Category: Gripes

  • CVE ID Created Date != Much of Anything

    CVE ID Created Date != Much of Anything

    Yesterday, SanSec published a blog post discussing the recent Adobe Commerce / Magento Open Source vulnerability that was discovered being exploited in the wild. In the blog, they said: Adobe has been aware of the issue since at least January 27th but decided to issue a patch on Sunday, which is highly unusual. They draw […]

  • An 83 Word Excuse Instead of a 1 Character Fix (NCSC.nl)

    The National Cyber Security Center of the Netherlands (NCSC.nl) has a curious take on sharing security information. On October 25, 2021 I contacted them to inform them of a simple typo in one of their advisories. I send mails or Tweets like this several times a week to researchers, vendors, and news outlets as CVE […]

  • Redscan’s Curious Comments About Vulnerabilities

    As a connoisseur of vulnerability disclosures and avid vulnerability collector, I am always interested in analysis of the disclosure landscape. That typically comes in the form of reports that analyze a data set (e.g. CVE/NVD) and draw conclusions. This seems straight-forward but it isn’t. I have written about the varied problems with such analysis many […]

  • Search Speak for Automaton

    Search Speak for Automaton

    Alternate titles for this blog could be “Doodle Transition for Machina” perhaps! For at least a decade I have thought about just such an application and today I have Google Translate for Android. Load, aim, and it will process the text and translate on screen for you. Given the state of technology you would think […]

  • Twitter, Companies, and your Complaints

    The rise of social media has been interesting to say the least. Many on twitter have found it to give them a type of power as they can voice their complaints directly to a company that has wronged them. Everything from bad customer service, bad prices, minor inconvenience, or even perceived slights that likely never […]

  • How Many Trees Are You Celebrating @arborday?

    The Arbor Day Foundation is a 501c(3) nonprofit organization founded in 1972 that seeks to “inspire people to plant, nurture, and celebrate trees“. I received a “Colorado Tree Survey” from them today, part of what is a never-ending stream of snail-mail spam that I have written about before. For this envelope, the thing that caught […]

  • “The History of CVE” and A Couple of Objections

    I just read “The History of Common Vulnerabilities and Exposures (CVE)” by Ary Widdes from Tripwire and found it to be a great summary of the 20+ years of the program. I say that as an outspoken CVE and MITRE critic even! I do have a couple of objections however, with the conclusion, and then […]

  • Why @anacondainc Doesn’t Fully Understand CVEs

    It’s worrisome that in 2020 we still have people in influential technical roles that don’t understand CVE. A friend told me earlier this year he was in a meeting where someone said that CVE IDs are assigned in order, so CVE-2020-9500 meant there were 9500 vulns in 2020 so far. Of course that is not […]

  • Disclosure Repair Timelines?

    For those in InfoSec, you have probably seen a vulnerability disclosure timeline. Part of that often includes the researcher’s interaction with the vendor including the vulnerability being fixed. After the issue is disclosed, the story typically ends there. Every so often, work needs to be done after that to ‘repair’ part of the disclosure. For […]

  • Microsoft, CVE, MITRE, ETERNALBLUE, Headache…

    2019-02-14 Update: Thanks to Chris Mills @ MSRC (@TheChrisAM), who has been working behind the scenes since this blog was published, he has brought clarity to these assignments! MSRC is still potentially touching up some additional documentation to make it easier to see these associations, but here is the definitive answer from him: CVE-2017-0143 ShadowBrokers […]