Shostack + Friends Blog Archive

There’s some really interesting leaked photos and analysis by Charles Goodman. “Leaked photos from the Rogue One sequel (Mainly Speculation – Possible Spoilers).”

Someone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have […]

Image credit: Bill Anders, Apollo 8, launched this day, Dec 21, 1968.

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian […]

This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company: There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of […]

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]

Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part […]

[Dec 15: Note that there are 4 updates to the post with additional links after writing.] The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump […]

In September, we shared the news that for its 50th year, the people of Gävle paid an extra $100,000 to secure the goat. Sadly, it seems to have not helped. Today, the goat tweeted: Oh no, such a short amount of time with you my friends. The obvious lesson is that the Swedes have a […]

I moved to MacOS X because it offers both a unix command line and graphical interfaces, and I almost exclusively use the command line as I switch between tasks. If you use a terminal and aren’t familiar with the open command, I urge you to take a look. I tend to open documents with open […]

This election has been hard to take on all sorts of levels, and I’m not going to write about the crap. Everything to be said has been said, along which much that never should have been said, and much that should disqualify those who said it from running for President. I thought about endorsing Jill […]

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of a robust market of services for breach victims. That’s not happened, and I’ve been thinking […]

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or review, again reducing the odds that they are secure. Of course, because such a system […]

[Update, Feb 20 2017: More reading: Trump and the ‘Society of the Spectacle’.]

“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays standing in its 50th year,” she added to Arbetarbladet. Gävle Council has decided to allocate […]

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest credit card breaches in history: It provides useful context as we consider this quote: On […]

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a National Research Council report called for “build[ing] a repository of incident data” and said “one […]

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and […]

There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are accusations that it was Russia, and then someone leaked an NSA toolkit and threatened to […]

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and its a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because generally smart consultants don’t comment on the security of their consultees. In this case, it […]

“Better safe than sorry” are the closing words in a NYT story, “A Colorado Town Tests Positive for Marijuana (in Its Water).” Now, I’m in favor of safety, and there’s a tradeoff being made. Shutting down a well reduces safety by limiting the supply of water, and in this case, they closed a pool, which […]

U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? […]

“My father likes to keep some anonymity. It’s who he is. It’s who he is as a person,” Eric Trump said. It should have been obvious. (Quote from Washington Post, July 6, 2016).

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System .” A few quotes: From the group of 30,000 e-mails returned to the State Department, 110 […]

Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words: When in the Course of human events, it becomes necessary for one people to […]

I’m excited to see the call for papers for Passwords 2016. There are a few exciting elements. First, passwords are in a category of problems that someone recently called “garbage problems.” They’re smelly, messy, and no one really wants to get their hands dirty on them. Second, they’re important. Despite their very well-known disadvantages, and […]

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,” […]

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]

C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized: BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have […]

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]

I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glbc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

According to the CBC: “McDonald’s kale salad has more calories than a Double Big Mac” In a quest to reinvent its image, McDonald’s is on a health kick. But some of its nutrient-enhanced meals are actually comparable to junk food, say some health experts. One of new kale salads has more calories, fat and sodium […]

This is a superb owl, but its feathers are ruffled. It is certainly not a metaphor. Speaking of ruffled feathers, apparently there’s a kerfuffle about Super Bowl 1, where the only extant tape is in private hands, and there’s conflict over what to do with it. One aspect I haven’t seen covered is that 50 […]

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

Voting for the 2016 Security Blogger Awards are now open, and this blog is nominated for most entertaining. Please don’t vote for us. Along with our sister blog, we’re aiming to dominate a new category next year, “most nominations without a win.”

Offered up without comment: Star Wars Episode IV.1.d: The Pentesters Strike Back from CyberPoint International on Vimeo.

Happy New Year! The Pogues are Launching their own brand of whiskey, and whatever you think of the band or of drinking, it’s hard to think of a more “on brand” product creation than this.

In “The Galactic Empire Has Terrible Cybersecurity,” Alex Grigsby looks at a number of high-profile failures, covered in “A New Hope” and the rest of the Star Wars canon. Unfortunately, the approach he takes to the Galactic Empire obscures the larger, more dangerous issue is its cybersecurity culture. There are two errors in Grigsby’s analysis, […]

I had not seen this excellent presentation by the engineer who built the Death Star’s exhaust system. In it, he discusses the need to disperse energy from a battle station with the power draw to destroy planets, and the engineering goals he had to balance. I’m reminded again of “The Evolution of Useful Things” and […]

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica) Now, I’m sure being in the […]

This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information […]

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]

We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity […]

As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of, (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]

There’s a great “long read” at CIO, “6 Software Development Lessons From Healthcare.gov’s Failed Launch.” It opens: This article tries to go further than the typical coverage of Healthcare.gov. The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is […]

