tumblr.attrition.org

2026 East Coast Drive (Part 3: VA / DC)

Mon, 22 Jun 2026 11:15:16 -0400

2026 East Coast Drive (Part 3: VA / DC)

2026 East Coast Drive (Part 2: North Carolina / Virginia)

Sun, 21 Jun 2026 11:15:56 -0400

2026 East Coast Drive (Part 2: North Carolina / Virginia)

2026 East Coast Drive (Part 1: NaClCON)

Sat, 20 Jun 2026 11:15:26 -0400

2026 East Coast Drive (Part 1: NaClCON)

My Quest for the White Squirrel!

Fri, 19 Jun 2026 11:16:20 -0400

My Quest for the White Squirrel!

Colorado Voting System Irregularities & Continued Rigging

Thu, 18 Jun 2026 11:15:29 -0400

Colorado Voting System Irregularities & Continued Rigging

MSRC; Tell The Whole Story Please

Sun, 31 May 2026 11:00:11 -0400

Every so often, it seems that Microsoft Security Response Center (MSRC) likes to stick their proverbial foot in their mouth on the topic of vulnerability disclosure. The root issue is that collectively, MSRC does not seem to appreciate either their own history or the bigger picture. As such they have a myopic view on the topic. The latest comes in the form of a new blog titled “A shared…

MSRC; Tell The Whole Story Please

Mythos Needs to Shift Left

Tue, 26 May 2026 11:15:24 -0400

Over the years I have been part of many discussions around a classic debate around red team versus blue team, the value of penetration testing, and the value they each bring. I started my InfoSec career in 1996 doing pentesting (aka red teaming) a couple years before it really exploded. For nine years that was my life and it often meant working crazy hours. My final gig doing it was with BT-INS…

Mythos Needs to Shift Left

Vulnerability Embargos Are Dead

Mon, 25 May 2026 11:16:01 -0400

Introduction

When a researcher finds a security vulnerability that impacts more than one vendor, and they wish to coordinate disclosure with both, it creates a situation where an embargo must be put in place. In this context that simply means that all three parties agree not to make the information public until a given date. This is done to allow both vendors to have a fix ready before…

Vulnerability Embargos Are Dead

Calif’s Bold Claims; Missing Receipts

Wed, 20 May 2026 11:15:23 -0400

Here we go again, more Mythos rumors and claims to unpack. I wrote a lengthy blog on Anthropic, Glasswing, and Mythos just over a month ago but this is about a very specific event and set of claims. A significant reason I am writing this is due to what I believe are poorly written headlines that are based in misunderstanding and/or attempting to sound more dramatic than warranted. It looks like…

Calif’s Bold Claims; Missing Receipts

Noise2Signal Podcast: Which Does the Squirrel Bring?

Wed, 20 May 2026 00:22:59 -0400

For those not familiar, Mehul Revankar recently started a podcast named Noise2Signal. While there are a lot of podcasts out there and it is easy to lose track, this one stands out as Mehul has connections with a lot of folks that are significant in the history of information security. In fact, he interviewed Renaud Deraison who created Nessus and was one of the founders of Tenable. That is where…

Noise2Signal Podcast: Which Does the Squirrel Bring?

Amazon Auto-buy: A Slick New Feature

Thu, 14 May 2026 11:49:17 -0400

For half a year now, I have been using a third-party site (Keepa) to track movie prices on Amazon (and a few other sites), waiting for them to drop to the price I will pay. New movies are often released on physical media at fairly absurd rates. Almost fifty dollars for a new release when it was $17 in the theatre? No thanks! So I wait until they get down into a decent range before I do.

A few…

Amazon Auto-buy: A Slick New Feature

Security vs Security Theatre; A Lesson for Abbott

Fri, 08 May 2026 11:07:07 -0400

Security vs Security Theatre; A Lesson for Abbott

The NVD Shell Game & Schrödinger’s Enriched Vulnerability

Thu, 07 May 2026 11:56:21 -0400

The NVD Shell Game & Schrödinger’s Enriched Vulnerability

The Night I Almost Died

Sun, 03 May 2026 13:26:06 -0400

The Night I Almost Died

Starfleet Academy; The Review

Sat, 02 May 2026 11:30:45 -0400

Starfleet Academy (SA), the latest TV show in the Star Trek line, debuted this year with a lot of fanfare and a fair share of drama. The show almost immediately hit the news with cries of it being “too woke”. The Washington Times headline called it a “woke culture war casualty” and Outkick said the show hit “a new low” and that the franchise “just keeps getting worse“. Jonathan Frakes, best known…

Starfleet Academy; The Review

Why Data From So Many Breaches Never Sees the Light of Day

Fri, 01 May 2026 11:06:14 -0400

Months ago I was chatting with a colleague about a recent data leak (a.k.a. Data breach), as we tend to do in this industry. Those terms are defined by Microsoft as “an unauthorized disclosure of sensitive, confidential, or personal information from an organization’s systems or networks to an external party“. Any time I see an article about data breaches I have flashbacks, and fortunately not too…

Why Data From So Many Breaches Never Sees the Light of Day

InfoSec News (ISN) Mail List History

Thu, 30 Apr 2026 14:51:29 -0400

As early as 1996, I created a mail list called InfoSec News (ISN) which initially was to share news about the industry. At the time, there were no online news sites covering the topic with any regularity and most were hobbies at best. So the original list had many articles that I had typed in by hand from print InfoSec magazines. The list has mostly faded into obscurity; so much so that trying to…

InfoSec News (ISN) Mail List History

An AI agent destroyed … hey wait a minute!

Wed, 29 Apr 2026 11:05:21 -0400

Yesterday many people ran across a headline that was shocking, and repetitive. This time it read “‘Gone in 9 seconds’: Claude-powered AI agent deletes startup’s entire database“. For myself, the first thing I had to do was check the date of the article because I swore I had just read about this recently. Yep, April 28 so it’s a new one! In a prior blog on the topic of so-called AI, or as I argued…

An AI agent destroyed … hey wait a minute!

Don’t Call Me Boss

Tue, 28 Apr 2026 11:09:18 -0400

I don’t remember when it started but it was easily five to ten years ago. I’d be in a restaurant typically and a server or cashier would call me ‘boss’. It bothered me from day one because it usually came from a younger kid who presumably didn’t understand all of the connotations behind the word in that context. I certainly felt it was inappropriate but only said something a few times when I felt…

Don’t Call Me Boss

Security Software: Holding the Vault Door Open for Criminals

Mon, 27 Apr 2026 11:08:28 -0400

I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software, the very thing designed to protect us. As best I recall, 10 – 20…

Security Software: Holding the Vault Door Open for Criminals