Jon Lin
Works at Comet Way, Inc.
Attended Carnegie Mellon University
137 followers|285,778 views
People
Have him in circles
137 people
Akshar Patel's profile photo
June P's profile photo
Michael Malito's profile photo
Tristan Kromer's profile photo
Nima Patel's profile photo
Joshua Curtin's profile photo
Melissa Sarko's profile photo
vaishali patel's profile photo
afeez owolabi's profile photo
Work
Occupation
Software
Employment
  • Comet Way, Inc.
    Engineer, 1999 - present
Basic Information
Gender
Male
Story
Tagline
Hello every nyan
Bragging rights
I helped kill Kerafyrm on Rallos Zek
Education
  • Carnegie Mellon University
    Electrical Engineering, 1992 - 1996
  • Carnegie Mellon University
    Mathematics, 1996 - 1997

Stream

Jon Lin

A little while ago, I was talking to my old roommate (who's also into turntables) about the cartridge that came with the Technics SL-1200mk2 that I had bought, and how much I spent on it. The cartridge that came with it was the one that I was using, the Shure SC-35C, which is a budget cartridge ...

Jon Lin

For posterity's sake and because of all the pictures posted, life on Comet (Way) via twitter.

And just a note: That wise man was found on the street painted black with the words "Colt 45 U" painted on the book, we just carved that bit out and added a digital clock.
“.@jonlin_ @busaichedelic #fathertime #lifeoncomet #lifeonacomet”

Jon Lin

Pat Martino: "Consciousness" and "Footprints", two new vinyl records to add to my collection.
I picked up two old-school Pat Martino albums on e-bay earlier this month. One of the albums was on my mental "look for" list for a while and I'd poke around the usual places every now and then to see what there was. The usual going price for a good quality version was maybe $30-$50 or so.

Jon Lin

+BS Entertainment Broke out an old, old friend. First time out of the case in almost 20 years. Put new strings on it and bought a tiny Fender amp.

Also, wow, have affordable amps come a long way. This tiny Fender Mustang amp has a built-in programmable array of effects and presets, USB, tuner, etc. Problem is I have to keep the datasheet around so I know which settings are for which effects.
BS Entertainment:
I'm glad to see that survived. I saw it sitting in the corner, covered in a fairly thick layer of dust... and for a moment considered "liberating" it from what seemed like an assured fate of winding up in the dumpster... glad I restrained myself. Good stuff! 
The numbers sound a little incredulous but that's social engineering for you, age old tried and true method
A cyberespionage campaign pulled off by pro-Syrian hackers against Assad opposition fighters used social engineering to steal military planning documents.

Jon Lin

It used to be that a paltry 4 Mbps down and 1 Mbps was all it took for an internet connection to be considered "broadband," but the Federal Communication

Jon Lin

Christmas Vinyl

Dave Brubeck - Jazz Goes To College
Julian Bream - Rodrigo, Vivaldi, Britten
Billie Holiday - Lady Day
Aerosmith - Draw the Line
Fats Domino - The Fabulous Mr. D
Beatles - Revolver
Led Zeppelin III
Over Christmas break, I found a bunch of good deals on Discogs (some seemed a little too good to be true, so I was skeptical) and put in a bunch of orders, expecting them to arrive after my flight back to New York. I spent Christmas with my parents where we got to share some big news, ...

Jon Lin

Busy Wednesday.

Made easier by going through my Pink Floyd collection. "A Nice Pair" bundles the Piper and Saucer albums into a double LP. "Wish You Were Here" is the only recent pressing, a 120g remaster.

Jon Lin

Playing (and tuning) Hugo's ukulele over at Pete and Jen's. Small ukulele on a tiny chair.
Wesley McQuiston:
Hi Jon,
My son plays the uke. Maybe you could jam with him next time you are in town

Jon Lin

Vulnerability counting is a horrible metric (and the security industry needs to stop pretending it isn't)

A few times a year I see a report lamenting all the vulnerabilities found in a class of major software, somehow trying to equate raw numbers in public reports to effective security. I get the appeal of this approach. There's an inherent perception of rigor and objectivity when you slap a bunch of numbers on a page, and it just feels like it should mean something. But the truth is it's mostly just noise when you’re looking at a single product, and outright harmful for comparing between products.

