Shostack + Friends Blog Archive


Humans in Security, BlackHat talks

This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized: BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have […]


RSA Planning

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]


Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]


The Drama Triangle

As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of, (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]


Conference Etiquette: What’s New?

So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious.” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside, […]


Workshop on the Economics of Information Security (WEIS)

The 13th annual Workshop on the Economics of Information Security will be held at Penn State June 23-24, and the call for papers is now open. I’m on the program committee this year, and am looking forward to great submissions.


Privacy Enhancing Technologies Registration now open

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.


Workshop on the Economics of Information Security

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]


AdaCamp: San Francisco June 8-9

(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]


Hacking Humans at BlackHat

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]


Base Rate & Infosec

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]


SOURCE Seattle

I’ll be at SOURCE Seattle this week. I’m really excited to be speaking on “Security Lessons from Star Wars” at 10AM today.


Smashing the Future for Fun and Profit

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on: I’m excited to have been a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and […]


My BlackHat Plans

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at […]


My AusCert Gala talk

At AusCert, I had the privilege to share the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars. I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That […]


Toorcamp: Gender Issues, Cognitive Psychology and Hacking

So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwestern corner of the US, and […]


A quick pointer

I wrote a blog post regarding the BSidesSF/RSA conf dust-up. (If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)


We Robot: The Conference

This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]


Photoblogging CHI2011

Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, […]


The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]


"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]


Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.


Hacker Hide and Seek

Core Security’s Ariel Waissbein has been building security games for a while now. They were kind enough to send a copy of their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]


SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]


Elevation of Privilege: The Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).


Podcast on ISM3

Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno, “ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT” (audio), or you can read the transcript. It was fun, and the podcast is short and to the point. […]


CFP: 9th Workshop on the Economics of Information Security (WEIS)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.


Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]


Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris ] Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the […]


Mini Metricon 4.5 Call For Participation

Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees […]


Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]


SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.) So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an […]


Security & Human Behavior

I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.


How to Present

As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle. As I think about how to deliver […]


Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did promise to tell you what I wanted to get […]


Registration now open for WEIS 2009

Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open. The deadline for the Early Bird registration is 1 June 2009. We’ve written here often (and favorably) about WEIS, and about papers delivered there.


Security is about outcomes, not process (RSA edition)

So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?


Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]


Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.


Research Revealed Track at RSA

For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together […]


Deadline extended: Computers, Freedom & Privacy Research Showcase

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more […]


Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11. Metricon 4 – The Importance of Context MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable […]


All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to. I’d like to talk about why I see it as a tremendous positive, and will be doing it again. First, it engages the audience. There’s a motive to pay close attention and […]


Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:” A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what […]


Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways. An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid […]


SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]


Congratulations to the PET Award Winners

Congratulations to Arvind Narayanan and Vitaly Shmatikov! Their paper, “Robust De-Anonymization of Large Sparse Datasets,” has been awarded the 2008 Award for Outstanding Research in Privacy Enhancing Technologies. My employer has a press release which explains how they re-identified data which had been stripped of identifiers in the Netflix dataset. In their acceptance remarks, they […]


Off to Belgium

I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues in anonymity and unobservability. I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing […]


Security & Human Behavior

There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”


8th Pet Symposium Early Registration Deadline

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]


Please read more carefully.

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce The folks at Bank […]


Keynoting at ISSA tomorrow

I’ll be delivering the keynote at “The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.” The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format […]


WEIS 2008: Register now

Registration is under way for the seventh Workshop on the Economics of Information Security, hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business June 25-28, 2008. The call for papers, and archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth […]


Black Hat Speaker Selection

Black Hat USA News: We’re very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August – delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. […]


Wendy Richmond’s Surreptitious Cellphone

At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond. Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. […]


Thank you, Usenix!

I’m delighted to report that USENIX, probably the most important technical society at which I publish (and on whose board I serve), has taken a long-overdue lead toward openly disseminating scientific research. Effective immediately, all USENIX proceedings and papers will be freely available on the USENIX web site as soon as they are published. (Previously, […]


WOOT08 Call for Papers

Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications. 2nd USENIX Workshop on […]


A Cha-cha all the way to the bank

On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]


WEIS 2008 Call for papers

The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth’s Tuck School of Business in late June, has just been issued. […] The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. […]


Welcome iouhgijudgviujs, please log in!

Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you. I also know that there are people I respect […]


Metricon 2.0 Registration Closes Friday

Metricon 2.0 looks to be a great set of papers. I’d tell you what I’m looking forward to, but really, I’m looking forward to the whole day. And it’s only $225, but you have to register by Friday.


Why Customers Don’t Flee

At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for you” (my shmoocon talk) but added a number of points about people agreeing, but not wanting to change. “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee.” I […]


WOOT! Looks Exciting

Via Nate, “WOOT = Usenix + Blackhat:” The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks. I was recently saying that vulnerability research […]


Security Breaches Are Good for You: My Shmoocon talk

At Shmoocon, I talked about how “Security Breaches are Good for You.” The talk deviated a little from the proposed outline. I blame emergent chaos. Since California’s SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. […]


Advances in Conference Usability

A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I’m told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I’m always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash […]


Professional Ethics

Cutaway’s post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended “Professional Ethics in the Security Disciplines” which was chaired by Howard Schmidt and the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard’s expert moderation, I remain under-whelmed […]


Ignite Seattle

I attended Ignite Seattle last night. It was awful. Don’t attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I’m inspired to put a talk together for next time. My favorites from last night were: Elisabeth Freeman gave a great talk on how the Head First […]


Coviello: RSA 2010 Will be Last Conference

Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]


Speaking of Secret Events You’re Not Invited To

There’s a blogger get together at the Foreign Cinema Wednesday night of RSA. 5PM – 8PM. We’ve been trying to coordinate via email, but I figured we should publicize our secret conference now. Remember, this will be the most blogged event of RSA. If you want in, blog about the event and trackback Martin McKeay. […]


Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.” First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer. Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II […]


Mike Howard beats me to the punch

His posts on “Microsoft hosts OEM partners for a crash-course in SDL (Day Two)” and “Microsoft hosts OEM partners for a crash-course in SDL (Day Three)” cover much of what I wanted to say: My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very […]


Talking to OEMs

My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)” As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for […]


Detecting Election Fraud

Thanks to my lovely spouse, I came across a series of fascinating papers by Walter R. Mebane, Jr. a professor of Government at Cornell. These papers use statistics, specifically Benford’s Law, to detect election fraud. Now I know statisticians, and I am no statistician (and boy howdy is my higher level math rusty), but the […]


Less than zero-day

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]


CfP: 19th Annual FIRST Conference

The Forum of Incident Response and Security Teams (FIRST) has put out a call for papers for its nineteenth annual conference. The theme for 2007 is “Private Lives and Corporate Risk: Digital Privacy – Hazards and Responsibilities”. Full details at: FIRST 19th Annual Conference, June 17 – 22, 2007, Melia Seville hotel, Seville, Spain […]


Metricon 1.0 Papers and Digest Available

Metricon 1.0 papers and a remarkable digest are available at the security metrics web site. Dan Geer took extensive notes, and has turned them into a very useful document for those who weren’t able to make it.


Dear Hooters Hotel, Las Vegas

Whadda ya mean, you won’t pre-fill the bathtub with jello? (Actually, I stayed at the San Remo for Defcon last year. It was a long walk, but walkable, to the Alexis Park, and it was a great little dive hotel. I did find the rent-a-cops roughing up the vagrant a little disturbing. Maybe now they […]


Dear Sandman Hotel, Vancouver

Thanks for understanding that after a day and a half hiking through Garibaldi Provincial Park, all I want is a quiet room that doesn’t cost an arm and a leg, and a shower. At first I shuddered at having a room between the elevators and the ice machine, but it was quiet as a tomb. […]


Dear Fairmont Hotel Vancouver,

Please stop sucking. For $250 a night, give me a shower which doesn’t fluctuate in temperature and pressure. Give me a door which keeps out hallway noise and light. Don’t have your cleaning staff re-arrange my things so your things (like the room-service menu) can take up space on the desk I rented from you. […]


Metricon 1.0

Yesterday at Metricon, Gunnar Peterson felt a need to mock me over not blogging from the conference. I really enjoyed Metricon. There was a lot of good discussion, and because Dan Geer took extensive notes, I didn’t have to. I was able to pay attention and consider the talks as I heard them. Gunnar, however, […]


Don’t Cross the Streams?

So this week I’m off to Metricon and Usenix Security. Many of my co-workers are off (to present an entire track) at Blackhat. What I find really interesting is that there are these two separate streams of security research, one academic and one hacker, in the most positive sense of the word. Both have produced […]


Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA. So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed? I think there are […]


Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]


Adam Travel Plans: Cambridge, England

June 26-July 1, I’ll be at the Workshop on Economics of Information Security, and then Privacy Enhancing Technologies next week. Mindless ranting on the blog will be replaced by mindless ranting over beer.


