tumblr.attrition.org

MSRC; Tell The Whole Story Please

Sun, 31 May 2026 11:00:11 -0400

Every so often, it seems that Microsoft Security Response Center (MSRC) likes to stick their proverbial foot in their mouth on the topic of vulnerability disclosure. The root issue is that collectively, MSRC does not seem to appreciate either their own history or the bigger picture. As such they have a myopic view on the topic. The latest comes in the form of a new blog titled “A shared…

MSRC; Tell The Whole Story Please

Mythos Needs to Shift Left

Tue, 26 May 2026 11:15:24 -0400

Over the years I have been part of many discussions around a classic debate around red team versus blue team, the value of penetration testing, and the value they each bring. I started my InfoSec career in 1996 doing pentesting (aka red teaming) a couple years before it really exploded. For nine years that was my life and it often meant working crazy hours. My final gig doing it was with BT-INS…

Mythos Needs to Shift Left

Vulnerability Embargos Are Dead

Mon, 25 May 2026 11:16:01 -0400

Introduction

When a researcher finds a security vulnerability that impacts more than one vendor, and they wish to coordinate disclosure with both, it creates a situation where an embargo must be put in place. In this context that simply means that all three parties agree not to make the information public until a given date. This is done to allow both vendors to have a fix ready before…

Vulnerability Embargos Are Dead

Calif’s Bold Claims; Missing Receipts

Wed, 20 May 2026 11:15:23 -0400

Here we go again, more Mythos rumors and claims to unpack. I wrote a lengthy blog on Anthropic, Glasswing, and Mythos just over a month ago but this is about a very specific event and set of claims. A significant reason I am writing this is due to what I believe are poorly written headlines that are based in misunderstanding and/or attempting to sound more dramatic than warranted. It looks like…

Calif’s Bold Claims; Missing Receipts

Noise2Signal Podcast: Which Does the Squirrel Bring?

Wed, 20 May 2026 00:22:59 -0400

For those not familiar, Mehul Revankar recently started a podcast named Noise2Signal. While there are a lot of podcasts out there and it is easy to lose track, this one stands out as Mehul has connections with a lot of folks that are significant in the history of information security. In fact, he interviewed Renaud Deraison who created Nessus and was one of the founders of Tenable. That is where…

Noise2Signal Podcast: Which Does the Squirrel Bring?

Amazon Auto-buy: A Slick New Feature

Thu, 14 May 2026 11:49:17 -0400

For half a year now, I have been using a third-party site (Keepa) to track movie prices on Amazon (and a few other sites), waiting for them to drop to the price I will pay. New movies are often released on physical media at fairly absurd rates. Almost fifty dollars for a new release when it was $17 in the theatre? No thanks! So I wait until they get down into a decent range before I do.

A few…

Amazon Auto-buy: A Slick New Feature

Security vs Security Theatre; A Lesson for Abbott

Fri, 08 May 2026 11:07:07 -0400

Security vs Security Theatre; A Lesson for Abbott

The NVD Shell Game & Schrödinger’s Enriched Vulnerability

Thu, 07 May 2026 11:56:21 -0400

The NVD Shell Game & Schrödinger’s Enriched Vulnerability

The Night I Almost Died

Sun, 03 May 2026 13:26:06 -0400

The Night I Almost Died

Starfleet Academy; The Review

Sat, 02 May 2026 11:30:45 -0400

Starfleet Academy (SA), the latest TV show in the Star Trek line, debuted this year with a lot of fanfare and a fair share of drama. The show almost immediately hit the news with cries of it being “too woke”. The Washington Times headline called it a “woke culture war casualty” and Outkick said the show hit “a new low” and that the franchise “just keeps getting worse“. Jonathan Frakes, best known…

Starfleet Academy; The Review

Why Data From So Many Breaches Never Sees the Light of Day

Fri, 01 May 2026 11:06:14 -0400

Months ago I was chatting with a colleague about a recent data leak (a.k.a. Data breach), as we tend to do in this industry. Those terms are defined by Microsoft as “an unauthorized disclosure of sensitive, confidential, or personal information from an organization’s systems or networks to an external party“. Any time I see an article about data breaches I have flashbacks, and fortunately not too…

Why Data From So Many Breaches Never Sees the Light of Day

InfoSec News (ISN) Mail List History

Thu, 30 Apr 2026 14:51:29 -0400

As early as 1996, I created a mail list called InfoSec News (ISN) which initially was to share news about the industry. At the time, there were no online news sites covering the topic with any regularity and most were hobbies at best. So the original list had many articles that I had typed in by hand from print InfoSec magazines. The list has mostly faded into obscurity; so much so that trying to…

InfoSec News (ISN) Mail List History

An AI agent destroyed … hey wait a minute!

Wed, 29 Apr 2026 11:05:21 -0400

Yesterday many people ran across a headline that was shocking, and repetitive. This time it read “‘Gone in 9 seconds’: Claude-powered AI agent deletes startup’s entire database“. For myself, the first thing I had to do was check the date of the article because I swore I had just read about this recently. Yep, April 28 so it’s a new one! In a prior blog on the topic of so-called AI, or as I argued…

An AI agent destroyed … hey wait a minute!

Don’t Call Me Boss

Tue, 28 Apr 2026 11:09:18 -0400

I don’t remember when it started but it was easily five to ten years ago. I’d be in a restaurant typically and a server or cashier would call me ‘boss’. It bothered me from day one because it usually came from a younger kid who presumably didn’t understand all of the connotations behind the word in that context. I certainly felt it was inappropriate but only said something a few times when I felt…

Don’t Call Me Boss

Security Software: Holding the Vault Door Open for Criminals

Mon, 27 Apr 2026 11:08:28 -0400

I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software, the very thing designed to protect us. As best I recall, 10 – 20…

Security Software: Holding the Vault Door Open for Criminals

Another Wave of Random Thoughts

Wed, 22 Apr 2026 11:15:24 -0400

ATM

ATMs have way too many options for many users, and definitely for most uses of the machines by volume. Sometimes, when I put my card in, why are you asking what language I want to use? The same one as last time maybe? And for someone who has the same exact transaction 95% of the time, give me a single button that just says “repeat last transaction” and display what it is. So much time would…

Another Wave of Random Thoughts

Death Bed Then vs Now; Societal Impact and Contentment

Tue, 21 Apr 2026 09:51:25 -0400

An abstract thought.

Our grandparent’s generation seemed content on their deathbed, some with religion, some without. In TV, movies, and books, you see one in a hospital or at home surrounded by loved ones, with a gentle smile. I wonder if that will get much more difficult in today’s age, as society declines and the sense of accomplishing something meaningful declines as well. Two generations…

Death Bed Then vs Now; Societal Impact and Contentment

NVD Gives Up

Fri, 17 Apr 2026 11:05:23 -0400

Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leaves no time for Q&A despite there being a considerable…

NVD Gives Up

Anthropic, Mythos, and the Dark Reality No One Is Talking About

Wed, 15 Apr 2026 11:47:40 -0400

If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, other’s opinions, then a broader opinion of my own on where this is all going.

Gemini prompt:…

Anthropic, Mythos, and the Dark Reality No One Is Talking About

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

Mon, 06 Apr 2026 10:55:26 -0400

On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked“. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was of interest to me for a variety of reasons as it primarily talked about the…

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition