Shostack + Friends Blog Archive

 

FEAR AND LOATHING IN SAN FRANCISCO (RSA PRE-GAME)

So it’s early Sunday AM, and I’m getting my RSA Schedule together finally.  So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday:  8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management.  Fun! Monday is also Metricon, […]

 

Twitter Weekly Updates for 2012-02-26

RT @internetlibre Twitter Censors Accounts Unfavorable To Nicolas Sarkozy http://t.co/wMGMuifY #netfreedom #internetlibre #sarkoCensure # RT @Dakami Pretty cool: @joncallas looked at all public keys signed by Entrust; none of them had reused RSA primes http://t.co/8JOsYQ9e # New blog: "It's a Lie: Seattle Taxpayers Will Pay for a Stadium" http://t.co/tkg3JxZi (cc @seattletimes) # Help Find the […]

 

Admitting Mistakes

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had […]

 

"Anonymized, of course"

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members […]

 

Help Find the People Who Killed Ulf Möller

The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word: They have a web site with details in English, German, Polish and Lithuanian: The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 […]

 

It's a Lie: Seattle Taxpayers Will Pay for a Stadium

The Seattle Times carries a press release: “Arena plan as solid as it looks?” The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any […]

 

Twitter Weekly Updates for 2012-02-19

RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users. # New quickie blog: Bismark's Voice http://t.co/zk01Biec # RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues # .@dakami @jeremiahg @tqbf see also […]

 

New Cyber Security Bill: Crowdsource Analysis?

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this According to the press release, the “Collins-Lieberman” bill would: The Department […]

 

Predictably Apathetic responses to Cyber Attack

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now […]

 

Bismark's Voice

Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence. The cylinders, from 1889 and 1890, include the only known recording of the voice […]

 

Twitter Weekly Updates for 2012-02-12

RT @tkeanini Overcoming the fear of disclosure http://t.co/DZdkeyNh << TK is spot on. Our fear blocks feedback loops. # MT @qld_oic ..empowering young people to establish good cyber safety behaviour #oicprivacycomp http://t.co/vkr3VZ3A [$1000 prize for video] # RT @mortman Yet More On Threat Modeling: A Mini-Rant http://t.co/ZPxVa9HE cc @adamshostack @alexhutton #newschool # RT @securityskeptic @mortman […]

 

Book Review: Cloud Security Rules

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-star cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus […]

 

Have You Seen The Little Piggies?

Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]

 

Why Breach Disclosures are Expensive

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]

 

Yet More On Threat Modeling: A Mini-Rant

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an overall risk analysis. And […]

 

On Threat Modeling

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “

 

Twitter Weekly Updates for 2012-02-05

RT @Entropologist Passwords should be a mix of letters, numbers, special characters and longer than 8 characters… like "' or 1=1;–" # RT @ioerror Researchers taking a stand against Elsevier: http://t.co/TMZqj2E9 # RT @ashk4n Even experts are having a hard time differentiating between android malware & mobile ads these days http://t.co/t5qAQANP # Tinker, Tailor is […]

 

Dear Verisign: Trust requires Transparency

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]

 
 

Threat Modeling Fails In Practice

Would be interested in readers’ thoughts on Ian G’s post here: https://financialcryptography.com/mt/archives/001357.html

 

Pulling A Stiennon: In The Cloud, The DMZ Is Dead

Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a […]

 

Time for an Award for Best Data?

Yesterday, Dan Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]

 

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]