-
Another Wave of Random Thoughts
ATM ATMs have way too many options for many users, and definitely for most uses of the machines by volume. Sometimes, when I put my card in, why are you asking what language I want to use? The same one as last time maybe? And for someone who has the same exact transaction 95% of…
-
Death Bed Then vs Now; Societal Impact and Contentment
An abstract thought. Our grandparent’s generation seemed content on their deathbed, some with religion, some without. In TV, movies, and books, you see one in a hospital or at home surrounded by loved ones, with a gentle smile. I wonder if that will get much more difficult in today’s age, as society declines and the…
-
NVD Gives Up
Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leaves no time…
-
Anthropic, Mythos, and the Dark Reality No One Is Talking About
If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, other’s opinions,…
-
Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition
On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked“. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was…
-
We Are Legion (We Are Bobservations); Answering a “Simple” Question
In late February, a friend linked an article about a science-fiction book and asked if I had read it. I told her that I hadn’t but after reading an abstract it sounded good. She asked if I would be her designated reader due to her workload, and report back. I said sure! She was particularly…
-
Wait… We Needed That CNA Rule?! A Complaint =)
It’s one of those rules you’d never think we needed until something happens… On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with…
-
Miggo, KEV, and FUD; They Still Don’t Get It
[If the name ‘Miggo’ is familiar to you in the context of my blogging, you are thinking about one I wrote titled “Miggo Security’s AI Slop & Potential Trademark Infringement” in July, 2025. That was more around ‘corporate’ culture and bad lawyering. This blog is different, pointing out how they don’t seem to understand KEV…
-
What Do 2025 CVE Numbers Mean? An Intro.
[This was originally my proposed introduction for Flashpoint’s 2026 Global Threat Intelligence Report. Due to the style of the report and covering a lot more intelligence sectors than vulnerabilities, only pieces of this were used. So I am publishing the entire original draft here for posterity.] The fact that there were over 48,000 CVEs published…
-
NaClCON Talks I Am Excited For
Earlier this month, I published “My Unofficial NaClCON FAQ” talking about a new security conference (NaClCON) that I am excited for. It’s still a bit surprising to myself that I am interested in one at all. I fully thought I was done with them, but here we are! After participating on the Call For Papers…