Shostack + Friends Blog Archive

 

What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

The Evolution of Secure Things

One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]

 

Towards a model of web browser security

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

 

Wassenaar Restrictions on Speech

[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]

 

Cool Optics Flash Applets

Photographers should check out Flash applets on some technical aspects of photography at Stanford. The apps help you understand things like “Variables that Affect Exposure” (the aperture/time/ISO tradeoffs) as well as how lenses work, create depth of field, or how a telephoto lens bends the light. Very cool.

 

Microsoft Backs Laws Forbidding Windows Use By Foreigners

According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “ Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For […]

 

Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]

 

SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

 

Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]

 

Word!

We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]

 
 

News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]

 

Rebuilding the internet?

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]

 

Color on Chrome OS

New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it. The main stream of commentary is comparisons to Windows and how this means that Google is in the OS […]

 

Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]

 

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]

 

Let’s Fix Paste!

Okay, this is a rant. Cut and paste is broken in most apps today. More specifically, it is paste that is broken. There are two choices in just about every application: “Paste” and “Paste correctly.” Sometimes the latter one is labeled “Paste and Match Style” (Apple) and sometimes “Paste Special” (Microsoft). However, they have it […]

 

Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]

 

Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]

 

Videos of me

The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]

 

You versus SaaS: Who can secure your data?

In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with […]

 

Ephemeral Anniversary

Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date. That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The […]

 

Actually, Randall, We Tried That

And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Intenet-enabled world, export control brings lots of hair with it, which is why it was important to fight […]

 

SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]

 

The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]

 

And I thought I didn't like Streisand

While Babs’ vocal stylings may be an “acquired taste”, today I have a new appreciation for the Streisand Effect. Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management […]

 

Help fund historic computers at Bletchley Park

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]

 

Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges. The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is […]

 

Uncle Harold and Open Source

Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust […]

 

Microsoft Has Trouble Programming the Intel Architecture

Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.) Most of the whining comes because Office 2008 does not include Visual […]

 

Encryption Is Security Theater

Last night I was talking with a certain analyst from a large company that we’ve all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and […]

 

Backus Having Drinks with Hopper

John Backus, leader of the Fortran team has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp. Back in the days when I would rather have died than work for […]

 

DRM, digitally coded music, and information

Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]

 

Joanna on Stealth Malware

Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?“. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]

 

Google Code Search

Back in July, I posted about online code searching and static analysis in “Meet The Bugles“. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could […]

 

gcc -Wall -WeReallyMeanIt

Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]

 

One more thing in the -We-really-mean-all department

Martin Pool says “gcc makes my day.” If the sentence “Generate traps for signed overflow on addition, subtraction, multiplication operations” means anything to you, read his post. (I’ve discussed gcc in the past here.