Some notes on NSA’s 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.


Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, Continue reading

iPexpert’s Newest “CCIE Wall of Fame” Additions 9/18/2015

Please join us in congratulating the following iPexpert students who have passed their CCIE lab!

This Week’s CCIE Success Stories

  • Ajay Edara, CCIE #36424 (R&S & Wireless)
  • Shiv Shankar, CCIE #43675 (Routing & Switching)
  • Andy Harrison, CCIE #50052 (Routing & Switching)
  • Mike Burk, CCIE #50207 (Wireless)
  • Tony Ilorah, CCIE #50210 (Security)
  • Ahmad Nawid Azizi, CCIE #50254 (Routing & Switching)

We Want to Hear From You!

Have you passed your CCIE lab exam and used any of iPexpert’s self-study products, or attended a CCIE Bootcamp? If so, we’d like to add you to our CCIE Wall of Fame!

F5 Certification Path – How to become F5 Certified

Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
The F5 certification path is a series of exams administered by pearsonvue where you start of by passing 2 exams to become an F5 Certified Administrator and then depending on your specialist area you can add to that by becoming an F5 Certified Technology Specialist. The certification cost is $135 per exam which would be $170 […]

Other pages of interest:

Post taken from CCIE Blog

Original post F5 Certification Path – How to become F5 Certified

Stuff The Internet Says On Scalability For September 18th, 2015

Hey, it's HighScalability time:


This is how you blast microprocessors with high-energy beams to test them for space.

  • terabits: Facebook's network capacity; 56.2 Gbps: largest extortion DDoS attack seen by Akamai; 220: minutes spent usings apps per day; $33 billion: 2015 in-app purchases; 2334: web servers running in containers on a Raspberry Pi 2; 121: startups valued over $1 billion

  • Quotable Quotes:
    • A Beautiful Question: Finding Nature's Deep Design: Two obsessions are the hallmarks of Nature’s artistic style: Symmetry—a love of harmony, balance, and proportion Economy—satisfaction in producing an abundance of effects from very limited means
    • : ad blocking Apple has done to Google what Google did to MSFT. Added a feature they can't compete with without breaking their biz model
    • @shellen: FWIW - Dreamforce is a localized weather system that strikes downtown SF every year causing widespread panic & bad slacks. 
    • @KentBeck: first you learn the value of abstraction, then you learn the cost of abstraction, then you're ready to engineer
    • @doctorow: Arab-looking man of Syrian descent found in garage building what looks like a bomb 
    • @kixxauth: Idempotency is not something you take a pill for. -- ZeroMQ
    • Continue reading

What Does It Mean When A Project Has Been Forked?

Open source projects that involve lots of folks sometimes run into conflicts. Should the project go in direction X, or direction Y? Is feature A more important, or feature B? And so on. Sometimes the concerns around an open source project are more pragmatic than pedantic. Should we, as a commercial entity, continue to use this open source project as is, or go in our own direction with it? The keyword to look for in these circumstances is fork.

Cyber Supply Chain Security Is Increasingly Difficult for Critical Infrastructure Organizations

As the old cybersecurity adage states, ‘the cybersecurity chain is only as strong as its weakest link.’  Smart CISOs also understand that the proverbial weak link may actually be out of their control. U.S. retailer Target certainly experienced this lack of cybersecurity control in 2013.  The now infamous Target data breach that exposed the personal information of 110 million people began with a spear phishing attack on one of the company’s HVAC contractors, Fazio Mechanical of Sharpsburg, PA.  Cyber-criminals compromised a Fazio Mechanical system, gained credentialed access to Target, and proceeded to wreak havoc on Target’s data, customers, and reputation.To read this article in full or to leave a comment, please click here

PlexxiPulse—A Funding Frenzy

This week, we announced that we have raised a $35 million round of financing. The round was led by a new investor with participation from our existing investors (Lightspeed Venture Partners, Matrix Partners and North Bridge Venture Partners) bringing our total funding to $83 million. The capital raised will fuel the expansion of our sales, marketing, customer support, and research and development efforts. We’re so proud of what we’ve accomplished in this year and are eager to see what the rest of 2015 has in store for us. Take a look at this week’s blog post from our CEO Rich Napolitano on Plexxi’s continued momentum on the heels of our funding announcement.

Social media has been buzzing this week, see below! Have a great weekend.

The post PlexxiPulse—A Funding Frenzy appeared first on Plexxi.

When in Mexico, don’t use the ATMs

Security expert Brian Krebs, who has made a specialty of exposing ATM scams over the years, has a doozy of a three-part series this week uncovering a widespread scheme in Mexico based on sophisticated Bluetooth technology and old-fashioned cash bribes.In part one, Krebs describes being tipped off by an employee of a Mexican ATM company, explains how the scam works – bribe-enabled physical access to the machines is key -- and embarks on a trip to Cancun to attempt to gauge the scope of the illegal operation first-hand.Part two reads like a detective novel as Krebs moves about Mexican tourist establishments checking for a telltale Bluetooth signal emanating from ATMs. He has no trouble finding them.To read this article in full or to leave a comment, please click here

1 3,293 3,294 3,295 3,296 3,297 3,819