google removes restrictive do-gooder language from AI application policies. "AI Fuzzing" successfully jailbreaks the most powerful ChatGPT o3 model. Examining the well and deliberately hidden truth behind ransomware cyberattacks on U.S. K-12 schools Show Notes - https://www.grc.com/sn/SN-1012-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: joindeleteme.com/twit promo code TWIT canary.tools/twit - use code: TWIT zscaler.com/security uscloud.com 1password.com/securitynow
Robbie's programming journey began with early exposure to computers and the internet, where he explored bulletin board systems and platforms like Virtual Places. He quickly became immersed in creating bots, filters, and tools for clan wars and later transitioned his skills to AOL Instant Messenger. Known for reverse-engineering protocols and crafting exploits, Robbie's work left a mark on the underground programming scene, driven by creativity and the thrill of innovation.
Guest: Robbie Saunders - https://www.linkedin.com/in/robbiesaunders/
Host: Steve Stonebraker
Audio Editor: Sam Fox (sam.fox.london@gmail.com)
CoverArt: Created by Broast (https://broast.org), original idea by LampGold.
Extras:
https://www.informationweek.com/it-leadership/w00w00-s-suggested-aim-fix-is-no-fix
--
AOL Underground Podcast
Follow us on twitter - @AOLUnderground @brakertech
Reddit - https://www.reddit.com/r/AOLUnderground/
Youtube - https://www.youtube.com/@AOLUndergroundPodcast
Merch - https://www.redbubble.com/people/AOL-Underground/shop
Donate - https://www.buymeacoffee.com/AOLUnderground
Contact the Host - https://aolunderground.com/contact-host/
ReAOL Discord - https://discord.gg/p3ol
Podcast Community Page - https://aolunderground.com/community/
AOL 4.0 is working! - https://nina.chat/connect/aol/
--
Other
Check out my wife's Etsy shop - https://www.etsy.com/shop/Snowbraker
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! 00:00 - Intro & Cyber Resilience Insights 01:20 - The 25-Year-Old Curl Bug Story 04:17 - Fuzzing for Security: A Missed Opportunity? 08:46 - AWS re:Invent Security Highlights 11:54 - NPM Malware Surge 16:33 - Small Packages, Big Risks in NPM 19:55 - Open Source Security Trends 24:27 - Microsoft MFA Vulnerability Explained 28:28 - Hardware Hacking & DMA Exploits 30:55 - Auditing Ruby's Package Ecosystem 34:02 - Looking Ahead to 2025 Show Notes: https://securityweekly.com/asw-311
Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload, and how engaging users about their experience with solutions like OpenTelemetry makes for better software -- a lesson that appsec teams can apply to paved roads and security guardrails. Segment Resources: https://opentelemetry.io https://cncf.io https://adri-v.medium.com/ Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-309
Looking at vulnerable code in Ivanti (Perl) and Magento (PHP), fuzzing is perfect for parsers, handling tenant isolation when training LLMs, Microsoft's small steps towards secure design, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-303
The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more! Show Notes: https://securityweekly.com/asw-302
Ken and Seth return for Episode #263 and start with a discussion around web application fuzzing and the deficiencies of vulnerability and exploit-focused dynamic testing, a common thread in Seth's ranting. This is followed by a discussion on mobile testing and attempting to control security through client-side controls, spurred by an article that compares security in the McDonald's Android app to various banking apps. The final topic is around secrets management and use of the dotenv (.env) file for storing secrets.
Fuzzing network traffic in OpenWRT, parsing problems lead to GitLab auth bypass, more fuzzing finds vulns in a JPEG parser, and more! Show Notes: https://securityweekly.com/asw-300
An automatic software bug and vulnerability discovery technique that inputs invalid, unexpected and/or random data or fuzz into a program and then monitors the program's reaction to it.
Max Ammann is a cybersecurity researcher at Trail of Bits, where he's recently been working on extending his Master's thesis work on fuzzing cryptographic protocols into an industrial-grade fuzzing tool. That work resulted in an S&P publication which is what he joined us to present today. This was a really good talk but also a great discussion, in large part because of the highly engaged audience (with representation from Galois, TwoSix, and academia!).
The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278
Get Proton Mail for FREE: https://davidbombal.wiki/protonmail2 Big thanks to Proton for Sponsoring the video! This is an amazing collection of books and resources - both free and paid. Big thanks to Jason Haddix for sharing his knowledge to help us learn in 2024! // Books and Resources // Web application hacker's handbook: https://amzn.to/48sUNYb Web security academy, Port Swigger: https://portswigger.net/web-security OWASP Web Security Testing Guide: https://owasp.org/www-project-web-sec... Web Security Testing Guide Ellie Saad and Rick Mitchell v4.2: https://owasp.org/www-project-web-sec... Real world bug hunting: https://amzn.to/3TK1mSd Bug Bounty Bootcamp: https://amzn.to/41DW38B Red Team Field Manual: https://amzn.to/48ul0pl Red Team Development and Operations: A practical guide: https://amzn.to/3vez1Jl Operator Handbook: Red Team + OSINT + Blue Team Reference: https://amzn.to/3vemAgC Tribe of Hackers Red Team: https://amzn.to/47ef8zv The Pentester Blueprint: https://amzn.to/3tvA8E6 OSINT Techniques: Resources for uncovering online information: https://amzn.to/3S6xw9j Evading EDR: https://amzn.to/3toESeL Attacking Network Protocols: https://amzn.to/3TEFvv7 Black Hat GraphQL: https://amzn.to/47gHl8C Hacking API's: https://amzn.to/3TzS0Z5 APISEC University: https://www.apisecuniversity.com/ Black Hat Go: https://amzn.to/3RXV13W Black Hat Python: https://amzn.to/3NHFnHo Black Hat Bash: https://nostarch.com/black-hat-bash Zseano's methodology: https://www.bugbountyhunter.com/metho... Breaking into information security: https://amzn.to/3TI4n5h Expanding your security horizons: https://amzn.to/3GU07Iq Wiki Book Pentest living document: https://github.com/nixawk/pentest-wik... HackTRICKS: https://book.hacktricks.xyz/welcome/r... Fuzzing lists: https://github.com/secfigo/Awesome-Fu... Sec Lists: https://github.com/danielmiessler/Sec... Payloads all the things: https://github.com/swisskyrepo/Payloa... 
Pentester Lab: https://pentesterlab.com/ Try Hack Me: Red Team Fundamentals: https://tryhackme.com/module/red-team... HTB Academy: https://academy.hackthebox.com/ Hacktivity: https://hackerone.com/hacktivity/over... Vulnerable U: https://vulnu.mattjay.com/ Grzegorz Niedziela: https://members.bugbountyexplained.co... Or https://www.youtube.com/c/BugBountyRe... Sharing what matters in security: https://securib.ee/newsletter/ Intigriti: https://www.intigriti.com/ tl;dr sec: https://tldrsec.com/ Unsupervised learning: https://danielmiessler.com/subscribe Pentest Book: https://pentestbook.six2dez.com/ Bugcrowd: https://bugcrowd.com/crowdstream Trickest: https://trickest.com/ // Jason Haddix SOCIAL // Youtube: https://www.youtube.com/c/jhaddix LinkedIn: https://www.linkedin.com/in/jhaddix Twitter: https://twitter.com/Jhaddix Github: https://github.com/jhaddix Boddobot: https://buddobot.com/ The Bug Hunters Methodology Live: https://tbhmlive.com/56 // David's SOCIAL // Discord: https://discord.com/invite/usKSyzb X / Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal YouTube: https://www.youtube.com/@davidbombal // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com hacking books hack python linux Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! #hacking #hack #cybersecurity
CNCF releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more! Show Notes: https://securityweekly.com/asw-263
The number of software vulnerabilities found in modern computing systems has been on the rise for some time now. As more and more software is being developed, software testing is increasingly becoming an important part of the software development cycle, with the goal of rooting out any and all vulnerabilities before public release. However, finding software vulnerabilities is not a trivial task, especially in complex software systems with thousands of lines of code and complicated system interactions. Just a single vulnerability making its way into a software product/service can have devastating consequences, if not discovered and patched in good time. Luckily, there is a plethora of available software testing tools and techniques. One such software testing approach is called fuzzing. Fuzzing is an automated program testing technique introduced in the late-1980s, and has become a critical tool in a software tester's toolkit. Fuzzing is based on the simple idea of feeding software lots of mutated inputs and monitoring the program state for any anomalous behavior. Fuzzers have had a long and successful track record of finding software vulnerabilities. This success brought forth new and innovative approaches to improve the overall fuzzing process in all aspects. However, despite its success and widespread use, fuzzing is not a "one size fits all" approach. Software testers still have to tailor their fuzzing methodology to the software under test. Therefore, understanding the inner workings of fuzzers is absolutely vital in order to determine when and how to use them most effectively.
About the speaker: Derek Dervishian works as a cybersecurity research engineer at Lockheed Martin - Advanced Technology Laboratories, an advanced applied R&D division of the Lockheed Martin corporation, specializing in cyber, autonomy, data analytics and much more. In this role, Derek has worked on several R&D projects across multiple technical areas, including vulnerability research and binary analysis. Derek graduated from Purdue University with a Bachelor's degree in Computer Engineering in December 2020. Derek is currently pursuing a Master's degree in Computer Science from the Georgia Institute of Technology.
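Both the one-line definition of fuzzing above ("inputs invalid, unexpected and/or random data ... and monitors the program's reaction") and the Dervishian abstract ("feeding software lots of mutated inputs and monitoring the program state for any anomalous behavior") describe the same loop. The following is an added example, not code from either episode or from any fuzzer mentioned on this page: a minimal mutation-based fuzzer in Python run against a constructed toy record parser. The record format, the parser, its bug, the seed corpus and the mutation operators are all invented for the illustration. A Python exception stands in for the segfault or sanitizer report a native fuzzer would catch; the parser's own ValueError is treated as a documented rejection and not counted as a crash, which is the "oracle" decision every fuzzing harness has to make.

```python
import random
from typing import Callable, Dict, List, Optional

# --- Constructed target: a toy record parser (not code from any real project) ---
# Record layout: [tag:1][len:1][payload:len][crc:1], crc = XOR of payload bytes.

def xor_checksum(payload: bytes) -> int:
    crc = 0
    for b in payload:
        crc ^= b
    return crc

def make_record(tag: int, payload: bytes) -> bytes:
    """Build a well-formed record; used to create the seed corpus."""
    return bytes([tag, len(payload)]) + payload + bytes([xor_checksum(payload)])

def parse_record(data: bytes) -> dict:
    """Buggy parser: rejects malformed input with ValueError, but trusts the
    length field. An oversized length (or a truncated buffer) makes the crc
    lookup index past the end of the buffer -> IndexError, our 'crash'."""
    if len(data) < 3:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    payload = data[2:2 + length]        # slicing silently truncates...
    crc = data[2 + length]              # ...indexing does not: BUG
    if xor_checksum(payload) != crc:
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}

def parse_record_hardened(data: bytes) -> dict:
    """Fixed parser: checks the length field against the buffer before any
    indexing, so every malformed input is a clean ValueError."""
    if len(data) < 3:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    if len(data) != 3 + length:
        raise ValueError("length field does not match buffer")
    payload = data[2:2 + length]
    if xor_checksum(payload) != data[2 + length]:
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}

# --- Minimal mutation fuzzer ---
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary values parsers mishandle

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary byte, delete or insert."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:  # insert a random byte (also the only option for empty input)
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def reproduces(target: Callable[[bytes], dict], data: bytes) -> Optional[str]:
    """Run one input; return the crash class name, or None if it did not crash."""
    try:
        target(data)
    except ValueError:
        return None            # documented rejection path, not a crash
    except Exception as exc:   # anything else is an unexpected failure
        return type(exc).__name__
    return None

def fuzz(target: Callable[[bytes], dict], seeds: List[bytes],
         iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Mutate the seeds `iterations` times, run each candidate through `target`,
    and keep the first reproducer per crash class (deduplicated by exception type)."""
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        sig = reproduces(target, candidate)
        if sig is not None and sig not in crashes:
            crashes[sig] = candidate
    return crashes

# Constructed seed corpus of well-formed records.
SEEDS = [make_record(0x01, b"abc"), make_record(0x02, b"hello world")]

if __name__ == "__main__":
    for sig, repro in fuzz(parse_record, SEEDS).items():
        print(f"{sig}: {repro!r}")
    print("hardened parser crashes:", fuzz(parse_record_hardened, SEEDS))
```

The loop has no coverage feedback: every candidate is a single mutation of a seed, which is enough here because any deletion or most changes to the length byte hit the bug, but it would never reach a defect that needs several coordinated changes. That gap is what coverage-guided fuzzers such as AFL++ and libFuzzer close by feeding inputs that reach new code back into the corpus, and why they are paired with sanitizers that turn silent memory errors into reportable crashes.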
A binary summer-recap episode, looking at some vulnerabilities and research put out over the summer. Talking about what TPM really offers when it comes to full-disk encryption, some thoughts on AI in the fuzzing loop. Then into some cool bugs, kicking off with some ARM Memory Tagging Extension vulnerabilities, a `-fstack-protector` implementation failure and bypass, and then a look at an Android exploit that was found in-the-wild. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/216.html [00:00:00] Introduction [00:01:50] Spot the Vuln - Only One Domain [00:04:46] AI-Powered Fuzzing: Breaking the Bug Hunting Barrier [00:15:00] Summary: MTE As Implemented [00:38:21] TPM provides zero practical security [00:47:30] CVE-2023-4039: GCC's -fstack-protector fails to guard dynamic stack allocations on ARM64 [00:55:30] Analyzing a Modern In-the-wild Android Exploit [01:07:31] Various Vulnerabilities in Huawei Trustlets The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9
In the Dark Side of Hacking, we take a look at how Russian Hackers have shifted their focus to attacking infrastructure rather than individuals after being identified and putting victims through panic. Google AI launches a new bug hunting strategy called Fuzzing, which uses a machine learning algorithm to search for flaws in software. Fuzzing is a more targeted approach to bug hunting that can be used to find vulnerabilities before they are exploited. Article: https://exploitbrokers.com/hacking-news/hn-12-the-dark-side-of-hacking-russian-hackers-infrastructural-shift-and-google-ais-fuzzing/
Amanda Rousseau, Offensive Security Engineer for the Microsoft Offensive Research and Security Engineering Team, joins Nic Fillingham and Wendy Zenone on this week's episode of The BlueHat Podcast. Amanda loves malware; she worked as an Offensive Security Engineer on the Red Team at Facebook, a Malware Researcher at Endgame, and the U.S. Department of Defense Cyber Crime Center. Amanda mainly focuses on vulnerability research, fuzzing, and security engineering and discusses with Nic and Wendy her time reviewing and analyzing offline digital devices, known as Dead-Box Forensics, reverse engineering malware, and how she finds success from her creative and artistic background. In This Episode You Will Learn: What "shift left" means as a security professional How to learn more about fuzzing and understand some of the tooling Why having a creative background helps when communicating with security teams Some Questions We Ask: How would you describe fuzzing for someone that doesn't know the definition? What is Dead-Box Forensics, and can you share the investigative process? How can we make fuzzing and security more accessible and less intimidating for developers? Resources: View Amanda Rousseau on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Follow Amanda on Twitter and malwareunicorn.org Discover and follow other Microsoft podcasts at microsoft.com/podcasts Hosted on Acast. See acast.com/privacy for more information.
In this episode, Nathan sits down with Tanishq Mathew Abraham, 19-year-old UC Davis grad and one of the youngest people in the world to receive a Ph.D, with a degree in biomedical engineering. Tanishq is the founder of the Medical AI Research Center (MedARC), and with his teammates, recently published a paper: Reconstructions of the Mind's Eye, which encompasses their breakthrough research on reconstructing visual perceptions from fMRI scans into images. In this episode, Nathan and Tanishq talk about the technology behind the fMRI-to-image project, developing the model, and future applications for this research. Part 2 with Tanishq will be released as the next episode. RECOMMENDED PODCAST: The HR industry is at a crossroads. What will it take to construct the next generation of incredible businesses – and where can people leaders have the most business impact? Hosts Nolan Church and Kelli Dragovich have been through it all, the highs and the lows – IPOs, layoffs, executive turnover, board meetings, culture changes, and more. With a lineup of industry vets and experts, Nolan and Kelli break down the nitty-gritty details, trade offs, and dynamics of constructing high performing companies. Through unfiltered conversations that can only happen between seasoned practitioners, Kelli and Nolan dive deep into the kind of leadership-level strategy that often happens behind closed doors. Check out the first episode with the architect of Netflix's culture deck Patty McCord. https://link.chtbl.com/hrheretics The Cognitive Revolution is a part of the Turpentine podcast network. To learn more: Turpentine.co TIMESTAMPS: (00:00) Episode Preview (05:43) The MindEye Project (09:06) Resemblance between AI reconstruction of mind's eye and visual presented (10:00) What is a voxel and which regions of the brain were studied? (10:23) What would the raw data of a voxel be? (11:44) Is there a time dimension to voxels? 
(15:00) Sponsor: Omneky (17:50) Goals for the MindEye project (25:57) What is the starting point of the model? (31:15) Aligning the model: reconstruction vs retrieval (40:34) Would doing a full end-to-end training be fine for the reconstruction? (42:15) The role of a limited data set (43:09) Training separate models per subject (45:07) Generalizability with a limited dataset (47:20) Mapping from one high-dimensional space to another (50:47) Stable Diffusion VAE encoding (1:00:50) How long does it take to train the model? (1:03:14) How similar or different are the subjects and their individual models? (1:05:59) The future of this research: custom models for your brain? (1:07:34) How much does this research contribute to brain research and wearables? (1:11:15) Fuzzing data and future research applications LINKS: MedARC: medarc.ai MindEye Paper: https://www.researchgate.net/publication/371136623_Reconstructing_the_Mind's_Eye_fMRI-to-Image_with_Contrastive_Learning_and_Diffusion_Priors MP3 of this episode: https://chrt.fm/track/993DGA/traffic.megaphone.fm/RINTP1584997572.mp3?updated=1687271014 TWITTER: @iScienceLuvr (Tanishq) @MedARC_AI (MedARC) @CogRev_Podcast @labenz (Nathan) @eriktorenberg (Erik) SPONSOR: Thank you Omneky (www.omneky.com) for sponsoring The Cognitive Revolution. Omneky is an omnichannel creative generation platform that lets you launch hundreds of thousands of ad iterations that actually work, customized across all platforms, with a click of a button. Omneky combines generative AI and real-time advertising data. Mention "Cog Rev" for 10% off. MUSIC CREDIT: MusicLM
This week's episode features an interview between Patrick Collins and a Web3 Security Engineer at Trail of Bits. They cover:
- testing methodologies
- fuzzing
- static analysis
With Trail of Bits Security Engineer, Troy!
Timestamps
3:10 - Exploring Smart Contract Testing Methodologies with Trail of Bits
5:37 - Testing Strategies for Smart Contracts
8:10 - Fuzz Testing and Invariant-Based Testing Explained
10:56 - Coverage Guided Fuzzing Explained
13:50 - The Benefits of Coverage Guided Fuzzing and the Differences between Echidna, Foundry, & Others
16:27 - Using Coverage Guided Fuzzing with Optic and Echidna
19:12 - Symbolic execution and coverage-guided fuzzing in Echidna
21:57 - Testing Philosophies: Dynamic vs. Static Testing
24:24 - Dynamic vs Static Analysis and the trade-offs of each approach
27:10 - The Importance of Efficient Testing and Using a Variety of Testing Methods
29:57 - The Role of Security Firms and Testing Philosophies
32:33 - Balancing Cost and Efficiency in Security Audits
35:15 - The Importance of Code Reuse in Building Tools and Languages
38:04 - The pitfalls of focusing on language intricacies in programming and the benefits of prioritizing language design and philosophy
40:41 - The Need for More Open Source Tools and Communication in the Ethereum Community
43:22 - Advice for becoming more security-minded in smart contract coding
45:51 - Discussion with Alpha Rush on Testing Compilers and Security Focus Journeys
In this episode we bring you with us to the Southern California Linux Expo, or SCaLE20x, in Pasadena, California. We interviewed several attendees about their experience at the conference.
Featuring:
Robin Phantomhive, attendee at SCaLE and community member
Mofi Rahman, Developer Advocate at Google
Fatima Sarah Khalid, Dev Evangelist at GitLab
Bryan Behrenshausen, Open Source Program Manager at GitLab
Laura Santamaria, Geek with an achievement streak at Dell
Jeff Deifik, Cybersecurity at Aerospace Corp
Jill Bryant Ryniker of LWDW and the Destination Linux Podcast
Bill Schouten of Tux Digital and the Sudo Show Podcast
Do you have something cool to share? Some questions? Let us know:
- web: kubernetespodcast.com
- mail: kubernetespodcast@google.com
- twitter: @kubernetespod
News of the week
Chainguard contributes Rekor Search Project to Sigstore
Docker and Ambassador Labs Announce Telepresence for Docker, Improving the Kubernetes Development Experience
Docker, Inc. Celebrates 10th Anniversary With Alliances
Oracle Cloud Infrastructure to Increase the Reliability, Efficiency, and Simplicity of Large-Scale Kubernetes Environments at Reduced Costs
cdCon / GitOpsCon Schedule
Crossplane Security Audit
Crossplane completes fuzzing security audit
Improving Security by Fuzzing the CNCF landscape Report
Links from the interview
Destination Linux Podcast
LWDW
LinuxChix LA
Sudo Show Podcast
Tux Digital
Creating a cluster with kubeadm
Just one vulnerability this week about hacking the Nintendo DSi browser, but we have a good discussion about fuzzing and a new paper "autofz". Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/194.html
[00:00:00] Introduction
[00:00:27] Spot the Vuln - Checking your Numbers
[00:03:23] autofz: Automated Fuzzer Composition at Runtime
[00:14:52] Alex Plaskett - Fuzzing Insights
[00:23:08] Hacking the Nintendo DSi Browser
[00:29:56] Espressif ESP32: Breaking HW AES with Electromagnetic Analysis
[00:32:08] Finding 10x+ Performance Improvements in C++ with CodeQL – Part 2/2 on Combining Dynamic and Static Analysis for Performance Optimisation
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Today's guest is Devtooligan, a pseudonymous smart contract engineer and auditor. Devtooligan is a mainstay in the Huff community and just recently landed a job as a security engineer at Trail of Bits. In this episode we went deep into Huff and why so many Huffors have had lots of success. We also discussed Devtooligan's career path and his journey leveling up with smart contract security.
00:00 Intro
3:33 How Devtooligan got into crypto
6:48 Working at Yield Protocol, Ethernaut, getting into Huff
12:30 Why learn Huff?
16:35 What has Solidity done well?
20:02 What should the Huff community work on?
23:00 Why have Huffors had success?
27:40 Getting better with smart contract security
37:55 What does Devtooligan's audit process look like?
43:53 What can smart contract devs be better at? (Documentation)
48:31 AI tooling & auditing
51:45 Tinkering is what drives innovation
Useful Links:
- Devtooligan on Twitter: https://twitter.com/devtooligan
- Security reference, exercises, and tips: http://secure-contracts.com
- Huff main site: www.huff.sh
- Statecharts and state machines: https://stately.ai/docs/state-machines-and-statecharts
- ToB YouTube channel: https://www.youtube.com/@trailofbits
- Fuzzing workshop: https://www.youtube.com/watch?v=QofNQxW_K08&list=PLciHOL_J7Iwqdja9UH4ZzE8dP1IxtsBXI
- How to prepare for an audit: https://blog.trailofbits.com/2018/04/06/how-to-prepare-for-a-security-audit/
This week we talk about more Rust pitfalls, and fuzzing cURL. Then we have a couple bugs, one involving messing with the TCP stack to reach the vulnerable condition. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/190.html
[00:00:00] Introduction
[00:00:27] Spot the Vuln - Insecure by Default
[00:02:20] cURL audit: How a joke led to significant findings
[00:09:45] Rustproofing Linux (Part 4/4 Shared Memory)
[00:11:25] Rustproofing Linux (Part 4/4 Shared Memory)
[00:17:22] Exploiting a remote heap overflow with a custom TCP stack
[00:34:20] mast1c0re: Part 3 - Escaping the emulator
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
SQL Injections: One of the most widespread security vulnerabilities on the web, even in 2022
The majority of all applications interact with a database in some way. That is why most developers will already have heard of the "SQL injection" vulnerability. For 24 years it has been one of the most widespread security vulnerabilities on the Internet, and there is no end in sight. What exactly is an SQL injection, in detail? What different kinds are there? Why has this entry point kept us busy for so long? Where does it come from and who discovered it? How can you protect yourself and test your application adequately? All that and much more in this episode.
Bonus: The contrast between Duisburg and Berlin, and how SQL injection was discovered as a by-product.
Feedback (voice messages welcome too)
Email: stehtisch@engineeringkiosk.dev
Twitter: https://twitter.com/EngKiosk
WhatsApp +49 15678 136776
We are also happy to cover your audio feedback in one of the next episodes; just send an audio file by email or a WhatsApp voice message to +49 15678 136776
Links
Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12: http://www.phrack.org/archives/issues/54/8.txt
OWASP Top Ten 2021: https://owasp.org/www-project-top-ten/
CVE Details - Security Vulnerabilities Published In 2022 (SQL Injection): https://www.cvedetails.com/vulnerability-list/year-2022/opsqli-1/sql-injection.html
Analyzing Prepared Statement Performance: https://orangematter.solarwinds.com/2014/11/19/analyzing-prepared-statement-performance/
SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
OWASP Top 10 (2021) - A03:2021 – Injection: https://owasp.org/Top10/A03_2021-Injection/
CVE Details - Heartbleed (CVE-2014-0160): https://www.cvedetails.com/cve/CVE-2014-0160/
CVE Details - Log4Shell (CVE-2021-44228): https://www.cvedetails.com/cve/CVE-2021-44228/
xkcd "Exploits of a Mom": https://xkcd.com/327/
trivago's HackerOne program: https://hackerone.com/trivago
Owncloud: https://owncloud.com/
TYPO3: https://typo3.org/
Wordpress: https://wordpress.com/de/
SQL-Proxy: https://github.com/sysown/proxysql
GitHub CodeQL: https://codeql.github.com/
sqlmap: https://sqlmap.org/
SQLi-Fuzzer: A SQL Injection Vulnerability Discovery Framework Based on Machine Learning: https://ieeexplore.ieee.org/document/9657925
OWASP Zed Attack Proxy (ZAP): https://www.zaproxy.org/
PlanetScale: https://planetscale.com/
Awesome static analysis: https://github.com/analysis-tools-dev/static-analysis
Timestamps
(00:00:00) Intro
(00:00:42) SQL injections from the 90s and the diversity of Berlin
(00:02:49) Today's topic: web security, SQL injections in depth
(00:05:07) What are SQL injections?
(00:08:48) Are SQL injections still a problem in 2022?
(00:10:56) When was the first SQL injection? Where does this vulnerability come from?
(00:13:22) What are the reasons SQL injections are still such a big problem?
(00:19:37) Different kinds of SQL injections: output-based, error-based, blind SQL injections, time-based SQL injections, out-of-band SQL injections
(00:27:42) Bug bounty: two-channel SQL injection attack combined with cross-site scripting (XSS) at trivago
(00:29:42) Multi-stage attacks and exploiting several vulnerabilities one after another
(00:33:16) Possible damage from an SQL injection: modifying data, executing commands on the server, reading and writing local files, executing SQL functions, denial of service (DoS)
(00:39:09) Countermeasures to prevent SQL injections: prepared statements, updating database components, limited privileges for database users, web application firewalls (WAF)
(00:56:42) Ways to test your application automatically: unit tests, static analysis, dynamic analysis with sqlmap, and fuzzing
(01:02:51) Measures taken by database-as-a-service providers to guarantee security
(01:06:51) Outro
Hosts
Wolfgang Gassler (https://twitter.com/schafele)
Andy Grunwald (https://twitter.com/andygrunwald)
Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems.
Show Notes
Kelsey Hightower tweet
OSS-Fuzz
This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw202
FEATURED VOICES IN THIS EPISODE
Dan Guido
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he's active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project -- AlgoVPN -- is the Internet's most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System.
Nat Chin
Nat Chin is a security engineer 2 at Trail of Bits, where she performs security reviews of blockchain projects, and develops tools that are useful when working with Ethereum. She is the author of solc-select, a tool to help switch Solidity versions. She worked as a smart contract developer and taught as a Blockchain Professor at George Brown College, before transitioning to blockchain security when she joined Trail of Bits.
Opal Wright
Opal Wright is a cryptography analyst at Trail of Bits. Two of the following three statements about her are true: (a) she's a long-distance unicyclist; (b) she invented a public-key cryptosystem; (c) she designed and built an award-winning sex toy.
Jim Miller
Jim Miller is the cryptography team lead at Trail of Bits. Before joining Trail of Bits, Jim attended graduate programs at both Cambridge and Yale, where he studied and researched both Number Theory and Cryptography, focusing on topics such as lattice-based cryptography and zero-knowledge proofs. During his time at Trail of Bits, Jim has led several security reviews across a wide variety of cryptographic applications and has helped lead the development of multiple projects, such as ZKDocs and PrivacyRaven.
Josselin Feist
Josselin Feist is a principal security engineer at Trail of Bits where he participates in assessments of blockchain software and designs automated bug-finding tools for smart contracts. He holds a Ph.D. in static analysis and symbolic execution and regularly speaks at both academic and industrial conferences. He is the author of various security tools, including Slither - a static analyzer framework for Ethereum smart contracts and Tealer - a static analyzer for Algorand contracts.
Peter Goodman
Peter Goodman is a Staff Engineer in the Research and Engineering practice at Trail of Bits, where he leads all de/compilation efforts. He is the creator of various static and dynamic program analysis tools, ranging from the Remill library for lifting machine code into LLVM bitcode, to the GRR snapshot/record/replay-based fuzzer. When Peter isn't writing code, he's mentoring a fleet of interns to push the envelope. Peter holds a Master's in Computer Science from the University of Toronto.
Host: Nick Selby
An accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.
Production Staff
Story Editor: Chris Julin
Associate Editor: Emily Haavik
Executive Producer: Nick Selby
Executive Producer: Dan Guido
Recording
Rocky Hill Studios, Ghent, New York. Nick Selby, Engineer
Preuss-Projekt Tonstudio, Salzburg, Austria. Christian Höll, Engineer
Remote recordings:
Whistler, BC, Canada; (Nick Selby) Queens, NY; Brooklyn, NY; Rochester, NY (Emily Haavik); Toronto, ON, Canada. TAPES//TYPES, Russell W. Gragg, Engineer
Trail of Bits supports and adheres to the Tape Syncers United Fair Rates Card
Edited by Emily Haavik and Chris Julin
Mastered by Chris Julin
Music
DISPATCHES FROM TECHNOLOGY'S FUTURE, THE TRAIL OF BITS THEME, Chris Julin
OPEN WINGS, Liron Meyuhas
NEW WORLD, Ian Post
FUNKYMANIA, Omri Smadar, The Original Orchestra
GOOD AS GONE, INSTRUMENTAL VERSION, Bunker Buster
ALL IN YOUR STRIDE, Abe
BREATHE EASY, Omri Smadar
TREEHOUSE, Lingerwell
LIKE THAT, Tobias Bergson
SCAPES, Gray North
Reproduction
With the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 0; Immutable © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Meet the Team:
CHRIS JULIN
Chris Julin has spent years telling audio stories and helping other people tell theirs. These days he works as a story editor and producer for news outlets like APM Reports, West Virginia Public Broadcasting, and Marketplace. He has also taught and mentored hundreds of young journalists as a professor. For the Trail of Bits podcast, he serves as story and music editor, sound designer, and mixing and mastering engineer.
EMILY HAAVIK
For the past 10 years Emily Haavik has worked as a broadcast journalist in radio, television, and digital media. She's spent time writing, reporting, covering courts, producing investigative podcasts, and serving as an editorial manager. She now works as an audio producer for several production shops including Us & Them from West Virginia Public Broadcasting and PRX, and APM Reports. For the Trail of Bits podcast, she helps with scripting, interviews, story concepts, and audio production.
Why Google's new open-source security effort might fall a bit short, the Arch snag this week, a big win for Right to Repair, and why you might soon have a new favorite filesystem.
Go was created at Google in 2007 to improve programming productivity in an era of multi-core networked machines and large codebases. Since then, engineering teams across Google, as well as across the industry, have adopted Go to build products and services at massive scale, including the Cloud Native Computing Foundation, where over 75% of the projects are written in the language.

In this episode of The New Stack Makers podcast, Steve Francia, Head of Product for the Go Language at Google, an alumnus of MongoDB and Docker, and a Drupal board member, discusses the programming language, the new features in Go 1.18 and why Go is continuing on a path of accelerated adoption with developers. Darryl Taft, News Editor of The New Stack, hosted this podcast.

In the State of Developer Ecosystem 2021, Go ranked in the top five languages that developers planned to adopt, and it continues to be one of the fastest growing languages. According to Francia, it was created with the motivation to see whether a new systems programming language could be built that compiles quickly, with security as the top focus. With developers coming and going at Google, the simplicity and scalability of the language enabled many to contribute across several projects at any given time.

“The influence that separates Go from most languages is the experience of the creators behind it, who all came to build it with their collective experience,” Francia said. Today, “Go is influencing a lot of the mainstream languages. Elements of it can be found in a tool that formats everyone's source code to be identical and more readable. Since then, a lot of languages have adopted that same practice,” said Francia. “And then there's Rust. Go and Rust are on parallel tracks and we're learning from each other. There's also a new language called V that has recently been open sourced, which is the first major language inspired by Go,” Francia said.

The latest release of Go 1.18 was Google's biggest yet. “It included four major features, each of which you could build a release around,” said Francia. In this release, “Generics is the biggest change to the Go language, which has been in the works for 10 years,” Francia added. “Because we knew that generics have the potential to make a language more complicated, we spent a long time going through different proposals,” he said. Fuzzing, workspaces and performance were three other features released in this version of Go.

“From improving our documentation and learning – which you can go to go.dev/learn/ to get the latest resources – we're really focused on the broad view of the developer experience,” Francia said. “And in the future, we're seeing not our team so much as the community taking Go in new ways,” he added.
In the AppSec News: Okta breach, fuzzing Rust finds ReDoS, SQL injection and the age of code, Log4j numbers paint a not-pretty picture. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw190
For some people, crypto means cryptography. For others, it means cryptocurrency. Fortunately, in this episode, we're discussing vulnerabilities in both. Guido Vranken returns to The Hacker Mind to discuss his CryptoFuzz tool on GitHub, as well as his experience fuzzing and finding vulnerabilities in cryptographic libraries and also within cryptocurrencies such as Ethereum.
Fuzzing makes it possible to locate vulnerabilities even in “safe” environments like Erlang, a language designed for high availability and robust services. Jonathan Knudsen from Synopsys joins The Hacker Mind to discuss his presentation at SecTor 2021 on fuzzing common message brokers such as RabbitMQ and VerneMQ, both written in Erlang, demonstrating that any type of software in any environment can still be vulnerable.