Tag - disclosure

Legal Restrictions on Vulnerability Disclosure
Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while allowing companies to not fix the vulnerabilities—exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. This is the talk.

> Thirty years ago, a debate raged over whether vulnerability disclosure was good for computer security. On one side, full disclosure advocates argued that software bugs weren’t getting fixed and wouldn’t get fixed if companies that made insecure software weren’t called out publicly. On the other side, companies argued that full disclosure led to exploitation of unpatched vulnerabilities, especially if they were hard to fix. After blog posts, public debates, and countless mailing list flame wars, there emerged a compromise solution: coordinated vulnerability disclosure, where vulnerabilities were disclosed after a period of confidentiality where vendors can attempt to fix things. Although full disclosure fell out of fashion, disclosure won and security through obscurity lost. We’ve lived happily ever after since...
Tags: Uncategorized, courts, vulnerabilities, video, disclosure
Serious F5 Breach
This is bad:

> F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long-term.” Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network for years.
>
> During that time, F5 said, the hackers took control of the network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 ...
Tags: Uncategorized, vulnerabilities, breaches, disclosure, network security
A Cyberattack Victim Notification Framework
Interesting analysis:

> When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.
>
> When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. Victims often do not trust these notifications, as cyber criminals often use the pretext of an account compromise as a phishing lure.
>
> […]
>
> This report explores the challenges associated with developing the native-notification concept and lays out a roadmap for overcoming them. It also examines other opportunities for more narrow changes that could increase the likelihood that victims will both receive and trust notifications and be able to access support resources...
Tags: Uncategorized, cyberattack, disclosure