Shostack + Friends Blog Archive

 

The Rhetorical Style of Drama

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]

 

"Think Like an Attacker" is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]

 

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

 

Can Science Improvise?

My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There are some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec […]

 

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]

 

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes: Blanching fries does a lot for you – such as: killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying. gelatinizing the starch. During frying, pre-cooked […]

 

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]

 

How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that. So from product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]

 

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]

 

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]

 

Identity is Mashed Up

I posted last month about Bob Blakley’s podcast with Phil Windley. Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence. Now that I’ve actually read the paper, I’d like to remix the ideas […]

 

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]

 

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]

 

Boundary Objects and Threat Modeling

Ethnomethodologists talk a lot about communities of practice: groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]

 

Identities are Created Through Relationships

I’m listening to this really interesting podcast by Bob Blakley and Phil Windley. What really struck me was where Bob said “thinking of identity as an artifact all by itself is unsatisfactory because we can talk about an identity and the attributes of an identity leaves out important details about how identities are created and […]

 

The Presentation of Self in Everyday Tweeting

Chris Hoff pointed to an interesting blog post from Peter Shankman. Someone* tweeted “True confession but I’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Well it turns out that… Not only did an employee find it, they were totally offended by […]

 

Happy Repeal Day!

Today is the 75th anniversary of the repeal of the blanket prohibition of alcohol sales in the United States. Go pour some Champagne, Cava, or fine California bubbly and read Radley Balko’s excellent “Lessons of Prohibition.” Photo: Jensen.Pernille. Thanks to Sama.

 

Chaos in the Airports! Baa! Baa!

Some days the snark just writes itself: The group that created Smokey Bear and McGruff the Crime Dog has a new potential icon: Stephanie the airport screener. A $1.3 million ad campaign launched this month teams the Ad Council and the Transportation Security Administration trying to change behavior of passengers who no longer automatically accept […]

 

Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School. The more […]

 

Confirmation Bias and Newspaper Endorsements

We’ve been talking a lot lately about confirmation bias. It turns out that newspaper endorsements are more influential when they are unexpected. The degree of this influence, however, depends upon the credibility of the endorsement. In this way, endorsements for the Democratic candidate from left-leaning newspapers are less influential than are endorsements from neutral or […]

 

Thoughts about Democracy in America

There’s a place in de Tocqueville where he talks about America’s civic strength coming from the way we organize: those voluntary organizations which come together to solve a problem as a community. He pointed out that what we got from that was not merely that particular problem solved, but a sense of community and a […]

 

CTOs, Product Management and Program Management

In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]

 

Discipline and Art

Stephan Bugaj has a fascinating article up, “Steve Kurtz: Tactical Art.” I wanted to tie this to my post “The Discipline of ‘think like an attacker’.” Kurtz only briefly mentioned his four year ordeal with the Department of Justice (this is also a good article about it), and only as a single exemplar of his […]

 

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]

 

Security is an Empirical and Social Science

In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment: “It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography.” Firstly, security is almost always an outcome […]

 

The Discipline of "think like an attacker"

John Kelsey had some great things to say in a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]

 

Think Like An Attacker?

One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with “think like an attacker?” I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]

 

More on Confirmation Bias

Devan Desai has a really interesting post, Baffled By Community Organizing: First, it appears that hardcore left-wing and hardcore right-wing folks don’t process new data. An fMRI study found that confirmation bias — “whereby we seek and find confirmatory evidence in support of already existing beliefs and ignore or reinterpret disconfirmatory evidence” — is real. […]

 

Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowen has a […]

 

TSA Breaks Planes (and a link to infosec)

Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues: While this may be terrifying on a number of levels, […]

 

Security & Human Behavior

There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”

 

Richard Feynman and The Connection Machine

There’s a fascinating article at The Long Now Foundation, “Richard Feynman and The Connection Machine,” by Danny Hillis. It’s a fun look into the interactions of two of the most interesting scientist/engineers of the last 40 years.

 

Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science”: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]

 

R-E-S-E-P-C-T! Find out what it means to me

The TSA apparently is issuing itself badges in its continuing search for authority. The attire aims to convey an image of authority to passengers, who have harassed, pushed and in a few instances punched screeners. “Some of our officers aren’t respected,” TSA spokeswoman Ellen Howe said. … A.J. Castilla, a screener at Boston’s Logan Airport […]

 

Let's not ask the experts?

Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this: “The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and […]

 

Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma”: “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]

 

More airport security toys

“Let’s play ‘airport security’,” says Foreign Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching. In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate […]

 

Book on Boyd

Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd,” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price. Science, Strategy and War is an academic analysis of John Boyd’s thinking and its […]

 

Portuguese Got to Australia in 1522

Portuguese seafarer Christopher de Mendonca led a fleet of four ships into Botany Bay in 1522. No one noticed before because the map was oriented wrong when it was copied. This is a nice article from news.com.au.

 

"The Far Enemy"

I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global” by Fawaz Gerges for quite some time. The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” […]

 

Security & Orientation

When Larry Ellison said “We have the security problem solved,” a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’”) That level of dripping sarcasm is fairly widespread amongst the security experts I talk […]

 

I am not a Probabilistic Polynomial Time Turing Machine; I am a Free Man!

In a jargon-rich yet readable essay (“Cryptographic Commitments”), David Molnar discusses the assumptions that he brings to his work as a cryptographer. It’s fascinating to me to see someone lay out the assumptions portion of their orientation like this, and I think readers can ignore the specifics and get a lot out of the essay. […]

 

Emergent Intelligence

John Robb has a fascinating post on how networked organizations learn and improve their orientation as they engage with their worlds. In “Emergent Intelligence,” Robb focuses on the Iraqi insurgency, but draws important and general lessons. He says there are five factors needed for emergent intelligence: A critical mass of participation. I’d suggest that a […]

 
 

Mobile Phones, Modernity, and Stress

The study, which followed more than 1,300 adults over 2 years, found that those who consistently used a mobile phone or pager throughout the study period were more likely to report negative “spillover” between work and home life — and, in turn, less satisfaction with their family life. From “Cell phones tied to family tension,” […]

 

More on Snow's Assurance Paper

This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:” None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, […]

 

Epstein, Snow and Flake: Three Views of Software Security

Among those who understand that software is, almost without exception, full of security holes, there are at least three major orientations. I’ve recently seen three articles, all of which I wanted to talk about, but before I do I should explain how I’m using the word orientation, and the connotations it carries. As used by […]

 

Orientation and Supreme Court Rulings

Over at Volokh, Orin Kerr has a beautiful analogy which illustrates orientation issues in reading Supreme Court cases. By orientation, I mean the sum of cultural, educational, and training experience that come together to influence the way people interpret the things they observe. (In other words, what Boyd meant.) Kerr writes (emphasis mine): I think […]