Post thumbnail
So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all…
Read More Better Taught Than Caught!
Post thumbnail
At Blackhat this summer, I’ll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don’t wait! This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on day 1, followed by an understanding of traps that they…
Read More Threat Modeling Training at Blackhat 2020
NorthSec CTF 2019 in Montreal
Looking at what is popular with smaller niche crowds can give greater insight into the “next thing”. This natural selection of attention can inspire an evolution of methods and practices. Capture the Flag Events (CTFs) and electronic Sports (eSports) are good examples of a relatively new trend. I’ve had the chance to be front row…
Read More Capture the Flag events and eSports
Post thumbnail
Chris Eng said “Someone should set up a GoFundMe to send whoever wrote the hit piece on password managers to a threat modeling class.” And while it’s pretty amusing, you know, I teach threat modeling classes. I spend a lot of time crafting explicit learning goals, considering and refining instructional methods, and so when a…
Read More What Should Training Cover?
Post thumbnail
SANS has announced a new boardgame, “Pivots and Payloads,” that “takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker. The game helps you learn while you play. It’s also a great way to showcase to others what…
Read More Pivots and PayloadsI’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see…
Read More The Worst User Experience In Computer Security?My buddy Curt Hopkins is writing about the Patraeus case, and asked: I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many additional technically- and legally-useless bits of sympathetic magic that people regularly use in the belief that it will save them from intrusion or discovery, either based on the…
Read More Email Security MythsMany times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going to relive that experience, and think about what you can learn from it. But in…
Read More Effective training: Wombat's USBGuruBack in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at…
Read More How Harvey Mudd Brings Women into CS