Colorado Voting System Irregularities & Continued Rigging
Earlier this year I wrote about how the Colorado voting system is effectively "rigged" to enforce a two-party system. In that I said "In Colorado, if you are not registered with political affiliation, you are given two ballots; one Democrat and one Republican. This forces you to vote along party lines even if you do not fully support either party.
MSRC; Tell The Whole Story Please
Every so often, it seems that Microsoft Security Response Center (MSRC) likes to stick their proverbial foot in their mouth on the topic of vulnerability disclosure. The root issue is that collectively, MSRC does not seem to appreciate either their own history or the bigger picture. As such they have a myopic view on the topic. The latest comes in the…
Mythos Needs to Shift Left
Over the years I have been part of many discussions around a classic debate around red team versus blue team, the value of penetration testing, and the value they each bring. I started my InfoSec career in 1996 doing pentesting (aka red teaming) a couple years before it really exploded. For nine years that was my life and it often meant working crazy hours.
Amazon Auto-buy: A Slick New Feature
For half a year now, I have been using a third-party site (Keepa) to track movie prices on Amazon (and a few other sites), waiting for them to drop to the price I will pay. New movies are often released on physical media at fairly absurd rates. Almost fifty dollars for a new release when it was $17 in the theatre?
Vulnerability Embargos Are Dead
When a researcher finds a security vulnerability that impacts more than one vendor, and they wish to coordinate disclosure with both, it creates a situation where an embargo must be put in place. In this context that simply means that all three parties agree not to make the information public until a given date. This is done to allow both vendors to have a fix ready before publication.
Calif’s Bold Claims; Missing Receipts
Here we go again, more Mythos rumors and claims to unpack. I wrote a lengthy blog on Anthropic, Glasswing, and Mythos just over a month ago but this is about a very specific event and set of claims. A significant reason I am writing this is due to what I believe are poorly written headlines that are based in misunderstanding and/or attempting to sound more dramatic than warranted.
Noise2Signal Podcast: Which Does the Squirrel Bring?
For those not familiar, Mehul Revankar recently started a podcast named Noise2Signal. While there are a lot of podcasts out there and it is easy to lose track, this one stands out as Mehul has connections with a lot of folks that are significant in the history of information security. In fact, he interviewed Renaud Deraison who created Nessus and was one of the founders of Tenable.
@f5labs.bsky.social re: www.f5.com/labs/article... Are you using "AI" to do these? e.g. "Threat Details and IOCs" and "CVE-2026-35273, CVE-2026-46695, CVE-2026-46703, CVE-2026-48558, CVE-2026-50545" has nothing to do with the section above, and those CVEs are largely not for the software listed.
Security vs Security Theatre; A Lesson for Abbott
Security theater, as defined by Wikipedia, "is the practice of implementing security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it." This is a common term used by information security professionals and has been a concept for a long, long time. I recently pointed it out in my interaction with CenturyLink when canceling service.
I just realized that I'm personally "credited" in April's Microsoft Patch Tuesday with a CVE-less "Defense-in-depth" update.
The vulnerability?
CAB files downloaded from the internet do not write the MotW for files extracted from them.
I reported this to […]
[Original post on infosec.exchange]
These are the top threats you should know about this week.