AppSec stof

28 Followers
52 Following
56 Posts
@malwaretech just replaced security with any skilled role of other industries and felt so outraged! How dare they expect astrophysicists, surgeons, and city planning architects etc. to apply with actual experience and skills!
It's a scandal

@mcnado I can't wait for our AI overlords because I hope they're like Skippy so degenerate fucksticks get instant, proportionate repercussions for their actions

https://expeditionary-force-by-craig-alanson.fandom.com/wiki/Skippy

I must be scared by JavaScript
I read the handle @jsmall and thought it was some sort of JS marketplace company

Apple vs Google
(only real answers)

✅ Apple phones are more secure than Google phones
✅ Google computers are more secure than Apple computers; Apple's are more usable (with any OS running on them)
✅ " " " have the same privacy as " " "; the only difference is how you are taught to think (they both harvest your data, sell it for ads, and have app controls that you are expected to understand and accept so apps can harvest your data directly). The differences are so slight that any of you likely have only 1 or 2 insignificantly tiny examples of differences
✅ Google's security teams are more capable than Apple's, who prefer to have brainwashing and banning media do the work of keeping bad press away so they stay out of headlines
✅ Google is more trustworthy (focus on worthy, i.e. transparent) than Apple, who prefer closed source, empty security patches, offensive treatment of researchers, and lawsuits to prevent research and kill products that conduct said research which aims to enhance the Apple experience in ways Apple disagrees with

macOS Sequoia is coming

It will further "secure" the platform

Security vendors who should know better (like Palo Alto Networks), who rely on users to avoid macOS Gatekeeper (click to allow non-notarized binaries), will be completely locked out (as they already are for customers who prevent users on SOEs from accepting the prompts to run insecure programs)

If companies like PAN can't get this right, what hope is there for smaller apps?

Maybe that's a good thing for Apple?

When you buy the hardware you're barely renting it; you are more like an Apple employee. They manage your usage and monitor every micro activity you do, and now they are controlling everything you plan to run on the device too, which makes the devices 100% in their control. The circle is now closed.

The only difference between consumers and employees is that the Apple employee doesn't pay (that is the next thing they will announce; employees paying Apple seems to be the future plan at this rate)

@jerry given the effects rolled out on our Friday, that would make the change your Thursday
Seen a bunch of people miss this, and it makes me wonder if parroting is to blame for people in your timezone missing the obvious so consistently
@catsalad Plane crash, monsters, plot holes

VulnCheck are doing great work for us during the #NVD crisis

But what is next for us all in #infosec? Will the #CVE crisis of the last 20 years of #cybersecurity continue?

Patrick Garrity has been showing the best visualizations of this, but most of us know that CVE is barely a bucket of sand on a beach-sized scale of known #vulnerabilities

What "sources" should we as an industry trust? CISA? NVD? Private entities like VulnCheck who improve on the weaknesses of CISA and NVD?

What if I told you again that even these aren't really "sources" and are best described as metadata?

First of all, NVD isn't even a source; it's clearly metadata on top of Mitre at best, and not even that lately. CISA Vulnrichment will still NOT be a source once in full swing; it's also nothing more than metadata on top of Mitre

OSV is a database that aggregates sources of vuln data; it's the closest "source" that exists. CSA's GSD may come a close second, but not NVD or CISA, which have no actual authoritative source; they just consume Mitre sources, validate them, and add some extra properties

OSV is exponentially larger than NVD+CISA

NVD is like a grain of sand
OSV is a bucket of sand - on the beach of known vulnerabilities

In terms of a "source" of what that beach is, such a source doesn't exist today

Fewer than 1 in 1M known vulnerabilities are turned into a CVE

You read that right, a CVE is less than 1 in 1M

OSV shows that a CVE is maybe 1 in 100 of recorded vulns
The 1M comes from all the repos that create a git commit saying they have fixed a security bug, which happens 10s of thousands of times a day in GitHub alone.
Then there are things that are exploitable which are not in GitHub or even in source code at all: firmware, hardware, cloud, proprietary. These are all known vulns too, because they are found in reports that are never "reported" to CVE

So I ask again, what source do we use? Who will try to build the first ever source of "known vulns"? Many have tried..

@risottobias it seems you're also distracted by kids at the office, and have personal hobbies and household chores to distract you at the office - because that's just work norms, right? Gotcha, you're right - I'm thinking about it backwards, sorry!

@jerry got to lol at this too
“I’m more focused in the office as opposed to home where I can veer off to do other things.”
“My kids at home sometimes distract me.”

WFH people who say this are taking the piss. Sabotaging the home work space in ways you wouldn't for office work is not a WFH issue, it's about work ethic and people's honesty

@ceresbzns after being at the beach she had pretty dark skin, unrecognisable

How is this racism?
Context and intent are now meaningless or something? How ignorant is your wokeness?