Jan Schaumann Profile picture
Oct 17, 2017 18 tweets 4 min read Twitter logo Read on Twitter
Since ancient times, members of the #infosec tribe have adhered to a set of rigid Rules of Branded Vulnerabilities across the cybersphere.
These rules apply equally regardless of actual merit, impact, or practicality of the vulnerability in question. They are:
1) After a vulnerability is discovered and confirmed, the first cause of action is to register a domain name.
2) A logo is drawn, preferably using MS Paint.
3) Vendors are contacted, embargo periods set, then extended.
4) OpenBSD patches silently anyway. Nobody notices. The embargo is extended a few more times.
5) As the publication date nears, abstracts, hints, and partial patches are leaked.
7) The Big Day! Branded site goes public. Tweets are tweeted. @dangoodin001 writes a quick summary. It's pretty good.
8) Everybody tweets. @cloudflare posts a blog post how everybody but them is vulnerable.
9) The #infosec chattosphere ridicules the branding, while at the same using it to mansplain the vulnerability to each other.
10) @matthew_d_green posts a blog entry, covering the important parts in just the right detail. @mattblaze makes apt & biting comments.
11) @SwiftOnSecurity and @thegrugq RT useful links 24/7, somehow manage to add actually interesting comments. Sleep is for the weak.
12) @erratarob disagrees with everybody, if not completely, then at least on some key aspect. Somehow he's right about that.
13) Time elapses. Some of the notified vendors push announcements. Most of the rest don't do anything.
14) "Cyber" vendors spread and exploit FUD around the vulnerability to hawk their products, although those wouldn't have helped at all.
15) Time elapses. People try to patch, realize that's work and stop halfway through.
16) Time elapses. Not much changes. #Infosec moves on to the next branded vuln.
The circle of cyber life continues. Hakuna matata. Eat Arby's.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Jan Schaumann

Jan Schaumann Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jschauma

Jun 14, 2018
So other than following up on shit that should have been done but wasn't, sifting through miles of forwarded emails (all with full quote below a statement saying "my comments in red” or “+cindy”), and cursing Slack "threads", I spend a good chunk of my day juggling Jira tickets.
So much of our work is ticket driven, yet many of us seem to lack basic best practices and habits that could make our (ok: my) life a lot easier. So let me present a quick primer:

Essential Ticket Skills - just because Jira sucks doesn't mean you have to!
(Note: most of this applies equally to Bugzilla, GNATS, or whatever bugtracking software; I just happen to use Jira at the moment, so that's what my examples are based on.

And don't you fucking start with Trello or sticky notes and "swimlanes". Those can fuck right off here.)
Read 24 tweets
Apr 27, 2018
Slack has been detrimental to my productivity; it seriously induces ADD. Let me rant for a moment...
When it works well, online chat allows for immersion in a team or group and absorption of tribal knowledge merely by hanging out there. I don’t know what specifically it is about Slack, but it seems to implicitly discourage this.
First: sooooo many channels. Right now, there are >50 security-related channels in our Slack. People are only half-jokingly asking if there should be a channel where it's on-topic to ask which channel to ask a question in.
Read 20 tweets
Jan 18, 2018
More and more, I'm coming around this this point of view: don't phish your employees. benthamsgaze.org/2017/08/22/sho…
Most users get a minimum of at least 10 mails a day or so that all basically say "click here, then log in" *and that are legit*. They're continually being _trained_ to do this.
Instead of phishing them (with overwhelming success, of course), we (the industry) should make sure that (1) clicking on things doesn't pwn you, and (2) legitimate mails are obviously legitimate.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!