Metricon: The Agenda

Andrew Jaquith has posted the Metricon Agenda. We had a lot of good papers, and couldn’t accept them all. (We’ll provide, umm, numbers, at the workshop.) If you’ve submitted a paper, you should have heard back by now. Thanks to all the submitters, and we look forward to seeing you at the workshop.


6th Workshop On Privacy Enhancing Technologies

We’ve announced the program for the 6th Workshop on Privacy Enhancing Technologies, and space is still available for registrants. The program is so cool that I’m not going to try to summarize it, but rather quote Kim Cameron (“SEE IF YOU CAN MAKE PET 2006“): Here’s one conference I definitely won’t miss. I’ve been lucky […]



Because of the lack of proceedings, we have removed the no-dual-submission rule. That is, work submitted elsewhere is ok. Best: Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five(5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be […]


Data Surveillance Workshop

On June 3, 2006 Harvard University’s Center for Research on Computation and Society will hold a day-long workshop on Data Surveillance and Privacy Protection. Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could […]


Thoughts on Metricon

I was talking to a CISO friend recently about Metricon, and encouraging him or his team to submit a paper. He told me about a concern, which was that it sounded like we’re looking for “how do we give indications so we can pat ourselves on the back,” or “how can we terrify execs?” He’d […]


Two on Presenting

“Making a (Power)Point of Not Being Tiresome,” in the LA Times, via Paul Kedrosky. But more usefully, “The Many Uses of Power Point”


Tony Chor on Presenting at MIX

Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc, is really impressive: Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I […]



I’m in Montreal at SIGCHI. (Pronounced “Kai.” Who knew?) I realize I haven’t gotten in touch with a slew of people I’d like to see. If you’re one of them, or think you’re one of them, or would like to be one of them, let me know!


Metricon 1.0 Call For Papers

MetriCon 1.0 – Announcement and Call for Participation. First Workshop on Security Metrics (MetriCon 1.0), August 1, 2006, Vancouver, B.C., Canada. Overview: Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may […]


HotSec, 31 July (Or, Vancouver is shaping up very interestingly)

HotSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas in all aspects of systems security. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are discouraged. Papers will be selected for their potential to stimulate discussion in the workshop. […]


Metricon 1.0 Announced

At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended. One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a […]


Slightly Unique Identifiers

One of the neat things about Blue Hat is that people get pulled aside and introduced to people who have problems that they’d like your thoughts on. In one of those meetings, it came out that the person I was meeting with was destroying lots of data before it came to his group. Very cool. […]


Security & Usability, Workshops

This was supposed to be a part of my book review post, but early user testing showed us confusion and a desire for a more tightly focused blog post experience… It may also help to attend events like the “Security User Studies Workshop at SOUPS 2006” or the “Workshop on Psychological Acceptability and How to […]


Blue Hat Pictures

J. in the Windows Build room, and some labels on a cabinet. And baby, that’s all you’re gonna see of the pictures. We value everyone else’s privacy, unless you were there. In which case, it’s all groovy. Drop me a note and you’ll get the super-double-secret URL. As to the picture honoring ‘patch Tuesday,’ I […]


Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]


Private Thoughts on Blue Hat

As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy. Unfortunately, that makes it hard to properly attribute this bit of genius: 1 bottle of beer on the wall, 1 bottle of […]


Workshop on the Economics of Securing the Information Infrastructure

The Workshop on the Economics of Securing the Information Infrastructure has just been announced: October 23-24, 2006, Arlington, VA; submissions due August 6, 2006 (11:59PM PST). There’s a great topics list, and a great list for the program committee. It should be quite the workshop.


CodeCon 2006

The program for CodeCon 2006 has been announced. CodeCon is the premier showcase of innovative software projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the lead developers, and accompanied by a functional demo. Early registration ends Jan 31.


Conference News

Shmoocon has announced their 2006 speaker list. Today is the last day to submit to Codecon.


BlackHat Pwned!

MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and […]


Pop!Tech ('Pointer' post by Adam)

I don’t know how Ethan Zuckerman is finding time to enjoy the conference, but his series of posts from Pop!Tech make me jealous that I’m missing it.


