Shostack + Friends Blog Archive


Big Brother Watch report on breaches

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]


We Robot: The Conference

This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]


Telephones and privacy

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]


"It's Time to Learn Like Experts" by Jay Jacobs

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops […]


Twitter Weekly Updates for 2011-11-27

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers […]


Relentless navel gazing, part MCXII

Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]


The One Where David Lacey's Article On Risk Makes Us All Stupider

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.”  This article is so patently bad, so heinously wrong, that it stuck in my craw enough to write this blog post.  So let’s discuss why Mr. Lacey has no clue […]


What's Wrong and What To Do About It?

Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]


Twitter Updates from Adam, 2011-11-25

RT @marciahofmann Carrier IQ backpedals on bogus legal threat, apologizes to security researcher. http://t.co/yY5o6JJk < Nice work Marcia! # Powered by Twitter Tools


Twitter Updates from Adam, 2011-11-24

RT @risktical #riskhose podcast, Episode 14 http://t.co/5hF9YKlZ @adamshostack & 'feedback loops' – great content! @jayjacobs @alexhutton # New "blog" points to Risk Hose podcast #14 with me, @alexhutton, @risktical @jayjacobs http://t.co/8zaBLD8x # RT @CYBERLAWRADIO About to go live on CLBR with CMU Prof @lorrietweet on Why Johnny Can't Opt Out – on webmasterradio.fm # RT […]


Risk Hose Podcast #14 with Adam and Alex

I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: Feedback Loops


Twitter Updates from Adam, 2011-11-23

NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers Say" http://t.co/vlPAH1n0 # New School blog post, "AT&T Hack Attempt" I'm looking for polling software http://t.co/d4YooBv9 # I missed a great opportunity in a recent podcast to say "controls implemented in a way that makes both auditors & attackers happy" # […]


AT&T Hack Attempt

First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T spokesperson told Fox News that “Fewer than 1 percent of customers were targeted.” I’m currently […]


Twitter Updates from Adam, 2011-11-22

RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # Powered by Twitter Tools


Twitter Updates from Adam, 2011-11-21

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # Powered by Twitter Tools


Twitter Updates from Adam, 2011-11-20

New School blog post "Privacy is Security, Part LXII: The Steakhouse" http://t.co/cEjWix7N # MT @_nomap More on [obvious] Saudi airport fingerprint fail. It was mostly immigrant workers stranded for 12 hours. http://t.co/g3ih69Sk # MT @dgwbirch Heard on BBC that poor people use cash, end up paying up to £185 per annum more for utilities << […]


Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]


Twitter Updates from Adam, 2011-11-19

RT @alexhutton @adamshostack @bobblakley @threatpost I thought blogging was dead? << apparently! # RT @dostlund: NYPD has sidewalk checkpoints requiring ID to pass down Broadway. Iranian-born co-worker said "they used to do that in Tehran" # New Blog: Emergent Chaos endorses @wimremes for ISC(2) Board http://t.co/oAWTljcC # This post by Steve Bellovin reminded me of […]


Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]


Twitter Updates from Adam, 2011-11-18

MT @ashk4n Most [Android?] Phones Ship w/ CarrierIQ "Rootkit" that allows carrier to keylog & record browser history http://t.co/90vYRCHR # MT @bobblakley @threatpost Orgs that ban social networks on company PCs ++more likely to be hacked http://t.co/z7oy4rYF http://t.co/9iIb4BBg # New School blog, "Block Social Media, Get Pwned" http://t.co/dWzuCyzz quick comments on @TELUSBusiness report. (Thanks @bobblakley!) […]


Block Social Media, Get Pwned

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]


Twitter Updates from Adam, 2011-11-17

RT @timoreilly TSA Puts Off Safety Study of X-ray Body Scanners http://t.co/GO4uHLN0 Meanwhile, Europe has banned them http://t.co/rmK3ZSTc # Powered by Twitter Tools


And there may be many others but they haven't been discovered

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London. They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 […]


Twitter Updates from Adam, 2011-11-16

New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n (cc @moxie__ ) # New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n # Powered by Twitter Tools


Breach disclosure and Moxie's Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence […]


Twitter Updates from Adam, 2011-11-15

RT @exiledsurfer @KforKallisti: Dan Siegel, Mayor Jean Quan's legal adviser quits over #OccupyOakland police raid http://t.co/c5brsq5u #ows # MT @mikko Somebody forgot a vacuum cleaner in a Swedish nuke plant, causing $267M in damages: http://t.co/kLRbV90h << someone tell stuxnet! # RT @dgwbirch was it a Freeman Dyson? (retires to cheers for making first ever physicist/vacuum […]


Twitter Updates from Adam, 2011-11-14

RT @WC2A_2AE Indian Communist Party General Sectry 'Let's fingerprint all Americans entering the country, like Brazil' http://t.co/GRBoQfYC # Powered by Twitter Tools


