
Posts by Jericho

Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition - jericho.blog/2026/04/06/v...

1 week ago 1 0 0 0
We Are Legion (We Are Bobservations); Answering a “Simple” Question

In late February, a friend linked an article about a science-fiction book and asked if I had read it. I told her that I hadn't but after reading an abstract it sounded good. She asked if I would be her designated reader due to her workload, and report back. I said sure! She was particularly interested in it after reading an article by Rya Jetha in The San Francisco Standard.

1 week ago 2 0 0 0
XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)

XenForo 2.3.9 Released. Today we are releasing XenForo 2.3.9 to address some potential security vulnerabilities that were recently reported to us. This version only includes security fixes and any bug ...

Please share the actual vulnerability so others are better warned about it being under active exploitation. Based on your vague wording, it is the RCE fixed here:

xenforo.com/community/th...

Confirm?

1 week ago 0 0 0 0
Wait… We Needed That CNA Rule?! A Complaint =)

It's one of those rules you'd never think we needed until something happens… On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with Vuln…

1 week ago 0 0 0 0
Miggo, KEV, and FUD; They Still Don’t Get It

On November 18, 2025, Miggo published a report titled "Missing 88% of Exploits: Rethinking KEV in the AI Era". Their conclusion is that CISA's KEV is "missing" a significant number of vulnerabilities. However, that conclusion is based on a horrible misunderstanding of .. many things. Every time I write a sentence here I re-read their conclusion wondering if I am misreading it.

2 weeks ago 0 0 0 0
NaClCON Talks I Am Excited For

Earlier this month, I published "My Unofficial NaClCON FAQ" talking about a new security conference that I am excited for. It's still a bit surprising to myself that I am interested in one at all. I fully thought I was done with them, but here we are! After participating on the Call For Papers (CFP) team to help select speakers, I wanted to highlight some talks that sound great.

2 weeks ago 3 2 0 0
YouTube: I Don’t Think You Understand Your Userbase

It's pretty rare that I use YouTube on a television, typically only if in the mood for specific music. Even then it tends to be a handful of videos as my 'go to'. Earlier this month I was in the mood for such a concert and loaded it. I am authenticated as my Google account, so YouTube knows exactly who I am.

2 weeks ago 1 0 0 0
The Jericho Blog Graveyard (2016 – 2020)

This is a continuing short run series of blogs summarizing old drafts and either declaring them dead, while listing them here, or keeping them as they are still relevant. Part 1 - The Jericho Blog Graveyard (2010 – 2013). Part 2 - The Jericho Blog Graveyard (2014 - 2015). Part three: 2016 - Extensive notes from a group chat at RBS about how bad the 2016 DBIR report was, numerous errors in it, and more.

3 weeks ago 3 1 0 0
The Jericho Blog Graveyard (2014 – 2015)

After my last blog on the draft graveyard, which was the first, I am down to 117 that go back to 2014. Twelve years is a bit too long to sit on a blog typically. So like before, here are ideas I had to write about but never did. 2014 - "Android Annoyances" is as the title describes, centered around upgrading and importing stuff I didn't want, auto-correcting me still after fixing something back the way I wanted three times, and how stupid it censors me as an adult.

3 weeks ago 0 1 0 0
Reason #42 Why InfoSec Has Failed

Building on a prior post, with an admittedly arbitrary number that seems to be about right as far as the number of reasons, and more in this series coming in the future... This is a quick story to give readers an idea of just how bad our industry really is. This is not anecdotal either, I was present for this one as it impacted Risk Based Security.

4 weeks ago 1 1 0 0
My Lego Build: The Revolt

It started with an amusing meme of a Lego squirrel about to cut a park ranger. That 10x10 tiny build was the inspiration for a much bigger version of it, that kept expanding. Trying to recreate even the small version provided a challenge, going through BrickLinks to find the ranger top, hat, knife, and even the worried expression face. When I realized that Lego had more than one color squirrel, it started with a fun little build to celebrate the squirrels and that I found a 'nut' piece:

4 weeks ago 3 0 1 0
My Pledge re: so-called AI and this Blog

With the prevalence of so-called artificial intelligence (AI), the amount of people turning to the technology to help them write, or fully write, content is growing quickly. While it may be getting more difficult to detect assisted writing and generative images, it is still fairly easy and reliable. Regardless, I want to be very clear about my use of this technology past, present, and future.

4 weeks ago 0 0 1 0
Charity auction alert!

NolaCon 2025 Badge & Stickers

www.ebay.com/itm/26760512...

#InfoSec #Hacker #BadgeLife #NolaCon

1 month ago 2 0 0 0
Charity auction up!

2019 ShmooCon Staff Badge w/ Lanyard

www.ebay.com/itm/26760511...

#ShmooCon #Hacker #InfoSec #Charity

1 month ago 1 0 0 0
Zero Day Clock – All The Pieces Matter

Last week, a colleague shared a link to the "Zero Day Clock", a web site that has a substantial number of signatories, including some big names. I want to talk extensively about the clock because it makes at least one significant mistake and points out what the data means along with a comparison to another dataset, and then a bit about a few signatories.

1 month ago 0 0 0 0
Charity Auction!

