Posts by adamshostack@infosec.exchange
 (DIR) Post #At88CLXd9Dea9nvC2i by adamshostack@infosec.exchange
       2025-04-15T22:27:58Z
       
       0 likes, 1 repeats
       
       CVE funding is apparently not being renewed. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.) Those included comparing between vulnerability posts. It’s a lot of work to decide if two vulns are the same. Tagging both with a name was an important use case in 1997, and one that I got to revisit around 2010 when I was doing work to understand how malware got into PCs. Most of the attacks in exploit kits were not CVE-labeled. So deciding what they were was hours per vuln, with a high failure rate, versus minutes when they had a CVE assigned.

       CVE achieved public good status exceptionally quickly, in part because of support from thoughtful leaders like Tony Sager while he was at NSA. Finding support from outside the government was, as I recall, harder because MITRE is Congressionally chartered and has difficulty taking money from anyone but the US Government.

       There are other use cases, and I want to mention them because I was talking in private to friends, and they weren’t aware of these. All vendor names are used as examples.

       “Did redhat fix this python bug or do we need to find a patch?” is way easier with CVEs.

       Did Apple fix this OpenSSL bug after getting version locked to OpenSSL .9.8?

       Having a name lets you discuss “did Microsoft fix this yet?” and if there’s a tool that tests it, you can cross-check the bug, the proof of concept, and the patch.

       Having an authoritative public timetable, including issuance, helped everyone understand when a vendor was slow-rolling a fix.
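       The correlation use case in the post above (matching a scanner finding, a proof of concept and a vendor patch by their shared CVE name, and seeing how much falls through when no name exists) as an added example; this is not code from the post or from CVE/MITRE. The source labels ("scanner", "exploit-writeup", "vendor-advisory") and the CVE-2099-* identifiers are constructed placeholders, not real records.

```python
import re
from collections import defaultdict

# CVE identifiers are "CVE-YYYY-NNNN..." with at least four digits after the year.
# Matching is case-insensitive because feeds and tickets are inconsistent about casing.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text):
    """Return the set of CVE names mentioned in text, normalised to upper case."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}


# Constructed sample records (source, free text). The IDs and products are made up.
RECORDS = [
    ("scanner", "Outdated OpenSSL library detected, see cve-2099-0001"),
    ("vendor-advisory", "CVE-2099-0001: fixed in package openssl-1.0.0-z"),
    ("exploit-writeup", "PoC for CVE-2099-0001 heap overflow in the handshake"),
    ("scanner", "Python pickle deserialization issue (CVE-2099-0002)"),
    ("exploit-writeup", "unnamed bug in an image parser, crashes on a malformed header"),
    ("vendor-advisory", "Patched an image parser crash"),
]


def correlate(records):
    """Group records by CVE name; records with no name go to a manual-review pile.

    Returns (by_id, unlabeled) where by_id maps CVE -> {source: [texts]} and
    unlabeled is the list of (source, text) pairs that carried no CVE name.
    Those last two constructed records are the "hours per vuln" case: a human
    has to decide whether the write-up and the patch describe the same bug.
    """
    by_id = defaultdict(lambda: defaultdict(list))
    unlabeled = []
    for source, text in records:
        ids = extract_cve_ids(text)
        if not ids:
            unlabeled.append((source, text))
        for cve in ids:
            by_id[cve][source].append(text)
    return by_id, unlabeled


def cross_check(by_id, cve):
    """Answer 'did the vendor fix this yet?' for one CVE from the grouped records.

    The three flags correspond to the bug report, the proof of concept and the
    patch being observed under the same name.
    """
    sources = by_id.get(cve, {})
    return {
        "reported": "scanner" in sources,
        "poc": "exploit-writeup" in sources,
        "patched": "vendor-advisory" in sources,
    }


if __name__ == "__main__":
    grouped, needs_review = correlate(RECORDS)
    for cve in sorted(grouped):
        print(cve, cross_check(grouped, cve))
    print(f"{len(needs_review)} record(s) without a CVE name need manual matching:")
    for source, text in needs_review:
        print(f"  [{source}] {text}")
```

       The named records resolve by a set lookup; the unnamed pair is exactly the work the post describes, left for a person to decide whether they are the same bug.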
       
 (DIR) Post #AtlDPXONZs7sMbmfHk by adamshostack@infosec.exchange
       2025-05-04T19:27:31Z
       
       0 likes, 1 repeats
       
       This May the Fourth, remember that rebellions are built on hope.
       
 (DIR) Post #AuNFNlPXwRmXpFtHm4 by adamshostack@infosec.exchange
       2025-05-23T03:03:55Z
       
       0 likes, 1 repeats
       
       You can still opt out of the #biometric exit permission machines at #SeaTac, and it’s faster than being photographed. They do lie and claim you need to go to the desk before boarding begins in loud announcements.  Thanks to the #acluwa and @ehasbrouck who fought for those rights to be preserved.
       
 (DIR) Post #AvKTcn4Z2AVcuiLCNc by adamshostack@infosec.exchange
       2025-06-20T17:48:13Z
       
       0 likes, 0 repeats
       
       I am so grateful we saved a few million bucks by DOGEing the Voice of America's Farsi service. There's no possible value in having a way to send the Iranian people a message.

       Oh, wait, maybe it was incredibly stupid and shortsighted. Yeah, I'm going with that. DOGEy, even.
       
 (DIR) Post #AvND5VhJb5Uhg4SGzQ by adamshostack@infosec.exchange
       2025-06-22T01:35:53Z
       
       0 likes, 1 repeats
       
       With his party in control of both houses of Congress, the President didn’t bother to get a declaration of war, nor did he bother to explain his reasons to the American people.
       
 (DIR) Post #AwhyTLyobDHWN5KRDU by adamshostack@infosec.exchange
       2025-07-30T23:04:43Z
       
       0 likes, 0 repeats
       
       Are there sshd state machines? I'm looking for one that covers "root," "running as user" and "spawning shell"*?

       I've found https://www.researchgate.net/figure/Abstract-description-of-SSH2-with-Diffie-Hellman-key-exchange_fig2_241880255 and Figure 5 of https://www.cs.ru.nl/bachelors-theses/2017/Toon_Lenaerts___4321219___Improving-protocol-state-fuzzing-of-SSH.pdf

       (*This assumes my recollection that sshd replaced /bin/login is accurate)
       
 (DIR) Post #AwhyTP5J3XFy05OAFc by adamshostack@infosec.exchange
       2025-07-31T22:27:16Z
       
       0 likes, 0 repeats
       
       @msw Yeah, that! cc @mwl
       
 (DIR) Post #AwhyTQIoWnehmGiSwa by adamshostack@infosec.exchange
       2025-07-31T22:29:16Z
       
       0 likes, 0 repeats
       
       @msw @mwl Also cc @bsdphk @jawnsy @ricci
       
 (DIR) Post #AwhyTS2a47rJAV8Wv2 by adamshostack@infosec.exchange
       2025-07-31T22:47:36Z
       
       0 likes, 0 repeats
       
       @msw These are really useful, thank you! Do you know of more modern examples? (cc @mwl @bsdphk @jawnsy @ricci)
       
 (DIR) Post #AwhyTToTTXlOfKYID2 by adamshostack@infosec.exchange
       2025-07-31T23:02:45Z
       
       0 likes, 0 repeats
       
       @msw @mwl @bsdphk @jawnsy @ricci Any system whose security matters where the system is depicted with a state machine.
       
 (DIR) Post #AyBFdSCjgsm5B4ayP2 by adamshostack@infosec.exchange
       2025-09-13T16:43:41Z
       
       0 likes, 0 repeats
       
       It won’t work. (Dunking on mastodon here, not Don. ) https://techhub.social/@BrentD/115197950000197643
       
 (DIR) Post #AyBFdWBosEPzXOCIWu by adamshostack@infosec.exchange
       2025-09-13T16:46:10Z
       
       0 likes, 0 repeats
       
       The issue is you cannot control clients. The clients are under the control of the people who write them and are on the far side of a boundary from you. Maybe you can limit (at the server) posts that contain links to other posts, images of other posts, URL shorteners that link to other posts, but you’re in an arms race and you’re not deploying effective controls.
       
 (DIR) Post #AyBFdaSH0zxMlZvUjQ by adamshostack@infosec.exchange
       2025-09-13T16:51:36Z
       
       0 likes, 0 repeats
       
       Another way to say this: What, precisely, is the policy language or algorithm you're going to deploy, and where will it be enforced?
       
 (DIR) Post #B08vwYet1qIZQMuy3s by adamshostack@infosec.exchange
       2025-11-11T17:39:54Z
       
       0 likes, 0 repeats
       
       @ricci @greatquux What a cool find! Also, I hope y'all have a very strong fireproof box. :)
       
 (DIR) Post #B2zLEePNBQV0iuXGU4 by adamshostack@infosec.exchange
       2026-02-04T19:21:56Z
       
       0 likes, 0 repeats
       
       @dangoodin I think they can force your finger onto the sensor (much like they can force fingerprints on an ink pad) and force you to open your eyes. Those are "non-testimonial" where if your password was, I dunno, "IkilledBob" then that's testimonial and the courts can't force you to self-incriminate.
       
 (DIR) Post #B3cRNm3GJO6FvPMdG4 by adamshostack@infosec.exchange
       2026-02-23T16:27:46Z
       
       0 likes, 0 repeats
       
       @josephcox To be fair, maybe "delete my inbox" is acting in accordance with human interests? 🤣
       
 (DIR) Post #B4UBmRNEJ96Q1WQHTc by adamshostack@infosec.exchange
       2026-03-21T15:02:35Z
       
       0 likes, 0 repeats
       
       To introspect, or not to introspect? That is the question.

       Whether ’tis nobler in the mind to suffer the slings and arrows of outrageous innovation, or, by introspecting, not push that next feature on customers who’ll hate it?

       Aye, there’s the rub.
       
 (DIR) Post #B4re3TEZuUDC4KMaiv by adamshostack@infosec.exchange
       2026-04-01T22:49:52Z
       
       0 likes, 0 repeats
       
       @simplenomad I think, like the ethernet ports on the Mars rovers, that if you get to them, you deserve to win. Also, why the &*()(% is there a password on flight gear?
       
 (DIR) Post #B4xTvprq2jYpM3CucS by adamshostack@infosec.exchange
       2026-04-04T16:36:01Z
       
       3 likes, 5 repeats
       
       
       
 (DIR) Post #B5Mrt516W5RbK4l4eu by adamshostack@infosec.exchange
       2026-04-16T21:55:02Z
       
       3 likes, 3 repeats
       
       First day on the Bluesky infrastructure team! I hooked up OpenClaw, and it has some amazing ideas about scaling and optimization!