nprofile1q…lkxk4 nprofile1q…fmdat something to keep in mind is that the NVD/CISA ...

kurtseifried (he/him) /

npub1lwy…p3k8

2024-12-15 17:08:04

in reply to nevent1q…lyvz

nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqp450apv3j8jmqjct3ddfklzusxyfkkyqpzxx4p33u099xjzvfwwsjlkxk4 (nprofile…kxk4) nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqy3qdl9xdwzhzhlml0xfmelauxq9gmnlxqja4569fazztsu0g3zdsufmdat (nprofile…mdat) something to keep in mind is that the NVD/CISA take a worst-case scenario approach of it could be used this way or it could be vulnerable this way because across the entire federal government, I guarantee you somebody is using it in some legacy system in a truly horrific way that it was not meant to be used. The other side is the economics of it. If they under estimate the severity, they’ll get in trouble for saying the sky wasn’t falling if an attacker does end up using it. If they say it’s worse than it is, well that’s a you problem, not a me problem. So the cost of the false positive prediction is externalized and the cost of a false negative prediction is internalized. And since nobody likes getting chewed out, well here we are with bad severity estimates of vulnerabilities.

Author Public Key

npub1lwywzux9cwdxcclfg0zf7jxn0fk5xm987s9jahsl8rjdcnt460cs3vp3k8

Show more details

Published at

2024-12-15 17:08:04

Kind type

1 Short Text Note

Event JSON

{ "id": "1b69760ad0e5926f41056809aa8a82d83ce79c306b090e73fb25083ea548e687", "pubkey": "fb88e170c5c39a6c63e943c49f48d37a6d436ca7f40b2ede1f38e4dc4d75d3f1", "created_at": 1734282484, "kind": 1, "tags": [ [ "p", "0d68fe859191e5b04b0b8b5a9b7c5c81889b5880088c6a8631e3ca53484c4b9d", "wss://relay.mostr.pub" ], [ "p", "2440df94cd70ae2bff7f7993bcffbc300a8dcfe604bb5a68a9e884b871e8889b", "wss://relay.mostr.pub" ], [ "p", "783f5e8607f5b88c53c6c6a334445e79376235013841bc40db7c59eeb7b9e94b", "wss://relay.mostr.pub" ], [ "p", "d197c6f18be27857298ca4ffda10c13fd03a2234fa7ec3905efc1951fedf0cf1", "wss://relay.mostr.pub" ], [ "e", "01bd9b653e5939026886883886a83213a5e719fa6d23a608c29646805b9de5b2", "wss://relay.mostr.pub", "reply" ], [ "proxy", "https://infosec.exchange/users/kurtseifried/statuses/113657936926679060", "activitypub" ] ], "content": "nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqp450apv3j8jmqjct3ddfklzusxyfkkyqpzxx4p33u099xjzvfwwsjlkxk4 nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqy3qdl9xdwzhzhlml0xfmelauxq9gmnlxqja4569fazztsu0g3zdsufmdat something to keep in mind is that the NVD/CISA take a worst-case scenario approach of it could be used this way or it could be vulnerable this way because across the entire federal government, I guarantee you somebody is using it in some legacy system in a truly horrific way that it was not meant to be used. The other side is the economics of it. If they under estimate the severity, they’ll get in trouble for saying the sky wasn’t falling if an attacker does end up using it. If they say it’s worse than it is, well that’s a you problem, not a me problem. So the cost of the false positive prediction is externalized and the cost of a false negative prediction is internalized. And since nobody likes getting chewed out, well here we are with bad severity estimates of vulnerabilities.", "sig": "319d94aa6818f5a41e5c70d93edfc13344ad6c14ccf6751ce38a39ce12215d643090042e85493efd36288125a9186bd1f4ca4df3baa43a248dd676ff217634c7" }