Month: December 2012

  • Rebuttal: Worst Anecdote …EVER.

    [This was originally published on attrition.org. This is a rebuttal piece to Worst April Fools’ Joke …EVER. (2010-04-01) by @wh1t3rabbit (Rafal Los).] To kick off this month of colossal “whoops-es” I thought I would tell you guys a story from way, way back when the web was young, and “developers” used notepad to write “web sites”. It was […]

  • Advisories != Vulnerabilities, and How It Affects Statistics

    [This was originally published on the OSVDB blog.] I’ve written about the various problems with generating vulnerability statistics in the past. There are countless factors that contribute to, or skew, vulnerability stats. This is an ongoing problem for many reasons. First, important numbers are thrown around in the media and taken as gospel, creating varying […]

  • 2012 End of the Year Updates

    [This was originally published on the OSVDB blog.] We had the best intentions to post more frequently on this blog but haven’t had an update since August. While we would have loved to post more frequently, quiet on the blog is actually of great benefit to you. Every minute we don’t update here, we’re updating […]

  • Rebuttal: Put Up or Shut Up Rafal

    [This was originally published on attrition.org. This is a rebuttal piece to Small Office, Big [Software/eHealth] Problems (2010-11-18) by @wh1t3rabbit (Rafal Los).] I’m not saying that open source sofware [sic] has more issues than commercial, closed-source code …but I don’t think I’ll find anyone to argue against that it’s more difficult to find corporate-level accountability with open-source software […]

  • Rebuttal: phpMyAdmin XSS – A Quick Commentary

    [This was originally published on attrition.org. This is a rebuttal piece to phpMyAdmin XSS – A Quick Commentary (2010-08-30) by @wh1t3rabbit (Rafal Los).] Wake up phpMyAdmin users – if you haven’t updated to the latest version yet… what are you waiting for? Haven’t you seen the advisory the YEHG released? Advisory, complete with some interesting screen shots here. […]

  • Rebuttal: eBay’s Sub-Domains Vulnerable to XSS …again

    [This was originally published on attrition.org. This is a rebuttal piece to eBay’s Sub-Domains Vulnerable to XSS …again (2010-08-27) by @wh1t3rabbit (Rafal Los).] Sometimes, old attack vectors re-appear in places we wouldn’t expect as security professionals. The re-emergence of XSS (Cross-Site Scripting) on eBay’s domains isn’t something you’d expect to see from a company that works so hard […]

  • Rebuttal: Yes, I have. Have you really? (on Cyberwar)

    [This was originally published on attrition.org. This is a rebuttal piece to Cyber War – Fact from Fiction in the shadow of the Tallinn Manual (2012-09-14) by @wh1t3rabbit (Rafal Los).] I was asked to provide comment on this blog piece because of my involvement with Josh Corman in presenting on the topic of Cyberwar (PPT) at BruCON in September, 2012. […]