2026-04-02T15:15:49Z https://yabu.me Adam Shostack :donor: :rebelverified: https://yabu.me/npub1s7cghayd6cuu7tnvxw6xlxq5ddz0grs956tzwsqj59v5vvucgd7sdgrcqn https://media.infosec.exchange/infosec.exchange/accounts/avatars/109/299/474/477/585/155/original/d3d7444dd9bfd136.jpg https://media.infosec.exchange/infosec.exchange/accounts/avatars/109/299/474/477/585/155/original/d3d7444dd9bfd136.jpg https://yabu.me/nevent1qqsz3alxc5rtcknfwydr0350wsrzunvcxj789cxd8nvwrw4fwmzq7zgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6pqytzc In reply to <a href='/nevent1qqsrufwh3amqyy0d7k6rck6jd440npekls50q7j303m8hn5taljezcge0z96y'>nevent1q…z96y</a><br/>_________________________<br/><br/>... It&#39;s ... overinflated. 2026-03-11T23:57:15Z https://yabu.me/nevent1qqsv2z0mua8mn5s6x48yayg65yn8dgvmvgu2h04nvuzh8neldkc0lhgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6j95pz8 In reply to <a href='/nevent1qqs2yxme2cjs5twafj0k6y4ay52m85cdms7k8qdmpky5zvwl8wxxrrgc4r2mt'>nevent1q…r2mt</a><br/>_________________________<br/><br/>I think your assessment of &#34;pretend to care, but don&#39;t&#34; is wrong. <br/><br/>20% of users have an ad blocker, 10% pick a 401k if not the default. 2025-10-15T15:31:11Z https://yabu.me/nevent1qqsfmxet3gcek2066u856899vxenf2r6ffge47ffz0zc6mazvae325szyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6pkf07d It won’t work. <br/><br/>(Dunking on mastodon here, not Don. ) <a href="https://techhub.social/@BrentD/115197950000197643">https://techhub.social/@BrentD/115197950000197643</a> 2025-09-13T16:43:41Z https://yabu.me/nevent1qqsv2j4n6ur97mnj8dj6e9rg7l7rek85c2265qlj3z9wg448s0z39ygzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6p9ghac One of the hats I wear is editor for the <span itemprop="mentions" itemscope itemtype="https://schema.org/Person"><a itemprop="url" href="/npub1dqdh3ta2uxg4wz5qf7h6j0qywrxryzcyjw4vhq0n0alu83d6mgnsxm8xy4" class="bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1"><span>DEF CON</span> (<span class="italic">npub1dqd…8xy4</span>)</a></span> Franklin Hackers&#39; Almanack. If you see talks that policymakers should know about, please let me know here, tag me, etc.<br/><br/>I&#39;m already seeing great stuff on voting security, resisting back doors, irresponsible behavior by thin-skinned vendors.. what else should I see?<br/><br/><a href="https://defconfranklin.com/">https://defconfranklin.com/</a><br/> <img src="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/999/396/386/034/314/original/d407ee005113c1db.webp"> <br/> 2025-08-09T14:59:33Z https://yabu.me/nevent1qqs2p4tgasw7uqafzuepx603vw54lydlxhreawjlr86lq3t7hx46g3szyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph68t2vvv The most important part of CVE is not the unique number, but the funding and expertise to run a credible program that assigns a unique number. The unique number was the center of what Dave Mann called a “concordance,” and I believe this is subtle but crucial: The value of CVE is not as a database, but as a stable way to cross-reference between databases and other tools. Dave and I have had many conversations about books having an ISBN, a UPC code, a Dewey number and a Library of Congress number. They serve different goals, and are managed by different groups.<br/><br/>I mention the books because assigning unique numbers in a stable way is harder than you&#39;d expect. 2025-04-16T16:56:58Z https://yabu.me/nevent1qqs8t8ypz59y5q2axkmh43khx0qehdzynzh4qe3p47cy4yq2ywmhdqgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph60kphz3 In reply to <a href='/nevent1qqs8ct0uaz6ymnu392253a47ez85l9ujf7f4jsyh3mm2ga5gjexl4qqd0m6uc'>nevent1q…m6uc</a><br/>_________________________<br/><br/>Sorry, this is ... not right.<br/><br/>&#34;“What the CVE lists really provide is a standardized way to describe the severity of that defect&#34;<br/><br/>CVSS provides that. CVSS analysis is typically provided by NVD, not CVE, CVE started as a naming system, and that&#39;s the program&#39;s most important role: identifiers. Severity is... priority 2. 2025-04-16T04:26:20Z https://yabu.me/nevent1qqs0kug24wygsjwkqravkrfumzvm409x0qxnv5g6tnps3tedj9jsvqczyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph60hnatl In reply to <a href='/nevent1qqs2a8etrkcsjsetyga8dqrvek7dastpv4uac93xh6auk93fuy7fr9ckajxct'>nevent1q…jxct</a><br/>_________________________<br/><br/>The variance in CVE funding, has been a crime, and the stability MITRE has provided has been quiet heroism. 2025-04-15T21:58:29Z https://yabu.me/nevent1qqs8dj8hqtdd30ztmwzys75klkxxc0zw70x6ezdma6uz72j37qj8v7szyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6d7emtg Judgement is an important facet of professionalism. There are areas where we need people to make judgement calls despite incomplete information, inconclusive or contradictory indicators, and other complications that lead us away from algorithms to human judgement.<br/><br/>In the traditional professions, including law, accounting, medicine and even engineering, we teach people to make those judgement calls as part of their education. That involves ensuring they have the available facts, that they can discuss how they came to a decision, and that they&#39;ll stand by it until those facts change. 2025-04-12T15:14:45Z https://yabu.me/nevent1qqsxtqnmu7wtl8wqnp7r2m7l4ej5yzkqtf5wj6027tz4tjm2c96wddqzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph68n0kwe Today&#39;s &#34;history is boring&#34; lesson: The Declaration of Independence lists &#34;For transporting us beyond Seas to be tried for pretended offences&#34; as one of the reasons Independence was important. 2025-04-07T23:14:03Z https://yabu.me/nevent1qqs9dut7f9anfyxdh28pnqvf5rjmkgmpcl99qjla8yvfwmhzxshnejczyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6y8yrfd In reply to <a href='/nevent1qqsfmassgmvkxmpyh05ljn5fq783yxfrf294ql0cc8d83lcdtldnyxg25566a'>nevent1q…566a</a><br/>_________________________<br/><br/>I’m not an attorney but that seems like thin gruel on which to ignore a problem. I hope you have it in writing for the plaintiffs attorneys 2025-04-03T15:54:32Z https://yabu.me/nevent1qqsrx3ektrfyudf98pwl3xz7nftdlg72txquvxs7q0723v68y38guxgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6zrgu7x In reply to <a href='/nevent1qqs9nr9u6d9wdqst6tgh2x9lpha0xndw8p9rq8dkjrrgcgtrguy0dfg3whluy'>nevent1q…hluy</a><br/>_________________________<br/><br/>Is it normal for a university to memory hole a former professor&#39;s pages? I thought the norm was to keep scholarship present, but possibly mark it as an inactive page. 2025-03-29T15:38:32Z https://yabu.me/nevent1qqsxm87uucseglumu5r9xa854u6p4tmy75meuwhvyz5072xqurg20zczyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6g0cmgz In reply to <a href='/nevent1qqs9qtz93zcms4aer7flq6qta7z6p6d4waleffsvnq7amyfgz38wf4spu4x9h'>nevent1q…4x9h</a><br/>_________________________<br/><br/>I’ve heard (from someone I trust) that his university web pages were all taken down