Claudio Criscione
@criscio.net
Security Robot Overlord @ Google.
Vulnerability Management
After a few days in Thailand.

Me: takes picture of "interesting" engineering solution in the streets

Wife: are you prepping for that slide deck *again*?

Me: ....

Wife: you promised you'd stop

Me: sorry love, this narrative basically writes itself!
April 27, 2025 at 3:46 AM
Guess we are about to find out if we can prop up OSV fast enough.
April 15, 2025 at 10:13 PM
My kneejerk reaction to CVEs for EOL software is reasonably positive. It's clearly abusing the system, but would most likely have a net positive security impact in many cases.
January 23, 2025 at 6:03 PM
I recently had to walk someone through their concerns of being targeted by hackers, and take steps to defend. One of the things we considered was "how much money will they spend on you", assessing the cost of 0days for a few pieces of software.

That got me wondering: do we have a handy, accepted pricelist?
January 6, 2025 at 10:34 AM
Reposted by Claudio Criscione
On the fifth day of Christmas, Thucydides sent to me
Tragic irony!
Four hundred oligarchs,
Fear, honour and interest,
A bipolar conflict
And a κτῆμά ἐς αἰεὶ.
December 25, 2024 at 3:04 PM
Reposted by Claudio Criscione
CVE-2024-12727 Sophos coming in with an unauthenticated SQLi in their firewall appliance 👏
CVE-2023-34990 🤦‍♂️🤦‍♂️
December 22, 2024 at 8:43 AM
Repeat after me: I will not talk about vulnerability management until I've at least read CVSSv4 and understood it.
December 20, 2024 at 12:33 PM
Reposted by Claudio Criscione
Most fucking definitely.
We are almost certainly going to find out that "Show me your smile" is this woman's tried and true way to make sure men end up on the surveillance camera in case they pull some shenanigans at the hostel

December 6, 2024 at 4:53 AM
I can't quite believe it but I woke up this morning with the distinct feeling we might actually have a real, no BS usage for formally written down threat models.

My 24-year-old pentester self would laugh so hard at me I'd break a rib.
December 1, 2024 at 4:58 PM
Reposted by Claudio Criscione
Picard management tip: Try your best to speak in a way the other person will understand, even when it seems nearly impossible.
December 1, 2024 at 4:04 PM
Reposted by Claudio Criscione
All jokes aside, I think cyber warfare would be tough as the baseline reliability of many critical IT systems isn't that great anyway.
December 1, 2024 at 10:49 AM
Reposted by Claudio Criscione
#warhammer enjoyers and other hobbyists: Vallejo workers are on strike. Please try not to get any Vallejo product until the situation changes!
🔴⚫ The workers of Acrylicos Vallejo are on strike; find out the reasons why 👇
November 28, 2024 at 8:14 PM
Wiz really is a very serious player in vuln management. I like a number of things about dazz's tech. Well done.
November 22, 2024 at 11:26 PM
@geffner.bsky.social I see you are working in scanning these days :+)
November 18, 2024 at 9:31 PM
Look mum, a wget vuln!

www.openwall.com/lists/oss-se...
oss-security - Fwd: wget-1.25.0 released [fixes CVE-2024-10524]
November 18, 2024 at 9:29 PM
Reposted by Claudio Criscione
Oh, I never posted my gotofail story on here.

Early 2014, someone came to me about a catastrophic vulnerability in Apple's TLS implementation.

I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.
November 17, 2024 at 11:22 PM
Reposted by Claudio Criscione
Vimes Boot Theory (2024):

-Shitty boots that fall apart, but at least they're cheap.

-Shitty boots that fall apart, but you get them replaced on a subscription model.

-Shitty boots that fall apart, but they upload your walking metadata to an ad server that recommends future boots.

I feel like every time I bemoan shitty things falling apart, people tell me about Vimes Boot Theory, and guys: the billionaires know about Vimes Boot Theory, and they're trying to dismantle it.

They don’t want there to be any more good boots.
I used to be a tech enthusiast. I am becoming a tech dethusiast. I don’t want any more tech to buy. I don’t want smart appliances. I don’t want smart pants. I don’t want smart dumbbells.

I just want things that I can buy and that work for 20 years.
April 5, 2024 at 2:25 AM
Reposted by Claudio Criscione
Remembering Oppy, who we lost otd 2019
February 13, 2024 at 1:32 PM
My kitchen robot is vulnerable to CVE-2011-0997.

Dependency vulns have won, I give up.
January 10, 2024 at 6:33 PM
CVSS v4 seems to be out.
Absolutely the worst scoring system except every other that we tried before.
November 1, 2023 at 8:41 PM
Reposted by Claudio Criscione
the objectively funniest period in history was just after the fall of the soviet union because neoliberal academics all got so tremendously fucking high that they wrote shit like "history is over" or "it is physically impossible for two countries to go to war if both have a McDonald's"
November 1, 2023 at 2:19 AM
Reposted by Claudio Criscione
Heads up! On October 11 we ship curl 8.4.0. We cut the release cycle short for this "emergency release" with a fix for a severity HIGH CVE (and one LOW). Buckle up. And my apologies for this inconvenience.
October 3, 2023 at 7:13 AM
Oof. Very sad about the news at Google. Again. I don't have much of a network for recruiters, but if I can help, I will. There are good people being let go :(
September 13, 2023 at 9:58 PM