Shostack + Friends Blog Archive


Security Blogger Awards

Voting for the 2016 Security Blogger Awards are now open, and this blog is nominated for most entertaining. Please don’t vote for us. Along with our sister blog, we’re aiming to dominate a new category next year, “most nominations without a win.”


The Web We Have to Save

Hossein Derakhshan was recently released from jail in Iran. He’s written a long and thoughtful article “The Web We Have to Save.” It’s worth reading in full, but here’s an excerpt: Some of it is visual. Yes, it is true that all my posts on Twitter and Facebook look something similar to a personal blog: […]


Like the birds…

Emergent Chaos has migrated.  It’s a long story, and perhaps better left untold.  Please let us know if you see issues with the new site.


Google Reader Going Away

Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]


WordPress Update

I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)


Security Blogger Awards

The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]


A quick pointer

I wrote a blog post regarding the BSidesSF/RSA conf dust-up. (If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)


Please vote New School

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]


Google+ is not a space for free expression

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]


Relentless navel gazing, part MCXII

Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]


Twitter Tools? Feedback please

So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]


Twitter updates

I’ve decided to experiment with pushing my Twitter feed onto the blog. What do you think? For non-Twitter users, the RT means “re-tweet,” amplifying things that others have said and MT means modified tweet, where the RT plus comment don’t quite fit. If someone has php code to resolve URLs into real URLs, that […]


News Round Up: New blog edition

I’ll be contributing to a new group blog, “I will opt out“. I think that concentrating and combining resources will help the people who care find all the news they want. My first post is at “More news from around the web”


Free Hossein Derakhshan

Apparently, the Iranian Government has sentenced Hossein “Hoder” Derakhshan to 19.5 years in jail for “collaborating with enemy states, creating propaganda against the Islamic regime, insulting religious sanctity, and creating propaganda for anti-revolutionary groups.” If you think putting bloggers or journalists in jail is wrong, please, please take a moment to sign the petition to […]


Bleg: Picture editor?

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]


Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, they don’t always help me find thinks like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]



Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy: “Meeting of the Minds” with Andy Jaquith and myself in either text or audio. Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video


Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]


Security Blogger Awards

We’re honored to be nominated for “Most Entertaining Security Blog” at this years “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability. But, really, there’s no reason for this to be a fair fight. So we’re asking our […]


Text Size (and testing)

Thank you for all the feedback in email & comments. Testing a new font size, feedback is again invited and welcome.



After more than 5 years, nearly 3,300 posts, and 6,300 comments on Movable Type, we’re migrating the blog to WordPress on a new host. Please let us know if I broke something. This is the new machine. Photo: Face the World with a Peaceful Mind, by Ting Hay.


SearchSecurity Top Stories of 2009 Podcast

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 now available for a listen: part 1 (22:58), part 2 is still to come.


Comment Spam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @, or adam @ I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.


The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]


Podcasts with Amrit

I had fun recording Beyond the Perimiter Episode 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!


Renaming the Blog to Emergent Chaos (II)

A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here. At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.


What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]


Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]


Chris, I'm sorry

I hate the overuse of URL shortners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from […]


We Regret The New York Times’ Error

In “Kindling a Consumer Revolt,” I quoted the New York Times: But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.” What […]


Up Again

We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.


Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelen, so Whelen lashed out at Publius. Or so it seems from the nosebleed bleachers […]


Twitter Bankruptcy and Twitterfail

If you’re not familiar with the term email bankruptcy, it’s admitting publicly that you can’t handle your email, and people should just send it to you again. A few weeks ago, I had to declare twitter bankruptcy. It just became too, too much. I’ve been meaning to blog about it since, but things have just […]


Camera thanks!

An enourmous thank you to everyone who offered advice on what camera to get. I ended up with a Canon Rebel after heading to a local camera store and having a chance to play with the stabilization features. It may end up on ebay, but I’m confident I’ll get high quality pictures. If they’re great, […]


Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did I promise to tell you what I wanted to get […]


Congratulations to the Social Security Blog award winners!

