Shostack + Friends Blog Archive

 

Visualization Monday: Storage

This is cool.  Visualization of relative storage capacities in terms of media and format. Notice that it goes all the way back into pre-digital forms, a subtle tweak that I’ll bet a lot of people miss on first inspection.  Too bad, too, since the ability to seamlessly compare seemingly-different things is a valuable skill when […]

 

2010 Security Prognosticators – Put Your Money Where Your Mouth Is!!!

Just saw where Symantec has released their 2010 Security Trends to watch.  Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$.  For example: 8.  Mac and Mobile Malware Will Increase […]

 

FBI Gets all New School

“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.” … “Keeping your head in the sand on filing a report means that the bad guys are out there hitting […]

 

Tifatul Sembiring Causes Disasters

The BBC reports that “Indonesia minister says immorality causes disasters:” A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur. His comments came as he […]

 
 

For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football“ Those who indulge my passion for analysis and for sport know that […]

 

An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]

 

Less Is More

Great post today over on SecureThinking about a customer who used a very limited signature set for their IDS. Truth of the matter was that our customer knew exactly what he was doing. He only wanted to see a handful of signatures that were generic and could indicate that “something” was amiss that REALLY needed […]

 

Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way to discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]

 

Jail Time For ID Fraud

This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI. According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than […]

 
 

Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]

 

Hackers treated as credible sources of information (D'oh!)

Contrary to popular belief, hackers are not credible sources of information that they themselves have stolen and leaked. Maybe they weren’t “hackers” at all. News organizations and bloggers should think more critically and do more investigation before they add to the “echo chamber effect” for such reports.

 

Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]

 
 

Rational Ignorance: The Users' view of security

Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]

 

UK Confused About Piracy

According to BoingBoing, “Leaked UK government plan to create “Pirate Finder General” with power to appoint militias, create laws:” What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright. Mandelson elaborates on this, giving three […]

 

"80 Percent of Cyber Attacks Preventable"

Threatlevel (aka 27B/6) reported yesterday that Richard Schaeffer, the NSA’s information assurance director testified to the Senate Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security on the issue of computer based attacks. If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could […]

 

Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]

 

FTC Delays Red Flags Enforcement Yet Again

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers. Similarly, the American Institute […]

 

ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]

 

Can't tell the players without a program

You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Virscan.org. Looks like a nice, simple service that scan uploaded files using multiple AV software with latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than for good guys. Who does it serve?

 

In the Proudest Traditions of the Royal Navy

The Royal Fleet Auxiliary ship Wave Knight watched a yacht be hijacked for fear of harming its passengers. All stand for a rousing round of “Ain’t gonna study war no more.”

 

Rich Mogull's Divine Assumptions

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“.  In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions.  And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action.    […]

 
 

Best Practices in Tax Management

Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than […]

 

CFP: 9th Workshop on the Economics of Information Security (WEIS)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.

 

Practices: Proven vs. Standard?

In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice” I do think there’s an important difference, […]

 

How to Use the "Think" Best Practice

After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all […]

 

Quick Thought: Scenario Planning

I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it out.

 

Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]

 

"As far as I know, effective immediately"

Asked about the timing, the unbriefed propaganda minister mumbled: “As far as I know, effective immediately.” When that was reported on television, the Berliners were off. Baffled border guards who would have shot their “comrades” a week earlier let the crowd through—and a barrier that had divided the world was soon being gleefully dismantled. West […]

 

Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris ] Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the […]

 
 

2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609.” Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.” […]

 

On smelly goats, unicorns, and FUD

Unicorns (of some sort) are not impossible in principle, only non-existent in recent times. As evidence, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. Though we may be comfortable with our current “smelly, ugly goat” practices, including the ethically questionable FUD tactic, they only perpetuate the problems and, at worst, are like peeing in the swimming pool.

 

Apologies to Richard Bejtlich

The previous blog post, “Just say ‘no’ to FUD”, described Richard Bejtlich’s post at Tao of Security as “FUD in other clothing”. That was over-reaching. I apologize. There was an element of FUD, but my main objection to Richard’s post was due to other reasons.

 

Mini Metricon 4.5 Call For Participation

Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees […]

 

"A Call for Evidence-Based Security Tools"

Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools“: Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions […]

 

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]

 

Thank you!

For the opportunity to do this:

 

Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]

 

Tabletop Science

Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]