About

Adam Shostack & friends is the successor to both the Emergent Chaos blog and the New School of Information Security blog. Set up for different purposes, over time, they converged. Archives for both are maintained here.

Emergent Chaos

Emergent Chaos is a group blog on security, privacy, liberty, and economics. We declared ourselves the Emergent Chaos jazz combo here.

We’ve gotten a bunch of awards over the years, including “The Industry Standard’s Top 25 B-to-Z list blogs.”

Adam Shostack is bandleader, and founded the blog. His homepage is here. He’s also the author of Threat Modeling: Designing for Security and co-author of The New School of Information Security.

Chris Walsh is a longtime contributor, and motivated us to turn into a combo.

Arthur’s bio is too long to fit in the margin of this page.

Mordaxus is a sharp-tongued Valley technologist who got into security when it became trendy. He’s been there since.

When speaking here, we speak for the President of the United States more often than we speak for our employers. We speak for each other only when we say so. You can speak to us by mailing bloggername@emergentchaos.com

The image in our header is a cropped version of an untitled Creative Commons-licensed image by Dave Mathis. The original is here.

New School

The New School of Information Security is a book by Adam Shostack and Andrew Stewart, published by Addison-Wesley Professional in 2008. (Amazon page, Addison Wesley page)

The blog is inspired by the book and the movement towards a New School. We have a page on the book itself, including reviews and some podcasts which Adam has done.  Writing for the New School blog is our roster of resident writers, as well as guest bloggers who appear from time to time (if you think you’re New School and would like to guest blog – please get in touch with us by emailing nssbloggers at Google’s mail service.)

Resident & Guest Bloggers on NewSchoolSecurity.com are speaking only for themselves, not their employers, the other bloggers, Addison-Wesley, or for Adam Shostack or Andrew Stewart or their employers.

Additionally, this site is insecure, and is probably hosting the 0day of the week, to pwn you. We recommend not trusting it or putting it into your whitelist.

Lastly, the bloggers here collectively have decades of experience and spend a great deal of time deeply understanding problems which are presented to them in their professional capacities. What they write here is generalized perspective, and you would be foolish to believe that it is customized for your situation.

We agree with resident blogger Chandler Howell when he says, “biographies are hard…how to self-promote enough that I sound like I’m worth reading, yet not so much that it sounds like BS or something the marketing folks would write…”

So with that in mind, here’s a bit about who we are:

Adam Shostack is co-author of the New School of Information Security (the book). He helped found the CVE, the International Financial Cryptography Association, and the Privacy Enhancing Technologies Symposium. He has been a leader at several successful startups including Netect, Zero-Knowledge Systems and Reflective. He currently works for a software company in the Pacific Northwest. His personal site is Adam Shostack’s home page.

Chandler Howell was one of the first bloggers to focus on Information Risk rather than IT Security.  Prior to moving into Information Protection, he spent time as a *NIX Admin and coded risk management models for a global investment bank.  He has formed and led the Information and IT Security functions at both start-ups and Fortune 500 companies.

Currently, he lives in Chicago where he leads the Information & IT Security functions for a mid-size gaming machine manufacturer.

Alex Hutton has been involved in InfoSec in some capacity since 1994 when he was asked to educate customers as to why they needed these expensive “firewall things”.  Sometimes his role has been marketing, sometimes management, sometimes consultant, sometimes analyst.  Alex likes blogging about risk and security management (both in their more traditional, non-industry connotations).  He works in Risk Intelligence for a Fortune-something company.

David Mortman is the CSO-in-Residence for Echelon One, where he is responsible for their Research and Analysis program and also writes regularly for SearchSecurity.com. Formerly the CISO for Siebel Systems, David and his team were responsible for both IT and Product Security as well as Siebel’s Privacy program. He was also heavily involved in Siebel’s compliance efforts. David sits on several advisory boards and is a well-known speaker with regular appearances at RSA, Blackhat and Defcon to name a few conferences. Currently residing in Columbus, OH, David is an alumnus of the University of Chicago.

Brooke Paul is the former Senior Vice President and Chief Information Security Officer of American Financial Group (AFG), a Fortune 500 insurance company.  He has also been CEO & President of Neohapsis, one of the premier information security and IT risk management service organizations in the world.