Preview Mode Links will not work in preview mode

Feb 26, 2018

Topics on today's show:

NPM (Node Package Manager) - bug was introduced changing permissions on /etc, /boot, and /usr, breaking many systems, requiring full re-installs. Why was it allowed to be passed, and worse, why did so many run that version on production systems?

Code signing - a well known content management system does not sign it's code. What are the risks involved in not signing the code? And we talk about why you should verify the code before you use it.

Using code without testing - NPM released a 'not ready for primetime' version of it's package manager. We discuss the issues in running 'alpha', and 'beta'


Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at





#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:


Join our #Slack Channel! Email us at

or DM us on Twitter @brakesec

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:



Previous podcast referenced:


Using ‘pre-production’ software without testing is not advisable

Unfortunately, many assume all software is stable

A product of ‘devops’ - failing forward “we’ll just fix it in post”


Talked last podcast about ‘supply chain security’


Developers can leave a project, leaving code unmaintained… or dependencies


Also, a modicum of trust is required… verifying the code before you use it.

Verification that the code came from where it was supposed to


Many important code bases aren’t signed or have verification

Wordpress does not appear to publish file hashes

Can you always trust the download? Sure, they do TLS… but no integrity, or non-repudiation

Bsides NASH-