Category: InfoSec

  • Compassion Fatigue in an industry largely devoid of compassion.

    A few days ago, Bruce Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation…

  • Ruminations on David Weinstein’s “Ruminations on App CVEs”

    [This was originally published on the OSVDB blog.] David Weinstein, a researcher at NowSecure, has posted a blog titled “Ruminations on App CVEs”. Thanks to Will Dormann’s Tweet it came to our attention, and he is correct! We have opinions on this. Quoted material below is from Weinstein’s blog unless otherwise attributed. CVE is well-positioned…

  • A quick, factual reminder on the value and reality of a “EULA”… (aka MADness)

    [This was originally published on the OSVDB blog.] This post is in response to the drama of the last few days, where Mary Ann Davidson posted an inflammatory blog about security researchers who report vulnerabilities to Oracle while violating their End-user License Agreement (EULA… that thing you click without reading for every piece of software you install).…

  • Exotic Liability Podcast #82 – Holidays are Errata funz

    On August 6, 2015, I joined Chris Nickerson and Lizzy Borden to talk about Attrition.org, Security Errata, and more. The show is summarized as: The story behind securityerrata.eu/errata/index.html, attrition.org/errata, writing based on facts, the tough road of accountability and a whole bunch of other shit we didn't make notes of. Oh yea, a bunch of…

  • BSidesLV, two boxes-of-shit up for charity auction…

    For those not familiar, last year I created a new-and-improved Box-of-Shit that was put up for charity auction at BSidesLV 2014. Wow, lot of dashes there, go Engrish! For those not familiar with the absolutely legendary attrition.org boxes-of-shit, take a minute to familiarize yourself with them. The box last year was the center of a heated…

  • John Thomas Draper: Setting the Record Straight re: Cap’n Crunch Whistle

    The tl;dr cliffnotes: John Draper was not the first to discover that a Cap’n Crunch whistle could be used for phreaking. It is almost a ‘fact’ that John Draper, also known as Captain Crunch, discovered that a toy whistle in a box of cereal could be used to make free phone calls. I say ‘almost’…

  • A Note on the Verizon DBIR 2015, “Incident Counting”, and VDBs

    [This was originally published on the OSVDB blog.] Recently, the Verizon 2015 Data Breach Investigations Report (DBIR) was released to much fanfare as usual, prompting a variety of media outlets to analyze the analysis. A few days after the release, I caught a Tweet linking to a blog from Rory McCune that challenged one aspect…

  • Reviewing the Secunia 2015 Vulnerability Review (A Redux)

    It’s that time of year again! Vulnerability databases publish reports touting statistics and observations based on their last year of collecting data. It’s understandable, especially for a commercial database, to show why your data source is the best. In the past, we haven’t had a strong desire to whip up a flashy PDF with…

  • Vendors sure like to wave the “coordination” flag… (revisiting the ‘perfect storm’)

    [This was originally published on the OSVDB blog.] I’ve written about coordinated disclosure and the debate around it many times in the past. I like to think that I do so in a way that is above and beyond the usual old debate. This is another blog dedicated to an aspect of “coordinated” disclosure that…

  • 2013 Superdome Outage a Hack? The Value of Post-Incident Investigations.

    [This was originally published on the OSVDB blog.] As we approach the pinnacle of U.S. sportsball, I am reminded of the complete scandal from a past Superbowl. No, not the obviously-setup wardrobe malfunction scandal. No, not the one where we might have been subjected to a pre-recorded half-time show. The one in 2013 where hackers…