• Box of Shit: The U.K. @w1bble Variety

    It’s been a while since I wrote up a ‘Box of Shit‘ but felt it was time after receiving one from Jamie (@w1bble). He sent it from that far away place trying to find an exit or something; U.K. politics are so weird, not like the U.S. They talk funny too. Speaking of weird, this […]

  • A Small Ask of @JerseyMikes For the Greater Good

    A proposal for Jersey Mike’s to cut as many as 31 billion calories from consumer diets a year.

  • “The History of CVE” and A Couple of Objections

    I just read “The History of Common Vulnerabilities and Exposures (CVE)” by Ary Widdes from Tripwire and found it to be a great summary of the 20+ years of the program. I say that as an outspoken CVE and MITRE critic even! I do have a couple of objections however, with the conclusion, and then […]

  • A String of Charity Auctions…

    Auction #1: Attrition.org 2020 Custom Swag Pack (limited edition)
    Auction #2: Attrition.org Six Acrylic Coins w/ Pouch (quantity: 15)
    Auction #3: 270 Unique Stickers (Miscellaneous, InfoSec, Pop Culture, More!)
    Starting this week, I will post the first of several charity auctions to eBay. I don’t know how many there will be exactly, but these will be bigger […]

  • Hunter Fans and Hidden Functionality

    Nothing exciting, just documenting two things about Hunter ceiling fans, at least one of which is not documented in their manual. My electrician had to call and sit on hold for almost two hours to get the information and be told that no, it wasn’t in the documentation. These apply to the Hunter Dempsey model […]

  • Why @anacondainc Doesn’t Fully Understand CVEs

    It’s worrisome that in 2020 we still have people in influential technical roles that don’t understand CVE. A friend told me earlier this year he was in a meeting where someone said that CVE IDs are assigned in order, so CVE-2020-9500 meant there were 9500 vulns in 2020 so far. Of course that is not […]

  • Disclosure Repair Timelines?

    For those in InfoSec, you have probably seen a vulnerability disclosure timeline. Part of that often includes the researcher’s interaction with the vendor including the vulnerability being fixed. After the issue is disclosed, the story typically ends there. Every so often, work needs to be done after that to ‘repair’ part of the disclosure. For […]

  • Electronic Voting Machines; That Old Redux…

    [This was originally published on RiskBasedSecurity.com in the 2019 End-of-year Vulnerability Report.] Integrity is one of the cornerstones to both the concept and the practice of Information Security. We want to make sure that the integrity of the systems we use remains intact. It doesn’t matter if it is your smart watch, smart IoT device, […]

  • WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

    [This was originally published on the OSVDB blog.] On September 8, 2016, Jason Levy of WhiteSource Software published a blog titled “Open Source Vulnerability Database”. Almost two years later it came across my radar and I asked via Twitter if WhiteSource was interested in getting feedback on the blog, since it contained errata. They never […]

  • CVE and the matter of “unique” ID numbers

    Common Vulnerability Enumeration, now known as Common Vulnerabilities and Exposures (CVE) is a vulnerability database (ignore their silly claim to be a ‘dictionary’) that the information security industry relies on heavily, unfortunately. Per MITRE’s CVE page, “CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly […]