Notices by kurtseifried (he/him) (kurtseifried@infosec.exchange)

@allanfriedman @joshbressers Don't forget the weird sub group of companies offering binary patches for Windows either solving issues the vendor hasn't yet, or providing "non reboot" fixes:

0patch: Operated by Acros Security, 0patch specializes in delivering "micropatches"—small, in-memory fixes for software vulnerabilities. They have addressed various Windows security issues, including the SMBGhost vulnerability, before Microsoft's official patches were released. Additionally, 0patch has extended support for Windows versions beyond their official end-of-life dates by providing security patches for Windows 7 and plans to do the same for Windows 10 after its support ends in October 2025.
https://www.techspot.com/news/103593-windows-10-get-five-extra-years-support-courtesy.html

there's others as well, Shavlik, I can't recall any other names. Also a bunch in the Linux space, like KernelCare.

@joshbressers @allanfriedman 13 years. https://access.redhat.com/support/policy/updates/errata

Although to be honest the extended life phase support is for stuff like shellshock, think low single digit patches per year, not a steady stream (unless something has changed, I imagine it hasn't).

@joshbressers @allanfriedman I'm guessing the whole "we didn't make it but we try to support it", so literally every MSP on the planet trying to fix your messed up Windows network.....

@joshbressers what’s the expiry date on it? I’m asking for a friend.

@GossiTheDog What do people actually do with this data? Like do they use it to justify budgets for specific tech/services? I've never really understood how people meaningfully use this data beyond some security theatre type stuff.

@joshbressers I tried.

https://cve.mitre.org/data/board/archives/2017-03/msg00016.html

https://cve.mitre.org/data/board/archives/2018-11/msg00003.html

and so on. I was ahead of my time or something.

With respect to services we'll get whatever the service providers give us with respect to CPE/CWE/etc. there's no way to reliably figure this out externally.

@joshbressers Did they ever enrich any cloud CVEs?

@joshbressers I’ll send more cheezies.

@patrickcmiller my sons cat says hi. Also he says if you see one of these, it’s ok, they’ll give you treats for going in it.

@tinker this is why I keep a file called PROCESS.md where I cut and paste commands and things I run when doing a job like that. For one thing it helps me recall what the heck I did if I need to figure it out the next day, but also lets me see how scriptable or how much work it would be to automate this if I do end up having to do it again and again.

@GossiTheDog @mattburgess I like how the whole #infosec world largely ignore the fact of the teenagers can completely stomp these large companies, let alone organized crime, let alone a nation state.

@gregkh actually 3000 is not a lot. I’m looking at the data and there’s some interesting trends with other CNAs.

There’s also also two CVE ecosystems now: the open source and the closed source. Most People are used to dealing with the closed source involves applying patches, made available by the vendor products that they have deployed.

But now they’re having to deal with the open source, and they have to do their own homework as it were, figuring out if they use this source in anything ( they likely have because of dependency chains), and remediating it on their own.

So far this year the Linux Kernel has done 3000 CVEs even. This means we can expect roughly 4500 for this year in total. Bu I have good news: they only started in Feb so we can expect another 10-15% on top of that for 2025, so with any luck that'll be about 5000. In other words 12.5% or so of TOTAL CVE activity.

So when @gregkh says run current, you need to listen.

You can spend several thousand hours a year trying to triage Linux Kernel vulns, or you can invest that effort into automation (updates, builds, testing, etc.) and stay current and answer "did you fix CVE foo" with either a "yes" or a "that will go out in the next update at future time X".

@patrickcmiller @jerry the Chevron decision will affect everything as it opens up the possibility that “if I spend enough money on a court case I can maybe change how the regulations are applied to my company” and spending a few million to save tens of millions or more in compliance costs is a no brainer for some firms.

@thomasfuchs First off.. who says this is "stealing"? Copyright fair use is a thing.

Also in Japan it's not stealing:

“regardless of whether it is for non-profit or commercial purposes, whether it is an act other than reproduction, or whether it is content obtained from illegal sites or otherwise.”

https://www.biia.com/japan-goes-all-in-copyright-doesnt-apply-to-ai-training/

@thomasfuchs Serious question: how do we support smaller companies or individuals training LLM's (e.g. Open Source LLMs) if we have strict copyright enforcement and licensing? There are precious few up-to-date training data sets that are licensed under an Open Source license or Public Domain.

Enforcing copyright and licensing for training data will 100% make training larger or up-to-date LLMs impossible for anyone without lawyers and tens of millions of dollars. I don't think that's a good long-term outcome.

@ariadne @goatsarah worse than useless, even I struggle to solve them and I have no (major) impairments. My son with autism would find most of them impossible. Captchas are inherently exclusionary and I’m guessing also violate laws like the Americans with Disabilities Act. And now they don’t work, in the sense of keeping computers out but letting people in. Even @cloudflare figured this out last year https://blog.cloudflare.com/end-cloudflare-captcha/ before the AIs took over.