May 2017

Security is hard in the real world. There’s an interesting story on Geekwire, “BMW’s ReachNow investigating cases of cars getting stuck on Washington State Ferries.” The story: a ReachNow customer was forced to spend four hours on the Whidbey Island ferry this weekend because his vehicle’s wheels were locked, making the vehicle immovable unless dragged.…

Read More: The Ultimate Stopping Machine?

(Today) Wednesday, May 24th, 2017 at 1:00 PM EDT (17:00:00 UTC), Chris Wysopal and I are doing a SANS webcast, “Choosing the Right Path to Application Security.” I’m looking forward to it, and hope you can join us! Update: the webcast is now archived, and the white paper associated with it, “Using Cloud Deployment to…

Read More: Adam & Chris Wysopal webcast

In his “ground rules” article, Mordaxus gives us the phrase “stone soup security,” where everyone brings a little bit and throws it into the pot. I always try to follow Warren Buffet’s advice, to praise specifically and criticize in general. So I’m not going to point to a specific talk I saw recently, in which…

Read More: Certificate pinning is great in stone soup

When I saw that Wired had created a list, “20 People Who Are Creating the Future,” I didn’t expect to see anyone in security on it. I was proven wrong in a wonderful way — #1 on their list is Parisa Tabriz, under the headline “Put Humans First, Code Second.” A great choice, a well-deserved…

Read More: Well-deserved accolades

[Update, May 22, added link to “Observing”.] Good posts by Ross Anderson, George Danezis and Steve Bellovin say much of what I’d wanted to say, and more. So go take a read. [Also worth reading “Observing the WannaCry fallout: confusing advice and playing the blame game.”] To what Bellovin says, I would add that 15…

Read More: Hospital Ransomware

The Edge is an interesting site with in depth interviews with smart folks. There’s a long interview with Ross Anderson published recently. It’s a big retrospective on the changes over thirty years, and there’s enough interesting bits that I’ll only quote one: The next thing that’s happened is that over the past ten years or…

Read More: Ross Anderson on Edge

IANS members should have access today to a new faculty report I wrote, entitled “Threat Modeling in An Agile World.” Because it’s May the Fourth, I thought I’d share the opening: As Star Wars reaches its climax, an aide approaches Grand Moff Tarkin to say, “We’ve analyzed their attack pattern, and there is a danger.”…

Read More: Threat Modeling and Star Wars