and colleagues don’t know where he is. 2025-03-29T14:23:21Z https://yabu.me/nevent1qqsd9nxn0s9apwpx3qcn8gnnx0uc0mh9nnvlme3zuj09q0ed0v0j5lqzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph64e6evr In reply to <a href='/nevent1qqsqwmcz743k5dtqgd8m9zzrqy7l28udpuxuqhwvqrlh2crkwtvfd7gd4ajpf'>nevent1q…ajpf</a><br/>_________________________<br/><br/>I&#39;m largely focused on the ones we can see, including side-effect-free code, migrating from filesystems to other data stores, immutable deployments, configuration as code, configuration in version control, getting away from spaghetti in legacy data centers... 2025-03-15T16:59:12Z https://yabu.me/nevent1qqsf2y4ued9km3c54umeqe3eqr5a7kjpy995tznu5r663p853fftd3qzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6lta3qf In reply to <a href='/nevent1qqsdy2caapd2nw6andcz3vy59qg7jm2wtsml9nmraaf290ljagykn0qaem5cc'>nevent1q…m5cc</a><br/>_________________________<br/><br/>The more I look at the amazing new security boundaries that cloud providers are building, the more amazed I am that anyone would think of building on classic patterns without them. <br/><br/>Why would anyone allow new (production) code to store data on a filesystem in 2025? There are better patterns. 2025-03-15T16:43:15Z https://yabu.me/nevent1qqs2ghk6xnklu8pn3fy6zymh38vkze25dsluexncj40lhh46szd9p5qzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6xjpm7x In reply to <a href='/nevent1qqsydxhavjn24cfwh30jugtr3le8v3lqrdnv783qae7ljz2vhyt463qfc6kn7'>nevent1q…6kn7</a><br/>_________________________<br/><br/>I mean, seems reasonable? If the Texas state lottery has the wrong odds table, how is that the fault of people who buy all the tickets? 2025-03-07T03:42:10Z https://yabu.me/nevent1qqsxtmzs23srg3dprs89dd9rjz032xkel0nr4y5tnt3x28dl03s5x7czyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6c835gl Remember when Barbara Streisand brought her lawyers into some dumb dispute and made the whole thing funnier?<br/><br/>Yeah, apparently you&#39;re not alone in having forgotten about that.<br/><br/>And no, I&#39;m subtooting someone else&#39;s client because it&#39;s a freaking target rich environment. 2025-02-25T00:33:33Z https://yabu.me/nevent1qqsgnuluqw34wxknuvtzxwd6apwvev33ekansemzpkdw2uduul3z68gzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6hgrtpt In reply to <a href='/nevent1qqsqzw6zaqprc6lf4gzw35j6hclall550wth97u2mzjvd2mazcera7sq9cyt4'>nevent1q…cyt4</a><br/>_________________________<br/><br/>I mean, Wired often puts their &#34;hyperbole&#34; in quotes attributed to named sources, who happen to be Federal contractors with armies of cleared staff. Don&#39;t you? 2025-02-09T00:16:32Z https://yabu.me/nevent1qqsw56mn5av0tdpfc748nztwncc8dynr880lyru2xrw2a0jycgly5lgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6jkjytt In reply to <a href='/nevent1qqsrcxf2txg2edg9hs4st6z8cwe5ta3vgexvmc9nlgrzluveqylpt7qel2hle'>nevent1q…2hle</a><br/>_________________________<br/><br/>Is there a reason not to look?<br/><video controls width="100%" class="max-h-[90vh] bg-neutral-300 dark:bg-zinc-700"><source src="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/880/007/206/882/107/original/a03690275549d0fd.mp4"></video><br/> 2025-01-23T22:23:31Z https://yabu.me/nevent1qqsr7wqa67lyhghhcxtatxg8tlspdwyxgww3nsnv4rz8dkrdelkdxdgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph64nte9v In reply to <a href='/nevent1qqsweaemvqfz2eujmpsehpc27mrkp4j0sfj3n4z36sda9wuszsfnr5gpe9hd4'>nevent1q…9hd4</a><br/>_________________________<br/><br/>I would ask why it’s hard and can we fix those things? 