Shostack + Friends Blog Archive



The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version:  HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually […]


Some random cloudy thinking

Thanks to the announcement of Apple’s iCloud, I’ve been forced to answer several inquiries about The Cloud this week.  Now, I’m coming out of hiding to subject all of you to some of it… The thing that you must never forget about The Cloud is that once information moves to The Cloud, you’ve inherently ceded […]


A Few Data Points

First, for those who might have missed it, Google has released Google Refine, a free tool for cleaning dirty data sets.  It allows you to pull in disparate data, then organize and clean it for consistency. Next, some interesting thoughts on how “anonymized” data sets aren’t, and some thoughts on the implications of this from […]


Measurement Priorities

Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we should, in large part because some variation of this question is not asked. I’m going […]


Can't measure love

But you can still evaluate the quality of the effort Likewise, there’s a lot that you can’t measure about security and risk, but you can still infer something from how the effort is pursued.


Be celebratory, be very celebratory

A reminder for those of you who haven’t read or watched “V for Vendetta” one time too many, it’s Guy Fawkes Day today: The plan was to blow up the House of Lords during the State Opening of Parliament on 5 November 1605… …Fawkes, who had 10 years of military experience fighting in the Spanish Netherlands in […]


Don't fight the zeitgeist, CRISC Edition

Some guy recently posted a strangely self-defeating link/troll/flame in an attempt to (I think) argue with Alex and/or myself regarding the relevance or lack thereof of ISACA’s CRISC certification.  Now given that I think he might have been doing it to drive traffic to his CRISC training site, I won’t show him any link love […]


CRISC? C-Whatever

Alex’s posts on Posts on CRISC are, according to Google, is more authoritative than the CRISC site itself: Not that it matters.  CRISC is proving itself irrelevant by failing to make anyone care.  By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public […]


Friday Visualization: Wal-mart edition

I’ve seen some cool Walmart visualizations before, and this one at FlowingData is no exception. The one thing I wondered about as I watched was if it captured store closings–despite the seemingly inevitable march in the visualization, there have been more than a few.


Life without Certificate Authorities

Since it seems like I spent all of last week pronouncing that ZOMG!  SSL and Certificate Authorities is Teh Doomed!, I guess that this week I should consider the alternatives.  Fortunately, the Tor Project Blog, we learn what life is like without CA’s Browse to a secure website, like You should get the intentionally […]


More Bad News for SSL

I haven’t read the paper yet, but Schneier has a post up which points to a paper “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang.about a new side-channel attack which allows an eavesdropper to infer information about the contents of an SSL […]


Smoke, Fire and SSL

Where there’s smoke, there’s fire, goes the adage. And in the case of an allegedly-theoretical exploit outlined in a new paper by Chris Soghoian and Sid Stamm (the compelled certificate creation attack), the presence of a product whose only use it to exploit it probably indicates that there’s more going on than one would like […]


Well that didn't take long…

The Guardian has reported the first official incident of misuse of full-body scanner information The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 […]


Asking the right questions

Schneier points me to lightbluetouchpaper, who note a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge […]


Human Error and Incremental Risk

As something of a follow-up to my last post on Aviation Safety, I heard this story about Toyota’s now very public quality concerns on NPR while driving my not-Prius to work last week. Driving a Toyota may seem like a pretty risky idea these days. For weeks now, weve been hearing scary stories about sudden […]


Human Error

In his ongoing role of “person who finds things that I will find interesting,” Adam recently sent me a link to a paper titled “THE HUMAN FACTORS ANALYSIS AND CLASSIFICATION SYSTEM–HFACS,” which discusses the role of people in aviation accidents.  From the abstract: Human error has been implicated in 70 to 80% of all civil […]


V-22 Osprey Metrics

Metrics seem to be yet another way in which Angry Bear noticed that the V-22 Osprey program has hidden from its failure to deliver on its promises: Generally, mission capability runs 20% higher than availability, but availability is hidden on new stuff, while shouted about on older stuff, because there would be severe embarrassment if you […]


How not to do security, Drone Video Edition

This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment. Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology.  But it’s OK, because according to the […]


Airplane Terrorism, Data-Driven Edition

I’m just off a flight from London back to the United States and I’m hesitant to attempt to think while jet-lagged.  I’ll have some more thoughts and first-hand observations once my head clears, however. In the meantime, Nate Silver has broken down the risk of terror attacks on airplanes so I don’t have to.  Summarizing […]


All in the Presentation

America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of […]


Engineers vs. Scammers

Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.”  The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from […]


Visualization Monday: Storage

This is cool.  Visualization of relative storage capacities in terms of media and format. Notice that it goes all the way back into pre-digital forms, a subtle tweak that I’ll bet a lot of people miss on first inspection.  Too bad, too, since the ability to seamlessly compare seemingly-different things is a valuable skill when […]


Rational Ignorance: The Users' view of security

Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]


Cures versus Treatment

A relevant tale of medical survival over at The Reality-Based Community: Three years ago a 39-year-old American man arrived at the haematology clinic of Berlin’s sprawling Charité hospital. (The venerable Charité, one of the great names in the history of medicine, used to be in East Berlin, but it’s now the brand for the merged […]


More Friday Skepticism

Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic h/t BoingBoing


Death-related items

I’m cleaning out my pending link list with couple morbidly-thematic links. Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack.  For example… You are 1048 times more likely to die from a car accident than from a terrorist attack You are 12 times more likely to die from […]


Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air.  See, for example, this news story on PC makers’ efforts to comply, which points out that Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam […]


The Art of Living Dangerously

I haven’t had a chance to read it, but I’ll probably pick up “Absinthe and Flamethrowers: Projects and Ruminations on the Art of Living Dangerously” at some point, if only because of the author’s writing on the relationship between risk and happiness says something I’ve always suspected, that risk takers are happier than risk avoiders […]


Pirates, Inc.

I found this short documentary about piracy around the Straits of Malaca to be an interesting view of the reality of pirate life as a last refuge of the unemployed fisherman to be an interesting counterpoint to the NPR Story, “Behind the Business Plan of Pirates, Inc.” which provides an altogether different view of the […]


Definitions: cloudenfreude

cloudenfreude — Feeling of happiness at watching the discomfort of others, especially senior management, as they accept in aggregate for *aaS the same risks which were easily accepted piecemeal over time for the analgous service internally.


Standing Still

Following up on Ben’s comment to s/green/secure/g, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. I’ll argue it’s even worse than that. Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind.  One of […]


How to be Cyberscary

The intersection of cime and technology is a fascinating place.  Innovation of fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing.  Unfortunately, the noise coming from journalists in this space is so […]