Readit News

kseifried commented on Model Context Protocol   anthropic.com/news/model-... · Posted by u/benocodes
benocodes · a year ago
Good thread showing how this works: https://x.com/alexalbert__/status/1861079762506252723
kseifried · a year ago
Twitter doesn't work anymore unless you are logged in.

https://unrollnow.com/status/1861079762506252723

kseifried commented on Model Context Protocol   anthropic.com/news/model-... · Posted by u/benocodes
somnium_sn · a year ago
@jspahrsummers and I have been working on this for the last few months at Anthropic. I am happy to answer any questions people might have.
kseifried · a year ago
For additional context the PyPI package: https://pypi.org/project/mcp/

And the GitHub repo: https://github.com/modelcontextprotocol

kseifried commented on Intel stock dropping toward 50 year low amid restructuring news   marketwatch.com/livecover... · Posted by u/highwaylights
012673 · 2 years ago
Help me to understand this title... it's closer to the lowest price in a decade... where did we get 50 year low?
kseifried · 2 years ago
Stock splits.

https://www.intc.com/stock-info/stock-splits

They basically keep doubling the number of shares, which halves the price.

kseifried commented on Switzerland mandates software source code disclosure for public sector   joinup.ec.europa.eu/colle... · Posted by u/coloneltcb
kseifried · 2 years ago
The EMBAG law stipulates that all public bodies must disclose the source code of software developed by or for them, unless precluded by third-party rights or security concerns.

"unless precluded by third-party rights"

Oh. Well then. Nothing to see here.

kseifried commented on CVE-2021-4440: A Linux CNA Case Study   grsecurity.net/cve-2021-4... · Posted by u/__bjoernd
kseifried · 2 years ago
k so I'm writing a blog post on the whole #Linux Kernel #CVE/#CNA thing. And I actually looked at the data. For those of you complaining about the Linux Kernel issuing improper CVEs my response is "cool. If they're not security vulns get them rejected".

So far in 2024 the Linux Kernel error rate is 3.21%.

Is that bad or good?

Let's compare to the top 25 CNAs by error rate for 2024:

f5 49.32%
atlassian 44.44%
Esri 43.75%
freebsd 40.00%
canonical 32.61%
Gallagher 25.00%
SNPS 25.00%
intel 19.74%
Anolis 18.75%
Dragos 18.18%
rapid7 14.29%
@huntr_ai 12.27%
Google 10.00%
directcyber 8.33%
CERTVDE 8.11%
Go 7.69%
lenovo 6.25%
mitre 5.53%
schneider 4.35%
GitHub_P 4.35%
Fluid Attacks 4.35%
Wordfence 3.56%
Linux 3.21%
snyk 2.94%

So... Linux is in at 24th place for error rate. But wait, surely those numbers are skewed towards some smaller CNAs that reject a handful of issues driving up their error rate?

Nope. Several of the mature CNAs like F5, Atlassian, Canonical, Google, Intel, Red Hat, Lenovo, MITRE all issue tens to hundreds to thousands of CVEs a year and have much higher error rates. Actually the worst CNA by raw numbers is MITRE (159).

Spamming this multiple times since people don't seem to read.

kseifried · 2 years ago
Turns out F5 and Intel were just clearing out old reservations, but the other data is correct.
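The comment above quotes per-CNA "error rates" without saying how they were derived, and the follow-up notes that F5 and Intel were "clearing out old reservations", which inflates a rate that only counts rejections. The script below is an added example, not kseifried's tooling or data: it assumes error rate means REJECTED / (PUBLISHED + REJECTED) for records acted on in a given year, reads the `cveMetadata` fields of the CVE Record Format 5.x (as published in the cvelistV5 repository: `cveId`, `assignerShortName`, `state`, `dateReserved`, `datePublished`, `dateRejected`), and runs on constructed records with invented CNA names and IDs. It also flags "stale" rejections, where the rejected ID was reserved in an earlier year, and can exclude them so that a CNA cleaning up old reservations is not ranked as if it were withdrawing current assignments.

```python
"""Per-CNA CVE rejection ("error") rate from CVE Record Format 5.x metadata.

Added example; the rate definition (rejected / (published + rejected) for
records acted on in the year under review) is an assumption, not the method
used for the figures quoted in the thread.
"""
from collections import defaultdict


def _meta(cve_id, cna, state, reserved, acted):
    """Build the cveMetadata part of a CVE Record Format 5.x record.

    `acted` is datePublished for PUBLISHED records and dateRejected for
    REJECTED ones.
    """
    m = {"cveId": cve_id, "assignerShortName": cna, "state": state,
         "dateReserved": reserved}
    m["dateRejected" if state == "REJECTED" else "datePublished"] = acted
    return {"cveMetadata": m}


# Constructed sample records: CNA names, IDs and counts are invented for this
# example and are not real CVE data.
SAMPLE_RECORDS = (
    [_meta(f"CVE-2024-9{n:04d}", "ExampleKernel", "PUBLISHED",
           "2024-02-01T00:00:00.000Z", "2024-02-10T00:00:00.000Z") for n in range(30)]
    + [_meta("CVE-2024-90030", "ExampleKernel", "REJECTED",
             "2024-02-01T00:00:00.000Z", "2024-03-01T00:00:00.000Z")]
    + [_meta(f"CVE-2024-91{n:03d}", "ExampleVendor", "PUBLISHED",
             "2024-01-05T00:00:00.000Z", "2024-01-20T00:00:00.000Z") for n in range(3)]
    + [_meta("CVE-2024-91100", "ExampleVendor", "REJECTED",
             "2024-01-05T00:00:00.000Z", "2024-04-01T00:00:00.000Z"),
       # A 2021 reservation cleared out in 2024: it is a 2024 rejection, but it
       # says nothing about the quality of this CNA's 2024 assignments.
       _meta("CVE-2021-91101", "ExampleVendor", "REJECTED",
             "2021-06-01T00:00:00.000Z", "2024-04-01T00:00:00.000Z")]
    # A CNA that only cleaned up old reservations in 2024 and published nothing.
    + [_meta(f"CVE-2022-9200{n}", "ExampleReserver", "REJECTED",
             "2022-01-01T00:00:00.000Z", "2024-05-01T00:00:00.000Z") for n in range(2)]
    # A 2023 publication: outside the year under review, ignored for 2024.
    + [_meta("CVE-2023-93000", "ExampleVendor", "PUBLISHED",
             "2023-01-01T00:00:00.000Z", "2023-02-01T00:00:00.000Z")]
)


def id_year(cve_id):
    """CVE-YYYY-NNNNN -> YYYY (the year the ID block was allocated)."""
    return int(cve_id.split("-")[1])


def action_year(meta):
    """Year the record reached its current state (published or rejected)."""
    key = "dateRejected" if meta["state"] == "REJECTED" else "datePublished"
    return int(meta[key][:4])


def cna_stats(records, year):
    """Tally publications and rejections acted on in `year`, per CNA.

    A rejection is 'stale' when the ID was reserved in an earlier year, i.e.
    the CNA was clearing out an old reservation rather than withdrawing a
    current assignment.
    """
    stats = defaultdict(lambda: {"published": 0, "rejected": 0, "stale": 0})
    for rec in records:
        meta = rec["cveMetadata"]
        if meta["state"] not in ("PUBLISHED", "REJECTED"):
            continue  # anything else (e.g. RESERVED) is not a public record
        if action_year(meta) != year:
            continue
        s = stats[meta["assignerShortName"]]
        if meta["state"] == "PUBLISHED":
            s["published"] += 1
        else:
            s["rejected"] += 1
            if id_year(meta["cveId"]) < year:
                s["stale"] += 1
    return dict(stats)


def error_rate(s, exclude_stale=False):
    """Rejected / (published + rejected) in percent; None when nothing is rateable."""
    rejected = s["rejected"] - (s["stale"] if exclude_stale else 0)
    total = s["published"] + rejected
    return None if total == 0 else round(100.0 * rejected / total, 2)


def ranked_error_rates(records, year, exclude_stale=False):
    """[(cna, rate)] worst first; CNAs with no rateable activity are dropped."""
    rows = []
    for cna, s in cna_stats(records, year).items():
        rate = error_rate(s, exclude_stale)
        if rate is not None:
            rows.append((cna, rate))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for label, flag in (("all 2024 rejections", False),
                        ("excluding stale reservations", True)):
        print(label)
        for cna, rate in ranked_error_rates(SAMPLE_RECORDS, 2024, flag):
            print(f"  {cna:16s} {rate:6.2f}%")
```

Against the constructed data the CNA that only cleared out 2022 reservations ranks worst at 100% when every rejection counts and disappears from the ranking once stale rejections are excluded; the kernel-like CNA stays at 3.23% either way. Pointing `cna_stats` at the real cvelistV5 records (one JSON file per CVE, each with the same `cveMetadata` shape) is the only change needed to reproduce this kind of table for a real year.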
kseifried commented on CVE-2021-4440: A Linux CNA Case Study   grsecurity.net/cve-2021-4... · Posted by u/__bjoernd
hvenev · 2 years ago
(2024).

Assigning a CVE to every second commit and refusing to assign CVEs to unfixed issues doesn't seem like correct usage of the CVE system. I expect that most Linux CVEs will never get a proper analysis or a CVSS rating.

To me it sounds plausible that the design goal of the Linux CNA is to show that CVEs don't meaningfully apply to the Linux kernel. Given how dependent on context the impact of some kernel bugs can be, if we were assigning CVSS scores for the worst case, practically all kernel bugs would be at least a 9.8/10.

kseifried commented on CVE-2021-4440: A Linux CNA Case Study   grsecurity.net/cve-2021-4... · Posted by u/__bjoernd
nikic · 2 years ago
Huh, this is interesting. Normally the reason to become a CNA is to reduce the amount of bogus CVEs that are issued for your project due to security researchers trying to pad their portfolio.

Linux seems to have taken the reverse approach, by just filing their own bogus CVEs instead. One for every bug fix going into the kernel, rendering the CVE system useless.

kseifried commented on Entrust Certificate Distrust   security.googleblog.com/2... · Posted by u/iancarroll
kseifried · 2 years ago
Entrust has BIMI certs which use a different root (CN = Entrust Verified Mark Root Certification Authority - VMCR1) and for which your choices of a BIMI certificate are: Entrust or DigiCert. I doubt it makes as much money as their web certs (BIMI certs are not super common, and they are expensive to issue since there's an actual validation process that typically involves a public notary validating the ID of a corporate officer). If you believe https://bimiradar.com/glob it looks like Entrust is selling on the order of a few dozen certs a week to maybe upwards of 100-200.

EDIT: I've asked Google if Gmail will be discontinuing support for Entrust's VMC certificate (and thus BIMI logos). I would guess not since BIMI has some actual requirements, but assumptions are not the best way to make decisions about risk (like our BIMI logo not working later this fall).

u/kseifried · Karma 138 · Cake day July 19, 2012