2024-12-20T04:20:09Z https://yabu.me/nevent1qqs0kzyzavxxaqhl8zg0uzx3af6f4rnp8hekdrw092vj5jhsyv4mk0qzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6ysn55u In reply to <a href='/nevent1qqs03rkrj6qgjz3qq3prp78lhtul2geg89u3thlrydsx82ljg6dwzccrskxme'>nevent1q…kxme</a><br/>_________________________<br/><br/>We used to get data like that from the malicious software removal tool and Defender... it wouldn&#39;t surprise me if there was a ~50% drop from version to version.. we saw that order of improvement from XP to Vista to 7. Some of it&#39;s better code and architecture. some of it is the folks who upgrade are more likely to be on top of other parts of managing their systems. 2024-11-28T20:22:02Z https://yabu.me/nevent1qqsgvnrpd06m3j5mfveu2lsy4vk8nczky07hz2jnpyn0cffgkknasngzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6wh5smu In reply to <a href='/nevent1qqspu5xjmf49gj70c3a8a23xep0sxg4c4gxpwmgdcj33lsc7frx5tgczn3wmj'>nevent1q…3wmj</a><br/>_________________________<br/><br/>I mean, &#34;our wifi was hacked&#34; goes back to other umm, Target attacks? 2024-11-22T15:40:45Z https://yabu.me/nevent1qqs0phd9y4huavgn5cglv5l7cnyt3rlgw03s5tmmgvqw4xuzawxgjfgzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6g9amlh new blog, Is Cybersecurity Awareness Month Worth the Money?<br/><br/>As we wrap up another cybersecurity awareness month, I’d like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign drips evaporates, and then renewing the next year. The shifts should be bigger than the variance the data shows.<br/><br/>I am quite serious about this. Cybersecurity awareness month was invented by Microsoft’s marketing department, and it now absorbs a huge amount of time and energy: <br/><br/>(1/4) 2024-11-18T18:59:54Z https://yabu.me/nevent1qqsfyj4t568thn7rdl434tjjjmkagxzg4lacrch6m236kq0l399xhwszyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6gzydwt I&#39;m old enough to remember when Americans voted for the candidate they thought would do the best job. 2024-11-03T22:20:18Z https://yabu.me/nevent1qqsf5d7ru4ej2sq6wcj6dklgfju9t4kklp2wepvej6vyyw89rwjg2tqzyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph6ze0w7w In reply to <a href='/nevent1qqsqx3k2vamr3uhqx27rmz8hh6urf9w9794x00yfrwnlp6kucx8r2hqvnl9s2'>nevent1q…l9s2</a><br/>_________________________<br/><br/>&#34;interest based advertising agreement?&#34; Is your monitor talking to the internet by itself? 2024-10-20T23:23:55Z https://yabu.me/nevent1qqsgv2krnkdpcs5nz9qq8hurvfn8yx2anvhnhextzl36d6altxutxmszyzrmpzl53htrnnewdsemgmucz345faqwqknfvf6qz2s4j33nnpph64zkda5 I find myself really irked by the headline here. The problem is not a &#34;simple website bug&#34;, the problem is that they wrote thousands of lines of code without ever thinking about what the trust boundaries are, or should be.<br/><br/>This is a massive design flaw. The idea that cars should be controllable from some mothership is bizarre (and not needed for app control - have a digital signature from the mobile device). The idea that cars are enrolled even if the user didn&#39;t set up an account is similarly broken. This isn&#39;t a &#34;simple website bug&#34; but a massive failure to consider the security implications of features.<br/> <img src="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/221/567/638/929/617/original/87a84b902bd02b53.png"> <br/> 2024-09-29T15:34:15Z