Shostack + Friends Blog Archive


Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica) Now, I’m sure being in the […]


Virtual assistant services?

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that […]


Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end […]


Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]


Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting: The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal , define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security […]


Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]


Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at threapost have asked me to write for them occasionally. My first post is about better security through diversity of thinking which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well) It is my experience that unless you push […]


Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]


Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read: The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….” […]


The Twain Meeting

Some time ago, was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin. I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard […]


Write Keyloggers Professionally! has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]


Welcome, Crispin!

Michael Howard has broken the news: “Crispin Cowan joins Windows Security: I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain […]


Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting: Title: IT Security Architecture Manager Needed Company: TJX Companies Location: Framingham, MA Skills: Very strong technical security background in both the mainframe and distributed environments. Term: Full Time Pay: DOE Length: Full Time Detail: TJX Companies is seeking an IT Security Architecture Manager […]


Movie Plot Threat No Longer a Metaphor

Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.” On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how […]


Rootkit on a Stick

The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]


The Price of Nothing and the Value of Everything

In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version. I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally […]


Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer: These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to […]


Congratulations to Mozilla

EWeek has the story: Window Snyder has joined Mozilla as Security Chief. Congratulations all around. PS: Just when Window and I were gonna live in the same city, again, too. Bugger. PPS: Apparently, it’s from Mike Schroepfer’s blog post.


I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this […]


Startup Opportunity: Revive Systems

My friend Robert Stratton has taken the CTO role at Revive Systems. He’s both a serial startup guy (Wheel Group and UUNet) and has been on the investor side In-Q-Tel. We’ve spent some time talking about the technology, too, and it sounds very intriguing. The remainder of this post is his job description for their […]


Congratulations, Professor Ian!

I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. […]


Dear Recruiter

Hi, My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations. (), a key component of the firm’s () practice, provides the building blocks for a secure and protected business […]


Director, Malicious Code and Malware

My friend and former boss at Radialpoint is looking for a malicious code and malware expert: The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, […]


Job Openings

My friend and colleague Scott Blake is looking for smart people: I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I’m looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development. I also have an opening for […]