Shostack + Friends Blog Archive

 

Threat Modeling the PASTA Way

There’s a really interesting podcast with Robert Hurlbut Chris Romeo and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and back again. There’s a section where they discuss the idea of “think like an attacker,” […]

 

Learning from Our Experience, Part Z

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they are looking to learn from previous incidents and mistakes: zombies. From “The Zombie Survival Guide: […]

 

Current Reading

[Update, Feb 20 2017: More reading: Trump and the ‘Society of the Spectacle’.]

 

Tacoma Narrows and Security

I always get a little frisson of engineering joy when I drive over the Tacoma Narrows bridge. For the non-engineers in the audience, the first Tacoma Narrows bridge famously twisted itself to destruction in a 42-mph wind. The bridge was obviously unstable even during initial construction (as documented in “Catastrophe to Triumph: Bridges of the […]

 

Threat Modeling, Chinese Edition!

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

The Evolution of Secure Things

One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]

 

On Language

I was irked to see a tweet “Learned a new word! Pseudoarboricity: the number of pseudoforests needed to cover a graph. Yes, it is actually a word and so is pseudoforest.” The idea that some letter combinations are “actual words” implies that others are “not actual words,” and thus, that there is some authority who […]

 

Usable Security: History, Themes, and Challenges (Book Review)

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because they have information that the computer doesn’t. My favorite example is the Windows “new network” […]

 

Thanks, Bruce!

Bruce Schneier says nice things about my latest book.

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 

Threat Modeling: Designing for Security

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

 

What's Copyright, Doc?

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday. Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public […]

 

A Mini-Review of "The Practice of Network Security Monitoring"

Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]

 

A Very Late Book Review

I have to start off by apologizing for how very late this review is, an embarrassing long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch for those that aren’t familiar is a kids oriented programming language designed by Mitchel Resnick […]

 

The Plateau Effect

The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]

 

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]

 

What story was that?

A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term. I know you’re all smart and good looking and at least one of you will know the exact author and title.

 

Dennis Fisher's Novel ("Motherless Children") is out

You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out. I’ll get my review done shortly, but I wanted to help spread […]

 

Book Review: Cloud Security Rules

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-start cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus […]

 

Book review: "The Human Contribution"

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full […]

 

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

 

Nelson Mandela

Twenty years ago today, Nelson Mandela was released from prison on Robben Island, where he was imprisoned for 27 years for considering violence after his rights to free speech and free association were revoked by the government. I learned a lot about the stories when I visited South Africa, and then more when my mom […]

 

Today in Tyrranicide History

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussien and other tyrants. The story of how John Cooke built his arguments against that claim is […]

 

The Lost Books of the Odyssey

You should go read The Lost Books of the Odyssey. You’ll be glad you did. I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, […]

 

Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]

 

Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]

 

Tetraktys is the Best Cryptographic Novel Ever

I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve. It’s a highly readable first novel by Ari Juels, who is Chief Scientist […]

 

Podcasts with Amrit

I had fun recording Beyond the Perimiter Episode 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!

 
 

Kindle Brouhaha Isn't About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]

 

Mr. Bureaucrat, Please Report to Room 101

As I’ve said before, all non-trivial privacy warnings are mocked and then come true. Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual. Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s […]

 

Would Anne Fadiman buy a Kindle?

If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re […]

 

Applied Security Visualization

Our publisher sent me a copy of Raffael Marty‘s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. […]

 

Congratulations to Raffy!

His book, Applied Security Visualization, is now out: Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work […]

 

Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, […]

 

Aleksandr Solzhenitsyn, RIP

The author of The Gulag Archipelago and other important works on the barbarity of the Soviet Union passed away today. Aleksandr Solzhenitsyn was 89. My sympathies to his family and friends.

 

How much work is writing a book?

There’s a great (long) post by Baron Schwartz, “What is it like to write a technical book?” by the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit: I can’t tell you how many times I asked […]

 

To the moon!

In name only, but NASA will be sending a database of names to the moon on the forthcoming Lunar Reconnaissance Orbiter. You can add yours. Oh, the name? seemed right when I wanted one with a quote in it. [Update: Securology posted “ Sending Bobby Tables to the Moon,” which is funnier, if more likely […]

 

Fasilyce, upon Reading

Dear Mr. Banks, Much as I enjoy your work, it is entirely dis-congruous to your readers to insert words known to neither the Oxford English Dictionary or the internet (as indexed here, here or here) whose meanings are not rapidly comprehensible. Thank you for your future attention to this matter. I remain, etc, etc.

 

Bush’s Law — Less Safe, Less Free

I’d like to review two recent books on the war on terror: “Bush’s Law: The Remaking of American Justice” by by Eric Lichtblau, and “Less Safe, Less Free: Why America Is Losing the War on Terror” by David Cole and Jules Lobel. Both are well written assaults on the way in which the Bush administration […]

 

Good problems to have

You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while […]

 

More New School Reviews

Gary McGraw says buy it for the cover: The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become […]

 

Generativity, Emergent Chaos and Adam Thierer

Jonathan Zittrain, a professor at Oxford, has a new book, “The Future of The Internet.” He’s adapted some of the ideas into a long and worthwhile essay, “Protecting the Internet Without Wrecking It.” In that essay, he uses the term “generativity” to refer to a system which has what I would call ’emergent chaos.’ A […]

 

Dan Solove's books free and online

Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free. I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many […]

 

Dan Geer: Economics and Strategies of Data Security

Speaking of books: This book explores the dramatic shift from infrastructure protection to information protection, explaining why data security is critical to business today. It describes how implementing successful data security solutions across sophisticated global organizations requires a new data-centric, risk based and strategic approach, and defines the concepts and economics of a sound data […]

 

The New School of Information Security

A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley. My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make […]

 

Scott Page’s The Difference

A lot of people think of calls for diversity as fuzzy headed liberalism at its worst. If you’re one of them, please keep reading. Or you could click here and just

 

Computer Capers and Progress

We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside. What, might you ask, can we learn from a 30 year old text? Nothing has changed. Except, for some of the names. Donn Parker is in there, as are a melange of […]

 

How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it […]

 

Book on Boyd

Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price. Science, Strategy and War is an academic analysis of the John Boyd’s thinking and its […]

 

A quick pointer

Adam has made several posts about it being ‘good for you’ to open up about data breaches. Unfortunately, keeping a lid on the info is a stable equilibrium. This situation is what economists would call an Assurance Game. A quick pointer to a post I made reviewing a very good book on how to get […]

 

She’s Such A Geek

Longtime geek author Annalee Newitz and Charlie Anders, published She’s Such A Geek last year. I’ve been meaning to blog about this for a while It’s a collection of over 20 essays by women geeks. These essays cover the trials, tribulations and joys of being a female geek. At times entertaining and other times depressing, […]

 

Cleaning Up

If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security. John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in […]

 

Pragmatic Redux

Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is: The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he […]

 

The Pragmatic Reviewer

Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. […]

 

My Advice for the Pragmatic CSO

Mike Rothman writes: On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & […]

 

Read any good books lately?

Do share your opinions and suggestions. Personally, I don’t read enough, and I stay within a too-narrow comfort zone of UNIX geek material. Help me, and other EC readers similarly situated. It’d be nice if the techie side of infosec was not the subject (Rich Bejtlich has that covered anyway) I wrote up a review […]

 

A Moment of Silence

Ahmet Ertegun has passed away. Ertegun founded Atlantic Records because he loved music, and at 83, the BBC reports: He suffered a head injury when he fell at a Rolling Stones concert at New York’s Beacon Theatre in October, and died after slipping into a coma. (Emphasis added.) His book “What I’d Say: The Atlantic […]

 

Security Development Lifecycle, the Book

Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner: This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to […]

 

"The Far Enemy"

I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global ” by Fawaz Georges for quite some time. The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” […]

 

How New Ideas Emerge From Chaos

There’s an interesting contrast between “The Problem With Brainstorming” at Wired, and “Here’s an Idea: Let Everyone Have Ideas” at the New York Times. The Problem with Brainstorming starts out with some history of brainstorming, and then moves to its soft underbelly: The tendency of groupthink to emerge from groups: Thinking in teams, and pitching […]

 

Beautiful Evidence

Edward Tufte’s new book, Beautiful Evidence, is now at the printer and should be available in May 2006. The book is 214 pages, full color, hard cover, and at the usual elegant standards of Graphics Press. (Thanks, Mr. X!)

 

Security and Usability

Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and […]