Category: InfoSec

  • Calif’s Bold Claims; Missing Receipts

    Here we go again, more Mythos rumors and claims to unpack. I wrote a lengthy blog on Anthropic, Glasswing, and Mythos just over a month ago but this is about a very specific event and set of claims. A significant reason I am writing this is due to what I believe are poorly written headlines…

  • Noise2Signal Podcast: Which Does the Squirrel Bring?

    For those not familiar, Mehul Revankar recently started a podcast named Noise2Signal. While there are a lot of podcasts out there and it is easy to lose track, this one stands out as Mehul has connections with a lot of folks that are significant in the history of information security. In fact, he interviewed Renaud…

  • Security vs Security Theatre; A Lesson for Abbott

    Security theater, as defined by Wikipedia, “is the practice of implementing security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.” This is a common term used by information security professionals and has been a concept for a long, long time. I recently pointed it…

  • The NVD Shell Game & Schrödinger’s Enriched Vulnerability

    I know, yet another blog about the National Vulnerability Database’s (NVD) ever-changing numbers?! That’s right, and I am not talking about the changes between April 14 and 15th. The numbers changed significantly because of the way NVD displayed statistics on their dashboard before a dramatic change in their enrichment policy. At VulnCon 2026, Harold Booth…

  • InfoSec News (ISN) Mail List History

    As early as 1996, I created a mail list called InfoSec News (ISN) which initially was to share news about the industry. At the time, there were no online news sites covering the topic with any regularity and most were hobbies at best. So the original list had many articles that I had typed in…

  • Security Software: Holding the Vault Door Open for Criminals

    I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software,…

  • NVD Gives Up

    Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leave no time…

  • Anthropic, Mythos, and the Dark Reality No One Is Talking About

    If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, others’ opinions,…

  • Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

    On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked”. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was…

  • Wait… We Needed That CNA Rule?! A Complaint =)

    It’s one of those rules you’d never think we needed until something happens… On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with…