Shostack + Friends Blog Archive

 

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 
 

Heaven Forbid the New York Times include Atheists

In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

How to Present

As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle. As I think about how to deliver […]

 

My Wolfram Alpha Demo

I got the opportunity a couple days ago to get a demo of Wolfram Alpha from Stephen Wolfram himself. It’s an impressive thing, and I can sympathize a bit with them on the overblown publicity. Wolfram said that they didn’t expect the press reaction, which I both empathize with and cast a raised eyebrow at. […]

 

All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to. I’d like to talk about why I see it as a tremendous positive, and will be doing it again. First, it engages the audience. There’s a motive to pay close attention and […]

 

Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel. [Update: I […]

 

How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker. I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.” I did something similar after “Security Breaches Are Good for You: […]

 

Data on Data Breaches

At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server. The main points I tried to make […]

 

Why Johnny Can’t Bank Safely

Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer have written a paper which examines the behavior of persons doing on-line banking under various experimentally-manipulated conditions. The paper is getting some attention, for example in the New York Times and at Slashdot. What Schechter, et. al. find is that despite increasingly alarming indicators that […]

 

More on Godin and Tufte

There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics:” (hey, guys, where are the author names? Author names only show in RSS, not the web page?) Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with […]

 

Tufte, Godin, Juice Analytics

Juice Analytics comments on “Godin’s take on Tufte:” (Godin) I think this is one of the worst graphs ever made. He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words. I don’t think that is what graphs […]

 

One Graph, Zero Credibility

Let’s see..we’ve got shadows, random colors, and the colors are graduated, and so is the background. Displaying 13 digits takes 109,341 bytes (in the original), for a remarkable data density of .0001 digit per byte. Anti-phishing working group? You can, I hope, do better. Via the F-Secure blog, who don’t have per-post links.

 

A Picture (or Three) Is Worth A Thousand Words

Iang over at Financial Cryptography talks about the importance of not just which cryptographic algorithm to use, but which mode it is implemented with. He uses three pictures from Mark Pustilnik’s paper “Documenting And Evaluating The Security Guarantees Of Your Apps” that are such a great illustration of the problem, that I have to include […]

 

Presentations and the Web

It’s easy to put presentations on the web, just like it’s easy to create them. Neither is easy to do well. I’d like to talk not only about good slide creation, but how to distribute a presentation in a useful way. It’s not easy to create good presentations, even when you have good content. Simson […]

 

Tony Chor on Presenting at MIX

Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc, is really impressive: Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I […]