tumblr.attrition.org

Security vs Security Theatre; A Lesson for Abbott

Fri, 08 May 2026 11:07:07 -0400

Security vs Security Theatre; A Lesson for Abbott

The NVD Shell Game & Schrödinger’s Enriched Vulnerability

Thu, 07 May 2026 11:56:21 -0400

The NVD Shell Game & Schrödinger’s Enriched Vulnerability

The Night I Almost Died

Sun, 03 May 2026 13:26:06 -0400

The Night I Almost Died

Starfleet Academy; The Review

Sat, 02 May 2026 11:30:45 -0400

Starfleet Academy (SA), the latest TV show in the Star Trek line, debuted this year with a lot of fanfare and a fair share of drama. The show almost immediately hit the news with cries of it being “too woke”. The Washington Times headline called it a “woke culture war casualty” and Outkick said the show hit “a new low” and that the franchise “just keeps getting worse“. Jonathan Frakes, best known…

Starfleet Academy; The Review

Why Data From So Many Breaches Never Sees the Light of Day

Fri, 01 May 2026 11:06:14 -0400

Months ago I was chatting with a colleague about a recent data leak (a.k.a. Data breach), as we tend to do in this industry. Those terms are defined by Microsoft as “an unauthorized disclosure of sensitive, confidential, or personal information from an organization’s systems or networks to an external party“. Any time I see an article about data breaches I have flashbacks, and fortunately not too…

Why Data From So Many Breaches Never Sees the Light of Day

InfoSec News (ISN) Mail List History

Thu, 30 Apr 2026 14:51:29 -0400

As early as 1996, I created a mail list called InfoSec News (ISN) which initially was to share news about the industry. At the time, there were no online news sites covering the topic with any regularity and most were hobbies at best. So the original list had many articles that I had typed in by hand from print InfoSec magazines. The list has mostly faded into obscurity; so much so that trying to…

InfoSec News (ISN) Mail List History

An AI agent destroyed … hey wait a minute!

Wed, 29 Apr 2026 11:05:21 -0400

Yesterday many people ran across a headline that was shocking, and repetitive. This time it read “‘Gone in 9 seconds’: Claude-powered AI agent deletes startup’s entire database“. For myself, the first thing I had to do was check the date of the article because I swore I had just read about this recently. Yep, April 28 so it’s a new one! In a prior blog on the topic of so-called AI, or as I argued…

An AI agent destroyed … hey wait a minute!

Don’t Call Me Boss

Tue, 28 Apr 2026 11:09:18 -0400

I don’t remember when it started but it was easily five to ten years ago. I’d be in a restaurant typically and a server or cashier would call me ‘boss’. It bothered me from day one because it usually came from a younger kid who presumably didn’t understand all of the connotations behind the word in that context. I certainly felt it was inappropriate but only said something a few times when I felt…

Don’t Call Me Boss

Security Software: Holding the Vault Door Open for Criminals

Mon, 27 Apr 2026 11:08:28 -0400

I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software, the very thing designed to protect us. As best I recall, 10 – 20…

Security Software: Holding the Vault Door Open for Criminals

Another Wave of Random Thoughts

Wed, 22 Apr 2026 11:15:24 -0400

ATM

ATMs have way too many options for many users, and definitely for most uses of the machines by volume. Sometimes, when I put my card in, why are you asking what language I want to use? The same one as last time maybe? And for someone who has the same exact transaction 95% of the time, give me a single button that just says “repeat last transaction” and display what it is. So much time would…

Another Wave of Random Thoughts

Death Bed Then vs Now; Societal Impact and Contentment

Tue, 21 Apr 2026 09:51:25 -0400

An abstract thought.

Our grandparent’s generation seemed content on their deathbed, some with religion, some without. In TV, movies, and books, you see one in a hospital or at home surrounded by loved ones, with a gentle smile. I wonder if that will get much more difficult in today’s age, as society declines and the sense of accomplishing something meaningful declines as well. Two generations…

Death Bed Then vs Now; Societal Impact and Contentment

NVD Gives Up

Fri, 17 Apr 2026 11:05:23 -0400

Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leaves no time for Q&A despite there being a considerable…

NVD Gives Up

Anthropic, Mythos, and the Dark Reality No One Is Talking About

Wed, 15 Apr 2026 11:47:40 -0400

If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, other’s opinions, then a broader opinion of my own on where this is all going.

Gemini prompt:…

Anthropic, Mythos, and the Dark Reality No One Is Talking About

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

Mon, 06 Apr 2026 10:55:26 -0400

On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked“. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was of interest to me for a variety of reasons as it primarily talked about the…

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

We Are Legion (We Are Bobservations); Answering a “Simple” Question

Sat, 04 Apr 2026 11:05:23 -0400

In late February, a friend linked an article about a science-fiction book and asked if I had read it. I told her that I hadn’t but after reading an abstract it sounded good. She asked if I would be her designated reader due to her workload, and report back. I said sure! She was particularly interested in it after reading an article by Rya Jetha in the The San Francisco Standard. The article,…

We Are Legion (We Are Bobservations); Answering a “Simple” Question

Wait… We Needed That CNA Rule?! A Complaint =)

Tue, 31 Mar 2026 11:45:15 -0400

It’s one of those rules you’d never think we needed until something happens…

On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with VulnDB!) using their lackluster templating:

“If you want to get…

Wait… We Needed That CNA Rule?! A Complaint =)

Miggo, KEV, and FUD; They Still Don’t Get It

Mon, 30 Mar 2026 11:36:10 -0400

[If the name ‘Miggo’ is familiar to you in the context of my blogging, you are thinking about one I wrote titled “Miggo Security’s AI Slop & Potential Trademark Infringement” in July, 2025. That was more around ‘corporate’ culture and bad lawyering. This blog is different, pointing out how they don’t seem to understand KEV at all.]

On November 18, 2025, Miggo published a report titled “Missing…

Miggo, KEV, and FUD; They Still Don’t Get It

NaClCON Talks I Am Excited For

Fri, 27 Mar 2026 14:12:24 -0400

Earlier this month, I published “My Unofficial NaClCON FAQ” talking about a new security conference that I am excited for. It’s still a bit surprising to myself that I am interested in one at all. I fully thought I was done with them, but here we are! After participating on the Call For Papers (CFP) team to help select speakers, I wanted to highlight some talks that sound great.

First, the…

NaClCON Talks I Am Excited For

YouTube: I Don’t Think You Understand Your Userbase

Tue, 24 Mar 2026 19:22:37 -0400

It’s pretty rare that I use YouTube on a television, typically only if in the mood for specific music. Even then it tends to be a handful of videos as my ‘go to’. Earlier this month I was in the mood for such a concert and loaded it. I am authenticated as my Google account, so YouTube knows exactly who I am. At the top of the screen are my recommendations:

You can probably see exactly where I am…

YouTube: I Don’t Think You Understand Your Userbase

The Jericho Blog Graveyard (2016 - 2020)

Wed, 18 Mar 2026 16:03:58 -0400

This is a continuing short run series of blogs summarizing old drafts and either declaring them dead, while listing them here, or keeping them as they are still relevant.

Part 1 – The Jericho Blog Graveyard (2010 – 2013)Part 2 – The Jericho Blog Graveyard (2014 – 2015)

Part three:

2016 – Extensive notes from a group chat at RBS about how bad the 2016 DBIR report was, numerous errors in it, and…

The Jericho Blog Graveyard (2016 - 2020)