I came home and now my Yubikey is held together with some tape. Is this OK?
Notices by Josh Bressers (joshbressers@infosec.exchange)
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 04-Sep-2024 11:32:38 JST Josh Bressers
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 19-Dec-2023 07:20:58 JST Josh Bressers I was in a meeting today and I realized something profound
We are currently in a post #CVE world
That probably doesn’t make sense to a lot of people, and I need to think about it more
But here’s the basics of it
The CVE data is so comically bad, nobody actually doing #vulnerability work can use it. The ID is all we use. We have to look in other databases and collect our own facts
Automated tools rely on sources like #GitHub, #GitLab, and #OSV. Other than the ID, CVE doesn’t really matter anymore
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 23-Nov-2023 00:20:00 JST Josh Bressers I've yet to find minizip in any zlib packages (I'm trying to find it)
But even if it was there, you can make the argument that this affects zlib, which is technically correct
But zlib is special, it's in literally every computing device on the planet
This is going to waste literally millions of dollars with people either patching to get rid of the vulnerability absolutists, or justifying why it's not a problem over and over again
Rigidly following rules and policy without exception either means your policy is terrible, or you don't understand what's going on (or both)
Additionally, this shouldn't have a critical severity. So even if your broken policy makes you keep the data in the system, at least mark the severity appropriately
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 22-Nov-2023 20:30:14 JST Josh Bressers A lot of folks are going to have a bad time with this
https://nvd.nist.gov/vuln/detail/CVE-2023-45853
It’s a critical #CVE in zlib
Except it’s not critical
And doesn’t affect zlib
The whole CVE system is too broken to fix
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 20-Sep-2023 08:11:32 JST Josh Bressers I fixed the XKCD open source cartoon to be more accurate
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 30-Jun-2023 01:54:38 JST Josh Bressers @silverwizard @BleepingComputer Oh my goodness. I'm totally stealing that quote
"these bugs are a tradition"
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 30-Jun-2023 01:48:56 JST Josh Bressers OK, I want to rant about something for a bit
This story from @BleepingComputer covers the topic of the top most dangerous #security #vulnerabilities from 2021/2022
The problem isn't the story, the story is good
The problem is these lists
MITRE is a group that runs #CVE, they host the MITRE ATT&CK framework, #CWE is under their umbrella, and countless other things related to security
#OWASP has a similar list and they are considered one of the primary authorities on secure development
And what do these lists show us? That nothing changes. The lists are the same every year. A few things might move around, but functionally we have the same security problems we did a decade ago, heck, 20 years ago.
These are groups that can hand out advice that will be followed, and what do they give us? Nothing of substance
The secret is that they have no idea how to change anything
I think there are two overly simplistic ways to look at this
First, we have the security the free market demands. There's nothing to fix, these lists are all stupid and pointless. It's just ego stroking for organizations that don't actually matter but want to pretend they are relevant.
OR
The people running these groups have no idea what to do. Many haven't written a line of code in over a decade, and rather than try to work with the next generation, they make lists and complain
I have no grand solution, I'm just complaining. And I'm old. So clearly I fit in the second category. Thank you for coming to my conference talk. I should probably go make a list now
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 20-Jun-2023 18:59:26 JST Josh Bressers Today I had the pleasure of going through the #rust training @liw offers
I was really impressed by it all. If your company is looking for some Rust training, this is a great option