A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman […]


The New School Blog

I’m really excited to announce, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew? Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end […]


I Know What I Know

and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott, Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the […]


Twitter + Cats = Awesome

My smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well. I’ve always accused my cats of playing the stereo when I’m not there, and it […]


All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to. I’d like to talk about why I see it as a tremendous positive, and will be doing it again. First, it engages the audience. There’s a motive to pay close attention and […]


Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel. [Update: I […]


What Was Wrong With the Old FISA?

The Get FISA Right group is publicizing our need to re-think the laws. They have discussion going on on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here. I have to ask what was wrong with the old FISA? It wasn’t a bad system, […]


Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger. I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was […]


Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]


Let’s Fix Paste!

Okay, this is a rant. Cut and paste is broken in most apps today. More specifically, it is paste that is broken. There are two choices in just about every application: “Paste” and “Paste correctly.” Sometimes the latter one is labeled “Paste and Match Style” (Apple) and sometimes “Paste Special” (Microsoft). However, they have it […]


$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]


That's some fine discourse, Professor Froomkin

I just wanted to draw attention to the comments in Michael Froomkin’s blog post on “Cabinet Confirmation Mechanics.” I am delighted to have had ‘Jim’ concur with my Constitutional analysis by quoting the closing lines of Ulysses. I’m in awe of your commenters, Michael.


Strange Maps

All from the Strange Maps blog. You could click on the pictures, but this blog is perfect Saturday afternoon “hey look at this” material.


Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]


Eric Drexler blogging

At Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]


Experiences Threat Modeling at Microsoft

A little bit of cross-polination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!


What's in a name(less)?

Me! I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security” Check it out. Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has […]


Adam on CS TechCast

I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now: link to the show Welcome to another podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to […]


The Omnivore's Hundred

I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you […]


Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways. An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid […]


SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]


Silver Bullet podcast transcript

I know there’s a lot of people who prefer text to audio. You can skim text much faster. But there are also places where paper or screens are a pain (like on a bus, or while driving). So I’m excited that the Silver Bullet Podcast does both. It’s a huge investment in addressing a variety […]


Network Security Podcast #109, featuring Adam

I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]


L'affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]


Open thread

What the heck. Let’s see what happens. Comment on what you will.


Adam on "Silver Bullet Security" Podcast

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book […]


Check out these great blogs!

I’m excited and grateful to the Industry Standard for including us in their “Top 25 B-to-Z list blogs.” There’s some great stuff in there which I read, like “Information Aesthetics


Everybody Run, Crispin's Got a Blog

My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is “Security Is Simple: Only Use Perfect Software.” [Update: Added a link to Crispin’s home page, because some readers apparently have trouble with a search engine.]


Ain’t Nobody’s Business But My Own

A year ago, I discussed stupid email disclaimers in, “If I Screw Up, It’s Your Fault!” This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his “They Told You Not To Reply.” Krebs tells the story of Chet Faliszek, who owns the domain, which he bought in 2000 […]


Belva's got a brand new blog

Ken Belva has a new blog at Looks like it is more “formal” and magazine-like than the typical blog, which many people will appreciate. There seems to be a pretty solid collection of contributors, and the hunt is on for additional qualified writers. There’s even a raffle for an iPod (but I already have […]


Threat Modeling Blog Series

Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I’ve put the entire series up as a Word doc: The Trouble With Threat Modeling. [Update: If you want to see all the threat modeling posts, they’re at Threat Modeling SDL blog posts. They’re displayed […]


Saying it loud — OpenID leads to phishing

Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly: OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become. There you have it. It has long been […]


Economist Debates Security V Privacy

The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]


Welcome, SecurityFocus readers

The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, “on Internet time”. Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog’s title. Anyway, Adam, EC’s bandleader, is away from […]


How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker. I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.” I did something similar after “Security Breaches Are Good for You: […]


FEMA’s Fake News Conference

In light of FEMA using our tax dollars to stage a fake news conference, I’d like to take a moment to assure you that none of the Emergent Chaos combo works for the Burton Group, and any softball questions in our interviews are just because we like them. Photo: FEMA news conference, AP. [Update: We […]


How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample: Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from: There are at least two major problems with […]


Blogging @ Work: Blue Hat and Threat Modeling

BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers. The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers. There are posts from Rain Forest Puppy, Halvar […]


Transparency in Government

The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere! In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, “$1 Cdn = $1 US.”


NYT Reporter Has Never Heard of Descartes

Or perhaps more correctly, did not internalize Descartes when he heard of him. In “Our Lives, Controlled From Some Guy’s Couch,” John Tierney writes: Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent […]


Examining Wikipedia Anonymous Edits

It’s recently been amusing to look at where Wikipedia’s anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources. I am most amused by this selfless edit which came from IP address, which translates to I can only think that had the […]


Pseudonyms in the News: Fake Steve Jobs Outed

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs is was thinking of him as Fake Steve Jobs, and nothing more. Sure, it’s all good that his employer was so delighted that FSJ is going to be hosted by them, now, […]


Obligation to Secure

Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.” A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches. This is important because there have […]


Pseudonyms In The News

The Wall Street Journal reports that the CEO of Whole Foods, John Mackey, posted on the Yahoo! Finance board for Whole Foods under the pseudonym Rahodeb, which is an anagram of Mackey’s wife’s given name. (It’s also an anagram of “A Bread Ho,” but since the WSJ doesn’t stoop to that sort of cheap joke, […]


Wretched Word of the Week: Killer

The word “killer” gets used in two wretched ways. The first is Killer Application, and the second is product-killer. They’re each wretched in their own special way. It’s not only cliché to use each term, but in using it, you are nearly guaranteed to be wrong. The original killer application was Lotus 1, 2, 3. […]


Emergent Downtime

We had some downtime after a failure at our hosting facility. We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete […]


DVD Player

[Substantially more than] a week ago, I asked what DVD player I should get. I didn’t get the answer, but I did get a lot of “I’d like to know.” I wanted to share that I ended up with a Philips DVP-5140. It was cheap, there’s an easy fix for the region bug explained in […]


TSA on PBJ: No way

United States congressman Tim Ryan is interested in bringing attention to the meager allotment the U.S. food stamp program provides. This program, for those who don’t know, provides what amounts to scrip which can be used for qualified food purchases to persons who meet a certain needs test. The average food stamp recipient receives $21.00 […]


Reading, Writing, and Arithmetic

I’ve been encountering some really silly software lately. I was trying to visit the homeland stupidity blog, with Safari and the most-excellent pithhelmet, and I get this message: We’re sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server. An invalid request was received from your browser. This may be caused by […]


Shock Horror! Ashcroft Am Not Devil Incarnate!

In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, “News from Bizzaro World: Ashcroft Opposed Taps.” Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I’m not particularly a fan of his, but the Venn diagram of what […]


Facebook Hangover

On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says, What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think… Trust me, it’s worth the look. And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background […]


Interesting Stuff From Microsoft

My colleague Dave Ladd has a post “Security Education v. Security Training:” Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security […]


Daft Bloggers’ Code of Conduct

Tim O’Reilly with the help of others has posted a “Draft Blogger’s Code of Conduct” in reaction to l’affaire Sierra. Forgive me the pedantry, but I’ve corrected the plural in my derivative topic line above. There have been other comments about this in many other places. I’m not a friend of Sierra’s, but I have […]


See, it can be done

I’ll keep this short since you should all be reading Mordaxus’ latest, not this, but speaking of data… This breach report [pdf] from Community National Bank wasn’t sent to consumers, but you can’t say it was short on details.


Names Don’t Matter, Accountability Does

Riffing on what Arthur has said, I’ll take a slightly different exception to Mike Rothman’s rant on anonymity. Kathy Sierra’s been treated pretty shabbily. The problem isn’t anonymity, it’s a lack of accountability. These people are behaving unacceptably, and we don’t know who they are. However, there are cases where people have acted in similarly […]


Ptacek scores, Pre-Blogging Department with the assist!

