Tuesday, July 20, 2010

Eureka! It's supply and demand, stupid!

I've been twisting for a very long time over the whole 'vendors should pay for vulns' mantra that has recently been enthusiastically revived by a bunch of independent security researchers who, to the best of my knowledge, have never actually worked for a software vendor to understand the engineering realities of developing enterprise software.

Tonight I realized why vendors don't need to pay a dime, and it has nothing to do with vendors buying silence or two researchers finding the same bug independently and the second researcher going Full Disclosure on the vendor because the first researcher already collected the bounty.

We can all stop debating what a critical remote code execution bug is going to be worth when there is an open market for vulnerabilities. An open market requires competition. And there will not be competition. Who is going to buy Apple bugs? Apple. Microsoft sure as hell isn't going to buy them, not without a whole lot of up close and personal attention from the nice folks at the DOJ. So let's say Apple offers $10 per RCE. Whaddya gonna do about it? Whine? Go sell it to iDefense? YOU CAN DO THAT TODAY.

So simple it makes me giggle that I didn't see it before. Econ101.



Sunday, July 04, 2010

We're All Gonna Die Someday

That title wouldn't typically be associated with optimism. Bear with me here. Lately I have had a number of reminders of my mortality, all in the span of about two months. It has been a bit overwhelming and has forced me to consider how I am living, and what is important to me. The time I have left is shorter than the time I have traveled. The 'how would you live your life if you knew you only had a short amount of time left' theory is popular in movies and books, and even something easy to say you are going to do. It is hard to live though. It is really easy to allow fear to lead you to settle for the known, for something comfortable, something good enough. Fear can make you run, but fear can also make you stand still. I spent 2009 standing still. I was so afraid I would never find what I want, so afraid I had made mistakes, so afraid I would settle, I was too afraid to even try.

I am not afraid of dying. I am afraid of dying with regrets for the things I didn't do, I am afraid of settling for 'good enough'. I don't want to look back in regret on the time I had, and wonder if I wasted it. A tolerable life is not enough. I've thrown my world into total upheaval to find more than that. I want bliss, I want joy, I want growth and new experiences and exploration. I want to see the world, I want to experience all life has to offer. That is going to take time and will almost certainly be a hard road and I can't do it if I am too afraid to go outside and expose myself to it. If I don't get on the road, I'll NEVER get to where I want to go. And where I want to go will be worth it. And that is why I am optimistic. Don't get me wrong, I destabilize a bit every time I get a visceral reminder of the fact that time is moving quickly and there is still a lot left that I want to do with my life. I'm scared I won't get there. But I look with a new respect at what I have, the happiness I have, and find opportunities to experience new things every day. And I owe it to myself to continue actively living my life as best I can to achieve my dreams.

I'm going to get there. And if there is some unforeseen tragic accident in which I die tomorrow, it will be knowing that I lived as fully as I could to achieve my dreams.



Friday, July 02, 2010


I notice I am swearing a lot lately. A lot more than I used to. It actually makes me a little uncomfortable, and I'm working on cutting back on the F-bombs. But dammit Jim, I'm an analyst, not a linguist, so I broke down my last blogpost and discovered the following things:

1,222 words
16 swear words*

That means just 1.3% cussing. That doesn't seem so bad.

I copied my last blogpost and pasted it into a Word doc to get the wordcount and GODDAMMIT IE8 SUCKS ASS for not having a spellcheck function. Hello, it's a 2009 product, who keeps cutting this goddamned feature? Why do I have to write my blog in Word so I can have a spellcheck feature and then copy it into the browser? I can't possibly be the only person generating content on the web.

Workaround: Use Firefox. *sigh* I just wish FF didn't crash so damn often.


*douchebag not counted as swearing

(this blogpost contains 3% cussing)
