There’s an interesting article by Phil Bull, “Why you can ignore reviews of scientific code by commercial software developers“. It’s an interesting, generally convincing argument, with a couple of exceptions. (Also worth remembering: What We Can Learn From the Epic Failure of Google Flu Trends.) The first interesting point is the difference between production code…
Read More Code: science and production
Post thumbnail
Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success, we’ve already seen publications inspired by it, such as Moving Fast and Breaking Things: How to stop crashing more than twice, and I know there’s more forthcoming. I’m…
Read More Empirical Evaluation of Secure Development Processes
Post thumbnail
I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for…
Read More DNS Security
Post thumbnail
There’s a fascinating paper, “Tuning Out Security Warnings: A Longitudinal Examination Of Habituation Through Fmri, Eye Tracking, And Field Experiments.” (It came out about a year ago.) The researchers examined what happens in people’s brains when they look at warnings, and they found that: Research in the fields of information systems and human-computer interaction has…
Read More Polymorphic Warnings On My Mind“90% of attacks start with phishing!*” “Cyber attacks will cost the world 6 trillion by 2020!” We’ve all seen these sorts of numbers from vendors, and in a sense they’re April Fools day numbers: you’d have to be a fool to believe them. But vendors quote insane because there’s no downside and much upside. We…
Read More Leave Those Numbers for April 1stThere’s an interesting article in the CBC, where journalists took a set of flights, swabbed surfaces, and worked with a microbiologist to culture their samples. What they found will shock you! Well, airplanes are filthy. Not really shocking. What was surprising to me was that the dirtiest of the surfaces they tested was the headrest.…
Read More Airline Safety
Post thumbnail
I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis of It shows the 1,046 domains that have successfully activated strong protection with GCA’s DMARC…
Read More Measuring ROI for DMARCThen he explained the name was important for inspiring the necessary fear. You see, no one would surrender to the Dread Pirate Westley. The DREAD approach was created early in the security pushes at Microsoft as a way to prioritize issues. It’s not a very good way, you see no one would surrender to the…
Read More The DREAD PiratesToday is John Harrison’s 352nd birthday, and Google has a doodle to celebrate. Harrison was rescued from historical obscurity by Dava Sobel’s excellent book Longitude, which documented Harrison’s struggle to first build and then demonstrate the superiority of his clocks to the mathematical and astronomical solutions heralded by leading scientists of the day. Their methods…
Read More John Harrison’s Struggle Continues