Matasano’s Thomas Ptacek had a Groucho-like reaction to being included as a “Top 59” infosec influencer in’s recent list. EC’s Pre-Blogging Department was initially caught flat-footed on this, but predicted in an update that Tom’s view would gain traction. And it has. Meanwhile, Mark Curphey has stirred the pot by leaving the Security Bloggers’ […]


"You Don’t Need to See His Identification"

Well, here we are, on a list of top influencers in information security, and we’ve barely said welcome to any new readers! Welcome! If you’re just showing up, we’d like to influence you to understand that identification rarely solves security problems by itself. I posted “You Don’t Need to See His Identification,” using a famous […]


We're number 18, but we try harder…

Adam (or perhaps EC?) is one of the top 59 infosec influencers, sayeth Cool. 18. Adam Shostack Emergent Chaos is a group blog on security, privacy, liberty and economics – a self-declared “Emergent Chaos jazz combo of the blogosphere. ” While the EC bloggers tend to drift off topic with political posts, they […]


"ist nicht verfgbar"

So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future. Oh, and we lost the SSNs of everyone who had […]


Mordaxus, redux

We’ve enjoyed having Mordaxus with us for the last month or so, and are pleased that he’ll be a sticking around as a permanent member of the Combo. A few quick comments on my pseudonomys co-horts. First, why do I have pseudonymous co-bloggers? There’s a long history of artists appearing under names not their own, […]


Speaking of Secret Events You’re Not Invited To

There’s a blogger get together at the Foreign Cinema Wednesday night of RSA. 5PM – 8PM. We’ve been trying to coordinate via email, I but figured we should publicize our secret conference now. Remember, this will be the most blogged event of RSA. If you want in, blog about the event and trackback Martin McKeay. […]


A Request

My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so. The nice folks in NY made […]


Five Things You Don't Know About Me

Dear Bob, You may think I’ve been ignoring your post, but I’ve been trying to decide how to approach it. This morning, courtesy of Scoble, I found Hugh McLead’s post on the subject: I dislike you intensely. I love it when bad things happen to you. When your name is mentioned I immediately try to […]


Would You Do Me A Favor?

Nick Owen posts his favorite blog posts of the year. I have my favorites, but I’m curious. What are yours? What do you remember? We’d love to know.


Relentless Navel Gazing, Part 10

I’ve made explicit that that email addresses are optional when commenting. I’ve added easy links to, Digg, Reddit, Furl, YahooMyWeb and NewsVine.     If you have a bookmark system you’d like me to add, let me know. [Update: More navel gazing: added dates to post footers, and fixed underlining for links in the […]


Million Dollar Blog Post

My friend Austin Hill has put up the Million Dollar Blog Post. They, and their sponsors, will donate up to a million dollars to charity, at $1 per comment. I think charity is tremendously important. I’ve been lucky enough to have a set of skills that are well rewarded in today’s world. (I’m reminded of […]


Introducing Mordaxus

Mordaxus is a longtime former cypherpunk with interests in anonymity, security and usability. He’s been involved in some of the biggest brands in security, and has entertaining stories about some of the most interesting events in information security history. He can’t tell those without giving away his secret identity, and so will focus on adding […]


Corruption-Free Anguilla?

There’s a new blog, “Corruption-free Anguilla.” Long time cypherpunks will remember the joys of the Cable and Wireless contract with Anguilla. From the blog’s inaugural post: The need for such a site is based on the perception that there is much discussion in hushed tones about corruption. No one discusses the matter publicly. The press […]


You Make Me Look Good. Thanks!

In “Our Tax Dollars at Work,” Phil writes: After half an hour I gave up on figuring out how to do my civic duty, and leveraged Adam for some help. He’s my go-to guy for this kind of thing. He has the kind of readership that provides answers in as little as forty earth minutes, […]


RSS Feeds

Thanks for the emails. We’re aware of some problems with the RSS and comments feeds, and will be working through them asap. [Update: Should be fixed, as of Oct 05, 2006 at 05:01:36PM -0400. cw] [Update 2: When Chris said “fixed,” he was of course using the term in the sense of a Vegas prize […]


Chris Walsh on Dark Reading

Our very own Chris Walsh was featured today on Dark Reading. In “Financial Firms Losing Data”, they profile Chris and his research using the Freedom of Information Act to better quantify the nature of privacy breaches in New York. The results may surprise you…


Mea Maxima Culpa

In posting yesterday about Debix, I should have disclosed that I have personal and financial relationships with the company. In addition, I was one of the 54 people in the test, and my fraud alerts did not set properly. I should have disclosed that as well. I apologize for the oversight. My thanks to Mr. […]


