Shostack + Friends Blog Archive

 

Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

 

The Evolution of Apple’s Differential Privacy

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Kale Caesar

According to the CBC: “McDonald’s kale salad has more calories than a Double Big Mac” In a quest to reinvent its image, McDonald’s is on a health kick. But some of its nutrient-enhanced meals are actually comparable to junk food, say some health experts. One of the new kale salads has more calories, fat and sodium […]

 

The Pogues

Happy New Year! The Pogues are launching their own brand of whiskey, and whatever you think of the band or of drinking, it’s hard to think of a more “on brand” product creation than this.

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

The Evolution of Secure Things

One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]

 

What Good is Threat Intelligence Going to do Against That?

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]

 

There's more than one way to threat model

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]

 

RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often. This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready. […]

 

Threat Modeling and Operations

One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a colleague […]

 

On Bitcoin

There’s an absolutely fascinating interview with Adam Back: “Let’s Talk Bitcoin Adam Back interview.” For those of you who don’t know Adam, he created Hashcash, which is at the core of Bitcoin proof of work. Two elements I’d like to call attention to in particular are: First, there’s an interesting contrast between Adam’s opinions and […]

 

Getting Ready for a Launch

I’m getting ready to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]

 

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]

 

Replacing Flickr?

So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, its unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]

 

A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]

 

The Psychology of Password Managers

As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]

 

1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]

 

I swear, I'm just looking at the articles!

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]

 

Gamifying Driving

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]

 

Privacy, Facebook and Fatigue

Facebook’s new Graph search is a fascinating product, and I want to use it. (In fact, I wanted to use it way back when I wrote about “Single Serving Friend” in 2005.) Facebook’s Graph Search will incent Facebook users to “dress” themselves in better meta-data, so as to be properly represented in all those new […]

 

Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.) At the same time, I’m curious to see how […]

 

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Lessons from Facebook's Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]

 

Mozilla's Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]

 

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

 

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which […]

 

Have You Seen The Little Piggies?

Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]

 

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]

 

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]

 

Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]

 

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]

 

Nymwars: Thoughts on Google+

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]

 

MySpace sells for $35 Million, Facebook to follow

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]

 

"Pirate my books, please"

Science fiction author Walter John Williams wants to get his out of print work online so you can read it: To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist […]

 

I'd like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan. One element of this is the “VRM” or […]

 

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem to assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

 

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens: There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. […]

 

ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows, a lot of the problem with longterm impersonation problems is the psychological impact of disassociation from your […]

 

Dear AT&T

You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message: In particular, I can’t see the password that I need to see the message.

 

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

 

How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

 

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]

 

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]

 

Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]

 

Mobile Money for Haiti: a contest

This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]

 

We'll always have Facebook…

Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers?. From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]

 

Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]

 

Elevation of Privilege: the Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to Christian marriage, there’s a site for that. So from product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]

 

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]

 

Tabletop Science

Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]

 

Toyota Stalks Woman, Claims She Consented

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]

 

Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]

 

Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]

 

Origins of time-sync passwords

In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]

 

Security is about outcomes, not process (RSA edition)

So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?

 

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]

 

Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]

 

Choose your own prescription (glasses)

Silver has devised a pair of glasses which rely on the principle that the fatter a lens the more powerful it becomes. Inside the device’s tough plastic lenses are two clear circular sacs filled with fluid, each of which is connected to a small syringe attached to either arm of the spectacles. The wearer adjusts […]

 

News and Lessons from the Auto Market

“There are no hot segments,” said George Pipas, Ford’s market analyst. “And there really are no hot products.” So closes an article, “Automakers Report Grim October Sales.” GM, sales down 45%. Ford, -30%. Chrysler, -34.9%. Toyota, -23%. Honda -25%, Nissan -33%. MINI Cooper: Up 56.4%. Soon, Ford will be caring about MINI’s market of “only” […]

 

CTO of the United States?

So Obama wants a CTO for the United States. The job description: Obama will appoint the nation’s first Chief Technology Officer (CTO) to ensure that our government and all its agencies have the right infrastructure, policies and services for the 21st century. The CTO will ensure the safety of our networks and will lead an […]

 
 

RIM speaks out on BB security

El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give. The India Times says: BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as […]

 

Ask.com is not asking "Will Privacy Sell"

There’s a bunch of press around Ask.com’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “Ask.com Puts a Bet on Privacy” and now Slashdot jumps in with “Will Privacy Sell?” This is the […]