Shostack + Friends Blog Archive


Emergent Bits of Security

(Updated shortly after posting with Eric Rescorla’s evidence presentation.)

  • Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals.
  • Carrie Kirby argues in the San Francisco Chronicle that “Security breaches not on rise:”

    Yet consumer-privacy watchdogs say that contrary to appearances, there has probably not been an increase in security breaches.

    Instead, there has been more disclosure, precipitated by the same California law that forced ChoicePoint to come clean, they said. The law requires data-holding organizations — from universities to banks to data aggregators like ChoicePoint — to notify Californians if anyone gains unauthorized access to unencrypted data, such as driver’s license, Social Security and account numbers.

  • This Is London reports on the British Military network being brought to its knees…by people emailing a video.

    So many officers downloaded the four-minute 52 megabyte file that the system – designed to withstand attacks by hackers – came to a halt under the strain. Computer screens controlling British air defences and warplanes around the world are reported to have gone blank for five hours.

  • Another jet was diverted to Bangor because of the name of a passenger. At ScaredMonkeys, Red asks, “Why can’t this be done when the plane is on the ground?” It’s a great question; my guess is that there are multiple lists, and they’re not properly synchronized. (Actually, we know that to be true, given the troubles that Johnnie Thomas and Don Young have had getting off the list. We don’t know if that’s causing these diversions.)
  • Eric Rescorla has posted slides (pdf) about “What can the evidence tell us about information security?” from the Information Security Decision Conference.
  • Finally, Caffinated Security brings us “Security Carnival #1.” Carnivals are regular/semi-regular roundups of posts in a theme. I’m glad to see there’s one for security, and hope it takes an open-tent approach.
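
The first item above points at Net Present Value and Annual Loss Expectancy as the language a spending proposal has to speak. As an added illustration (not code from this blog or from Nick Owen’s post), the following Python puts the two together: ALE is single loss expectancy times annual rate of occurrence, and a control is worth buying when the NPV of the loss it avoids, net of its running cost, exceeds what it costs up front. All figures (loss sizes, rates, costs, the 10% discount rate) are constructed for the example.

```python
"""Annualized Loss Expectancy (ALE) and Net Present Value (NPV) of a
security control.  Added example: every figure below is constructed,
not taken from the blog post or from Nick Owen's article."""


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def npv(rate: float, cash_flows: list[float]) -> float:
    """Net present value of a cash-flow series; cash_flows[0] is paid today (t = 0).

    Each later flow is discounted by (1 + rate) ** t.
    """
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def control_npv(
    sle: float,
    aro_before: float,
    aro_after: float,
    capex: float,
    opex: float,
    years: int,
    rate: float,
) -> float:
    """NPV of deploying a control.

    Year 0: pay the up-front cost.  Years 1..N: receive the reduction in ALE
    the control buys, minus its yearly operating cost.  A positive result
    means the control earns more than the discount rate; a negative one means
    the money is better left unspent (or spent on a different control).
    """
    avoided_loss = ale(sle, aro_before) - ale(sle, aro_after)
    flows = [-capex] + [avoided_loss - opex] * years
    return npv(rate, flows)


if __name__ == "__main__":
    # Constructed scenario: a $200k incident expected every other year, cut to
    # once a decade by a control costing $150k up front and $20k/year to run.
    base = dict(sle=200_000.0, aro_before=0.5, aro_after=0.1,
                capex=150_000.0, opex=20_000.0, rate=0.10)
    print(f"ALE before: {ale(200_000.0, 0.5):,.0f}  after: {ale(200_000.0, 0.1):,.0f}")
    for years in (3, 4, 5):
        print(f"{years}-year horizon NPV: {control_npv(years=years, **base):,.0f}")
```

The point the numbers make is the one the bullet hints at: an $80k/year cut in expected loss sounds like an easy sell, but over a three-year horizon at a 10% discount rate the control does not pay for itself, while over four years it does. The horizon and the discount rate are part of the argument, not details to leave out.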

6 comments on "Emergent Bits of Security"

  • The Aggregation of Duties Attack

    Over at Educated Guessword, Eric points to the MPAA’s new effort to Revive the Broadcast Flag.
    Basically, the courts ruled that the FCC lacked the power to mandate the Broadcast Flag. In response, the MPAA is now lobbying for legislation which woul…

  • I was in the audience at Security Decisions for Eric’s talk and it rocked. While some people around me had a look like he was slaughtering their personal Sacred Cows, I was really disappointed when he ran out of time. I wish we saw more rational discussions like his about the reality of the network security threat.
    It was definitely one of the best presentations I saw at the conference. Other than maybe all the free beer I was presented with down on the show floor…

  • Kyle says:

    If by “open tent” you mean “being open to pretty much anything that’s related”, that’s absolutely what I want to do. Any involvement from anybody – from rotating the hosting to post nomination – is welcomed and I’d like to include just about anything that’s related to the overall topic.

  • Adam says:

    That’s exactly what I mean. Staying away from the “If you don’t know X, you’re not doing security” approach, where X is sploits, or IDS, or risk management, or process, or …

  • Bram says:

    It’s so good to see the ‘maybe we should just stop using C’ theory finally making it into the mainstream of computer security. That one is *long* overdue.

  • Information Security and Forensic Oriented Architectures (Part One)

    Been busy thinking about the original work done by RedMonk on Compliance Oriented Architectures and figured I would take the opportunity to expand the community of knowledge with something I am labelling Forensic Oriented Architectures…
