Threat Model Thursday: Legible Architecture

The image above is the frequency with which streets travel a certain orientation, and it’s a nifty data visualization by Geoff Boeing. What caught my attention was not just the streets of Boston and Charlotte, but the lack of variability shown for Seattle, which is a city with two grids.

But then there was this really interesting tidbit, which relates to threat modeling:

Kevin Lynch defined “legible” cities as those whose patterns lend themselves to coherent, organized, recognizable, and comprehensible mental images. These help us organize city space into cognitive maps for wayfinding and a sense of place.

One of the questions I get all the time is ‘what’s the right way to model this system?’ And the answer is the right way is the way that helps you find threats. A good system model balances detail with abstraction. It’s laid out in a way that uses space and relative position to help the viewer follow a story.

Sometimes the underlying physical or logical reality makes that easy. Other times, the reality is more like the streets of Boston, and the official map draws a simple picture with the southern Red Lines being the same length, and similar visual portrayal of the Green Line. But the second map, from, shows a very different picture.

Boston Subway Map official
Boston map geographic

What’s the right model? What’s the legible architecture of a system?

Modeling a system that’s grown organically over decades is a very challenging task. That’s true of Windows, that’s true of many large enterprise systems, that’s true of the air traffic system. One of the advantages that cloud architectures bring is the opportunity to sweep away some of that historical complexity, and to create comprehensible models. That simplification carries value in terms of architectural consistency, makes it easier to impose checkpoints, and will be augmented over time with the accretion of complexity, inflexibility and eventually need to be swept away itself. That’s rarely easy even when computers are like crops, rather than like pets.

As your threat modeling evolves, it’s important to ask: what’s the legible architecture of these systems?

That’s emphatically not because legible architecture is a goal. It’s a tool. Having understandable models of your systems makes it easier for everyone to interact with them, and that makes design easier, it makes evolution easier. Legible architecture is a property that makes other properties easier to achieve.

Toolbox: After a Conference

Wow. Blackhat, Defcon, I didn’t even make the other conferences going on in Vegas. And coming back it seems like there’s a sea of things to follow up on. I think a little bit of organization is helping me manage better this year, and so I thought I’d share what’s in my post-conference toolbox. I’m also sharing because I don’t think my workflow is optimal, and would love to learn from how others are working through this in 2018 with its profusion of ways to stay in touch.

First, I have a stack of queues to process:

  1. Email. My inbox, but I also have a folder called “followup.” I move a lot out of my inbox to the followup folder so I can see it when I’m back from travel. (I also have a set of monthly sub-folders: followup/august, followup/september, they let me say “I’ll get back to you in three months.”)
  2. Signal
  3. iMessage. For both of these, I go back through the conversations I’ve had, see if I had followups or if I dropped the ball on someone.
  4. Linkedin. I get a lot of linkedin requests, and I’m a fairly open networker. Sadly, the UI works very poorly for me. I would love to hear about tools that allow me to effectively move messages to something other than a LIFO queue.
  5. Workflowy. I’m experimenting with this as a note taking tool, and it’s not bad. It’s a bit of a pain to extract the data (for example, I can’t email myself a branch of the tree), but copy and paste from the website is decent. It turns out the website has great export, but still learning.
  6. Business cards. I go through the whole stack of cards for todo items. I try to write notes on business cards. I discovered I did that on one of 6 cards where I remembered something. That’s not very good odds, and forces me to consider what I might have missed. Still exploring how to make best use of cards without notes. Advice really welcome here.
  7. Slack channels. Go through, look at DMs and channels. I suppose I should use some feature to note that I intend to followup. Is the Slack way to say “come back to this” to star a message?
  8. Calendar. For each meeting, think about the meeting, check my notes, see if I remember followups or things that didn’t make it to an email/workflowy note. And yes, there were several discussions that I know we discussed followups that I re-discovered by looking at my calendar.
  9. Photos. Photographs are the new note-taking, and so going back through pictures you took is important.
  10. Twitter, Facebook. I’m trying to break from Twitter, and don’t use Facebook, but I figured I’d include them here because they’re maybe worth remembering.

After the queues, as a consultant, I have customer work to get back to and sales contacts to followup on. I have expenses. I haven’t found an expense app that I really like, and so I stuff receipts in an envelope each evening, and then deal with them when I get home.

If I missed any followups, I’m sorry. Please reach out!

But more, I’m curious what works for you? What’s in your toolbox?

Photo: Patrick Perkins.

Aretha Franklin

I remember an interview I read with Ahmet Ertegün, the founder of Atlantic Records. He was talking about Aretha, and he said that one of his producers came in, saying that she wasn’t measuring up. He asked the producer what was up, and was told that they were trying to get her to sing like the other successful soul singers, and it wasn’t working out.

Ertegün told the producer that he saw the problem, sitting right there. The fellow didn’t want to let Aretha do what she knew, which was gospel.

There’s a lot of wisdom in that short story, from not wanting to impose our vision of what people should be, to seeing the root of a problem.

In the meanwhile, I just hope that she pulls through. She’s given a lot of joy to a lot of people, and she deserves a long, happy retirement.

Congratulations to the 2016 winners!

  • Dan Geer, Chief Information Security Officer at In-Q-Tel;
  • Lance J. Hoffman, Distinguished Research Professor of Computer Science, The George Washington University;
  • Horst Feistel, Cryptographer and Inventor of the United States Data Encryption Standard (DES);
  • Paul Karger, High Assurance Architect, Prolific Writer and Creative Inventor;
  • Butler Lampson, Adjunct Professor at MIT, Turing Award and Draper Prize winner;
  • Leonard J. LaPadula, Co-author of the Bell-LaPadula Model of Computer Security; and
  • William Hugh Murray, Pioneer, Author and Founder of the Colloquium for Information System Security Education (CISSE)

In a world where influence seems to be measured in likes, re-tweets and shares, the work by these 7 fine people really stands the test of time. For some reason this showed up on Linkedin as “Butler was mentioned in the news,” even though it’s a few years old. Again, test of time.

Threat Modeling Thursday: 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series.

As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes. But it’s coming together nicely.

The current core outline is:

  • What are we working on
    • The fast moving world of cyber
    • The agile world
    • Models are scary
  • What can go wrong? Threats evolve!
    • STRIDE
    • Machine Learning
    • Conflict

And of course, because it’s 2018, there’s cat videos and emoji to augment logic. Yeah, that’s the word. Augment. 🤷‍♂️

Wednesday, August 8 at 2:40 PM.

* Oh, and note to anyone speaking anywhere, and especially large events like Blackhat — as the speaker resources say: practice, practice, practice.

Half the US population will live in 8 states

That’s the subject of a thought-provoking Washington Post article, “In about 20 years, half the population will live in eight states,” and 70% of Americans will live in 15 states. “Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent.” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically.

Maybe you think that’s good, maybe you think that’s bad. It certainly leads to interesting political times. Maybe even a bit of chaos, emerging.