Category: Links

Elevation of Privilege news

I wanted to let people know that Microsoft is making the source files for the Elevation of Privilege game available. They are Adobe Illustrator and InDesign files, and are now on the EoP download site. They’re the 85 MB of zipped goodness. They can be used under the same Creative Commons Attribution 3.0 US license under which we released the game.

If you’re not familiar with it, Elevation of Privilege is the easy way to get started threat modeling, and you can read about it here.

Lazy Sunday, Lazy Linking

Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets?  Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often.  So here are some links I thought you might enjoy, probably worth discussion and review even if I don’t have time to blog about how I think about the topics discussed in the context of Information Security.

GUNNAR PETERSON GIVES GOOD PDF

First, in case you haven’t read Gunnar’s article “Reference Monitor For The Internet Of Things (.pdf)” in the latest IQT Quarterly, you really should.  Gunnar smart, Alex head hurt.

CHECKLISTS, KNOWLEDGE AND EXPLODING AIRBUS ENGINES

The Daily Speculations Blog has an interesting link/blog/discussion about the recent Qantas Airbus problems. What caught me especially was this point – “Over-riding systematic considerations in favour of discretionary controls”. The actual interview they link to is here.

SOMETHING NICELY DONE DISCUSSING PROS & CONS OF BEHAVIORAL ECONOMICS

Here’s an article in FundStrategy webzine called “DefiesLogic” that discusses behavioral economics, biases, market actors and so forth. Ben Hunt (the author) seems a little down on (or at least wants to curb the enthusiasm over) Behavioral Economics.  I’m OK identifying the limitations of any applied tool.

NOT RELATED – GOOGLE CHROME

The “computer guy” part of me finds Google Chrome to be interesting. The “security management / risk guy” in me thinks the platform has fascinating potential. Here’s the TechCrunch review of the new laptops.

ABSOLUTELY NOTHING TO DO WITH INFOSEC BUT I LAUGHED

Awkward Pregnancy Photos.

Doing threat intelligence right

To improve threat intelligence, it’s most important to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us.


Links To Interesting Stuff

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there.

1.) Threat and Risk Mapping Analysis in Sudan
Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless:

http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/

2.)  I thought Gunnar did a great job on these two posts:

Begin The Begin, Cloud Security : http://1raindrop.typepad.com/1_raindrop/2009/06/begin-the-begin-cloud-security.html

Enterprise Security Priorities : http://1raindrop.typepad.com/1_raindrop/2009/06/enterprise-security-priorities.html

3.)  Similar to Gunnar’s Security Priorities is this link from CIO mag (it’s pretty dry until the second page, so I linked to that one):

Valuing an IT Service : http://www.cioupdate.com/trends/article.php/11047_3821986_2/How-to-Assign-Value-to-an-IT-Service.htm

4.)  If Physics is simply the act of observing the world around us and building mathematical models to describe it, then here’s a fun little post on Love from the NYT (SFW): http://judson.blogs.nytimes.com/2009/05/26/guest-column-loves-me-loves-me-not-do-the-math/?em

5.)  Talk about NewSchool in practice, if you’re not subscribing to Chris Hayes’ Risktical blog, you’re missing out.  Here’s something he did this week that I really liked:

The Risk Is Right http://risktical.com/2009/05/21/the-risk-is-right/ – one word, hardcore.

6.)  Finally, I’ve often said that even if you hate risk analysis, you’re doing it anyway.  Just in a bad, ad-hoc manner.  Here’s something from Gelman’s blog that suggests that you’re gonna have to eventually be “New School”:

Those who don’t know statistics are doomed to . . . rely on statistics anyway :  http://www.stat.columbia.edu/~cook/movabletype/archives/2009/06/those_who_dont.html It’s even got a Bill James mention!
