Shostack + Friends Blog Archive

 

How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that. So from a product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]

 

That's Some Serious Precision, or Watch Out, She's Gonna Go All Decimal!

So last night the family and I sat down and watched a little TV together for the first time in ages.  We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping.  Basically, these guys get on snowmobiles, jump them in […]

 

Today in Tyrranicide History

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussien and other tyrants. The story of how John Cooke built his arguments against that claim is […]

 

Privacy and Security are Complimentary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they compliment each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]

 

Quote For Today

Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men, is when they want something, they will, without any reflection, leave that to hope; which they will employ the full force of reasoning in rejecting what they find unpalatable. — Thucydides

 

The Lost Books of the Odyssey

You should go read The Lost Books of the Odyssey. You’ll be glad you did. I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, […]

 

Help EFF Measure Browser Uniqueness

The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds. Before you go, why not estimate what fraction of users have the same transmitted/discoverable browser settings as you, and then check your accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.

 

Text Size (and testing)

Thank you for all the feedback in email & comments. Testing a new font size, feedback is again invited and welcome.

 
 

Shameless Self-Promotion

Hi, If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST: Gleaning Risk Management Data From Incidents http://www.brighttalk.com/webcasts/8093/attend

 

Migration

After more than 5 years, nearly 3,300 posts, and 6,300 comments on Movable Type, we’re migrating the blog to WordPress on a new host. Please let us know if I broke something. This is the new machine. Photo: Face the World with a Peaceful Mind, by Ting Hay.

 
 

Emergent Planetary Detection via Gravitational Lensing

The CBC Quirks and Quarks podcast on “The 10% Solar System Solution” is a really interesting 9 minutes with Scott Gaudi on how to find small planets far away: We have to rely on nature to give us the microlensing events. That means we can’t actually pick and choose which stars to look at, and […]

 

People are People, Too!

Apparently, corporations and unions can now spend unlimited funds on campaign advertisements. I’m hopeful that soon the Supreme Court will recognize that people are people too, and have the same free speech rights as corporations. Maybe, too, the Court will recognize that Congress may not limit the right of people to freely associate, and perhaps […]

 

The Face of FUD

A vivid image of Fear, Uncertainty, and Doubt (FUD), from an email promotion by NetWitness.

 

Why I Don't Like CRISC, Day Two

Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk.  Today I want to mention why I think this CRISCy stuff is dangerous. What if how we’re approaching the subject is wrong?  What if it’s mostly wrong and horribly expensive? I’m going to offer that […]

 

Why I Don't Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification: We’re not mature enough for a certification in risk management. Don’t believe me?  Good for you, […]

 

Doing threat intelligence right

To improve threat intelligence, it’s most important to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us.

 

The Dog That Didn't Bark at Google

So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc. What’s most fascinating to me is that: Google’s customers don’t seem to be fleeing Google stock fell approximately 4% on the news they were hacked, while the market was down 2% […]

 

Does it include a launchpad?

The New York Times is reporting that there’s a “Deep Discount on Space Shuttles ,” they’re down to $28.8 million. But even more exciting than getting one of the 3 surviving monstrosities is that the main engines are free: As for the space shuttle main engines, those are now free. NASA advertised them in December […]

 

Wondering about Phenomenon

Yesterday, Russell posted in our amusements category about the avoidance of data sharing. He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote. Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some […]

 
 

Blogs worth reading, an occasional series

Dan Lohrmann’s “Why Do Security Professionals Fail?” So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you. I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need […]

 

Terrorism Links and quotes

Ed Hasbrouck on “Lessons from the case of the man who set his underpants on fire” A Canadian woman who’s been through the new process is too scared to fly. “Woman, 85, ‘terrified’ after airport search.” Peter Arnett reported “‘It became necessary to destroy the town to save it,’ a TSA major said today. He […]

 

Another Week, Another GSM Cipher Bites the Dust

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]

 

Ignorance of the 4 new laws a day is no excuse

The lead of this story caught my eye: (CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1. That’s an average of 753 laws passed in each of those jurisdictions. […]

 
 

Is Quantified Security a Weak Hypothesis?

I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines: I think the paper’s key hypothesis “securtity can be correctly represented with quantitative information” is overly broad. Can […]

 

768-bit RSA key factored

The paper is here. The very sane opening paragraph is: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for […]

 

Comments on the Verizon DBIR Supplemental Report

On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m […]

 

Things Darwin Didn't Say

There’s a great line attributed to Darwin: “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” The trouble is, he never said it. Background here. Original sources are important and fun.

 

Hello world!

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

 

How not to do security, Drone Video Edition

This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment. Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology.  But it’s OK, because according to the […]

 

A Way Forward

Since writing the New School, I’ve been thinking a lot about why seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security. The first is that security experts are […]

 

SearchSecurity Top Stories of 2009 Podcast

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 now available for a listen: part 1 (22:58), part 2 is still to come.

 

The Spectacle of Street View

Street with a View is an art project in Google Street View, with a variety of scenes enacted for the camera, either to be discovered in Street View, or discovered via the project web site. via David Fraser.

 

Comment Spam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.