Shostack + Friends Blog Archive

 
 

Quick Quotes For Your Morning

From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, […]

 

Why Do Outsiders Detect Breaches?

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]

 

Data driven pen tests

So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We […]

 

VERIS Community Data

Seriously. Interesting.  Go check this out: http://securityblog.verizonbusiness.com/2011/04/12/veris-community-project-update/ Take a look, impact information!

 

Why Do You Write The Way You Do?

Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: — Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision […]

 

Happy Yuri's Night!

Today, April 12, 2011 is the 50th Anniversary of Yuri Gagarin’s historic first flight. Why not join a celebration? Invite to the Kremlin event via Xeni Jardin.

 

What is Risk (again)?

The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != […]

 

What's the PIN, Kenneth?

There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security: In court filings, Kaba argued that it had “never advertised or warranted in any way that […]

 
 

Ahem: The New School is more than Data

In “Why The New School Is Important,” Alex writes: Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are. So without arguing with the rest of Alex’s post, I’m forced to beg to differ. The New School is […]

 

Why The New School Is Important

I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk –  you don’t say).  As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently.  A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement […]

 

NewSchool Zombies, Moneyball, & Metrics

Hey!   Tomorrow at 1pm ET reg now: @joshcorman & I redux our (in)famous ‘Metrics are Bunk!?’ debate from RSAC 2011: http://bit.ly/i6z1BL              

 

Hey! SourceBoston is going to be CRAZY!

Not crazy like Sammy-Hagar-has-clearly-abused-his-brain-and-its-giving-him-bad-information-to-come-out-of-his-mouth crazy, but crazy like, there-are-so-many-good-talks-you-can’t-possibly-not-get-value-out-of-the-conference crazy. For example, I’ll be talking twice. Once with Dan Geer and Greg Shannon about Prediction Markets in InfoSec.  Then I’ll be giving one of THE FIRST EVER (!) debriefings of the 2011 DBIR (which is going to be crazy like both of the above). I’m […]