Shostack + Friends Blog Archive


Test post

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another. I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that […]


New breach blog

Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition. As I looked at it, I had a couple of thoughts. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was […]


"Security Vulnerability Research & Defense"

My co-workers in SWI have a new blog up, “Security Vulnerability Research & Defense.” They’re planning to…well, I’ll let them speak for themselves: …share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities… The two posts below are examples of the type of […]


Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.


How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.” What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, […]


Blog finds

I’ve come across some blogs I find interesting. Maybe others will, too.
Statistical Modeling, Causal Inference, and Social Science
Weblog of a Syrian Diplomat in America
Decision Science News
Social Science Data and Software (SSDS) Blog
SecuritySauce (Marty “Snort” Roesch’s blog)
Plus, a special bonus non-blog: UCSB’s Cylinder Preservation and Digitization Project


In every dream home, a heartache

Barry Ritholtz, an NYC hedge fund manager, blogs about a WSJ story. The gist: On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York’s Adirondacks, soldiers readied for deployment halfway across […]


Metasploit blogging

“Official blog of the Metasploit Project.” Either you know who Metasploit is, in which case you’ve already clicked through, or you’re unlikely to understand their subject matter. PS to Vinnie: Where’s the Smallpox-making post?


"Security To The Core"

In a post titled “self-evidently wrong post title” “Blog Posts Do Not Include The Words ‘dizzying array of talent,’” Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario’s “The Market-Driven (Vulnerability) Economy” post is pretty good. However, I think we need video of Dug Song reading this text, which in “News Flash: […]


Risk aggregation and the living dead

Light blue touchpaper is a new web log written by researchers in the Security Group at the University of Cambridge Computer Laboratory. You should read it. As for the headline, zombies eat brains. There’s plenty of ’em [edited to add: brains, that is!!] in close proximity in Ross Anderson’s group. ’nuff said.


Nick Szabo Blogging

Nick is a premier thinker about history, law and economics, and the lessons they have for security. Take this brief sample from “Origins of the joint-stock corporation:” The modern joint-stock corporation has many sources in medieval Europe. First among these was corporate law itself. Although the era is commonly referred to as “feudalism,” for the […]


Wilcox Memorial Hospital (Kauai), 120,000 SSNs+ Medical Records, misplaced computer disk

Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives — and now, according to a letter sent home, the drive was […]


Introducing Arthur

I’d like to introduce Arthur, our newest guest. I was going to say Arthur is not his real name, but that would be a lie. It is his real name for purposes of this blog. It might, however, not be what his wife calls him. (“Sweetie.”) Arthur is, however, the chief information security officer for […]


The Importance of Attitude

Tom Peters has a blog, and in “The Days of Our Lives,” writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility: This may be day 45 and mile 76,000 for me, but for the Client it is […]


Flogging The Simian Is Back

In “A Life, Observed,” I mentioned that I’d been enjoying “Flogging The Simian,” and that she’d left due to privacy issues. Well, she’s back, and so are her “PDBs,” her summaries of what’s interesting: “I read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events.” […]


Delicious Offload

I’ve set up a Delicious feed for stuff that I want to point to, but don’t have either anything to add, or time to add it. I feel sort of bad doing this; I’d like to discuss John Gilmore on the New York Times, but all I have to say is bravo!


Interesting Tidbits (Adam)

John Gruber has an interesting article on the economics of being a one-man software shop, “The Life.” He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard. Jeff Veen of Adaptive Path has announced “MeasureMap,” a new blog-focused log analysis […]


Concurring Opinions Has a Privacy Policy

Daniel Solove and company have launched a new blog, “Concurring Opinions.” Today, they posted their privacy policy. I think they’ll be sued shortly by Experian, for copyright infringement.


Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉 Curt Hopkins points to a fascinating story about the folks who run the great […]


Demand Your Records

In her “On the Record” blog, Ann Harrison (Hi Ann!) covers how to use the Privacy Act to request the records TSA collected, illegally, on millions of innocent people. Incidentally, Arthur Andersen was shut down for destroying data like this.


New Blog Pointers

Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay Duct Tape Risk Communication. And Mario’s comments on tor vs the Freedom Network are interesting: Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w! While I agree with this, […]


David Cowan Blogging

David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.” His post about Too Many Security Startups? is fascinating: The night I closed our investment in my 12th data security deal, Cyota, my […]


New Security Blogs

Jeff Moss takes blogging into thematically and visually new territory with The Black Pages, with Jeff posting on a theme, and then his speakers adding details. Now if only they had an RSS feed. Or my post. I wonder which they’ll get first? I have a soft spot for the word “chaos.” I like the […]


Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

Hal Stern has a blog! Hi, Hal! Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There are some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up. The BBC has an article on British reactions […]


Small Bits of Chaos: Airports, Junk Mail and Employment Law (Context-free)

Scared Monkeys asks “Could Iris Scanning be Coming To an Airport Near You?” (As if the TSA hadn’t wasted enough money on machines that don’t work, or seizing zippo lighter cameras.) Maybe the camera in their iris scanner was busted? New blog “The Dunning Letter” claims to be from a long-time junk mailer, now repentant. […]


Well, Hello Nurse!

The fine folks over at NCircle seem to have been given a directive from on high: Let there be blogs! And there were. And ncircle saw, and they were good. And someone said, let the bloggers be prolific, and behold, they were, with 18 or more posts in 5 days. Great coverage of CanSecWest, and […]


Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on hiatus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been […]



Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.” When the patch comes out, many people […]



I’ve added Screendiscussion to the blogroll. I don’t always agree with Geoff, but he seems insightful, interesting, and genuinely willing to grapple with the questions that his profession raises. He also posts actual posts, rather than a clipblog. For example, this morning’s post is “Background Checks Must Be Relevant,” and points out a case where […]


New Security Blog

I like the cynicism displayed at, by a squinty fellow who seems to want to remain anonymous.


Security Planning

Gunnar Peterson (who has a new blog) points to the public release of the worksheets from “Mission Critical Security Planner.” I haven’t read that book, but the worksheets look like useful planning documents.


Stefan Brands Blogging

Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]