Month: December 2020

  • Box of Shit: The Kat Variance

    For those who know about the sordid history of the Box of Shit, you know where the name comes from. While some may have thoughtful touches and some personalized items, they are generally fun junk. Behold, the Kat variance! After sending a true box of shit to her, a couple months pass and I get…

  • Sitting on Undisclosed Vulnerabilities (e.g. SolarWinds Stragglers)

    The company SolarWinds is in the news, victims of an attack that compromised their Orion Platform software by inserting a backdoor into it, allowing for remote code execution. Like most big breaches, we hear the term “sophisticated” used for the attack. And like many breaches, we quickly learn that it might not have been so…

  • Review Player Two

    TL;DR Ready Player Two is an enjoyable read that keeps the spirit and overall feel of the first book, with a few chapters in the middle that are a bit difficult to slog through. Worth a read though. Summary Ready Player Two is the aptly named sequel to Ready Player One. It picks up shortly…

  • Not all CVEs are Created Equal. Or even valid…

    [I wrote this early 2019 and it was scheduled for January 7 but it apparently did not actually publish and then got lost in my excessive drafts list. I touched it up this week to publish because the example that triggered this blog is old but the response is evergreen. Apologies for the long delay!]…

  • Thoughts on 0-days and Risk in 2020

    [Stupid WordPress. This was scheduled to publish Nov 23 but didn’t for some reason. Here it is, a bit late…] On Friday, Maddie Stone from the Google P0 team Tweeted about the 0-day exploits her team tracks. As someone who checks that sheet weekly and tracks vulnerabilities, including ones ‘discovered in the wild’, this is…

  • Why EVM Security Hasn’t Changed For More Than 15 Years

    [This was originally published on RiskBasedSecurity.com in the 2020 Q3 Vulnerability Quickview Report. It was authored with Curtis Kang.] In our 2019 Year End Vulnerability QuickView Report, we presented a detailed history of public Electronic Voting Machine (EVM) vulnerabilities. We’ve seen little change to the overall EVM security picture since then. With the Presidential elections…

  • Dec 3 – Breckenridge Ski Report

    The Good The people on the mountain are mostly good about social distancing in on the lift rides (two people for a four-chair lift), but not so much in line. You get a stark reminder of this when it is 10 degrees and you can see everyone’s breath. While not much of the terrain is…

  • The Hacker Jeopardy That Never Was

    Many years ago, at early DEF CONs before 2000, I became a critic of Hacker Jeopardy after some of the questions had wrong answers. The host had written the questions and answers but got some wrong. The next year I offered to sanity check them before the game and did so, finding a few errors…