Month: October 2013

  • More tricks than treats with today’s Metasploit blog disclosures?

    [This was originally published on the OSVDB blog.] Today, Tod Beardsley posted part one and part two on the Metasploit blogs titled “Seven FOSS Tricks and Treats.” Unfortunately, this blog comes with as many tricks as it does treats. In part one, he gently berates the vendors for their poor handling of the issues. In…

  • OSVDB – We’re offering a bounty… of sorts!

    [This was originally published on the OSVDB blog.] In our pursuit of a more complete historical record of vulnerabilities, we’re offering a bounty! We don’t want your 0-day really. OK sure we do, but we know you are stingy with that, so we’ll settle on your ~ 12,775 day exploits! First, the bounty. This is…

  • An Open Letter to @InduSoft

    [This was originally published on the OSVDB blog.] InduSoft, When referencing vulnerabilities in your products, you have a habit of only using an internal tracking number that is kept confidential between the reporter (e.g. ICS-CERT, ZDI) and you. For example, from your HotFix page (that requires registration): WI2815: Directory Traversal Buffer overflow. Provided and/or discovered…

  • Quit volunteering my time.

    Every week someone, or several people, think their 140 characters is worth me spending an hour+ writing an article for them. They noticed some plagiarized text or think someone is a fraud, and they turn around and expect me to research and document it. For years now, I get mail to Errata with a single…

  • Any wonder why people use images without attribution?

    Found the perfect image for my @BSidesDE talk. Noticed in the corner a tiny ‘GettyImages’ watermark, so I went to their site to see how much it would cost to license. Because I happen to know they require a license… which I imagine 99.9% of the modern Internet world does not. The auto-pricing options did…

  • Seeing those EULAs in a different context.

    Many years ago I realized that the End User License Agreements (EULA) that we are forced to endure for web sites and software were out of hand. There have been a lot of good points made in the past about them and how they are rarely read. I had written notes about an article but…

  • We’re Doing the Unthinkable

    [This was originally published on the OSVDB blog.] Anyone who knows me in the context of vulnerability databases will find this post a tad shocking, even if they have endured my rants about it before. For the first time ever, I am making it policy that we will no longer put any priority on Vulnerability…