Shostack + Friends Blog Archive


Gamifying Driving

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]


Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]


Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.


Some Chaotic Thoughts on Healthcare

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US […]


A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house. The email explains that the display was taken down after two days in large part […]


Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]


Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]


Write Keyloggers Professionally!

GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]


I’m Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker: Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation […]


Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he nor I am representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]


Game Theory and Poe

Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper by Kfir Eliaz and Ariel Rubinstein called, “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game?” The paper discusses a game that Poe describes in The Purloined […]


Because it is the weekend and I am lazy

Chris’s beach reading recommendations:
John Maynard Smith, Evolution and the Theory of Games
James S. Coleman, Foundations of Social Theory
Ken Binmore, Natural Justice


A++++ Fast and Professional!! Would Read Again!

In “Crowd control at eBay,” Nick Carr writes: EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to […]


How dumb do we think spammers are?

Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”? Kudos to the first person who puts such a […]


Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things: Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove […]


NYT Reporter Has Never Heard of Descartes

Or perhaps more correctly, did not internalize Descartes when he heard of him. In “Our Lives, Controlled From Some Guy’s Couch,” John Tierney writes: Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent […]


Emergent Chaos and Pirates

… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.” Leeson is fascinated by pirates because they flourished outside the state—and, […]


Astronauts and Terrorists: Limits of Screening

So we here at Emergent Chaos have carefully refrained from using the phrase “astronaut in diapers” not because we think that it is now incumbent upon the blogosphere to maintain what little dignity remains in American journalism, but because, within about nine minutes of the arrest of Lisa Nowak, the blogosphere had thoroughly digested the […]


When a 0% Success Rate is Worthwhile

There’s an article in Zaman.com, about “Turkish Hacker Depletes 10,000 Bank Accounts.” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]


Halvar on Vulnerability Economics

Back in July, I wrote: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting […]


Vulnerability Game Theory

So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things […]


BOOM, there it is

If, as is being suggested, North Korea has tested a nuke, things will be getting mighty interesting. I don’t know what to make of it, frankly. Update, 2350 CDT: Looks increasingly like there was, indeed, a test.


The “Box Switching” Game

I have two boxes. Each has some positive amount of money in it, but I will give you no information about the possible dollar amounts other than the fact that one box has exactly twice the amount of money in it as the other. You randomly select one of the two boxes, open it, and […]


More on Risk Tolerance

There are a number of good comments on “Risk Appetite or Volatility Appetite,” and I’d like to respond to two of the themes. The first is “risk appetite is an industry-standard term.” I don’t dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend […]


Risk Appetite or Volatility Appetite?

Over at “Not Bad For A Cubicle,” Thurston (who is always worth reading) manages to tickle a pet-peeve of mine in “A super-size risk appetite?” No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mis-priced […]


Avant-Garde: A game for three players

(From Bram Cohen and Nick Mathewson.) The players are three reclusive artists. Their real names are Anaïs, Benoît, and Camille, but they sign their works as “A,” “B,” and “C” respectively in order to cultivate an aura of mystery. Every week, each artist paints a new work in one of two styles: X and Y. […]


Man Charged For Notifying USC of Vulnerability

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data. A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June […]


Book Review: The Stag Hunt and the Evolution of Social Structure

Brian Skyrms’ The Stag Hunt and the Evolution of Social Structure addresses a subject lying at the intersection of the social sciences, philosophy, and evolutionary biology — how it is possible for social structures to emerge among populations of selfishly-acting individuals. Using Rousseau’s example of a Stag Hunt, in which hunters face a decision between […]


The Wallet Game

At lunch after Shmoocon, Nick Mathewson said he’d like to pay something between zero and the amount of money in his wallet. I think this suggests a fascinating game, which is that Alice asks Bob for some amount of money. If Bob has that much money in his wallet, he pays. Otherwise, Alice pays him […]