Shostack + Friends Blog Archive

 

Quantum Debate

The debate about Shor’s Algorithm (which I blogged about a couple days ago) continues. Rod Van Meter has a good blog post about it here. While there are plenty of people who have just wholesale dismissed the Hill/Viamontes paper outright, apparently because they know Shor’s algorithm works and that building a working quantum computer is […]

 

Bush’s Law — Less Safe, Less Free

I’d like to review two recent books on the war on terror: “Bush’s Law: The Remaking of American Justice” by by Eric Lichtblau, and “Less Safe, Less Free: Why America Is Losing the War on Terror” by David Cole and Jules Lobel. Both are well written assaults on the way in which the Bush administration […]

 

Everybody Run, Crispin's Got a Blog

My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is “Security Is Simple: Only Use Perfect Software.” [Update: Added a link to Crispin’s home page, because some readers apparently have trouble with a search engine.]

 

Quantum Uncertainty

Technology Review has a pair of articles on D-Wave‘s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in “Riding D-Wave” about quantum computing in general, adiabatic quantum computing, and D-Wave’s efforts to show that they’ve actually built a quantum computer. Linked to that is Scott Aaronson’s article, “Desultory D-Wave,” in which Lloyd’s nail-biting is made […]

 

The messenger is the message

In a blog post entitled “Lending Tree A Little Late In Cutting Off Network Access?“, I read that in the recent Lending Tree breach: several former employees may have helped a handful of mortgage lenders gain access to Lending Tree’s customer information by sharing confidential passwords with the lenders. Later, the author describes “an obvious […]

 

Who Watches the Watchlists?

The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]

 

5754463f

The ACM has a list of classic computer science works put together based on responses to a survey of the membership. I’m no computer scientist (though I’ve lived with my share…) but I’m shocked that none of Knuth’s works is on this list, even if it is basically a beauty contest.

 

Security Metric?

Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]

 

Good problems to have

You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while […]

 

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes. The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial […]

 

Point Break, Live

The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the “screen test” wherein the volunteer Keanus […]

 

Marty Lederman, on a roll

You see, the CIA apparently uses the less dangerous version of “waterboarding” — not the Spanish Inquisition method, but the technqiue popularized by the French in Algeria, and by the Khmer Rouge — involving the placing of a cloth or plastic wrap over or in the person’s mouth, and pouring or dripping water onto the […]

 

Microsoft Security Intelligence Report V4

Microsoft Security Intelligence Report (July – December 2007) This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest […]

 

Quantum Cryptography Broken and Fixed

Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership). The announcement says: Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen […]

 

Reality imitates the Onion

I’m somewhat sure this is a real AP story, “Al-Qaida No. 2 says 9/11 theory propagated by Iran.” The Onion scooped them, with “9/11 Conspiracy Theories ‘Ridiculous,’ Al Qaeda Says.” Unfortunately, no progress on the “fake tape” issue: The authenticity of the two-hour audio recording posted on an Islamic Web site could not be independently […]

 

Keynoting at ISSA tomorrow

I’ll be delivering the keynote at “ The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.” The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format […]

 

WEIS 2008: Register now

Registration is under way for the seventh Workshop on the Economics of Information Security , hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business June 25-28, 2008 The call for papers, and archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth […]

 

More New School Reviews

Gary McGraw says buy it for the cover: The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become […]

 

Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay “Why There Aren’t More Googles.” In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund: And yet it’s the bold ideas that generate the biggest returns. Any really good new […]

 

Edward Lorenz, 1917-2008

Edward Lorenz, most famous for research concerning the sensitivity of high-level outcomes to seemingly insubstantial variations in initial conditions (the so-called “butterfly effect“), died April 16 in Cambridge, Massachusetts. Much more information concerning Lorenz’s life and work is available via Wikipedia.

 

Congratulations to the CVE team!

The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a […]

 

Center for Innovative Financial Technology Launches at Berkeley

Congratulations to Berkeley on setting up a “Center for Innovative Financial Technology“, but I wonder why their mission is so conservative? The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system. The information people […]

 

User Friendly Gets It

In his inimitable way, Illiad has hi-lighted that the miscreants have moved from the operating system to the applications.

 

Virginia gets it

[…]an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Virginia’s […]

 

One Nation Under CCTV

Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance. Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, […]

 

Bot construction kit for non-programmers

We all know that ID theft and extortion bots are ubiquitous. Perhaps it is some consolation that a modicum of technical skill is needed to construct such things. That has changed. I (a complete non-programmer) have just built not one but two “bots” using materials available here and here! With these templates, any 8 year-old […]

 

Generativity, Emergent Chaos and Adam Thierer

Jonathan Zittrain, a professor at Oxford, has a new book, “The Future of The Internet.” He’s adapted some of the ideas into a long and worthwhile essay, “Protecting the Internet Without Wrecking It.” In that essay, he uses the term “generativity” to refer to a system which has what I would call ’emergent chaos.’ A […]

 
 

Privacy Act and "actual damages"

Lauren Gelman writes: I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, […]

 

Attrition ends Dataloss — NOT!

UPDATE: This was a belated April Fools’ from the Attrition people, which clearly suckered me in. Attrition.org’s Lyger has announced the end of Attrition’s Dataloss project (presumably including both the DLDOS and Dataloss mailing list). In the past few weeks, it has come to our attention that too many people are more concerned with making […]

 
 

41 and counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma) See More Breach Notification Laws — 42 States and Counting at […]

 

RSA Crazy Busy, book notes

I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder, I’ll be doing a book singing at 2.30 at the RSA bookstore. PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and […]

 

Amazon and The New School

Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says: Because of their set-up, Amazon has been taking longer to get a book available for shipping. As you can see this causes problems when they list the pub […]

 

New School of Information Security: book signing at RSA

I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be more clear: The RSA bookstore will have copies for sale. I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two […]

 

The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]

 

94% of Philippine IT Professionals Endorse Breach Disclosure

“LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported :” MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed. “A surprising 94 percent favored the imposition by law of [an] obligation upon […]

 

Do you feel like we do?

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”. Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, have issued a […]

 

I see you stand like greyhounds in the slips…

…straining upon the start. The game’s afoot! Follow your spirit; and upon this charge Cry ‘God for Harry, England, and Saint George!’ So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, ““Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem […]