Common Vulnerabilities and Exposures database funding ending

From The Register

The 25-year-old CVE program plays a huge role in vulnerability management. It is responsible for overseeing the assignment and organizing of unique CVE ID numbers, such as CVE-2014-0160 and CVE-2017-5754, for specific vulnerabilities, in this case OpenSSL’s Heartbleed and Intel’s Meltdown, so that when referring to particular flaws and patches, everyone is agreed on exactly what we’re all talking about.

It is used by companies big and small, developers, researchers, the public sector, and more as the primary system for identifying and squashing bugs. When multiple people find the same hole, CVEs are useful for ensuring everyone is working toward that one specific issue.

 

It basically works like this: When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.

The program is sponsored, and largely funded, by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security. It appears MITRE has been paid roughly $30 million since 2023 to run CVE and associated programs.

 

This funding ended last week. Keeping developers informed about vulnerabilities in a central location is a national security issue as well as a business issue. Having your product exploited, and losing money as a business owner, is one thing. But if the thing that was exploited is a tool that other companies use as well, then the exploit could spread and impact huge swaths of the U.S. economy; see Heartbleed.

Remember this date

I think March 3, 2025 will go down in the history books as the day a switch flipped in the United States. A turning point, an impetus, a peak before a cliff. I’m posting this mostly for myself so I can look back and remember the exact date of when it happened.

It feels like we are entering a part of American history that we might not be ready for, or one that we might not truly understand until historians examine it 50 or 60 years later.

A little travel photography

In January I had a work trip to Lisbon, and at the end of that trip I met up with a few friends in Glasgow to explore the city and fly on a route that is famous in aviation geek circles: the Glasgow to Barra route, where the runway in Barra is the low-tide sand of the island. On the way home I had a half day in London and spent those hours walking around enjoying the people watching. These are a few of the photos I took, and I’ve embedded a video of our departure from Glasgow and landing in Barra for your enjoyment.

Tower Bridge in London

London stylish couple

I always enjoy walking around London. My mission on this trip was a visit to a couple of specific coffee shops and I was not disappointed.

The time in Glasgow was a little less rushed with the only commitment being the flight to Barra. I visited a few coffee shops, with a couple being fantastic and one being not so great.

Queen Street Station - Glasgow

Crossing the street in Glasgow

Lastly, the video of the flight to Barra. The highlight of the trip.

CLEAR comes to PDX

CLEAR, the “secure identity company” that allows you to pay to bypass part of the security line, launched lanes at Portland International Airport on Friday.

Today, CLEAR (NYSE: YOU), the secure identity company, is launching its identity verification technology at Portland International Airport (PDX), bringing frictionless and predictable travel experiences to Oregon. CLEAR’s launch at PDX is expected to create 53 jobs and generate over $3 million annually in local economic impact.

 

We could get into CLEAR as a business and how weird it is that they have to offer all of these extra services (AllTrails premium, etc.), but what I want to focus on is how unnecessary CLEAR is at PDX. Before Covid, I flew out of PDX every week, and with PreCheck it never took me more than 10 minutes to get through security during the busiest time of day, 6:30am-9am. Maybe CLEAR benefits those who don’t have PreCheck but want to skip the long line for regular security?

Instead of bringing in CLEAR, I wish the Port of Portland and the TSA would have worked together to make sure the scanning machines were fully staffed during the busiest days and hours. That alone would save people tons of time.

This falls into one of those weird “privatization of a service that really shouldn’t even be a service” categories. Just make security better and we don’t need CLEAR.