I was irked to see a tweet “Learned a new word! Pseudoarboricity: the number of pseudoforests needed to cover a graph. Yes, it is actually a word and so is pseudoforest.” The idea that some letter combinations are “actual words” implies that others are “not actual words,” and thus, that there is some authority who […]

Hossein Derakhshan was recently released from jail in Iran. He’s written a long and thoughtful article “The Web We Have to Save.” It’s worth reading in full, but here’s an excerpt: Some of it is visual. Yes, it is true that all my posts on Twitter and Facebook look something similar to a personal blog: […]

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about […]

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

This was a story back around RSA, but I missed it until RSnake brought it up on Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave found that “90% of the terminals of this brand we test for the first time […]

[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]

Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. (Some press coverage.) I did want to pile on with an excerpt from chapter 9 […]

So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious .” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside, […]

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from […]

If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call Ever.” With less than a minute to go in the Superbowl, and the game hanging […]

It didn’t take long for the Seahawk’s game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]

Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts: …People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally […]

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t […]

I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]

Looking for something festive, holiday-like and chaotic for the blog, I came across color-changing cats. The history of color-changing cats is a fascinating one, involving Carl Sagan and accurate predictions of unfathomable chaos over the next ten thousand years. Because while we don’t know what life will be like that far in the future, consider […]

Today’s “the future is cool” entry is the cliffs of insanity: Actually, I’m lying to you, they’re the Cliffs of Comet Churyumov–Gerasimenko, as photographed by the Rosetta spacecraft. I just think its cool similar they look, and how the physical processes which created the Cliffs of Moher may also have been at work on a […]

When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state. So living here in the future, I just wanted to point out how cool it is that you can detect […]

When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (and very subjective) reasons together, and they create a problem that medicine refers to as […]

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan. Hatewatch. Like it’s a word. It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present […]

At BruCon 0x06, I was awoken from a nap to the sound of canons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the […]

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]

This is a lovely little story about pay phones on Whidbey Island. Warning: those who spent too much time with phone systems in their youth may feel inexplicable nostalgia.

Bruce Schneier says nice things about my latest book.

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say […]

I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to Gastón Hillar for the constructive criticism that “Unluckily, the author has chosen to focus on […]

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security […]

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]

July 20, 1969. I’ve blogged about it before. There are people who can write eloquently about events of such significance.  I am not one of them.  I hope that doesn’t stand in the way of folks remembering the amazing accomplishment that the Apollo program was.  

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in […]

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org I am sorry for any inconvenience this may cause. [Update: […]

Stefan Larson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which […]

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

I’m planning to be on the East Coast from June 16-27, giving threat modeling book talks. (My very popular “Threat Modeling Lessons from Star Wars.”) I’m reaching out to find venues which would like me to come by and speak. My plan is to arrive in Washington DC on the 16th, and end in Boston, […]

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]

It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we only had a wheelbarrow, that would be something. Inigo: Where we did we put that […]

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that […]

George Hulme interviewed me for Devops.com, and the article is at “Q&A: Speaking DevOps and Threat Modeling.” Its obvious that devops is an important trend, andit’s important to understand how to align threat modeling to that world.

A couple of reviewers have commented that they have different perspective on assets. For example, in a review I very much appreciated, Gunnar Peterson says: I have slightly a different perspective on Shostack’s view on assets. The book goes into different views that launch the threat model, the approach advocated for in the book is […]

Via Poynter, we learn that the word “massive” has been banned on Gawker. We want to sound like regular adult human beings, not Buzzfeed writers or Reddit commenters,” new Gawker Editor Max Read says in a memo to the publication’s writers. Words like “epic,” “pwn” and “derp” are no longer welcome on the site. Read […]

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  […]

One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a collegue […]

When Wiley asked me about a technical editor for Threat Modeling: Designing for Security, I had a long list of requirements. I wanted someone who could consider the various scenarios where threat modeling is important, including software development and operations. I wanted someone who understood the topic deeply, and had the experience of teaching threat […]

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

I fell victim to an interesting attack, which I am recounting here so that others may avoid it. In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did […]

There’s an absolutely fascinating interview with Adam Back: “Let’s Talk Bitcoin Adam Back interview.” For those of you who don’t know Adam, he created Hashcash, which is at the core of Bitcoin proof of work. Two elements I’d like to call attention to in particular are: First, there’s an interesting contrast between Adam’s opinions and […]

Yesterday, I announced that I’ve set up a mailing list. You may have noticed an unusual feature to the announcement: a public commitment to it being low volume, with a defined penalty ($1,000 to charity) for each time I break the rule. You might even be wondering why I did that. In the New School, […]

I’m getting ready for to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame. Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful […]

I’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see […]

The 13th annual Workshop on the Economic of Information Security will be held at Penn State June 23-24, and the call for papers is now open. I’m on the program committee this year, and am looking forward to great submissions.

