Category: InfoSec

  • John Thomas Draper: Setting the Record Straight re: Blue Box

    The tl;dr cliffnotes: John Draper did not invent the Blue Box. In April of 2015, several years after Phil Lapsley published “Exploding the Phone” giving a detailed history of the early days of phreaking, I wrote a blog largely based on that book to clear up long-standing rumors and mistakes in a variety of publications.…

  • Thoughts about CNNVD vs. US NVD

    [This was originally published on RiskBasedSecurity.com in the 2017 Q3 Vulnerability QuickView report.] In October, Bill Ladd of Recorded Future released a study comparing CVE and the U.S. National Vulnerability Database (NVD) with China’s National Vulnerability Database (CNNVD). This report, titled “The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting” was covered by John Leyden in The…

  • Researchers Find One Million Vulnerabilities?!

    [This was originally published on RiskBasedSecurity.com.] No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve…

  • That Vulnerability is “Theoretical”!

    [This was originally published on the OSVDB blog.] A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’”! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability…

  • A View Into DEF CON 25 CFP…

    First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily…

  • Analysis Of The RANDom Report on Zero-days and Vulnerability Rediscovery

    [This was originally published on RiskBasedSecurity.com.] On March 9, 2017, RAND released a report (PDF) titled “Zero Days, Thousands of Nights; The Life and Times of Zero-Day Vulnerabilities and Their Exploits” by Lillian Ablon and Andy Bogart that received a fair amount of press. The RAND press release goes on to describe it as “the first publicly available research to…

  • Colorado Security Podcast Interview Episode #31

    On July 17, 2017, I did an interview for Robb Reck for the Colorado Security Podcast. In it he interviewed me about… me, rather than a current event or the world of vulnerabilities. The episode aired on September 4th, and is summarized as: Brian Martin (nom de plume – Jericho) is one of the most…

  • The Steady Rise of Bounty Programs, and the Counterpart

    [This was originally published on RiskBasedSecurity.com.] Companies that once said they would not pay for vulnerability information seven years ago have been steadily expanding their programs to pay for more and more vulnerability information, and recently made Edge bounties permanent. Service-oriented companies like Uber, that rely on a significant amount of user interaction and transactions via mobile apps, also utilize…

  • Your yearly reminder to post to Full-Disclosure, not Bugtraq

    [This was originally published on the OSVDB blog.] [10/29/2020 Update: As of February 24, SecurityFocus has stopped moderating posts to the Bugtraq mail list without explanation or warning. This is apparently related to Broadcom acquiring Symantec, the owner of SecurityFocus.] This has been a long-recognized and proven thing, but every year we run into more…

  • 2017 End-of-year Reports Based on CVE Data

    [These were notes I took in 2017 and never got around to finishing. I have done some general formatting / cleanup to round out the sentences and such, but not much else. Given I made a prediction at the time, I am opting to publish this but backdate it accordingly. The general issue of CVE…