First, you should understand that if you're not seeing vulnerability reports against a piece of software it almost always means the software is either trivial from a security perspective or (more likely) no one is looking at its security. That may not seem like a great reality, but the fact is that any sufficiently complex piece of software is going to have security bugs. And given the tradeoffs that are typically made in terms of runtime performance and developer productivity, we have a good sense of how and where those security bugs are going to show up. So a lack of signal more often than not indicates a lack of effective investigation.

The next thing to appreciate is that there’s wide variability in what a vulnerability report exactly means and what a software maker chooses to report. This is easier to see if you look at large, publicly developed, open source software projects like Chrome or Firefox. When you do, you'll find the lion’s share of the “vulnerabilities” are internally found bugs that typically fall into the rather broad class of possible memory corruption.

Of course, for Chrome and Firefox the vast majority of these bugs haven’t been verified as being genuinely dangerous. Some may be bad, but many are going to be very difficult (or impossible) to reliably exploit. And while it’s certainly possible to work out a full exploitability analysis on every bug found, it is immensely more expedient to just fix the problem and push a timely update to users. (On Chrome we actually used to assign CVEs to all of these bugs, but it was a tremendous hassle and a net negative to our users, because the information was so prone to misinterpretation.)

The interesting corollary in closed source software is that it also has similarly large numbers of internal finds like these. However, the associated bug trackers aren't public and closed source software makers don't often see a reason to disclose any details on internal reports. So, if a potential security bug is found internally or through a partner, you most likely will never know. A fix will get shipped at some point, but you're almost certainly not going to see a timeline or breakdown of vulnerabilities for anything outside of verified reports from external parties.

That of course brings us to how external reports are verified. If you've reported a vulnerability to e.g. Microsoft you're probably familiar with the dance that typically ensues with MSRC (or the many other vendors who operate similarly). You report the vulnerability and get push back for delivering anything short of a full, working PoC (proof of concept). And even when you deliver a PoC, there’s often still back and forth over how reliable an exploit would be in the wild, or how severe the impact really is. So, it ends up as a bit of a negotiation, because the software maker is: 1) concerned with filtering out the noise (from often a huge volume) of junk reports; and 2) focusing on details they believe will best inform their consumers' patch deployment strategies. The downside here is that the strategy might be preventing real vulnerabilities from getting reported because it places a large burden on the bug reporter.

On the opposite end of the spectrum you have the reporting process for e.g. Chrome. The exploitability and impact assessment are very cursory, and the tendency is to just assume the worst potential impact, push a fix, and pay out a bounty. (The process is actually so permissive that I've seen Chrome list bugs as vulnerabilities and pay out bounties in cases where I was certain the bugs were not exploitable.) The upside here is that a legitimate vulnerability is extremely unlikely to slip through the cracks. But, the downside is that the vulnerability details are less curated, so this process puts the onus on the end consumer to apply patches or accept updates more aggressively than they might otherwise.

Accepting the wide variance in what gets counted as a vulnerability, it gets worse when you realize that there’s essentially no consistency in how vulnerabilities are scored by anyone. Attempts have been made with things like CVSS (common vulnerability scoring system), but in the end the scoring systems are very subjective and open to wide interpretation. So, most big software makers have gravitated toward simpler scales that generally don't align with other software in the same class. And even if we could get the rankings to align, the whole point is really to help the consumer answer the question of how quickly they need to patch—an answer which is almost always ASAP, so why bother with complicated rankings?

tl;dr: Vendor provided vulnerability information covers a very broad spectrum, where the quantity of vulnerabilities listed and the details included within vary wildly, are heavily influenced by the approach of the vendor itself, and can change regularly over the lifetime of a given product. Simply put, it’s just not possible to use that information to make qualitative statements about the relative security of a single product, much less for comparing different products or different vendors. In the end, it’s going to be an apples-to-bowling-balls comparison at best and an apples-to-interstellar-warcraft comparison at worst.

In closing... Please, in the name of everyone’s sanity, just don’t play the vulnerability counting game. It doesn't do anyone any good.

#chrome #security
Stack Exchange sent me a bunch of free stuff for reaching 100k on Stack Overflow. Stickers, marker, T-shirt, and a really large mug.
candice lin:
For irish coffee

Jon Lin

One of the 550PP non-racer online seasonal events in #granturismo6 using a tuned Honda NSX Type S. The question is, does a 56 flat also get you the gold?