[Cormorants nest on branches in a lake.]
Subway refuses to answer my questions about whether it's an International Footlong or a US Survey Footlong. A milligram of sandwich is at stake!
US Survey Foot [Explained]
Transcript
[Closeup on Cueball.] Cueball: We thought it was over. After 60 years of struggle, the US survey foot was dead, deprecated by NIST in 2023.
[Cueball is shown to be talking to Ponytail, Hairy, and Megan. He has a presentation behind him.] Cueball: We thought architects and engineers could rest easy, free of the headaches of having two conflicting definitions of the foot that differ by 610 nanometers. International foot: 0.304 800 000 m US survey foot [crossed over in gray] R.I.P.: 0.304 800 609... m
[Cueball points at an image of Black Hat] Cueball: But I bring dire news: Cueball: Someone has started using the US survey foot again.
[Closeup on Cueball again.] Off-panel voice: Why!? Cueball: We don't know. Cueball: Some people just want to drag the world 610nm closer to madness.
[Farther view of Cueball only. He clenches a fist.] Off-panel voice: What can we do!? Cueball: A NIST team is already in the air. We will capture the scofflaw and end this nightmare.
[Two helicopters flying, with mountains in the background.]
Caption: 8,000 miles away [Two operatives in a forest with "NIST" helmets. One talks on a walkie-talkie.] Operative: We've reached the coordinates of the target's device. There's no one here. Voice from walkie-talkie: How!?
Caption: 8,000.016 miles away [Black Hat walking elsewhere in the forest, very close by.] Black Hat: ♫ ♪
Post Quantum Cryptography implementation inspired by D.J. Bernstein. 💙
CVE Crunch Hits Breaking Point as NIST Changes CVE Processing
Vulnerability tracking shifts dramatically as NIST stops fully enriching most CVEs, leaving many records without critical scoring or technical metadata. The change follows a surge in vulnerability submissions that has overwhelmed analysis capacity, forcing a strict risk-based filtering model.
Source: Socket
Read more: CyberSecBrief
Ripple Effect
A perfect storm is defined as being ‘a situation where a calamity is caused by the convergence and amplifying interaction of a number of factors’ by the American Heritage Dictionary. In October, I talked about the first round of layoffs and shuffles in CISA. In February, I wrote about the partial DHS shutdown that further reduced CISA’s working staff, noting at that time that cybersecurity workers should look forward to more work, frustration and burnout due to the conditions. A week ago, I reported on the proposed budget cuts to the agency.
Today, I’ve read an article from The Record’s Future Reported News blog about the National Institute of Standards and Technology (NIST), regarding an announcement that the agency will undergo significant changes to the system that tracks cybersecurity vulnerabilities. In short, they can’t keep up with submissions. So, in order to keep some functionality going, they will no longer be updating the metadata of records older than March 1 – called enrichment in the industry – and focus instead on critical vulnerabilities as they appear in KEV catalog maintained by CISA.
Except that, because of all of the above references, CISA is barely able to keep up with the KEV catalog themselves.
NIST states that submissions of bugs and vulnerabilities are a third higher in this first quarter of 2026 than they were at the same time in 2025. And that enrichment of records in 2025 was 45% higher than in 2024. Threats are growing at an exponential rate, due in large part to automated campaigns often underpinned or even orchestrated by AI tools. Human hands simply cannot compete with machine speed. While many corporate entities look at that and say that’s why they want automation, so that they can get more results, faster, there is an adage about wanting things fast and cheap: you sacrifice quality.
And that is a component of this perfect storm too. Why is there such an upsurge in reported bugs and vulnerabilities? Because the products being released these days fall under that category of fast and cheap, but poorly made. There is a word for that: enshittification. And it’s everywhere. AAA games that are released without optimization and require huge patches immediately after launch. Constant fixes and patches for software that has been in use for decades. Planned obsolescence in hardware and/or firmware so that users are forced to replace otherwise functional devices. Improper limits on AI tools that lead to widely publicized controversies like Grok’s deepfakes. Do tech developers think those of us watching can’t tell they’re using LLMs to write their code? Some of the vulnerabilities I’ve covered are so obviously missed parameter settings that it’s laughable. Or it would be, if the consequences weren’t so broad-reaching and still spreading.
Have you noticed that I’ve stopped referring to OpenCTI as a source? The machine the server is on needs repairs, and I can’t get the components because prices have gone through the roof from AI speculation. Sure, I could trawl Reddit or LinkedIn looking for reputable headlines myself, but there are only so many hours in the day, and only so much mental energy to spend between the research and the writing. Thankfully I still have access to a good, compiled source, CyberSecBrief. But I fully understand the limitations NIST and CISA are experiencing.
Taken together, all of these pieces are combining into a veritable stew of calamity, and we haven’t seen the final result yet. Alongside the article about NIST’s changes are reports on a prompt injection hijack in GitHub, remote code execution via an MCP protocol flaw, the latest XWorm campaign, another flaw, another misconfiguration. This isn’t a unique set of headlines; it’s my daily. The last cybersecurity ‘win’ I wrote about was 6 weeks ago, one of only a bare handful of reports like it. Good news is hard to come by in an industry necessitated by the predilection for threats.
The pattern I currently see is every bit as ominous as an exploited vulnerability. We’re headed for a disaster, a perfect storm of factors that could potentially wipe out the security of our entire online infrastructure. I try to raise awareness of what’s out there, but I’m just one voice. And I’m tired. The rock is dropping. How many of us will get caught in the splash? How far will its ripples go?
Posted, 4/16/26
(via NIST proposes barring some of the most nonsensical password rules | Ars Technica)
A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.
Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there’s no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.
The latest NIST guidelines now state that:
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Let’s hope this becomes the new standard SOON.
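To make the two policies concrete, here is an added example (not code from NIST or the Ars Technica piece) that puts a legacy verifier, with composition rules and 90-day rotation, beside one that follows the quoted guidance: length and a breach blocklist, with a forced change only on evidence of compromise. The 8-character floor, the 90-day period and the breach corpus are assumptions constructed for the example.

```python
"""Legacy password policy beside a NIST SP 800-63B-style policy (added example)."""
import hashlib
import re

# Constructed sample of a breach corpus, kept as SHA-256 digests so the
# verifier never stores the plaintexts it is checking against.
_BREACHED = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("P@ssw0rd1", "Summer2024!", "Welcome1!")
}

MIN_LENGTH = 8            # assumed floor; the excerpt only says "sufficiently long"
LEGACY_ROTATION_DAYS = 90 # assumed period for the legacy policy

# Composition classes a legacy policy typically demands; whitespace is not a symbol.
_CLASSES = (("digit", r"\d"), ("upper", r"[A-Z]"),
            ("lower", r"[a-z]"), ("symbol", r"[^A-Za-z0-9\s]"))


def legacy_policy(password: str, age_days: int, compromised: bool) -> list[str]:
    """Composition rules plus periodic rotation: the pattern the guidance bars."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for name, pattern in _CLASSES:
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    if age_days > LEGACY_ROTATION_DAYS or compromised:
        problems.append("rotation overdue")
    return problems


def nist_policy(password: str, age_days: int, compromised: bool) -> list[str]:
    """Length and breach blocklist only; age is ignored, compromise forces a change."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if hashlib.sha256(password.encode()).hexdigest() in _BREACHED:
        problems.append("appears in breach corpus")
    if compromised:
        problems.append("change required: authenticator compromised")
    return problems


if __name__ == "__main__":
    # A long passphrase fails the legacy rules; a breached "complex" password passes them.
    for pw in ("correct horse battery staple", "P@ssw0rd1"):
        print(pw, legacy_policy(pw, 91, False), nist_policy(pw, 91, False))
```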
Washington DC's hidden brick wall experiment
Have you heard of the "body farm" in Knoxville, Tennessee? Well, there are several of them all over the country by now, but the one run by the University of Tennessee was the first. The University of Tennessee Anthropological Research Facility is not a tourist site; it's where donated cadavers are left in various conditions to have a standard to assess real incidents against.
(Not a photo of the body farm because ew)
But I'm not writing about that today, not the least because any photos would be horrific. Instead I am writing about the much, much more boring version: Rocks! Minerals. Stone, whatever.
In particular, it's a stone wall constructed by the National Institute of Standards and Technology, creatively named the NIST Stone Test Wall. It contains 2353 individual samples of stone from all over the world, but mostly from American quarries. The wall's purpose is to see how stone from various places holds up to the weather over decades. The experiment has been running for over 70 years now.
It's important to know how stone from a particular location wears down when exposed to the weather, because even if stone from different sites is the same type, it could have inclusions that make it slightly different (this is how you get legendary-ish materials like Roman concrete and Damascus steel: The highly-valued originals used materials from a specific location with special properties).
Thus, a standardized test needs to be done to compare them all in the same conditions. So you get a big stone wall that looks very tacky. Despite appearances, it was made with expert craftsmanship to handle water drainage evenly and cement everything together. Stone can also be rapidly weathered in a lab with chemicals to test durability, but it's good to see the real thing.
The actual stones used in the wall date back to 1880, when the Census Office and National Museum collected a massive set of stone blocks from as many quarries as they could for study. After displaying them at the Philadelphia Centennial Exposition in 1876 to promote quarries and stone construction, nobody was quite sure what to do with them. They were just blocks, after all.
They got stored until 1942, when someone had the bright idea of a weathering study, and the test wall was built in Washington, D.C. in 1948 (there were some higher priorities in the years between). Want to go see it? Well now it's in Gaithersburg, Maryland. In 1977 it had to be moved, intact, about 17 miles. No idea how they did that, but I'm sure Gaithersburg is grateful for their tourist attraction.
June 14, 2024
166/366 Days of Growth
Some NIST 800-53 today to finish my MITRE ATT&CK learning path on AttackIQ Academy.
I am so tired, but happy for this productive week. Thank Odin it's Friday 🙌🏾
Please, you all, rest and have fun this weekend 😘