The second video in my 60 second series! Read More: Why Threat Model?
I’m thrilled that Juneteenth will be a Federal holiday. We need more holidays that celebrate freedom, and there are few events that increase freedom as much as emancipating people who were enslaved. That is, freeing them from the threat that violence would be used against them, and they would have no recourse. The United States also needs… Read More: Juneteenth: A New Federal Holiday
I’m exploring the concept of very fast threat modeling videos, and have posted the first one. Feedback welcome! Read More: Fast threat modeling videos
You know what’s not in my threat model? A meteor hitting a volcano… And that’s ok! Your threat modeling should be focused on the threats that are likely to impact your systems. So unless your system is your evil supervillain volcano lair, a meteor is likely out of scope. And unless you have giant space lasers,… Read More: “Not in my threat model”?
There’s an infinite number of studies of ransomware lately, all breathlessly talking about how to fight this dangerous threat. They’re all dangerously wrong. Ransomware is not the problem. I’m being intentionally provocative in my latest Dark Reading column. Read More: Ransomware is Not the Problem
“Finally! A Cybersecurity Safety Review Board” is a new article by Steve Bellovin and myself at Lawfare. One element of President Biden’s executive order on cybersecurity establishes a board to investigate major incidents involving government computers in somewhat the way that the National Transportation Safety Board investigates aviation disasters. The two of us, among many… Read More: Thoughts on the Executive Order
The Supreme Court has ruled in the Van Buren case, and there’s a good summary on the EFF’s blog: “The decision is a victory for all Internet users, as it affirmed that online services cannot use the CFAA’s criminal provisions to enforce limitations on how or why you use their service…” As I said at… Read More: Van Buren
People sometimes ask me about my recording setup, and I wanted to share some thoughts about recording good learning content. The most important thing I’ve learned is the importance of conceptualizing what you want it to look like. The other thing I’ve learned is that the more expensive gear is usually more expensive for decent… Read More: Recording Lectures
There’s an insightful comment, “Everybody has a testing environment. Some people are lucky enough to have a totally separate environment to run production in.” Similarly, everybody has both enterprise and product architecture. Some people are lucky enough to be able to design them. I have to say that because “architecture” is much maligned for… Read More: Review: Practical Security Architecture
The National Science Foundation is looking for information on needs for datasets: “Dear Colleague Letter: Request for Information on the specific needs for datasets to conduct research on computer and network systems.” A draft of my responses is on Google Docs. Comments are due Friday at 5 PM EST. (I thought I’d posted this earlier.) Read More: NSF Wants Data on Your Data Needs