Jericho

@attrition.org

🐿️Vulnerability Historian / Vuln Database Guru 🐿️InfoSec recriminator 🐿️Consumer advocate / T1D 🐿️Champion of misunderstood creatures 🐿️$83,622 raised for charity.

235 Followers · 51 Following · 85 Posts · Joined 02.05.2023

Latest posts by Jericho @attrition.org

My Unofficial NaClCON FAQ

As someone who has basically become disillusioned with most information security conferences, I didn't find myself to be excited about another, let alone a new one. Then along came NaClCON and it changed my mind. It was a matter of days before I volunteered to help with the Call For Papers (CFP) review. With the frequency of new conferences, in addition to the…

05.03.2026 20:18 👍 1 🔁 0 💬 0 📌 0
It’s 2026 and Netscout Doesn’t Understand CVE

Every year I hold out hope that the security industry will better understand the Common Vulnerabilities and Exposures (CVE) system. A surprising number in this industry barely know about it, let alone any meaningful details. It's one thing for a random security wonk in a back corner somewhere, laser-focused on their myopic work not to. It's another thing for a security company that offers "

03.03.2026 18:22 👍 1 🔁 0 💬 0 📌 0
Domain Transfer Confirmation Email? No, It’s Not From ICANN.

TL;DR: If you get an email from noreply@emailverification.info saying you must click a link and input a code to finalize a domain transfer, ignore it. It claims to be an ICANN accredited registrar, but per ICANN themselves, the mail is not legitimate. Any mails about transferring a domain should come from the registrar you are moving from, or the one you are moving to.

26.02.2026 21:20 👍 0 🔁 0 💬 0 📌 0
NSA, Theft, and the Original Quantum Lazlo

Back in November, 2009, Attrition.org staff (including me) finally got around to finalizing the name for our new mascot (archive.org), the angry squirrel firmly associated with Attrition and myself. In a cheeky letter from the mascot, it was signed 'Lazlo'. Since that date, the mascot has seen a wide variety of iterations as Lazlo was modified for various images and purposes, including presentations and stickers.

23.02.2026 19:31 👍 1 🔁 0 💬 0 📌 0
Support Charity or Shatter Dreams

A few days ago, a friend linked me to a contest that her daughter's art was entered in, where voting is done online. I'm sure we've seen this for a wide variety of things in our lives these days, so it is easy to miss some of the little details that render the competitions unfair. The original ones often had no mechanism to stop you from just clicking 'Vote' over and over.

22.02.2026 18:07 👍 0 🔁 0 💬 0 📌 0
Abert’s Squirrels and Wonderful Variations

After moving from Denver to the nearby mountains, I was quite happy to learn that I had four different kinds of squirrels in the area. The Golden Mantle Ground Squirrel, Least Chipmunk, Douglas Pine Squirrel, and the Abert's Squirrel. The last is also known as the tassel-eared squirrel. Native to the southern Rockies, they can also be found in New Mexico and Arizona.

14.02.2026 16:17 👍 4 🔁 0 💬 1 📌 0
Random Movie/TV Thoughts and Reviews (February 2026)

Reviews One Battle After Another (2025) is the kind of movie, to me, that seems to have everything right; good acting, interesting plot, good character development. And yet somehow it just doesn't click for me. I understand why it would win an award for any given acting role, but overall as a movie I think it breaks down at the end and turns into a more mundane, improbable action.

13.02.2026 01:05 👍 1 🔁 0 💬 1 📌 0
Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses

Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple days ago, titled "CVE Quality-by-Design Manifesto", is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which he declares our needs is wrong, on top of missing some not-so-subtle points about the CVE ecosystem to which he speaks.

27.01.2026 16:23 👍 0 🔁 0 💬 0 📌 0
Shadow, Ghost, and Phantasmawhatever Vulnerabilities – The Reality

Back in September of 2024, I took some notes on a blog I wanted to write about "Shadow" vulnerabilities, based on a corporate blog with a poor concept and misunderstanding of CVE. The title was to be "Shadow Vulnerabilities - Rebuttal" and pretty straight-forward. Vulnerability life is crazy when you help manage a true vulnerability database (VDB) that isn't a clone of CVE, and operates independently.

19.01.2026 16:45 👍 0 🔁 0 💬 0 📌 0

For historical nerds and anthropologists... is the Q/A there real, or tongue-in-cheek to go with the excellent quote above?

15.01.2026 06:07 👍 2 🔁 1 💬 0 📌 0
Vulnerability Disclosure Forensics: /cgi-bin/upload.cgi

Yesterday, Chris Sullo of Nikto fame, asked me a simple question; in so many words, what was the "first web vuln". To be clear, he is asking about the first vulnerability in a web server / service / program. Seems relatively straight-forward but I challenge anyone to answer it with their own data set, especially CVE. One reason I have it a bit easier is that at the time, OSVDB (now VulnDB) actually had a metadata point called the "web related" classification.

03.01.2026 19:15 👍 1 🔁 0 💬 0 📌 0
Rest In Peace IBM X-Force Vulnerability Database

Within the vulnerability ecosystem, the CVE project / vulnerability database is certainly the most well-known. Over the past 30 years many others have come and gone, and others are still around. Some of you will recognize SecurityFocus BID, Open Sourced Vulnerability Database (OSVDB), Secunia, VulnDB, OSV, and others. Started in 1997, there is another that has spent three decades flying under most security professional's radar, despite being one of the best free databases for almost that entire time.

