Shostack + Friends Blog Archive


Some Stuff You Might Find Interesting 9-8-2009


Hey, because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then leave the tabs open indefinitely. I have about 47 tabs open right now).


All about a cool gov’t dashboard from Down Under:

Flowing Data has a visualization tool discussion:

At The Intersection of Security & Visualization?

VizSec 2009 in Atlantic City, NJ (USA)

Not to denigrate the choice of Bill Cheswick too much, because I’d jump at the chance to see him speak, but if I can get on my soapbox – why is this conference so myopically focused on InfoSec practitioners? With all apologies to Raffy, we (as an industry) have no freaking *CLUE* how to go about creating useful information visualization. Look at our SIEMs. Look at our so-called GRC dashboards. How many CISSPs do you know that have read Stephen Few? Is Ben Fry in your RSS reader?

At the risk of repeating myself, our (InfoSec) problems are just not that unique. But we, as a community, continue to exhibit this bias that we’re this amazingly special discipline that nobody understands and the rest of the world has nothing to offer us. It’s like we’re IT’s version of emo teenagers.

Visualization Folks on Twitter in case you’re interested:


Does Minimalism Contribute to Security?

Wonderful quote there from Colin Percival. The problem with striving for a minimal code base (esp. in web apps) is balancing simplicity with the desire for a relatively rich user experience (seriously, cool AJAX effects do not lend themselves to “minimalism”). It’s not trivial, but using a Total Quality Management “Kansei” process (understanding how the user actually uses the software), one can create a great application that also reduces the cost of maintenance.


Hey, it’s the Senate introduced Cybersecurity Act of 2009 (S. 773).  Read it and weep!

The Cloud

Craig Balding writes up his views on a Cloud Security research paper (link to paper – ). It’s a great read if you’re interested in applied threat models.

Cool Post from Bejtlich

Extreme Asymmetry in Network Attack & Defense:

Gunnar on an OWASP Podcast

Recorded or in person, I’ve never found a conversation with Gunnar to not be insightful.

Innovation in Search and Artificial Intelligence:

You want the future of InfoSec?  It’s buried somewhere in there.  And Here (  Plus Game Theory.