Nick Szabo is on a Roll

When I started blogging, I wanted to say one interesting and insightful thing per day. I still do, and so say several things in the hopes that one of them is interesting. Nick Szabo, on the other hand, has apparently been storing them up, and is on a roll lately: “Book consciousness,” on the effects […]


New (Oracular) Blogs

While we’re celebrating, let me tip the hat to three new bloggers: Mary Ann Davidson has a blog, confusingly headlined “Sandra Vaz Blog (en Portuguese!)” I suspect it’s a template issue, but then again, I’ve seen Mary Ann with–oh, I shouldn’t tell you what she put on her name badge at the Exec Women’s Forum […]


Happy Birthday to Us!

Emergent Chaos was launched two years ago today. My very first post was “Why Did Google Pop.” I could go through and talk about my favorite posts, but I’m more interested in your favorites. In the 2 years of operation, we’ve averaged just over 2.5 posts per day, and I think we’ve only been silent […]


Ed Moyle is on a Roll

“Why’s Everybody Pissed at Consumer Reports?” and “Thoughts About OpenOffice” are both great posts.


Emerging from Network Black Holes

Sorry about the downtime. The fine folks who host this blog for us have been having hardware troubles. They’re swapping components around, and we hope it all heals up soon. Photo: Waiting to Breathe, from Stock.xchng.


Anyone Can Be An Expert, All It Takes Is…

In “More Thoughts On Blogging,” Richard wrote about the upsides and downsides: The upside, there’s great information, the downside, there’s more to sift through. It feels to me, before I run to Metricon, that that’s exactly the value: The filters are in everyone’s hands. You do have to look at more, but in doing so, […]


Introducing Richard Stiennon

I’m pleased to introduce the Jazz Combo’s first actual rocket scientist guest blogger, Richard Stiennon. Before founding IT Harvest, a startup dedicated to re-inventing IT research, Richard worked at Gartner and PriceWaterHouseCoopers. He usually blogs at Threat Chaos, and was kind enough to feature Chris and I as his first podcast, in Meet The Security […]


ThreatChaos Podcast Featuring Emergent Chaos

This week marks the first installment of a series of podcasts I am producing called “Meet The Security Bloggers”. I asked Adam Shostack and Chris Walsh to be the guinea pigs for the first one and it turned out really well. These guys write for EmergentChaos, a blog that Adam started. When he got it […]


Questions about 'Ignoring The "Great Firewall of China"'

Later today at the Privacy Enhancing Technologies workshop, , Richard Clayton will be presenting a talk on “Ignoring the Great Firewall of China.” I’ll be the ‘session chair’ for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they […]


Spammers Win? 6Apart Loses? TrackBacks are Off

To a first approximation, all inbound trackbacks here have been spam for a while. As such, they’ve been turned off, and I’ve now made that official by turning them off in the MT layer, so you should no longer see trackback URLs. I thought about this a while back in “Trackbacks vs. Technorati?”



Oops. My bad, I’d turned off comments on a bunch of posts. I think its fixed.


Destructive Chaos

Sorry about the unavailability over the last (unknown time period) My DNS registrar, was under DDOS attack. If you’re reading this, you either have a cache, or the attack has been mitigated in some way. We now return you to your regularly scheduled list of stolen laptops, lost backup tapes, and who knows, maybe […]


Relentless Navel Gazing, Pt 9

I’ve made the text darker, and hope its a tad easier to read, and thanks to N, have finally added a closing quote to blockquotes: blockquote { background: url(“”) no-repeat bottom right; } blockquote:before { content: url(“”); display: run-in ; padding-right: 10px;} The tricky part was to ensure that the closing quotation mark stayed within […]


I find your faith disturbing

Adam, I learned of the flick via a blog unrelated to either Star Wars or computing, so no need for Google. Not to get all “vi vs. emacs” on you, but I never understood the fascination with Star Wars. :^) Photo cred: kemikore


"Worth Reading" (Elements of Blogging Style)

The phrase worth reading is a crutch for lazy writers. I use it a lot, and shall use it less. Please call me, and anyone else you read on this bit of spinelessness in our writing. At least, I’ll endeavor to say why I find something worth reading, and try to suggest which readers might […]


Patents and Comments

The comments on “Patents and Innovation” and “New Products, Emerging from Chaos” have been really good. I want to draw your attention to them, because I’m impressed at how much has been added. I’m really enjoying the feedback, and the ability to continue a thread that’s emerged from a comment. I’m also curious what I […]


Relentless Navel Gazing, Part 8

We made a few changes yesterday. There’s now a special archive page for the “Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars” series of posts. I’ve gotten more kudos for that series than anything else, so added a way for you to read them all in the order they were presented. […]


Ameriprise, 230,000 SSNs, Stolen Laptop

On Wednesday, Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee’s parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports. The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current […]


Anonymous Blogging Wiki!

The Blog Safer Wiki was announced by the Spirit of America’s Anonymous Blogging project. There’s a lot of technology know how, and a lot of cultural issues that go into this, and Curt is doing a great job at bringing the technical knowledge to those who need it, and helping them help each other: Spirit […]



I realized today that Chris Hoofnagle’s blog at EPIC West wasn’t on my blogroll. He’s had lots of important posts up lately, from the informational (“ CA OPP: 13 New Privacy Laws in Effect“) to the amusingly disgusting (“Pretexting Isn’t Lying, According to“) California’s Office of Privacy Protection just released an announcement that 13 […]


How to Blog for Your Company

Here at SiteAdvisor, we strongly believe in the importance of this feature. But we admit that so far we’ve done a mediocre job explaining our motivation and our initial implementation. So writes Chris Dixon in “The Role of Affiliates in Spyware, Adware, and Spam.” Chris is using the Siteadvisor blog as an extended discussion of […]


Two Quick Notes

I’d like to remind everyone that Emergent Chaos now has three people posting, not just Adam. I see comments and links that assume I’m writing everything here, which is a little demeaning to Chris and Arthur. Also, I’d like to remind people that I maintain bookmarks of things I find interesting, but don’t have […]


Relentless Navel Gazing, Part 6

I’ve made a bunch of changes to style and template stuff. Most noticeable should be that post titles are now links to the posts. There’s also a whole lot of consistency improvements for the Moveable Type 3.2 software. The one remaining change is to bring full (extended) entries into the RSS feed. That Mt3.2 software […]


Snarfer RSS Reader

Some friends have just launched Snarfer, a new Windows RSS reader, designed to be fast, efficient, and easy to use. Check it out! If you’re not familiar with RSS Really Simple Syndication, it’s a way to bring lots of content, like blogs, into one place. If I didn’t have NetNewsWire (a Mac client) I couldn’t […]


Elements of Blogging Style

I’ve often thought that I over-analyze some things. But as I enjoy blogging, I’ve come to realize that having standards about the little things helps me write faster and more effectively. More importantly, I hope, they allow you to skim here faster, and retain more of what you’re reading. Bloggers who want to be read […]


Hoder's Denial

Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that […]


No Friday Star Wars Security Blogging Today

Blame Tom Ptacek for ignoring my heroic efforts. My being off with family this week has nothing to do with it. Friday Star Wars Security posts will return next week, with the principle of Least Common Mechanism.


Delicious, Feed Me! is a ‘social bookmark manager.’ It’s a way to bookmark things, and let you see that I’ve bookmarked, and perhaps commented on them. I’m using it more like a “clip blog,” with short commentary on many of the things dropped there. If you read it via the RSS feed, you get my commentary. But […]


What I Want From A Log Analyzer

I’m becoming less and less satisfied with AWStats as a log analyzer. There are some things that it does reasonably well. But I’d really like a lot more. I’d like to be able to see how things have changed day to day (for example, how many new unique visitors did I get today?) I’d like […]


Under The Weather

I’m feeling under the weather today, and so I’m sitting on the morning posts until I have a chance to re-read them. Expect posting to be heavy today, because I can’t do much real work, and have to entertain myself somehow. I’m hopeful that you’ll either be entertained as well, or forgive me for what […]


Thanks, Adam

I’ll confess to some stage fright, since this blog’s readership is probably two or three orders of magnitude larger than what my fortnightly rants over at my place probably garner. Anyway, I hope to have posts forthcoming about a few things, among them CVSS, and research into estimating the impact of security events (variously defined) […]


