Announcing: The Month of No Bugs (MONB)!

Wednesday, September 1, 2010

Announcing: The Month of No Bugs (MONB)!

It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest and [...]
Continue Reading...
Disclosing the Elephant in the Room of the Disclosure Debate

Friday, July 23, 2010

Disclosing the Elephant in the Room of the Disclosure Debate

There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic. There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old Bruce Schneier essay on the topic. I have written extensively on the topic and the related [...]
Continue Reading...
There is no such thing as *Real* Value

Wednesday, May 26, 2010

There is no such thing as *Real* Value

Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value, which may bear no correlation to the real value” Rich’s reference to something called a real value [...]
Continue Reading...
Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Thursday, April 29, 2010

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system - demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…) At this stage of [...]
Continue Reading...
Rudeness, risk and vulnerability disclosure

Monday, April 26, 2010

Rudeness, risk and vulnerability disclosure

Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]
Continue Reading...
Security Budget Planning in Three Easy Steps

Wednesday, March 10, 2010

Security Budget Planning in Three Easy Steps

Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point. Don’t forget the business and don’t forget we are “optimizing” our [...]
Continue Reading...
prev next
Posted on November 3 2004 Read more...

Stolen computers have Wells Fargo customer data">Stolen computers have Wells Fargo customer data

Thousands of Wells Fargo & Co. mortgage and student-loan customers may be at risk for identity theft after four computers were stolen last month from a vendor that prints loan statements. The computers were taken from the Atlanta office of Regulus Integrated Solutions LLC contained customer names, addresses, and social security and account numbers. As the third ...
Posted on November 3 2004 Read more...

Computer Hacker Charged">Computer Hacker Charged

Three days worth of business - should be easy to calculate. A precedent could be set for Internet hackers in the area if a Wausau man is convicted. This is the first time the Wausau Police Department is charging someone with a crime like this. Twenty-nine-year-old Matthew Schuster is accused of transmitting a program causing damage to ...
Posted on November 2 2004 Read more...

UC Berkeley Hacker Story

I know this is old news, but I am trying to track down the difference in estimated impact numbers (600,000 or 1.4 million Californians?) so I decided I would blog my research: Reuters, 10/19/04: Hacker Hits California University Computer - Names, SSNs, Home Addresses, Dates of Birth of 1.4 million Californians - Breach identified end of August; Feds ...
Posted on November 1 2004 Read more...

Who Shot JR?

Who wrote Sobig? There is a new theory in town, and adding to the mystery is the anonymity of those that espouse it... So here it is: http://authortravis.tripod.com/WhoWroteSobig.pdf. Pretty interesting stuff, actually. Update: The Russian programmer denies it: Russian Denies Authoring "SoBig" Worm - Now, if only the authors of the analysis had started with "He'll of ...
Posted on October 31 2004 Read more...

Halloween Costumes

Figured I would blog the halloween characters I see tonight: 6:10pm - one Red Power Ranger 6:18pm - one evil fairy, one black angel, one fifties girl 6:19pm - Jack Skellington (nightmare before christmas) and something "I didn't know what to be" 6:20pm - one 3-yr old bad witch who wondered why I didn't have shoes and socks on 6:21pm ...
Posted on October 30 2004 Read more...

Identity Management Backstory

The latest story on Identity Management from Computerworld.
Posted on October 30 2004 Read more...

The Horror

I am in shock. And here I thought that only Microsoft products were vulnerable to security bugs. Looks like this is the end of innocence for Mac users.
Posted on October 29 2004 Read more...

P-Voting Attack

Ampersand describes and Schneier comments on how Ampersand's mailbox was knocked over on the same day as some ballots were due in the mail. Umm, this "P-Voting" attack - that is, Physical voting - worries me not even a little bit... slightly inefficient if its interest is to change the tide of the election. Risks like ...
Page 100 of 102« First...«9899100101102»