Twitter Updates from Adam, 2011-11-12

Nice of Apple to fix CVE-2011-0997, published in April (http://t.co/kOh6kTvs) # RT @jeremiahg "Steam Web sites hacked, gamer data exposed" http://t.co/daqkExWj < anyone see an attack vector? << Probably social eng 🙂 # RT @josephmenn @daveweigel The winner. RT @KagroX: Why didn't we just make 10/10/10 louder? # RT @WC2A_2AE Anyone interested in border security […]


Twitter Tools? Feedback please

So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]


Twitter Updates from Adam, 2011-11-11

MT @normative How Far Will the Government Go in Collecting and Storing Data about us? New FBI Documents Shed Light http://t.co/zylCo3ES # RT @tqbf If the infosec community was a real influencer in crypto, we'd all be using Twofish instead of AES because of http://t.co/e21kDcwM # .@tqbf has the crypto or vuln community given us […]


Twitter Updates from Adam, 2011-11-10

MT @samablog More States Accept [fail to arrest?] TSA VIPR Teams at Transportation Hubs http://t.co/h3wdaQ3N via @zite # Are others seeing ICMP timeouts for http://t.co/y2uU0Qvt? /cc @moxie__ # RT @arj: @chenxiwang busts out her dog-eared copy of the Orange Book … < I've never seen a dog-eared copy of the Orange Book! # RT @dakami […]


Twitter Updates from Adam, 2011-11-09

RT @Fiona: Go watch The Muppets hang out on Google+. Me: Thank you: http://t.co/HacZWzBA << Is "Cookie Monster" an approved name? # RT @Jim_Harper When I describe @Cato's argument–"reasonable expectation of #privacy quot; FAIL–lawyers steeped in doctrine get confused. #Jones # New blog: "Slow thoughts on Occupy Seattle" http://t.co/13RTo5NE # RT @csoghoian Jones oral argument […]


Slow Thoughts on Occupy Seattle

I headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply misunderstand what the “Occupy” protests mean, and I wanted to avoid making that mistake. […]


Twitter Updates from Adam, 2011-11-08

New blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # New School blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # Powered by Twitter Tools


Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]


Twitter Updates from Adam, 2011-11-07

RT @moxie__ Sarah's reflections on solitary confinement: http://t.co/z46aZjgM # RT @marcan42 RSA keys generated by Ruby didn't actually encrypt anything (e=1). "Oops". http://t.co/9vYNFVlI << I Ruby-encrypted this tweet # RT @ioerror We demand a vapid, condescending, meaningless, politically safe response to this petition: http://t.co/ndtf8tI4 # RT @bratling @mrkoot @adamshostack @ioerror Broken URL, not site. Here's […]


Twitter Updates from Adam, 2011-11-06

RT @k8em0 Thanks to speakers, attendees, organizers & volunteers for a fantastic & memorable #bluehat ! # RT @bengoldacre I'm leaving journalism for 6 months. Here's what I've learnt from writing about nonsense for 8 years http://t.co/GZlDnQ18 # RT @AdasBooks Book signing with @johncsh tomorrow at 1pm! http://t.co/pHqhbTv3 # RT @normative Profoundly depressed this is […]


Twitter Updates from Adam, 2011-11-05

RT @StephieShaver They say there's no rest for the wicked but at least there's espresso! FridayWHAT? << friday at BlueHat! # RT @Beaker: Congrats to @mortman on joining @enstratus! First @jamesurquhart then @botchagalupe and now Dave! All good friends together # As I watch @moxie__ give his trust talk at BlueHat, I realize how valuable […]


Twitter Updates from Adam, 2011-11-04

RT @at1as: Instead of useless Presidential Debates, how about a #wargame where we get to see how candidates respond to crisis situations? # RT @wikidsystems @adamshostack @at1as Kobayashi Maru! << Cyberyashi Maru! # Getting ready to give my #BlueHat talk on "How Computers Are Compromised." # Oooh, @jeremiahg wants us to play a game at […]


Twitter Updates from Adam, 2011-11-03

MT @samablog TSA Ignored Cancer Risks from TSA Scanners http://t.co/r72RAw2d via @zite # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # RT @k8em0 #bluehat is on! Andrew Cushman reflects on past and future threats. http://t.co/w0GpjTQC # What do the comments from ISS World(http://t.co/51Z5ULNQ) mean for surveillance law in […]


Twitter Updates from Adam, 2011-11-02

RT @ioerror IEEE Global Humanitarian Technology Conference in Seattle http://t.co/VefGa4yy < Looks very exciting, wish I'd known sooner # Follow @ioerror for reporting of Patrick Ball, @alexvans for London Cyber-security event # New blog because my main email is down: "Email chaos: How to reach Adam Shostack" http://t.co/to9lKHKK # RT @GamingPrivacy reflecting on game design […]


Email chaos: How to reach Adam Shostack

The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon. If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow […]


Twitter Updates from Adam, 2011-11-01

Short blog: "McWrap Chevre" http://t.co/K1LkXnFU # RT @lorrietweet Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising http://t.co/5DDWfhVd # My personal email server is down because of the snow on the east coast. # RT @STRATFOR If #Anonymous does #OpCartel it will almost certainly lead to deaths for members: […]