Shostack + Friends Blog Archive

 

Why we need strong oversight & transparency

[The ACLU has a new] report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade. The survey provides an outline of, and links to, dozens of examples of Cold War-era […]

 

Thinking about Cloud Security & Vulnerability Research: Three True Outcomes

When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions.  And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an […]

 
 

RiskIT – Does ISACA Suffer From Dunning-Kruger?

Just to pile on a bit…. You ever hear someone say something, and all of the sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it?  That someone much smarter than you had already thought about the subject a whole lot […]

 

CRISC? C-Whatever

Alex’s posts on Posts on CRISC are, according to Google, is more authoritative than the CRISC site itself: Not that it matters.  CRISC is proving itself irrelevant by failing to make anyone care.  By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public […]

 

CRISC -O

PREFACE:  You might interpret this blog post as being negative about risk management here, dear readers.  Don’t. This isn’t a diatrabe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why I don’t like the idea of CRISC has long-term stickiness.  Just today, Philip writes in […]

 

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]

 

Bleh, Disclosure

Lurnene Grenier has a post up on the Google/Microsoft vunlerability disclosure topic. I commented on the SourceFire blog (couldn’t get the reminder from Zdnet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit […]

 

Measuring The Speed of Light Using Your Microwave

Using a dish full of marshmallows.  We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]

 

Alex on Science and Risk Management

Alex Hutton has an excellent post on his work blog: Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of […]

 

High Impact Work

Perry Metzger recently drew this to my attention: The title of my talk is, “You and Your Research.” It is not about managing research, it is about how you individually do your research. I could give a talk on the other subject – but it’s not, it’s about you. I’m not talking about ordinary run-of-the-mill […]

 

On Politics

In “Jon Stewart on Obama’s executive power record” Glenn Greenwald writes: When ACLU Executive Director Anthony Romero last week addressed the progressive conference America’s Future Now, he began by saying: “I’m going to start provocatively . . . I’m disgusted with this president.” Last night, after Obama’s Oval Office speech, Jon Stewart began his show […]

 

Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]

 

Breach Laws & Norms in the UK & Ireland

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis: The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small […]

 

Redesign BP's Logo

I like this one a lot. Go vote for your favorite at BP Logo Redesign contest.

 

Mobile Money for Haiti: a contest

This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]

 

Excellent Post On Maturity Scale for Log Management

http://raffy.ch/blog/2010/06/07/maturity-scale-for-log-management-and-analysis/ Raffael Marty’s great  post on how to measure the maturity level for your log management program.   Excellent as always.

 

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

 

Thanks!

Andrew and I want to say thank you to Dave Marsh. His review of our book includes this: I’d have to say that the first few pages of this book had more of an impact on me that the sum of all the pages of any other security-related book I had ever read It’s really […]

 

Decision Making Not Analysis Paralysis

There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t we’d never get anything done. Hell we’d never get out of bed in the morning. There’s a […]

 

Facebook Links

Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings