Welcome to the aforementioned slinky and sultry Web 2.0 crap.

tumblr.attrition.org

Posts tagged "osvdb"
  1. @postmodern_mod3: osvdb.org doesn't support SSL. #irony
    @OSVDB: Login is over SSL, the public data we maintain is not.
    @postmodern_mod3: Ah ha. The link to login should probably be https.
    @attritionorg: Did you notice http://postmodern.github.com/ isn't HTTPS? Maybe complain to them first...
    @postmodern_mod3: You never submit credentials to postmodern.github.com. Also, why are you replying? @osvdb made their point, issue closed.
    @attritionorg: saying OSVDB should be 100% HTTPS and running a site that isn't is #hypocrisy
    @attritionorg: because OSVDB uses HTTPS for creds, no reason to use it for the rest of the site. You wasted 15 mins of their lives.
    @postmodern_mod3: To clarify, I said 100% https would be "ideal". http is fine for a static site.
    @postmodern_mod3: I guess you're right. Someone on the internet was wrong.
    @jcran: am i wrong in thinking i could grab a cookie over http & use that to change pass?
    @attritionorg: possibly. then what? you make changes to a database that require moderation to go live? annoyance at best it seems?
    @jcran: but yeah, annoyance at best, it seems #wikipediastillfuctions
    @jcran: yeah, i'm behind ssl only where it makes sense, but unless @osvdb reqs old pass to change pass, accounts can be comp'd
    @attritionorg: doesn't require an old pass to change, will open a ticket on that. overall, the mods consider HTTP for that site acceptable risk
    @jcran: thanks!
    @attritionorg: no thank you, hadn't noticed that or I would have ticketed it long ago (begin the mocking)
    @jcran: no worries, anyone effing w/ it gets the wrath of a thousand rabid squirrels anyway. #notadvisable
    @postmodern_mod3: sorry if I'm wasting more of your time, but could you allow https URLs for /show/osvdb/:id ? It redirects me back to http.
    @OSVDB: Can you provide a good reason for this? Again, that is part of the public database, nothing sensitive.
    @postmodern_mod3: Also, web.nvd.nist.gov seems to support https requests. So I would think OSVDB should too.
    @attritionorg: NVD has a lot of bad habits too, doesn't mean @OSVDB should follow them...
    @jkouns: maybe best to just use NVD then if it meets your needs =)
    8 months ago
  2. SAP released 500+ security notes!

    Man up SAP, make them public…

    1 year ago
  3. "Dear Sun/Oracle, making bulletins with 1-26-xxxxxx IDs no longer easily available? Fuck you. Sincerely, OSVDB"
    - OSVDB
    1 year ago
  4. @gdead: How many CVE's are the result of "in the wild" discoveries vs. vuln research? or MS bulletins for that matter. Anyone know?
    @attritionorg: http://osvdb.org/search/advsearch check "Discovered in the Wild".
    @gdead: Oh @attritionorg, how I love you.
    @attritionorg: it may not be historically complete, but we're mindful of that classification when adding entries the last few years.
    @shitroamersays: REPORTED is the key word in that 20:1 ratio. Just because someone didn't report it doesn't mean they didn't find it.
    @gdead: you think that 20x as many exploits are seen in the wild as reported? Seems unlikely.
    @attritionorg: remember, we flag "Discovered in the wild", key word 'discovered'. if exploited after disclosure, doesn't count
    1 year ago
  5. OSVDB: Vendors with the longest "time to patch"
    2 years ago 
  6. OSVDB: Author of 'ClearBudget' mangled an unspecified issue with more details. We need more vendors like this!
    2 years ago 
  7. Open Security Foundation - State of the Union 2010
    2 years ago 
  8. OSVDB: Microsoft, Aurora, forest and trees?
    2 years ago 
  9. OSVDB: Help us meet our goal!
    2 years ago 
  10. Challenge: OSVDB Winter 2010 Fundraising Goal

    lyger:

    OSVDB has just announced its Winter 2010 Fundraising Goal, which currently hopes to raise $9,000 before April 1, 2010. Looking back over the last couple of years of advances in the project, it’s easy to see not only how the project has evolved, but also how operational costs have increased to cover software development, content development, server hosting costs, and other assorted expenses to help keep OSVDB interesting, timely, and functional.

    On average, OSVDB has promoted 10,000 to 12,000 vulnerabilities per year for the last few years. Breaking that down to about 1,000 per month, the vulnerabilities in the database are gathered from a variety of sources, such as CVE, Secunia and various vendor changelogs and advisories. Keeping up a pace of about 1,000 newly listed vulnerabilities per month hasn’t always been easy… but it’s about to get interesting.

    I recently resigned my position as Chief Communications Officer with Open Security Foundation to focus more on the “content” aspect of OSVDB and DataLossDB. The extra time gained from giving up administrative duties will hopefully help the sites keep content fresh and accurate. Jericho, CJI, and I are going to keep working on new vulnerabilities as we can and keep the ball rolling.

    With that said, I’m issuing a challenge: For every new vulnerability issued an OSVDB ID from January 1, 2010 through April 1, 2010, I will donate $0.50 (fiddy cents) of my own money to the OSVDB fundraiser. I challenge anyone who feels that OSVDB is a valuable resource to the security community to match my donation.

    To make a few points clear:

    1. I am no longer an OSF officer. My donation comes out of my own pocket, not the OSF coffers, and I will accept no compensation from OSF for this offer. If I have to sell a kidney, I hear you only need one anyway.
    2. Since Jericho, CJI, and I are the ones who generally push new vulnerabilities to “live” status, there will be no slacking to save my bank account. If anything, I’ll be more motivated to push the potential donations higher and they’ll be motivated to watch me suffer on April 2. That’s how we roll.
    3. At an average of 1,000 vulnerabilities a month, over three months I expect to donate $1,500. It may be less, it may be more. There will be a maximum cap of $2,500 donated by myself and anyone who matches it. If we can push 5,000 vulns in three months, something is either very wrong or very great. YMMV.
    4. If five other people and/or groups take me up on the challenge and we meet our average, OSF will meet its goal. We still hope everyone else will contribute not only time but *effort* to help the project.
    5. This is not a gimmick. It’s not smoke and mirrors. You can see what OSVDB pushes on a daily basis on our Twitter page and on our contributors page. We will push all legitimate vulnerabilities just as we have been doing for years. If we’re slow for a few days, don’t worry. We’ll catch up.

    So, that’s the challenge. If anyone wants to play and match my offer, please contact us at moderators[at]osvdb.org. I’m going back to work now.

    2 years ago 
  11. Open Security Foundation Wins the SC Magazine 2009 Editor’s Choice Award

    Thank you, everyone.

    2 years ago