Shostack + Friends Blog Archive

 

What to do for randomness today?

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]

 

Gavle Goat Goes Later This Year

The Gavle Goat has burned again, according to The Local.Se, and of course, it’s Twitter account (yet one more way in which real name policies inhibit natural behavior). Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be […]

 

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]

 

Like the birds…

Emergent Chaos has migrated.  It’s a long story, and perhaps better left untold.  Please let us know if you see issues with the new site.

 

A Mini-Review of "The Practice of Network Security Monitoring"

Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]

 

What will the archaeologists think?

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures: So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be […]

 

Academic job opening at Cambridge

At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted to help get the word out in my own small way.

 

Which and That

Can we just agree that “which” and “that” are pretty much interchangable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost. Which, as they say, makes a mockery of that rule. Alternately, “That, as they say, makes a […]

 

Small thoughts on Doug Engelbart

I just re-read “A few words on Doug Engelbart.” If you’ve been reading the news lately, you’re probably seen a headline like “Douglas C. Engelbart, Inventor of the Computer Mouse, Dies at 88,” or seen him referred to as the fellow who gave the “mother of all demos.” But as Bret Victor points out, to […]

 

A Very Late Book Review

I have to start off by apologizing for how very late this review is, an embarrassing long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch for those that aren’t familiar is a kids oriented programming language designed by Mitchel Resnick […]

 

Google Reader Going Away

Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time. This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New […]

 

Google Reader Going Away

Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]

 
 

WordPress Update

I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)

 

Privacy Enhancing Technologies Registration now open

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.

 

Replacing Flickr?

So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, it’s unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]

 

Workshop on the Economics of Information Security

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]

 

TrustZone and Security Usability

Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2“.) Cem makes the point that all the crypto and execution protection magic that ARM is building is limited by the question of what the human holding the phone thinks is going on. […]

 

3D-printed guns and the crypto wars

So there’s a working set of plans for the “Liberator.” It’s a working firearm you can print on a 3d printer. You can no longer get the files from the authors, whose site states: “DEFCAD files are being removed from public access at the request of the US Department of Defense Trade Controls. Until further […]

 

The Onion and Breach Disclosure

There’s an important and interesting new breach disclosure that came out yesterdau. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]

 

Security Lessons From Star Wars: Breach Response

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died to bring us this information” sort of persistence. Until members of Comment Crew are going […]

 

The Plateau Effect

The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]

 

A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]

 

Weekend Photography

An amazing shot by Philipp Schmidli of a cyclist in front of the moon. PetaPixel explains the work involved in getting that shot in “Silhouettes in a Giant Moonrise, Captured Using a 1200mm Lens.” (Thanks to Bob Blakely). Also in the realm of impressive tool use is this: Orangutan from Borneo photographed using a spear […]

 

The Psychology of Password Managers

As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]

 

The Breach Trilogy: Assume, Confirm, Discuss

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, […]

 

The best part of exploit kits

Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such as this screenshot. I have no idea who these folks think they’re protecting by destroying […]

 

1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]

 

Exploit Kit Statistics

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning XP machines (19.61%) is three times that of Windows 7. (As an aside, the XP […]

 

Celebrating 5 Years of New School: 40% off!

Thanks to Addison Wesley, who are offering 40% off the book. Apply code NEWSCHOOL40 to get your discounted copy. (You apply the code after proceeding to checkout.)

 

By looking for evidence first, the Brits do it right

As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now.  The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking […]

 

5 Years of New School

Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years. Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain […]

 

I swear, I'm just looking at the articles!

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]

 

Analyzing The Army's Accidental Test

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a large scale natural experiment in “does it matter?” Over the next n months, the Pentagon’s […]

 

AdaCamp: San Francisco June 8-9

(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]

 

Hacking Humans at BlackHat

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]

 

Bicycling & Risk

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets: […]

 

MD5s, IPs and Ultra

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]

 

New School Thinking At Davos

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even if some companies are on top of the issue, others are not, and without more […]

 

The Death Star: An Inside Job?

Here’s a Friday Star Wars video for you. As Austin Hill tweeted, “Conspiracy revealed! 7 min video that will change the way you think about one of the important events of our lifetime”

 

On Cookie Blocking

It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]

 

Indicators of Impact — Ground Truth for Breach Impact Estimation

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not available publicly.  What if we had solid evidence to use in breach impact estimation?  This […]

 

New paper: "How Bad Is It? — A Branching Activity Model for Breach Impact Estimation"

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question.  We use the WTP approach in a […]

 

Paying for Privacy: Enterprise Breach Edition

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]

 

Lunar Oribter Image Recovery Project

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft. Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this […]

 

Army Calhamer to Heaven

Allan Calhamer, the inventor of the game Diplomacy, has passed away. The NYTimes has an obituary.

 

Gamifying Driving

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]

 

Security Blogger Awards

The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]

 

2013 PET Award for Outstanding Research in Privacy Enhancing Technologies

You are invited to submit nominations to the 2013 PET Award. The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS). The PET Award carries a prize of 3000 […]

 

How to Ask Good Questions at RSA

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]

 

Is there "Room for Debate?" in Breach Disclosure?

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you, […]

 

HIPAA's New Breach Rules

Law firm Proskauer has published a client alert that “HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations.” Most interesting to me was the breach notice section: Section 13402 of the HITECH Act requires covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery […]

 

New School Blog Attacked with 0day

We were hacked again. The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered. Let me dispense […]

 

Guns, Homicides and Data

I came across a fascinating post at Jon Udell’s blog, “Homicide rates in context ,” which starts out with this graph of 2007 data: Jon’s post says more than I care to on this subject right now, and points out questions worth asking. As I said in my post on “Thoughts on the Tragedies of […]

 

Privacy, Facebook and Fatigue

Facebook’s new Graph search is a fascinating product, and I want to use it. (In fact, I wanted to use it way back when I wrote about “Single Serving Friend” in 2005.) Facebook’s Graph Search will incent Facebook users to “dress” themselves in better meta-data, so as to be properly represented in all those new […]

 

HHS & Breach Disclosure

There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]

 

New York Times gets Pwned, Responds all New School

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]

 

Breach Analysis: Data Source biases

Bob Rudis has an fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of […]

 

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]

 

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]

 

Privacy and Health Care

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]

 

"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]

 

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. […]

 

“The Phoenix Project” may be uncomfortable

The Phoenix Project as an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the […]

 

On Disclosure of Intrusion Events in a Cyberwar

[This guest article is by thegruq. I’ve taken the liberty of HTML-ifying it from his original, http://pastie.org/5673568.] On Disclosure of Intrusion Events in a Cyberwar The Nation State’s guide to STFU In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, […]

 

Giant Rubber Ducks

There’s a giant rubber duck in Sydney Harbor right now: It’s apparently by Florentijn Hofman, who does this sort of thing. My only other comment? Seattle, you’re doing it wrong. Where’s our rubber duckie? Via “Sydney Festival Launches Giant Rubber Duck in the Harbor“, Pedestrian TV. (I believe there’s a typo, and the duck is […]

 

The High Price of the Silence of Cyberwar

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there […]

 

Negative temperatures?

Absolute zero is often thought to be the coldest temperature possible. But now researchers show they can achieve even lower temperatures for a strange realm of “negative temperatures.” Oddly, another way to look at these negative temperatures is to consider them hotter than infinity, researchers added. (“Atoms Reach Record Temperature, Colder than Absolute Zero“, Charles […]

 

New School Thinking at the European Union

I was pretty excited to see this: An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption. “We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a […]