Shostack + Friends Blog Archive

 

Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

 

What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

 

Tacoma Narrows and Security

I always get a little frisson of engineering joy when I drive over the Tacoma Narrows bridge. For the non-engineers in the audience, the first Tacoma Narrows bridge famously twisted itself to destruction in a 42-mph wind. The bridge was obviously unstable even during initial construction (as documented in “Catastrophe to Triumph: Bridges of the […]

 

The Evolution of Apple’s Differential Privacy

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]

 

"Think Like an Attacker" is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

 

Secure Code is Hard, Let's Make it Harder!

I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glbc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]

 

Threat Modeling, Chinese Edition!

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

Towards a model of web browser security

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

 

Adam's new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]

 

Wassenaar Restrictions on Speech

[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]

 

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

 

CERT, Tor, and Disclosure Coordination

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 

RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  […]

 

What to do for randomness today?

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]

 

TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]

 

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

 

Does 1Password Store Passwords Securely?

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]

 

Browser Privacy & Fingerprinting

Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]

 

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]

 

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]

 

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

 

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

 

6502 Visual Simulator

In 6502 visual simulator, Bunnie Huang writes: It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, […]

 

Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

Hacker Hide and Seek

Core Security Ariel Waissbein has been building security games for a while now. He was They were kind enough to send a copy of his their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]

 

SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

 

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

 

Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]

 

Elevation of Privilege: the Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]

 

Brian W Kernighan & Dennis M Ritchie & HP Lovecraft

I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. […]

 

RSnakes On A Plane

or why RSnake will never be allowed to play video blackjat or poker at Blackhat ever again. Rsnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]

 

Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]

 

Color on Chrome OS

New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it. The main stream of commentary is comparisons to Windows and how this means that Google is in the OS […]

 

Origins of time-sync passwords

In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]

 

I wrote code for a botnet today

There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]

 

Security is about outcomes, not process (RSA edition)

So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?

 

Mr Laurie – Don’t do that

Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:” Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s […]

 

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]

 

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]

 

Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at a IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]

 

Boundary Objects and Threat Modeling

Ethonomethodologists talk a lot about communities of practice. Groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]

 

Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]

 

Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]

 

Working Through Screens

Jacob Burghardt has a very interesting new ebook, “Working Through Screens.” If one was to summarize the status quo, it might sound something like this: when it comes to interactive applications for knowledge work, products that are considered essential are not always satisfactory. In fact, they may be deeply flawed in ways that we commonly […]

 

Eric Drexler blogging

At Metamodern.com. Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]

 

You versus SaaS: Who can secure your data?

In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with […]

 

SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]

 

Buffer Overflows and History: a request

One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in James P. Anderson’s Computer Security Technology Planning Study: The code performing this function does not check the source and […]

 

Experiences Threat Modeling at Microsoft

A little bit of cross-polination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!

 

Blaming the Victim, Yet Again

John Timmer of Ars Technica writes about how we ignore dialog boxes in, “Fake popup study sadly confirms most users are idiots.” The article reports that researchers at the Psychology Department of North Carolina State University created a number of fake dialog boxes had varying sorts of clues that they were not real dialog boxes, […]

 

SDL Press Tour Announcements

Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]

 

The Difference Between Knowledge and Wisdom

If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]

 

5754463f

The ACM has a list of classic computer science works put together based on responses to a survey of the membership. I’m no computer scientist (though I’ve lived with my share…) but I’m shocked that none of Knuth’s works is on this list, even if it is basically a beauty contest.

 

Security Metric?

Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]

 

Programming World Going to Hell Because of Java and Grace Hopper

Ekinoderm writes in “Who did Kill the Software Engineer?” that schools today are ruining software engineering by teaching people Java. He references Joel Spolsky’s rant on the same. I agree completely, except neither went far enough! Java is just the replacement for Pascal, a pedagogical language designed because it was more fun and understandable than […]

 

Evolve or Die

Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages […]

 

Weak Crypto Contest

The 2007 Underhanded C Contest has a marvelous theme — weak crypto. The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library. […] Your challenge: write […]

 

Backus Having Drinks with Hopper

John Backus, leader of the Fortran team has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp. Back in the days when I would rather have died than work for […]

 

TRUSTing Mary Ann Davidson

Yesterday, Mary Ann Davidson had a fascinating post about the classics of Western literature. As usual for Mary Ann, the apparent basis of the post is really just exposition for her main point. In this case, the thrust of her post is the need for developers to have more training in secure coding at the […]

 

On Requirements

Roger Cauvin has some really interesting points on “Requirements and Apple’s “Time Machine”:” CRUD requirements assume that users actually want to create, update, and delete information. But users don’t really want to create, update, and delete information. They want to access it to achieve some larger goal. Enabling the user to create, update, and delete […]

 

gcc -Wall -WeReallyMeanIt

Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]

 

A Few More Thoughts on Disclosure

Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues […]

 

Security Development Lifecycle, the Book

Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner: This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to […]

 

One more thing in the -We-really-mean-all department

Martin Pool says “gcc makes my day.” If the sentence “Generate traps for signed overflow on addition, subtraction, multiplication operations” means anything to you, read his post. (I’ve discussed gcc in the past here.