  • Thoughts on CISA’s “Vulnrichment” Initiative

    As many in the vulnerability disclosure ecosystem are now aware, the Cybersecurity & Infrastructure Security Agency (CISA) announced a new program called “Vulnrichment” on LinkedIn yesterday. News about the program spread rapidly via news sites and private companies. In this statement and elsewhere, there are definitely some general questions to be asked out loud since…

  • Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a ‘database’ at all”. It is basically his outline for how to build an international database that many parties can contribute to, intended to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…

  • MITRE Got Popped; A Bit of Irony and Perspective

    I know, “don’t kick someone when they are down”, but I have a history of working on a project that catalogs just such incidents. Yesterday, MITRE announced that they had been compromised by a nation-state actor, but didn’t provide much detail. Bleeping Computer reported that the compromise was due to zero-day vulnerabilities in an…

  • A Glimpse Into the CISA KEV

    On March 27, Elizabeth Cardona and Tod Beardsley gave a presentation at VulnCon 2024 about CISA’s KEV, or ‘Known Exploited Vulnerabilities’ list. This initiative was created as a result of BOD 22-01, which is a ‘Binding Operational Directive’ aimed at reducing the risk due to vulnerabilities that are known to be exploited in the wild,…

  • VulnCon: NVD Symposium, Answers, and More Concerns

    Yesterday, at the inaugural VulnCon, Tanya Brewer from the NVD gave a presentation that was listed on the agenda as “NVD Symposium”. At the talk, her slides opened with the header “The National Vulnerability Database: Exploring Opportunities”. However, neither the symposium nor the opportunities were the primary topics that most people were interested in…

  • The Linux CNA – Red Flags Since 2022

    [2/28/2024 Update: A bit more info added at the end regarding “almost any bug might be exploitable”.] MITRE announced on February 13, 2024 that The Linux Kernel Organization (Kernel.org, hereafter referred to as ‘Linux’) was officially a CVE Numbering Authority (CNA) and, via the CVE web site, that their advisories would be posted here. That means they…

  • No one will burn a zero day on you…?

    For at least two decades, a common mantra in the Information Security industry has been that “no one will burn a zero day on you!” This is typically said to a person, often someone who comes across as overly paranoid, or perhaps to the owner of a small hobby website. This term refers to zero day vulnerabilities, ones that are…

  • 2024 and Some Still Don’t Understand the CVE Ecosystem

    [Update: Even before I publish this, I want to keep everything I wrote for now. But I believe this rebuttal is in response to trash written by SpiceWorks and a GPT.] The world of vulnerability disclosures is growing fast, for a variety of reasons I won’t get into. Suffice it to say my time is…

  • Puzzling the Community a Bit!

    Earlier this year I drove by a fire station in the foothills and noticed it had a Little Free Library. Before driving by completely I realized there was a big tub on a bench next to it with something written inside. Wow… a community puzzle swap! If you happened to read my last blog, you’ll…

  • The Fine Art of Wooden Puzzles

    Growing up as a kid, I did puzzles with my mom and grandmom, especially around Christmas. It was standard to have a puzzle going on a card table near the kitchen and whenever someone walked by, they did a couple pieces. After the big feast, we all sat around and worked to complete it. Between…