[FD] So You Like Pain and Vulnerability Management? New Article.

coderman coderman at gmail.com
Mon May 12 20:47:04 PDT 2014


On Mon, May 12, 2014 at 9:09 AM, Pete Herzog <lists at isecom.org> wrote:
> "Hi, I’m your friend and security researcher, Pete Herzog.

we're almost family Pete, no need to introduce yourself!
  ... was starting to wonder how you've been...
   you never call, you rarely write,



regarding your piece published at:
 http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/

this reply is a little long, as i took the time to respond in depth to
each of the issues i observed in your piece; i hope you view this as
the best of intentions and sincere desire for thoroughness it is.  any
criticism is entirely constructive.  if you feel despondent or
hopeless about the future where you have been so wrong and so ill
equipped to secure digital systems, see the end of this thread for
crisis hotline resources in your area.



> But I’m here today to take a moment and talk to you about the pain of
> neglect, isolation, abuse, and infection, better known as
> “vulnerability management”.

you might be interested in the other thread on treating addiction.  my
own empirical study linking INFOSEC/COMSEC responsibilities with
ethanol abuse, clandestine chemical poisonings, and a rapidly
escalating habit for high fiber lifestyle is progressing nicely, but
not yet ready for publication. (DWDM not ingested fiber)



> In many ways vulnerability management can
> be part of a healthy system and over-all good security.

agreed!  i find it very helpful to find vulns first, use them for
early signalling of adversary capabilities and interest, weaponize
them for great justice, and distribute them in limited fashion toward
end of life cycle to friends and peers, where again they serve as
useful feedback on third party OPSEC and integrity.



> That's how my new article starts. 5 points on the pain of
> vulnerability management and how to make it hurt less.

unfortunately in previous private vulnerability assessments all social
media platforms failed to survive our common criteria for credible
computing contract services.  at least you're not paying for them? ...


i will however provide my feedback via this medium:


0. "how to make it hurt less"
first off, you may be interested in my research on the best synth
routes for clandestine medicating and near term memory cleansing with
common chemicals or seedy suppliers.  this information was cultivated
during my research into INFOSEC/COMSEC professionals who are clearly
exceptionally capable in this domain.


1. "You can’t manage vulnerabilities in closed software any more than
you can manage tunnel construction in an ant nest."
this is not true.  you can, by actively managing the execution of all
processes on all your systems and the communication they make between
each other and with remote (networked or bus-connected) peers.
blocking and altering shared library methods, system calls, and
network communication is effective against open source, closed source,
promiscuous source, and other development practices.


2. "Managing vulnerabilities will not get you security. Especially
since patched vulnerabilities is a subset of found vulnerabilities
which is assumed (for far too many) to be a subset of having
security."
this is why it is critical to find as many vulnerabilities as possible
in the systems you use before others do.  use the vulnerabilities you
find as a model of class of weakness upon which to defend in depth.
more to do after this, but for another discussion... ;)


3. "But if you wanted to have all the domesticated animals on your new
arc you can’t do it by only looking house pets as that would exclude
goats, cows, horses, yetis, and many animals maybe you don’t know or
didn’t consider. So when scanning for vulnerabilities you can only, at
best, find the vulnerabilities the scanner knows about."
i for one wish they omitted the goats.  they make great work on the
blackberry bushes, but the pasture fences are a challenge and an
escalating war of attrition which they so far show no difficulty
defeating with clever goat skillz.
more to the point above, this is why it is critical to employ not just
all existing scanners, fuzzers, frameworks, and toolsets but also to
improve them internally while also developing your own infrastructure
for vulnerability discovery, defense, and weaponization. (this is
called "big vuln" or "big vuln dev" by our team for lack of a better
allegory)


4. "It Can Feel a Lot Like Doing Dishes. Vulnerability management is
an endless race that can’t be won."
so true! however, this is why complete and continuous automation is
mandatory at the moment of analyst discovery or developer prototype.
thus the repetitiveness is delegated to the machines who do our
bidding without tire or negligence.


5. "when you manage operational controls as part of vulnerability
management you can actually take yourself out of the rat race of patch
vs. exploit. That’s huge!"
patch vs. exploit is a false dichotomy.  if you're not solving for
both concurrently you're doing it wrong.
(don't feel bad, this is a common failure.)


6. "Filling a Hole Has Never Been So Dirty ... We think vulnerability
management is straight-forward: there’s a hole and you fill it and the
hole is gone."
who are these "we" you speak of?  the last time i saw that mindset in
play was a sales associate for a security consulting firm hawking some
weird devops / continuous integration like thing i don't remember too
well.
anyone who thinks vulnerability management is easy is unaware of their
ignorance, risk, and update latencies in their organization.