DEF CON 33 Human Badge w/ Lanyard

www.ebay.com/itm/26760163...

1 month ago 1 0 0 0
Charity auction!

Derbycon 5 (2015) Attendee Badge w/ Lanyard

www.ebay.com/itm/26760161...

1 month ago 1 1 0 0

Charity auctions are back! Over the coming month or more, there will be a steady stream of InfoSec swag items, primarily con badges, with 100% of proceeds going to the charity of choice of the person who donated the item. First item coming up...

#Charity #InfoSec

1 month ago 5 2 0 0
My Unofficial NaClCON FAQ

As someone who has basically become disillusioned with most information security conferences, I didn't find myself to be excited about another, let alone a new one. Then along came NaClCON and it changed my mind. It was a matter of days before I volunteered to help with the Call For Papers (CFP) review. With the frequency of new conferences, in addition to the…

1 month ago 1 0 0 0
It’s 2026 and Netscout Doesn’t Understand CVE

Every year I hold out hope that the security industry will better understand the Common Vulnerabilities and Exposures (CVE) system. A surprising number in this industry barely know about it, let alone any meaningful details. It's one thing for a random security wonk in a back corner somewhere, laser-focused on their myopic work not to. It's another thing for a security company that offers "

1 month ago 1 0 0 0
Domain Transfer Confirmation Email? No, It’s Not From ICANN.

TL;DR: If you get an email from noreply@emailverification.info saying you must click a link and input a code to finalize a domain transfer, ignore it. It claims to be an ICANN accredited registrar, but per ICANN themselves, the mail is not legitimate. Any mails about transferring a domain should come from the registrar you are moving from, or the one you are moving to.

1 month ago 0 0 0 0
NSA, Theft, and the Original Quantum Lazlo

Back in November, 2009, Attrition.org staff (including me) finally got around to finalizing the name for our new mascot (archive.org), the angry squirrel firmly associated with Attrition and myself. In a cheeky letter from the mascot, it was signed 'Lazlo'. Since that date, the mascot has seen a wide variety of iterations as Lazlo was modified for various images and purposes, including presentations and stickers.

1 month ago 1 0 0 0
Support Charity or Shatter Dreams

A few days ago, a friend linked me to a contest that her daughter's art was entered in, where voting is done online. I'm sure we've seen this for a wide variety of things in our lives these days, so it is easy to miss some of the little details that render the competitions unfair. The original ones often had no mechanism to stop you from just clicking 'Vote' over and over.

1 month ago 0 0 0 0
Abert’s Squirrels and Wonderful Variations

After moving from Denver to the nearby mountains, I was quite happy to learn that I had four different kinds of squirrels in the area. The Golden Mantle Ground Squirrel, Least Chipmunk, Douglas Pine Squirrel, and the Abert's Squirrel. The last is also known as the tassel-eared squirrel. Native to the southern Rockies, they can also be found in New Mexico and Arizona.

1 month ago 4 0 1 0
Random Movie/TV Thoughts and Reviews (February 2026)

Reviews

One Battle After Another (2025) is the kind of movie, to me, that seems to have everything right; good acting, interesting plot, good character development. And yet somehow it just doesn't click for me. I understand why it would win an award for any given acting role, but overall as a movie I think it breaks down at the end and turns into a more mundane, improbable action.

2 months ago 1 0 1 0
Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses

Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple days ago, titled "CVE Quality-by-Design Manifesto", is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which he declares our needs is wrong, on top of missing some not-so-subtle points about the CVE ecosystem to which he speaks.

2 months ago 0 0 0 0
Shadow, Ghost, and Phantasmawhatever Vulnerabilities – The Reality

Back in September of 2024, I took some notes on a blog I wanted to write about "Shadow" vulnerabilities, based on a corporate blog with a poor concept and misunderstanding of CVE. The title was to be "Shadow Vulnerabilities - Rebuttal" and pretty straight-forward. Vulnerability life is crazy when you help manage a true vulnerability database (VDB) that isn't a clone of CVE, and operates independently.

2 months ago 0 0 0 0

For historical nerds and anthropologists... is the Q/A there real, or tongue-in-cheek to go with the excellent quote above?

2 months ago 2 1 0 0
Vulnerability Disclosure Forensics: /cgi-bin/upload.cgi

Yesterday, Chris Sullo of Nikto fame, asked me a simple question; in so many words, what was the "first web vuln". To be clear, he is asking about the first vulnerability in a web server / service / program. Seems relatively straight-forward but I challenge anyone to answer it with their own data set, especially CVE. One reason I have it a bit easier is that at the time, OSVDB (now VulnDB) actually had a metadata point called the "web related" classification.

3 months ago 1 0 0 0
Rest In Peace IBM X-Force Vulnerability Database

Within the vulnerability ecosystem, the CVE project / vulnerability database is certainly the most well-known. Over the past 30 years many others have come and gone, and others are still around. Some of you will recognize SecurityFocus BID, Open Sourced Vulnerability Database (OSVDB), Secunia, VulnDB, OSV, and others. Started in 1997, there is another that has spent three decades flying under most security professionals' radar, despite being one of the best free databases for almost that entire time.

3 months ago 3 0 0 0