Shostack + Friends Blog Archive

Passwords 2016

I’m excited to see the call for papers for Passwords 2016. There are a few exciting elements. First, passwords are in a category of problems that someone recently called “garbage problems.” They’re smelly, messy, and no one really wants to get their hands dirty on them. Second, they’re important. Despite their very well-known disadvantages, and […]

The Rhetorical Style of Drama

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]

The Drama Triangle

As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]

Hate-watching, breaking and building

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan. Hatewatch. Like it’s a word. It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present […]

Mail Chaos

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org. I am sorry for any inconvenience this may cause. [Update: […]

Getting Ready for a Launch

I’m getting ready to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]

What Kip Hawley Doesn't Understand About Terrorism

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs. […]

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]

CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA what the fellow looks like. After you’re done being outraged, […]

Map of Where Tourists Take Pictures

Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.) […]

I have a dream

It’s MLK Day. Here’s a pdf of the speech. Or watch it online:

Repeal Day Rant

Rachel Tayse over at Hounds In The Kitchen has an awesome Repeal Day Rant on why repeal day isn’t as good as it sounds. Yet again I feel a lot less free.

You are being tracked

In this instance, it’s for science, helping a friend do some work on analyzing web traffic. If you don’t like it, please install software that blocks these 1 pixel images from tracking you. Edit: removed the web bug

Parkour Generations Video

I could pretend to tie this to information security, talking about risk and information sharing, but really, it’s just beautiful to watch these folks learn to play:

76% Organic

The back does explain that it’s 76% organic petite sirah, and 24% non-organic grapes. I just thought it was a pretty funny thing to put on the front label, and wonder which consumers are going to be more likely to buy it, knowing that it’s 76% organic.

Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]

Happy Banned Books Week!

Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]

Make the Smart Choice: Ignore This Label

He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]

We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]

Television, Explained

So I’m not sure if Michael Pollan’s “Out of the Kitchen, Onto the Couch” is supposed to be a movie review, but it’s definitely worth reading if you think about what you eat. I really like this line: The historical drift of cooking programs — from a genuine interest in producing food yourself to the […]

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read: The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….” […]

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watches the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]

The Presentation of Self in Everyday Tweeting

Chris Hoff pointed to an interesting blog post from Peter Shankman. Someone* tweeted “True confession but I’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Well it turns out that… Not only did an employee find it, they were totally offended by […]

Ridiculing the Ridiculous: Terrorist Tweets

A group of soldiers with the US Army’s 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft. Realizing that mentioning the word “terrorist” can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter. […]

Monsieur Vuitton, I’m ready for my closeup!

This is the window of a Louis Vuitton store. I found it tremendously striking, and so took some pictures. Setting aside the direct message of “everyone will look at this bag,” I thought what’s interesting is the technological replacement of self with avatar. As if the designer is saying “we no longer want to be […]

Help fund historic computers at Bletchley Park

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of the world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]

No Privacy Chernobyls

Over at the Burton Identity and Privacy Strategies blog, there’s a post from Ian Glazer, “Trip report from the Privacy Symposium,” in which he repeats claims from Jeff Rosen: I got to hear Jeffery Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 […]

Write Keyloggers Professionally!

GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]

One Nation Under CCTV

Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance. Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, […]

Do you feel like we do?

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”. Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, has issued a […]

Damn You, Beaker!

Yesterday Hoff blogged about McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security” and added ten more of his own. I’m particularly annoyed at him for #4: Awareness initiatives are good for sexual harassment and copier training, not security. Why? Because, damn, that really sums it up. I wish that I had thought […]

Invasion Of The Password Snatchers

As I’ve mentioned in the past, my wife is a linguistics professor. Yesterday she came home from work with the following poster. A little research revealed that it and several others were originally commissioned in 2005 by Indiana University as part of their security awareness program that they assembled for national cyber security awareness month. […]

Obscenities in Passwords

El Reg reports that “Pipex invites customer to get ‘c**ted’” in which the generated passwords that the Pipex system suggested contained a rude word. A screenshot is available on the Register article. There is, however, a second obscenity here that is far more subtle. That obscenity is in the password selection advice and suggestions. The […]

Awareness

Last Friday, Amrit again said that no wars are won through awareness and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools by […]