Liability for bugs is part of the solution

Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth — a lot of code stinks, and people are damaged by it. The reason good programs (which means those […]


First Shmoocon Speaker List

Shmoocon was a great get-together last year, and I look forward to being there this year, especially now that they’ve announced a first batch of speakers. Via the Shmoocon RSS feed. No, just kidding, they don’t have an RSS feed.


Blue Hat Report

The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great […]


Small Travel Annoyances

I’ve slept in three different hotels in the last ten days or so, and noticed a number of things that (seemingly) could be done a lot better. The first is voice mail spam. I get no warm fuzzy from picking up a pre-recorded voice mail welcoming me to the hotel. But I do get to […]


Codecon 2006 Call For Papers

February 10-12, 2006 San Francisco CA, USA codecon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what’s going on in their community. All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one […]


Today, I Publicly Praised Microsoft

On the “Meet the Bloggers” panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005. Also on the panel, Ed Vielmetti brought up a really good point that I hadn’t heard recently, that of […]


Privacy Enhancing Technologies Workshop call for papers

6th Workshop on Privacy Enhancing Technologies will be held at Robinson College, Cambridge, United Kingdom, June 28 – June 30, 2006. Paper submissions are due March 3, 2006. See for more details. [Also note that this will be colocated with the workshop on economics and information security. Thanks to Allan Friedman for reminding me.]


Shmoocon 2006

Today is the last day to get the stunningly low $75 rate for Shmoocon in Washington DC Jan 13-15, 2006. Remember to bow to Bruce’s firewall (largish video download). I understand this year’s con will culminate in a deathmatch between a new, armed Shmoo robot and the speaker who gets the worst ratings. The speaker […]


"Protecting Society By Protecting Information"

Today, I’m at the National Institute of Justice’s National Conference on Science, Technology, and the Law, and am participating in a panel on “Balancing Information Sharing and Privacy.” I’ll present “Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing” (Or get the powerpoint slides. I don’t know why Powerpoint makes all the speaker […]


Balancing Information Sharing and Privacy Concerns

I’ll be at the National Conference on Science, Technology and the Law, A National Institute of Justice Conference sponsored by the National Clearinghouse for Science, Technology, and the Law, September 12-14, 2005, St. Petersburg, Florida. I’m on a panel with a great group of folks on “Balancing Information Sharing and Privacy Concerns.” We haven’t put […]


Defcon Coverage?

Defcon is better experienced than read about. How could I argue with a slogan like “What happens in Vegas gets posted to thousands of blogs? stays in Vegas?” But when those involved blog about it, I’ll admit to a little involvement: I recruited Brian Krebs onto team Shmoo. Because everyone knows I’m a Shmoo wannabe. […]


The Fifth Workshop on the Economics of Information Security (WEIS 2006)

Ross Anderson has announced that the fifth WEIS will be held in Cambridge (England) 26-28 June 2006. Papers due March of next year. I’m sad that I’ve only made one of the WEIS workshops so far. (Life keeps interfering.) What’s there is amongst the most interesting bits being done in security. I hope they continue […]


105°. But It's a Dry Heat

It’s going to be 105 (or so) in Las Vegas for Blackhat, and, as always, a little hotter for Defcon. Tickets for the DC702 Summit/EFF Benefit are for sale online through Monday. As a smaller, private event, I expect the AC will work. So you should be there, instead of say, lolling about by the […]


Pre-Defcon Summit, Get Your Tickets Now

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. According to email organizers sent, they’re fast running out of tickets, so get your tickets now, and […]


Blind Signature Patent Expiration Party

Friends, colleagues, and co-conspirators, It has been 17 long years and now the time is finally here to celebrate at the: BLIND SIGNATURE PATENT EXPIRATION PARTY WHAT: A party to celebrate the expiration of the Blind Signature patent. WHY: U.S. Patent 4,759,063 (“Blind Signature Systems“) to David Chaum is the core invention enabling privacy-protecting electronic […]


Pre-Defcon Summit, and some small bits

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. Hmmm, this needs some extra text to balance the icon. Dumb stylesheet. Who the heck wrote that […]


Ping Flood

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top of his blog. Who knew he’d invent a new denial of service attack?


Small Bits: Adam Sah on Startups, RECon, Irony and Biometrics

Adam Sah (hi Adam!) has a great page of startup advice I hadn’t seen before. Presentations from RECon are now online. The University of Connecticut will be offering a Masters in Homeland Security. That’s a database I’d like to steal. Thanks to Chris Walsh for pointing it out. I’ve been meaning to followup on Juxtaposition’s […]