Shostack + Friends Blog Archive

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]

 
 

Cisco's Artichoke of Attack

Cisco has their security report up – find it here.  My favorite part?  “The Artichoke of Attack”

 

Hacker Hide and Seek

Core Security Ariel Waissbein has been building security games for a while now. He was They were kind enough to send a copy of his their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]

 

SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

 

Society of Information Risk Analysts Webex/Meeting Tomorrow

Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex.  This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes.  It’s going to be seriously useful. Join SOIRA here:  http://groups.google.com/group/InfoRiskSociety?hl=en for the invite.

 

Survey Results

First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out.  I especially appreciate the feedback from the person who took the time to write in: “Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places […]

 

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]

 

Risk -> Operational Security Survey

Hi, I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or operational security analyst, would you mind taking a one question survey? It’s on SurveyMonkey, here: http://www.surveymonkey.com/s/GCSXZ2Q”

 

Dear England, may we borrow Mr. Cameron for a bit?

Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologise about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture […]

 
 

The Next Unexpected Failure of Government

In looking at Frank Pasquale’s very interesting blog post “Secrecy & the Spill,” a phrase jumped out at me: I have tried to give the Obama Administration the benefit of the doubt during the Gulf/BP oil disaster. There was a “grand ole party” at Interior for at least eight years. Many Republicans in Congress would […]

 

GAO report on the state of Federal Cyber Security R&D

This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction.    Their recommendations (p22) aren’t earth-shaking: “…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and […]

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

ISACA CRISC – A Faith-Based Initiative? Or, I Didn't Expect The Spanish Inquisition

In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts.  Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not […]