Archive for the 'Random' Category

Announcing: The Month of No Bugs (MONB)!

Posted on September 1 2010 by Pete Lindstrom

It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)!
This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest and [...]

Disclosing the Elephant in the Room of the Disclosure Debate

Posted on July 23 2010 by Pete Lindstrom

There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic.
There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old Bruce Schneier essay on the topic. I have written extensively on the topic and the related [...]

There is no such thing as *Real* Value

Posted on May 26 2010 by Pete Lindstrom

Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback.
Most importantly, I would like to address this point:
“I consider that an implied or assumed value, which may bear no correlation to the real value”
Rich’s reference to something called a real value [...]

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Posted on April 29 2010 by Pete Lindstrom

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system - demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…)
At this stage of [...]

Rudeness, risk and vulnerability disclosure

Posted on April 26 2010 by Pete Lindstrom

Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point:
“However, vuln disclosure isn’t friendly. It is an inherently rude act.”
It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]

Security Budget Planning in Three Easy Steps

Posted on March 10 2010 by Pete Lindstrom

Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point.
Don’t forget the business and don’t forget we are “optimizing” our [...]

RSA Conference 2010 - Ghost of Conference Past

Posted on March 4 2010 by Pete Lindstrom

I was talking with my buddy Ben Rothke tonight about the security graveyard - companies that are no longer with us (he’s been a part of a number of them, but I’m not making any connections ;-). He also challenged me to find an old list of companies exhibiting at RSA. Herewith is a list [...]

Addressing the Advanced Persistent Threat (APT)

Posted on February 1 2010 by Pete Lindstrom

In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world. Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of a clear and consistent definition.
It started with Google suggesting (but not explicitly stating) that the [...]