Introducing Chris Walsh

One of the things that happens as a blog takes on a personality is that readers start to send you links to things that are “more your blog than theirs.” Over the last few months, Chris has fed me something between a third and a half of the breaches listed in my breaches archive. At […]


Now Headlining: The Emergent Chaos Jazz Combo

As I experiment with bringing in guest bloggers, the old subtitle of the blog, ‘Musings from Adam Shostack on security, privacy, and economics’ is now inaccurate. Now I could simply declare this “Adam Shostack and friends,” but that is both boring and, with no offense to my invitees, inaccurate. (I’ve never met the fellow who […]


AOL and DHS: Where's the Proof?

Several folks have sent me a link to a Free Market News article “HOMELAND SEC. SURVEIL ALL AOL FILES,” with a suggestion I link to it. I thought it was squirrelly, but when the normally quality Chief Security Officer Magazine picks it up, I felt a need to respond. And frankly, I call bull. by […]


Blue Hat

I’m at Microsoft’s ‘Blue Hat’ event, and it’s been fascinating. Very senior folks got briefed today while I sat in the back of the room and (mostly) listened. I’ll blog some thoughts shortly, but I expect to continue to be mostly unresponsive through Sunday.


Editorial Parameters?

One of the things that I’ve meant to do here is have a little chaos now and then, and see what emerges. One type of chaos that I’ve been aiming for is carefully selected guest bloggers. In talking to someone about that, he asked: What are the editorial parameters? Looking to avoid a possible “I […]


"A Reader Writes…"

Rob Sama IM’d me a link to some Mac launch rumors at “” He then commented: Rob: I was the one who pointed that out to Cringley, and Calzone had pointed it out to me Adam: and you got no cred? Rob: I guess. I mean, columnists like that often say “a reader told me…” […]


The Memory Hole

As an aside in a longer article, Dan Markel writes: As a matter of blogging ethics, I think the way to handle it is to post an apology and clarification and to remove the inaccurate material, with a followup email that clarified the situation. This is dangerously wrong. The inaccurate material needs to stay, because […]


Thoughts on RSS Feeds

I spent a lot of energy to make Emergent Chaos look nice. And how do you all repay me? You read the RSS feeds. Most of my readership (85% or so) are reading via RSS. Which is nice. It says that there’s a core of folks who are interested in what I have to say, […]


Blogroll Rolls On

I’ve deleted Geoff’s ScreenDiscussion for negligent posting, and added Mario’s blog, Ed and Diana at Security Curve and TQBF and his service-oriented chargen 19/udp.


300,000 words and counting

It’s my one year blogiversary. In that time, about 300,000 words including comments and trackbacks have been posted in 957 articles. That’s a little over 2.6 articles a day, some of which some of you seem to have enjoyed reading. Moveable type added about 40,000 words of html tags, colon tagged junk etc. So, really, […]


Your Questionable Content (redux)

Thanks for your patience, I think we’ve solved the problem. Some comments may be moderated, but the rejection should be done. Please email if there’s any more rejections.


Your Questionable Content

A couple of people have mentioned that something in the comment posting code is rejecting their comments for “questionable content.” I’m very sorry, and am working with my fine technical support staff to try to solve it. If this happens to you, please email me: emergentchaos & gmail & com, and I’ll try to post […]


Gaze Into Navels!

There’s a new feed, of posts + comments, available here: RSS. (It’s also on in the little “blog tech stuff” list, if you want to come back to see it later.) Thanks to Lisa for setting this up!


Ping Flood

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top of his blog. Who knew he’d invent a new denial of service attack?


Hoder, US: Ahmadinejad not Hostage Taker

On June 30th, Hoder says: “As much as I dislike Ahmadinejad, I don’t think the guy in this picture is him. They look similar, but have differenet eyes and eyebrows.” The LA Times. I reported on the story in “Iran’s New President a “Moderate”.”


Why I Read Blogs

In a post titled “Why Blog, Anyway, Mark makes a really good point: And what about the audience? Readers who don’t blog may not be aware of how much bloggers want readers. Part (I suspect a very big part for most) of it’s an ego thing, like people on soapboxes at the town square with […]