Open Source Security Podcast

By: Josh Bressers & Kurt Seifried
  • Summary

  • A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers, covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion, often giving a unique perspective on any given topic.
    This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
Episodes
  • Episode 448 - What's wrong with CISA?
    Sep 30 2024

    Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining security, not blaming vendors for giving the market what it demands.

    Show Notes
    • iCloud Photos Downloader
    • CISA boss: Makers of insecure software must stop enabling today's cyber villains
    • A Security Market for Lemons
    • CISA and FBI Release Secure by Design Alert on Eliminating Cross-Site Scripting Vulnerabilities
    • CISA Secure by Design Pledge
    • Railroad Newsletter
    • CISA Secure Software Development Attestation Form
    35 mins
  • Episode 447 - The Tidelift 2024 open source maintainer report
    Sep 23 2024

    Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus on a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of ideas".

    Show Notes
    • THE 2024 TIDELIFT STATE OF THE OPEN SOURCE MAINTAINER REPORT
    • Canadian passport
    • Changelog Interviews #433
    • Pandas CVE
    39 mins
  • Episode 446 - Researchers took over .MOBI TLD
    Sep 16 2024

    Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters. There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasonable way.

    Show Notes
    • We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
    • Heinz says sorry for ketchup QR code that links to porn site
    33 mins