23.12.2025 20:51 👍 3 🔁 0 💬 0 📌 0
Squirrel Goes Down the Rabbit Hole (Security Podcast)

On November 17, I joined the three hosts of the Down the Security Rabbithole (DtSR) podcast to talk about CVSS, CVE, and how they play into risk and defending networks. My time followed Robert "RSnake" Hansen's podcast where he had a pretty controversial take on risk management. One of the hosts, Rafal Los, asked my thoughts and after I listened I shared enough to prompt him to ask me to do the next.

22.11.2025 03:30 👍 0 🔁 0 💬 0 📌 0
The image shows a collection of stickers scattered on a light-colored, speckled kitchen counter (which appears to be a white or light grey quartz/granite). The stickers feature a variety of whimsical, cartoonish, and often humorous designs.
Here are some of the notable stickers and details:
 * Humorous Text Stickers:
   * One large, dark sticker reads: "Russ left the FBI and all I got was this lousy sticker."
   * Another green rectangular sticker says: "CVES ARE FOR SNITCHES."
   * A small white one near the top says: "ATTITUDE."
   * Another sticker says: "INTROVERTED BUT WILLING TO DISCUSS ANIMALS."
 * Animal/Character Designs:
   * Several feature various animals like raccoons, a squatted pig (center), a cartoon cat with large eyes, and a couple of other stylized animals.
   * One sticker has a large, purple fist.
   * Another features a green, stylized character with large hands (possibly a monster or alien).

Stickers from @attrition.org

Time to start a new layer of stickers on my laptop. 😎

30.09.2025 17:59 👍 3 🔁 1 💬 0 📌 0

Charity listing up! DEF CON 33 Human Badge w/ Lanyard [NEW]

www.ebay.com/itm/26741144...

#DEFCON #DEFCON33

22.09.2025 00:41 👍 6 🔁 0 💬 0 📌 0
Leave AI Slop out of CVE; Humans Make Mistakes Just Fine

I was recently asked, again, if so-called AI could help CVE. My reply was quick and direct; no. At least, not right now, and to me not for the immediate foreseeable future. Anyone that knows me is probably aware of my disdain for so-called AI. The fact that I preface it with "so-called" should be a good clue because what people call "AI" right now certainly isn't.

02.09.2025 14:51 👍 4 🔁 0 💬 0 📌 0

Charity Auction Up!

DEF CON 33 AI Jack Badge by TechNick

ebay.com/itm/26738131...

#DEFCON #DEFCON33 #BADGELIFE

26.08.2025 22:52 👍 3 🔁 0 💬 0 📌 0
2025 BSidesLV CVE Panel – My Comments

This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn't fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did not feel I had enough time to prepare a presentation with my current work/life load.

15.08.2025 20:59 👍 0 🔁 0 💬 0 📌 0

Charity Auction!

Three (3) BlackHat Briefings USA Badges (2015/2016/2018)

www.ebay.com/itm/26734175...

#BlackHat #BlackHatBriefings #BlackHatUSA #Hacker #InfoSec

24.07.2025 23:06 👍 2 🔁 4 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2019 Participant Badge

www.ebay.com/itm/26734174...

#Hacker #InfoSec #BSides #BsidesLV

24.07.2025 22:56 👍 4 🔁 4 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2017 Participant Badge

www.ebay.com/itm/26734174...

#Hacker #InfoSec #BSides #BsidesLV

24.07.2025 22:53 👍 3 🔁 4 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2014 Rock Badge (Supporter)

www.ebay.com/itm/26734174...

#Hacker #InfoSec #BSides #BsidesLV

24.07.2025 22:51 👍 2 🔁 4 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2014 Participant Badge

www.ebay.com/itm/26734174...

#Hacker #InfoSec #BSides #BSidesLV

24.07.2025 22:47 👍 1 🔁 4 💬 0 📌 0

So far, thanks to DaKahuna and his badge donations, we have raised $705.28 for the American Heart Association!

There are already more badges listed, with more BSidesLV and BlackHat badges coming this week. After summer camp, there will be more from other cons.

23.07.2025 02:22 👍 3 🔁 1 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2018 Participant Badge

www.ebay.com/itm/26733926...

#Hacker #BsidesLV #Bsides #InfoSec #LasVegas

23.07.2025 02:18 👍 1 🔁 1 💬 1 📌 0

Charity Auction!

BSides Las Vegas 2014 Speaker Badge w/ Pangaea Social Engineering Contest Badge

www.ebay.com/itm/26733925...

#Hacker #BSidesLV #BSides #SocialEngineering #LasVegas

23.07.2025 02:13 👍 1 🔁 1 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2022 Participant Badge w/ 303 Bling Badge

www.ebay.com/itm/26733924...

#BSidesLV #Bsides #Hacker #InfoSec #303

23.07.2025 02:05 👍 5 🔁 2 💬 0 📌 0

Charity Auction!

BSides Las Vegas 2010 Badge

www.ebay.com/itm/26733921...

#BSidesLV #BSides #Hacker #InfoSec

23.07.2025 01:35 👍 3 🔁 1 💬 0 📌 0

Charity Auction!

DEFCON Skytalks Enforcer Badge w/ Hacker

www.ebay.com/itm/26733920...

#HACKER #INFOSEC #DEFCON #SKYTALKS

23.07.2025 01:28 👍 5 🔁 1 💬 0 📌 0

Charity Auction!

DEFCON Skytalks Enforcer Badge w/ Android Thingy

ebay.com/itm/26733920...

#DEFCON #SKYTALKS #HACKER #INFOSEC

23.07.2025 01:27 👍 3 🔁 1 💬 0 📌 0