- Why Data From So Many Breaches Never Sees the Light of Day

Months ago I was chatting with a colleague about a recent data leak (a.k.a. data breach), as we tend to do in this industry. Those terms are defined by Microsoft as “an unauthorized disclosure of sensitive, confidential, or personal information from an organization’s systems or networks to an external party”. Any time I see an…
- InfoSec News (ISN) Mail List History

As early as 1996, I created a mail list called InfoSec News (ISN) which initially was to share news about the industry. At the time, there were no online news sites covering the topic with any regularity and most were hobbies at best. So the original list had many articles that I had typed in…
- An AI agent destroyed … hey wait a minute!

Yesterday many people ran across a headline that was shocking, and repetitive. This time it read “‘Gone in 9 seconds’: Claude-powered AI agent deletes startup’s entire database”. For myself, the first thing I had to do was check the date of the article because I swore I had just read about this recently. Yep, April…
- Don’t Call Me Boss

I don’t remember when it started but it was easily five to ten years ago. I’d be in a restaurant typically and a server or cashier would call me ‘boss’. It bothered me from day one because it usually came from a younger kid who presumably didn’t understand all of the connotations behind the word…
- Security Software: Holding the Vault Door Open for Criminals

I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software,…
- Another Wave of Random Thoughts

ATM: ATMs have way too many options for many users, and definitely for most uses of the machines by volume. Sometimes, when I put my card in, why are you asking what language I want to use? The same one as last time maybe? And for someone who has the same exact transaction 95% of…
- Death Bed Then vs Now; Societal Impact and Contentment

An abstract thought. Our grandparents’ generation seemed content on their deathbed, some with religion, some without. In TV, movies, and books, you see one in a hospital or at home surrounded by loved ones, with a gentle smile. I wonder if that will get much more difficult in today’s age, as society declines and the…
- NVD Gives Up

Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leave no time…
- Anthropic, Mythos, and the Dark Reality No One Is Talking About

If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, others’ opinions,…
- Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked”. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was…