In this episode of the podcast (#190), sponsored by LastPass, Larry Cashdollar of Akamai joins us to talk about how finding his first CVE vulnerability, more than 20 years ago, nearly got him fired. Also: Katie Petrillo of LastPass joins us to talk about how some of the security adjustments we’ve made for COVID might not go away any time soon.
When the so-called Zerologon vulnerability in Microsoft Netlogon surfaced in late September word went out far and wide to patch the 10 out of 10 critical software hole. That job was made considerably easier by a number: 2020-1472, the unique Id assigned to the hole under the Common Vulnerabilities and Exposures – or CVE- system.
Created by MITRE more than 20 years ago, CVE acts as a kind of registry for software holes, providing a unique identifier, a criticality rating as well as other critical information about all manner of software vulnerabilities. Today, it is a pillar of the information security world. But it wasn’t always that way.
20 Years and 300 CVEs Later…
With another Cybersecurity Awareness month upon us, we decided to roll back the clock and talk about what life was like before the creation of the CVE system. To guide us, we reached out to Larry Cashdollar, a Senior Security Response Engineer at Akamai into the studio to talk. Larry is a veteran bug hunter with more than 300 CVEs to his name. In celebration of cybersecurity awareness month, Larry talked to me about the first CVE he received way back in 1998 for a hole in a Silicon Graphics Onyx/2 – and how discovering it almost got him fired. He also talks about what life was like before the creation of the CVE system and some of the adventures he’s had on the road to recording some of the 300 CVEs.
The New New Normal
Six months into a pandemic that most of us thought might last six weeks, its time to stop asking when things will return to normal and time to start asking what the new normal will look like when the COVID virus is finally beaten.