Newsletter

02.15.2022 | 5'' read

Finally, some refreshing security news…

by Ryan Naraine

  • The most clicked link from the last newsletter was Patrick Howell O’Neil’s interview with the NSA’s Gil Herrera on the cybersecurity challenges facing the powerful spy agency. The transcript of my conversation with Google’s Heather Adkins was also quite popular.

The best things I read this week.

The best thing I read this week was David Rosenthal’s Stanford lecture on cryptocurrencies, the cypherpunks and how Silicon Valley’s libertarian culture leads to the ignoring of externalities. It’s long and chock-filled with data and links. The comments section is also a rabbit-hole of thought-provoking goodness.

The second best was news from Google Project Zero that vendors are getting better — and faster — at fixing high-risk security vulnerabilities.

TL;DR:

  • In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.
  • In addition to the average now being well below the 90-day deadline, GPZ also saw a drop-off in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period.

And the worst…

The worst thing on the entire Internet this week was the endless list of companies buying nonsense fake “cybersecurity excellence awards.” Proofpoint even put out a press release to boast they “won” 35 of these dumb logos. Some company called Irdeto won 23 awards, including the bizarrely named “best cybersecurity company.” Make it stop, please.

The second worst is the realization there’s no respite from in-the-wild zero-day attacks this year. Since we last spoke, Apple shipped an out-of-band patch for an “actively exploited” WebKit/iOS zero-day and Google followed suit a few days later with patches for an under-attack Android flaw. Oh, Adobe too.

For those counting, we’ve discovered six (6) zero-days so far this year and it’s only the middle of February.

As usual, reboot those iPhones.

_ryan

Sponsored.

  • Join us on Wednesday, February 23 for SecurityWeek’s Attack Surface Management Summit, presented by Randori. Learn from experienced CISOs, cloud software engineers, network architects, and security response engineers about best practices, defense frameworks and actionable data to reduce risk from exposed attack surfaces. Registration is open.

Podcast comin’.

I’m thrilled to welcome a few new faces (and episodes) to the podcast. Look out for long-form conversations with these folks in the coming weeks:

  • OG hacker and security researcher Chris Rohlf (currently at Facebook).
  • Netskope CISO Lamont Orange.
  • Pwn2Own co-founder Aaron Portnoy (currently working on exploitation at Randori).
  • The return of Thinkst’s Haroon Meer (listen to previous episode).
  • Chainguard CEO Dan Lorenc on securing software supply chains.

News headlines.

Supply chain security.

Sponsored.

  • Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.

Must-see research projects.

Ransomware money laundering.

Essays.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.