7. "In the end, playing dirty is the only way most vulnerability
managers can keep their heads above water. But let’s just call that a
risk decision."
what you call "playing dirty" is just decision making in the midst of
a series of one crisis after another in an endless procession.  crisis
mitigation and resolution should not be cast in a negative air of
"playing dirty".  rather, take this as opportunity to find the
exceptionally rare operations crew who runs a ship so tight there are
no crises, only prioritized opportunities for even further
improvement.


8. "closely followed by NATO, NIST, FBI, NASA, NSA, all branches of
armed forces, and the White House."
this is just awful! i suffered through a number of years with a
stalker intent on making me into a skin cover for a realdoll in some
psychotic delusion he was compelled by.  i know the unease and fear
and stress that a malicious stalker can have on the psyche.  i presume
you've looked into local resources to prosecute or order to be
restrained.  if they're unable or unwilling to resolve the issue,
contact me off list for more extreme methods to handle this.  i got
your back Pete; and we'll get these rogues off your back one way or
another!


9. "don’t forget to see me in Richmond, VA from June 4 – 6 at RVAse"
sorry Pete, i quit going east of the mississippi given the fallout
that inevitably follows.  as a US tax payer, i try to limit the
resources expended to violate my privacy and presume a threat where
none exists.  and frankly it diminishes the intimacy of my memories
knowing that they've surveiled my masturbatory sessions in remote
locales.


i am taking this moment to segue into one last observation in your
piece, but it deals with adult subject matter that may not be
appropriate for all audiences.  if you are not mature enough for the
discussion below, please don't read it!

.
.
.


 - this break intentionally inserted for decency -

.
.
.


Z. "... the adult film star process which pretty much gets you from
film star to adult film star by doing just one thing on film."
i don't often discuss my personal past in these lists or online in general.
for a while i had a career in INFOSEC but came to a realization that
there must be other lines of work supporting an upper middle class salary
which were not so terribly detrimental to my mental and physical
health.  i transitioned into gonzo group gay porn which met the cost
of living requirements but still had above average physical demands
even if a great improvement over the dark INFOSEC years. after five
years building a library of over 1,782 different scenes stretching to
12 days of continuous copulation my career in porn was ended in a
crippling accident while testing a prototype manbian machine fucking
investment that was my doom rather than return on investment.  don't
write me, the rights have already been sold for a moving drama with A
list cast.
my point is that i published a greatest "best-of coderass at 1.75 FPS,
abridged" anthology as a career-end salute on a 180 minute collector's
edition BluRay paid for by the sale of creative rights mentioned
above.  this video release rocketed to the top of all the best seller
lists and made me a household name and continues to feed me a torrent
of franchise fees, recurring profit share, and ongoing royalties which
can only be described as obscene and ridiculous.  for some reason
every other effort was just not enough to bump me up above obscure D
list status...  it's a funny world.

TL;DR: my adult film star process required 1,782 scenes, 45,000
minutes of film, and spanned 73%* of known sex acts possible to act
out between two or more humans but less than twenty humans at once.
this is as far removed from "doing just one thing" as i can imagine,
and frankly it disrespects the strenuous effort and creative acting
myself and other sex workers practice in mostly thankless service to
others. you should be ashamed!

 [* automatic identification and categorization of sex acts is
surprisingly complicated! the corresponding language theoretic effort
to map 1 to 20 human bodies in movement for 15 minutes or less into a
formal language to exhaustively delineate all the possible perversions
possible to commit under the sun was gargantuan in terms of earth
human hours and the resulting corpus. we are close to proving that not
everything which can be done has been. if you would be interested in
performing a provably unique sex act for a large sum of money and only
modest surgical modification, please get in touch]

P.P.S. some people ask me what i do now for a living since being confined
to a robotic wheelchair and bed rest. the truth is, i could never turn my
back entirely on the INFOSEC community in which i started my first
career and sojourn into the great world alone.
so now i am busking at conferences doing INFOSEC comedy routines,
selling nerdcore rap put to chiptunes on independent labels, and
manning the crisis hotlines for substance abuse and domestic violence
victims, who strangely enough overlap to a non-trivial degree with the
set of self confessed INFOSEC professionals.

my time spent replying to INFOSEC threads on mailing lists is gratis,
as no one pays me for it, and no one likes what i say enough to tip me.

"have you hugged your data spill incident responder today?"



best regards,
   friend of Pete and former pr0n star,
     codermange




More information about the cypherpunks mailing list