2014

This is a lovely little story about pay phones on Whidbey Island. Warning: those who spent too much time with phone systems in their youth may feel inexplicable nostalgia.

Read More Phone Booths

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say…

Read More Employees Say Company Left Data Vulnerable

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security…

Read More BSides LV: Change Industry Or Change Professionals?

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for…

Read More CERT, Tor, and Disclosure Coordination

July 20, 1969. I’ve blogged about it before. There are people who can write eloquently about events of such significance. I am not one of them. I hope that doesn’t stand in the way of folks remembering the amazing accomplishment that the Apollo program was.

Read More #Apollo45

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in…

Read More Etsy's Threat Modeling

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org. I am sorry for any inconvenience this may cause. [Update:…

Read More Mail Chaos

Stefan Larsson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which…

Read More What Security Folks Can Learn from Doctors