Google Docs has chosen to red-underline the word “feasible,” which, as you can see, is in its dictionary, to suggest “possible.” “Possible,” possibly, was not the word I selected, because it means something different. Good writing is direct. Good writing respects the reader. Good writing doesn’t tax the reader accidentally. It uses simple words when…Read More The Road to Mediocrity
“90% of attacks start with phishing!*” “Cyber attacks will cost the world 6 trillion by 2020!” We’ve all seen these sorts of numbers from vendors, and in a sense they’re April Fools day numbers: you’d have to be a fool to believe them. But vendors quote insane because there’s no downside and much upside. We…Read More Leave Those Numbers for April 1st
As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations. I’m a big fan of the whiteboard-driven dialogue part of threat modeling. That’s where we look at a design, find…Read More Threat Model Thursday: Talking, Dialogue and Review
Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t…Read More Security 101: Show Your List!
So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t…Read More How to Ask Good Questions at RSA
The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you,…Read More Is there "Room for Debate?" in Breach Disclosure?
A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there…Read More The High Price of the Silence of Cyberwar
There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in…Read More Infosec Lessons from Mario Batali's Kitchen