tumblr.attrition.org

NVD Gives Up

Fri, 17 Apr 2026 11:05:23 -0400

Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leaves no time for Q&A despite there being a considerable…

NVD Gives Up

Anthropic, Mythos, and the Dark Reality No One Is Talking About

Wed, 15 Apr 2026 11:47:40 -0400

If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, other’s opinions, then a broader opinion of my own on where this is all going.

Gemini prompt:…

Anthropic, Mythos, and the Dark Reality No One Is Talking About

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

Mon, 06 Apr 2026 10:55:26 -0400

On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked“. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was of interest to me for a variety of reasons as it primarily talked about the…

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

We Are Legion (We Are Bobservations); Answering a “Simple” Question

Sat, 04 Apr 2026 11:05:23 -0400

In late February, a friend linked an article about a science-fiction book and asked if I had read it. I told her that I hadn’t but after reading an abstract it sounded good. She asked if I would be her designated reader due to her workload, and report back. I said sure! She was particularly interested in it after reading an article by Rya Jetha in the The San Francisco Standard. The article,…

We Are Legion (We Are Bobservations); Answering a “Simple” Question

Wait… We Needed That CNA Rule?! A Complaint =)

Tue, 31 Mar 2026 11:45:15 -0400

It’s one of those rules you’d never think we needed until something happens…

On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with VulnDB!) using their lackluster templating:

“If you want to get…

Wait… We Needed That CNA Rule?! A Complaint =)

Miggo, KEV, and FUD; They Still Don’t Get It

Mon, 30 Mar 2026 11:36:10 -0400

[If the name ‘Miggo’ is familiar to you in the context of my blogging, you are thinking about one I wrote titled “Miggo Security’s AI Slop & Potential Trademark Infringement” in July, 2025. That was more around ‘corporate’ culture and bad lawyering. This blog is different, pointing out how they don’t seem to understand KEV at all.]

On November 18, 2025, Miggo published a report titled “Missing…

Miggo, KEV, and FUD; They Still Don’t Get It

NaClCON Talks I Am Excited For

Fri, 27 Mar 2026 14:12:24 -0400

Earlier this month, I published “My Unofficial NaClCON FAQ” talking about a new security conference that I am excited for. It’s still a bit surprising to myself that I am interested in one at all. I fully thought I was done with them, but here we are! After participating on the Call For Papers (CFP) team to help select speakers, I wanted to highlight some talks that sound great.

First, the…

NaClCON Talks I Am Excited For

YouTube: I Don’t Think You Understand Your Userbase

Tue, 24 Mar 2026 19:22:37 -0400

It’s pretty rare that I use YouTube on a television, typically only if in the mood for specific music. Even then it tends to be a handful of videos as my ‘go to’. Earlier this month I was in the mood for such a concert and loaded it. I am authenticated as my Google account, so YouTube knows exactly who I am. At the top of the screen are my recommendations:

You can probably see exactly where I am…

YouTube: I Don’t Think You Understand Your Userbase

The Jericho Blog Graveyard (2016 - 2020)

Wed, 18 Mar 2026 16:03:58 -0400

This is a continuing short run series of blogs summarizing old drafts and either declaring them dead, while listing them here, or keeping them as they are still relevant.

Part 1 – The Jericho Blog Graveyard (2010 – 2013)Part 2 – The Jericho Blog Graveyard (2014 – 2015)

Part three:

2016 – Extensive notes from a group chat at RBS about how bad the 2016 DBIR report was, numerous errors in it, and…

The Jericho Blog Graveyard (2016 - 2020)

The Jericho Blog Graveyard (2014 - 2015)

Tue, 17 Mar 2026 11:46:25 -0400

After my last blog on the draft graveyard, which was the first, I am down to 117 that go back to 2014. Twelve years is a bit too long to sit on a blog typically. So like before, here are ideas I had to write about but never did.

2014 – “Android Annoyances” is as the title describes, centered around upgrading and importing stuff I didn’t want, auto-correcting me still after fixing something back…

The Jericho Blog Graveyard (2014 - 2015)

Reason #42 Why InfoSec Has Failed

Mon, 16 Mar 2026 11:45:44 -0400

Building on a prior post, with an admittedly arbitrary number that seems to be about right as far as the number of reasons, and more in this series coming in the future…

This is a quick story to give readers an idea of just how bad our industry really is. This is not anecdotal either, I was present for this one as it impacted Risk Based Security. In addition to regular customers who consumed our…

Reason #42 Why InfoSec Has Failed

My Lego Build: The Revolt

Sun, 15 Mar 2026 11:45:21 -0400

My Lego Build: The Revolt

My Pledge re: so-called AI and this Blog

Sat, 14 Mar 2026 12:06:05 -0400

With the prevalence of so-called artificial intelligence (AI), the amount of people turning to it to the technology to help them write, or fully write, content is growing quickly. While it may be getting more difficult to detect assisted writing and generative images, it is still fairly easy and reliable. Regardless, I want to be very clear about my use of this technology past, present, and…

My Pledge re: so-called AI and this Blog

Zero Day Clock - All The Pieces Matter

Thu, 12 Mar 2026 11:30:22 -0400

Zero Day Clock - All The Pieces Matter

My Unofficial NaClCON FAQ

Thu, 05 Mar 2026 15:18:48 -0500

As someone who has basically become disillusioned with most information security conferences, I didn’t find myself to be excited about another, let alone a new one. Then along came NaClCON and it changed my mind. It was a matter of days before I volunteered to help with the Call For Papers (CFP) review. With the frequency of new conferences, in addition to the staggering number of existing ones,…

My Unofficial NaClCON FAQ

It’s 2026 and Netscout Doesn’t Understand CVE

Tue, 03 Mar 2026 13:22:11 -0500

Every year I hold out hope that the security industry will better understand the Common Vulnerabilities and Exposures (CVE) system. A surprising number in this industry barely know about it, let alone any meaningful details. It’s one thing for a random security wonk in a back corner somewhere, laser-focused on their myopic work not to. It’s another thing for a security company that offers…

It’s 2026 and Netscout Doesn’t Understand CVE

Domain Transfer Confirmation Email? No, It’s Not From ICANN.

Thu, 26 Feb 2026 16:20:48 -0500

TL;DR: If you get an email from noreply@emailverification.info saying you must click a link and input a code to finalize a domain transfer, ignore it. It claims to be an ICANN accredited registrar, but per ICANN themselves, the mail is not legitimate. Any mails about transferring a domain should come from the registrar you are moving from, or the one you are moving to.

It feels weird to write…

Domain Transfer Confirmation Email? No, It’s Not From ICANN.

NSA, Theft, and the Original Quantum Lazlo

Mon, 23 Feb 2026 14:31:35 -0500

NSA, Theft, and the Original Quantum Lazlo

Support Charity or Shatter Dreams

Sun, 22 Feb 2026 13:07:12 -0500

A few days ago, a friend linked me to a contest that her daughter’s art was entered in, where voting is done online. I’m sure we’ve seen this for a wide variety of things in our lives these days, so it is easy to miss some of the little details that render the competitions unfair. The original ones often had no mechanism to stop you from just clicking ‘Vote’ over and over. Then they added…

Support Charity or Shatter Dreams

Abert’s Squirrels and Wonderful Variations

Sat, 14 Feb 2026 11:16:53 -0500

Abert’s Squirrels and Wonderful Variations