Month: February 2013

  • CVSSv2 Shortcomings, Faults, and Failures Formulation

[This was originally published on the OSVDB blog.] The Open Security Foundation (OSF) and Risk Based Security wrote an open letter to FIRST regarding the upcoming Common Vulnerability Scoring System (CVSS) version 3 proposal. While we were not formally asked to provide input, given our expertise in managing vulnerability databases, along with the daily use…

  • Why I Don’t Attend the RSA Conference

For years now, I have been asked if I will be at the RSA Conference (RSAC). Invariably, I answer no, because I will not subject myself to it or support the conference in any way. The short answer as to why is that it is basically the “Comdex” of InfoSec: overly large, full of flash, and…

  • Subway, the Missing Inch, and Karma

In case you hadn’t heard, Subway is embroiled in a lawsuit over serving up 11″ sandwiches while advertising them as 12″. While it doesn’t sound like much, those missing inches add up over time. There is also the whole truth-in-advertising issue. I’ve been going to Subway for a long, long time.…

  • Selling out, a bit at a time…

    I sold out when I signed up for Google, Gmail, Facebook, Twitter… might as well sell out a bit more and use WordPress. While guest-blogging recently, I found out that the managed WP site is actually pretty well done for a stable, mostly intuitive blogging platform. This will also help ensure my spew stays around…

  • CVE Vulnerabilities: How Your Dataset Influences Statistics

    [This was originally published on the OSVDB blog.] Readers may recall that I blogged about a similar topic just over a month ago, in an article titled Advisories != Vulnerabilities, and How It Affects Statistics. In this installment, instead of “advisories”, we have “CVEs” and the inherent problems when using CVE identifiers in the place…