SOLDIERX.COM Nobody Can Stop Information Insemination

Posted by toby via Dailydave on Jan 05

I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.

The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...

Posted by Chuck McAuley via Dailydave on Jan 05

Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).

A...

Posted by Dave Aitel via Dailydave on Jan 05

A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.

There's a theme in security metrics, a deep Wrong, that the community
cannot...

Posted by Dave Aitel via Dailydave on Dec 31

Today is my last day at Immunity. I don't know what to say about it that
everyone on this list doesn't already know or that isn't weighed down with
embarrassing secrets. At its best Immunity was a family, but also a machine
for producing absolute monsters, and not just in the technical arenas. Even
when it came to project management, we dropped people in the deep waters of
the Marianas Trench and expected them to build...

Posted by Arun Koshy via Dailydave on Dec 16

paper : http://geer.tinho.net/fgm/fgm.geer.2012.pdf
data-set : https://github.com/IQTLabs/software-supply-chain-compromises

Posted by Dave Aitel via Dailydave on Dec 11

https://twitter.com/JesseHeinig/status/1336913378564919297
https://twitter.com/ClipperChip/status/1337289319988473856

People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
book
<https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002>
on it, and it's weird when people stress "Cybernetics" as if they've found...

Posted by Dave Aitel via Dailydave on Dec 10

https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=TheHagueProgramforCyberNorms

(text:
https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-cyberspace/
)

Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.

I lolled at this section which is so true it hurts:

Since publishing that book I explored the concepts of sovereignty...

Posted by Dave Aitel via Dailydave on Dec 08

I wanted everyone to browse here and enjoy this Microsoft Teams
vulnerability: https://github.com/oskarsve/ms-teams-rce/blob/main/README.md

I also enjoy the discussion
<https://twitter.com/taviso/status/1336365194071535617?s=20> it has
engendered when it comes to how to measure vulnerabilities that are "in the
cloud" or via "Auto-update". It would be good to get clarity on these
things.
[image: image.png]

Measurement...