Shostack + Friends Blog Archive

A while back I wrote an article on reusable code for ThreatPost. Today’s Dilbert, has an alternate, equally useful take on reusable code.

From BoingBoing: Somali nautical pirates have established a stock-market where guns and cash are invested in upcoming hijackings, with shares of the proceeds returned to investors Emergent Chaos strikes again…

Chris Soghoian, who we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US. Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of […]

This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI. According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than […]

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers. Similarly, the American Institute […]

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]

or why RSnake will never be allowed to play video blackjat or poker at Blackhat ever again. Rsnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]

Yesterday, Luis Armando Peña Soltren was arrested after forty years on run for hijacking a plane to Cuba. Soltren “will finally face the American justice system that he has been evading for more than four decades,” said U.S. Attorney Preet Bharara. I understand that Woody Allen, Martin Scorsese and David Lynch are already circulating a […]

I am honored that the kind folks at threapost have asked me to write for them occasionally. My first post is about better security through diversity of thinking which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well) It is my experience that unless you push […]

Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK. Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control […]

There was a lot of news when Henry Lewis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rate. Time magazine had a recent article about this, Do You Have the […]

Statistically speaking, 6 out of 7 dwarves are not happy. [via zem42]

Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]

Quick follow up to Adam’s Monday post New on SSRN. Rob Westervelt over at SearchSecurity.com tells us about a social network privacy study finds identity link to cookies. Turns out that passing unique identifiers in referring URLs isn’t such a smart idea after all. Color me shocked. The full paper is linked to from Rob’s […]

Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for […]

John Viega recently published a new book: The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know. It’s a great read, especially if you are new to or are interested in the security industry as a whole. However, even if you are a long term security veteran, you will find it […]

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]

Remember Identity Theft isn’t getting your credit card stolen, that’s fraud. Having the records that define who you are to an entire country and determine whether you can get a relatively high paying job get stolen. That’s identity theft…

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception. In his most recent post, How many rotten apples will spoil the barrel, he asks: So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are […]

aka it’s not nearly as funny when you are the subject of the probe. At a recent conference Justice Scalia said “”Every single datum about my life is private? That’s silly,” Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on […]

(26 Apr 2009)

If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!

(h/t to Concurring Opinions) The Daily Show With Jon StewartM – Th 11p / 10c Bill O’Reilly’s Right to Privacy Daily Show Full EpisodesImportant Things With Demetri Martin Funny Political NewsJoke of the Day

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below: Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis? No. Not one, not even a single one! Yet, the basic […]

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography think’s it is “a dead duck”: The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable […]

As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this: 1. Exploratory hacking 2. Vandalism 3. Hactivism 4. Cyber crime 5. Information Warfare It turns out that this hierarchy is also a predictive time line. Obviously we are […]

The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wellsfargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees. […]

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was […]

Well, yeah. Of course. The perfect storm for a new wave of attacks: 1. New protocol catching on fast that involves completely trusting clients. 2. Insecure servers maintained by inexpereinced sys-admins. 3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?) A report out of SpiDynamics at BlackHat this week: Attackers […]

Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch. The one question I have for everyone, bloggers and blog […]