Tag: OSVDB
-
2013 Superdome Outage a Hack? The Value of Post-Incident Investigations.
[This was originally published on the OSVDB blog.] As we approach the pinnacle of U.S. sportsball, I am reminded of the complete scandal from a past Superbowl. No, not the obviously-setup wardrobe malfunction scandal. No, not the one where we might have been subjected to a pre-recorded half-time show. The one in 2013 where hackers…
-
We’re “critical”, not “immature”.
[This was originally published on the OSVDB blog.] Recently, we got feedback via Twitter that we come across as “immature”. On the surface, perhaps. Not all of our Tweets are critical of CVE though. I replied pretty quickly that said criticism is also us “pushing for them to improve since so much of the industry…
-
SQLi Disclosures and the Last Five Years (Transparent Statistics)
[This was originally published on the OSVDB blog.] Nothing like waking up to a new article purporting to show vulnerability statistics and having someone ask us for comment. But hey, we love giving additional perspective on such statistics since they are often without proper context and disclaimers. This morning, the new article comes from Help…
-
Microsoft’s latest plea for CVD is as much propaganda as sincere.
[This was originally published on the OSVDB blog.] Earlier today, Chris Betz, senior director of the Microsoft Security Response Center (MSRC), posted a blog calling for “better coordinated vulnerability disclosure”. Before I begin a rebuttal of sorts, let me be absolutely clear. The entire OSVDB team is very impressed with Microsoft’s transition over the last…
-
CVE Is Baffling Some Nights
[This was originally published on the OSVDB blog.] CVE, managed by MITRE, a ‘sole-source’ government contractor, who gets as much as one million dollars a year from the government (or more) to run the project, is a confusing entity. Researchers who have reached out to CVE for assignment or clarification on current assignments, have gone…
-
The Five High-level Types of Vulnerability Reports
[This was originally published on the OSVDB blog.] Based on a Twitter thread started by Aaron Portnoy that was replied to by @4Dgifts asking why people would debunk vulnerability reports, I offer this quick high-level summary of what we see, and how we handle it. Note that OSVDB uses an extensive classification system (that is…
-
The Scraping Problem and Ethics
[This was originally published on the OSVDB blog.] [2014-05-09 Update: We’d like to thank both McAfee and S21sec for promptly reaching out to work with us and to inform us that they are both investigating the incident, and taking steps to ensure that future access and data use complies with our license.] Every day we…
-
The problem with SCADA goes deeper…
[This was originally published on the OSVDB blog.] We know SCADA is virtual swiss cheese, ready to be owned if someone can reach a device. We have preached airgaps for decades, even before we knew how bad the software was. Back then it was just, “this is so critical, it has to be separate!” The…
-
The Death and Re-birth of the Full-Disclosure Mail List
[This was originally published on the OSVDB blog.] After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and…
-
Missing Perspective on the Closure of the Full-Disclosure Mail List
[This was originally published on the OSVDB blog.] This morning I woke to the news that the Full-Disclosure mail list was closing its doors. Assuming this is not a hoax (dangerously close to April 1st) and not spoofed mail that somehow got through, there seems to be perspective missing on the importance of this event.…