Shostack + Friends Blog Archive


A New Way to Tie Security to Business

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,” […]


Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]


Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]


Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]


Adam's new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]


Seeking a technical leader for my new company

We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity […]


Threat Modeling At a Startup

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]


Lessons from Facebook's Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]


Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]


Fascinating Storyline around Instagram & Facebook

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit. Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now. I was struck by the nature of this article by the […]


Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]


Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]


How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that. So from a product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]


Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]


Origins of time-sync passwords

In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]


UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “ Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]


Covering the Verizon Breach Report

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]


Seattle Tech Universe

The Washington Technology Industry Association has released a very cool map of the Puget Sound Tech Universe. Here’s an excerpt:


CTOs, Product Management and Program Management

In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]


Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay “Why There Aren’t More Googles.” In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund: And yet it’s the bold ideas that generate the biggest returns. Any really good new […]


SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan. So how do […]


"Whatever happened to Zero-Knowledge Systems?"

Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?” The […]


Carole King said it best

“It’s too late, baby” Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops. Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is […]


How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.” What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, […]


Congratulations to Counterpane and Bruce Schneier

Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. […]


Long Term Impact of Youthful Decisions

There’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records. I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they […]


Debix Launches

I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up. The way it works is that they put a lock on […]


10-second MBA, por favor?

I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.


Who's next?

                            Now that ISS has been purchased by IBM? Or is consolidation not really happening?


Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA. So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed? I think there are […]


Palestinian TV and Regulatory Capture

There’s an article about the chaos of Palestinian TV on Wired News, “Live From the West Bank,” which starts: Helga Tawil Souri reclines on the couch at a friend’s house in the Palestinian West Bank, getting sucked into an Egyptian movie about a woman in an insane asylum. Right before the climactic face-off, though, the […]


The Pursuit of Wow and the Virtue of Shipping

I’ve just finished reading “The Pursuit of Wow!” by Tom Peters. The essential message is that if you’re not enthused by what you’re doing, change things until you’re enthused. It’s a great reminder of the importance of passion for delivering great products and services. Unfortunately, as a startup veteran, there’s a conflict that I run […]


Software That Works

Ethan Zuckerman did a great job of blogging from TED. The most interesting post for me was his summary of David Pogue’s talk: But he’s a big fan of the iPod and the “cult of simplicity”. Despite violating every rule of product design – going up against Microsoft, having fewer features, having a proprietary, closed […]


Patents and Comments

The comments on “Patents and Innovation” and “New Products, Emerging from Chaos” have been really good. I want to draw your attention to them, because I’m impressed at how much has been added. I’m really enjoying the feedback, and the ability to continue a thread that’s emerged from a comment. I’m also curious what I […]


Patents and Innovation

In responding to “New Products, Emerging from Chaos,” Albatross makes a good comment about how the RSA patent expiry didn’t lead to an immediate outpouring of new products. Albratross also mentions how transaction costs encourage people to look for new ways to solve a problem. Mordaxus says there has been an explosion in the use […]


New Products, Emerging From Chaos

In a trenchant comment on “Secretly Admiring,” Victor Lighthill writes: Not to disrespect Ron Rivest or Credentica’s Stefan Brands, but patenting your ideas in crypto is, historically, a great way to ensure that it takes them 15 years to go from concept to use. While there may be important grains of truth in this, and […]


Managing and the Red Cross

The other day on “On Point,” I heard some astoundingly clear exposition of executive management, in the words of Dr. Bernadine Healy, the former CEO of the Red Cross. The program, Examining The Red Cross was promoted as: When 9/11 came, the Red Cross was there — with mountains of Americans’ donations and support for […]


Hey, Look, It's Matasano!

Tom Ptacek’s blog is full of smart people introducing themselves, and their new company, Matasano. They’re talking about the new mix, which is to be consultants while you build your startup and look for funding. I hope that Window, Dave, and Jeremy all get the blogging bug. Heck, I hope Dino does too, because with […]


Speaking of Ethical: Brad Feld on Philanthropy

I’d like to draw attention to venture capitalist Brad Feld’s post, “Doing Good By Doing Well:” I’ve strongly encouraged my portfolio companies to incorporate “philanthropic activities” into their businesses early in their life. I don’t advocate any particular focus – I simply encourage founders and leadership teams to think about what they can do to […]


Congrats to Brent Simmons

NewsGator Technologies has acquired NetNewsWire, along with Ranchero Software founder Brent Simmons. Simmons joins NewsGator as product architect. I discovered this via Brent’s NetNewsWire, and am blogging it with his MarsEdit. See the interview with Brent and Greg Reinacker. For consistency’s sake, I ought to be confusing Newsgator with someone else.


Small Bits: Adam Sah on Startups, RECon, Irony and Biometrics

Adam Sah (hi Adam!) has a great page of startup advice I hadn’t seen before. Presentations from RECon are now online. The University of Connecticut will be offering a Masters in Homeland Security. That’s a database I’d like to steal. Thanks to Chris Walsh for pointing it out. I’ve been meaning to followup on Juxtaposition’s […]