Month: August 2013

  • Android & Granular Permissions

    For Android-based phone owners, you are no doubt passingly familiar with the permission system that governs applications and what they can do. Every time you install an application, the device will ask you if you accept a list of permissions that it says are required for it to run. If you want the app, you […]

  • howdoireportavuln.com – Good intentions, needs fix-ups though

    [This was originally published on the OSVDB blog.] Tonight, shortly before retiring from a long day of vulnerability import, I caught a tweet mentioning a web site about reporting vulnerabilities. Created on 15-aug-2013 per whois, the footer shows it was written by Fraser Scott, aka @zeroXten on Twitter. http://howdoireportavuln.com/ I love focused web sites that […]

  • Fine, let’s continue this “debate”. (was re: Active Defense)

    David Willson wants to continue this debate, but wants to keep saying the same crap via Twitter, or try to call me out on the things I called him out for (e.g. not reading the other’s blog). So, my turn… Background for those just joining: I wrote a serious blog with a tongue-in-cheek title on […]

  • To the guy calling himself “David Willson”, you don’t get it (was re: Active Defense)

    Yesterday, I published a blog titled “Putting an end to ‘strike back’ / ‘active defense’ debate…”. While the title of the blog was tongue-in-cheek, the content certainly was not. Of course I don’t expect the debate to suddenly end over a single blog, but I did bring up a great point about the idea […]

  • Putting an end to ‘strike back’ / ‘active defense’ debate…

    The concept of “hack/strike back”, under any of its names, is decades old. Every year or three it surfaces again and makes news. Almost every time, it is a result of a new company claiming they do it to some degree. This extends to the related idea of “active defense”, which is equally absurd. Not […]

  • Buying Into the Bias: Why Vulnerability Statistics Suck [Abstract]

    [This was originally published on the OSVDB blog.] Last week, Steve Christey and I gave a presentation at Black Hat Briefings 2013 in Las Vegas about vulnerability statistics. We submitted a brief whitepaper on the topic, reproduced below, to accompany the slides that are now available. Buying Into the Bias: Why Vulnerability Statistics Suck. By Steve […]