REcon 2012

I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet.  I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the [...]

ExploitHub

A few years ago, following the failure of WabiSabiLabi’s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works.  Obviously given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can’t have a public market for 0day vulnerabilities.  As WabiSabiLabi quickly found out, by disclosing enough information about the vulnerability so [...]

February 29th, 2012 | business, security, software, technology | 0 Comments

The Folly of a Scheduled Patch Release Cycle

A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers.  Since then, many other vendors have followed suit.  There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand [...]

The Internet is a Dirty, Dirty Mistress

It’s been quite a while since I wrote or updated DFW, the I)ruidic FireWall.  Included with that utility is a default iptables firewall policy which the user can use directly, tweak to their liking, or completely throw away and start over from scratch.  NetFilter (iptables) has come a long way since I was actively working in the firewall space and regularly maintaining the DFW utility, so I thought it high [...]

June 27th, 2008 | attack, perimeter security, security, software | 0 Comments

Vulnerability Disclosure, Cryptography Research, and Open Source

Today, Bruce Schneier posted an essay to his blog arguing the case for full disclosure of software vulnerabilities, which I am also in favor of. It’s apparently a side-bar to an article in CSOOnline entitled “The Chilling Effect” which is about some of the growing issues surrounding vulnerability research in web software. There are also two other side-bars arguing the case for keeping vulnerability information secret or only telling the software [...]

January 23rd, 2007 | cryptography, security, software | 0 Comments