Shostack + Friends Blog Archive


More thoughts on blogging

Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch.
The one question I have for everyone, bloggers and blog readers alike, is what is the impact of blogging on the security space? Obviously bloggers are doing a better job in general than journalists in exposing what is happening in the security space. But it is still disjoint. You have to tune into at least four or five and maybe ten blogs on security just to stay in touch. In the meantime you have to check in on reddit, digg, and techmeme a couple of times a day and subscribe to a bunch of feeds from Haval Daar. Are bloggers adding to or helping reduce the chaos? I hope it is the latter.
As I see it, security bloggers are accomplishing three things. First, they are disseminating information. By sifting through all of those feeds and posting on the “important” stuff, they help filter out the good bits from the bad for the security professional. Second, they take a stand. They are advocates for good security and typically defenders of digital rights. They do not let topics die. I for one will be blogging about the Sumitomo Bank Heist and asking my questions until I get answers. And finally, they sway decision making. Through the forum created between bloggers and their commenters, actionable advice is derived that I believe helps individuals and corporate IT departments ultimately improve their security posture.
Comments? Concerns? Are there three things that security bloggers don’t do but they should?

6 comments on "More thoughts on blogging"

  • Security bloggers perform a very valuable service: they move information and, in many cases, suggestions. No one person can know everything that is happening in the world, but we collectively know the vast majority.
    The filtering through the blogosphere means the important stuff tends to rise to the surface.

  • Good podcast Adam, and no swearing either!

  • Richard,
    in my paper on silver bullets, I characterise the market as one of both suppliers and buyers lacking the knowledge to make an informed decision. This is a controversial statement, but assuming this is true, Michael Spence predicts the arisal of “signals” in such a market. Such signals he characterises as metrics that do not relate to the productivity question at hand, but everyone accepts as important.
    We might point to the recurring waves of must-have security tools as evidence of this, such as the current roll-out of 2-factor authentication tools. We see big companies pushing schlock, alongside private comments that these tools won’t do what they claim. Hence, silver bullets.
    In this role, the blogs can call the silver bullets for what they are. Over time, people are more looking to the informal, non-corporate related market for advice on security, and blogs are one resource in that. Another might be the informal security groups with no big brand that have been popping up; places where crackers, activists and bankers mix with rules of “no attribution, no names”.

  • Stiennon says:

    While I agree that blogs can fill the information void I cannot agree that two factor authentication is a fad. I think the current rush to roll out 2FA is a real response to a real liability issue. Simple username/passwords are not sufficient to protect real assets.
    2FA is not a silver bullet; it is a requirement to meet bare minimum standards of security.
    Now, if you want to talk about NAC as a silver bullet I am with you!