Rich Mogul over at Securosis (N.B. I’m a contributing analyst there) has a great post on how, due to human error, some of his AWS credentials got nabbed by some miscreants and abused. We here at the New School love it when folks share how they were compromised and what they did about it. It […]

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday. Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public […]

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]

The Gavle Goat has burned again, according to The Local.Se, and of course, it’s Twitter account (yet one more way in which real name policies inhibit natural behavior). Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be […]

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]

Emergent Chaos has migrated.  It’s a long story, and perhaps better left untold.  Please let us know if you see issues with the new site.

Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures: So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be […]

At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted to help get the word out in my own small way.

Can we just agree that “which” and “that” are pretty much interchangable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost. Which, as they say, makes a mockery of that rule. Alternately, “That, as they say, makes a […]

I have to start off by apologizing for how very late this review is, an embarrassing long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch for those that aren’t familiar is a kids oriented programming language designed by Mitchel Resnick […]

Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time. This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New […]

Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]

Please let us know if you see anything strange

I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.

So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, it’s unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]

Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2“.) Cem makes the point that all the crypto and execution protection magic that ARM is building is limited by the question of what the human holding the phone thinks is going on. […]

So there’s a working set of plans for the “Liberator.” It’s a working firearm you can print on a 3d printer. You can no longer get the files from the authors, whose site states: “DEFCAD files are being removed from public access at the request of the US Department of Defense Trade Controls. Until further […]

There’s an important and interesting new breach disclosure that came out yesterdau. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died to bring us this information” sort of persistence. Until members of Comment Crew are going […]

The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]

An amazing shot by Philipp Schmidli of a cyclist in front of the moon. PetaPixel explains the work involved in getting that shot in “Silhouettes in a Giant Moonrise, Captured Using a 1200mm Lens.” (Thanks to Bob Blakely). Also in the realm of impressive tool use is this: Orangutan from Borneo photographed using a spear […]

As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, […]

Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such as this screenshot. I have no idea who these folks think they’re protecting by destroying […]

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning XP machines (19.61%) is three times that of Windows 7. (As an aside, the XP […]

Thanks to Addison Wesley, who are offering 40% off the book. Apply code NEWSCHOOL40 to get your discounted copy. (You apply the code after proceeding to checkout.)

As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now.  The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking […]

Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years. Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain […]

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a large scale natural experiment in “does it matter?” Over the next n months, the Pentagon’s […]

(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets: […]

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even if some companies are on top of the issue, others are not, and without more […]

Here’s a Friday Star Wars video for you. As Austin Hill tweeted, “Conspiracy revealed! 7 min video that will change the way you think about one of the important events of our lifetime”

It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question.  We use the WTP approach in a […]

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft. Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this […]

Allan Calhamer, the inventor of the game Diplomacy, has passed away. The NYTimes has an obituary.

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]

The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]

You are invited to submit nominations to the 2013 PET Award. The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS). The PET Award carries a prize of 3000 […]

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you, […]

Law firm Proskauer has published a client alert that “HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations.” Most interesting to me was the breach notice section: Section 13402 of the HITECH Act requires covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery […]

We were hacked again. The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered. Let me dispense […]

I came across a fascinating post at Jon Udell’s blog, “Homicide rates in context ,” which starts out with this graph of 2007 data: Jon’s post says more than I care to on this subject right now, and points out questions worth asking. As I said in my post on “Thoughts on the Tragedies of […]

There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]

Bob Rudis has an fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of […]

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]

There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. […]

The Phoenix Project as an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the […]

[This guest article is by thegruq. I’ve taken the liberty of HTML-ifying it from his original, http://pastie.org/5673568.] On Disclosure of Intrusion Events in a Cyberwar The Nation State’s guide to STFU In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, […]

There’s a giant rubber duck in Sydney Harbor right now: It’s apparently by Florentijn Hofman, who does this sort of thing. My only other comment? Seattle, you’re doing it wrong. Where’s our rubber duckie? Via “Sydney Festival Launches Giant Rubber Duck in the Harbor“, Pedestrian TV. (I believe there’s a typo, and the duck is […]

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there […]

Absolute zero is often thought to be the coldest temperature possible. But now researchers show they can achieve even lower temperatures for a strange realm of “negative temperatures.” Oddly, another way to look at these negative temperatures is to consider them hotter than infinity, researchers added. (“Atoms Reach Record Temperature, Colder than Absolute Zero“, Charles […]

I was pretty excited to see this: An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption. “We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a […]

What more do you want on a Friday? Ok, here’s details.

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think […]

Earlier this month, I spoke with Derek Slater: In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message. I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks […]

Gävlebocken har brunnit: Webbkamerabilder visade hur bocken snabbt blev övertänd och totalförstördes innan brandkåren hann fram. Or you can check the webcam: http://www.merjuligavle.se/Bocken/Bockenkamera/

There’s a fascinating set of claims in Foreign Affairs “The Fog of Cyberward“: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system […]

My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec […]

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in […]

Hoff’s blog post “Why Amazon Web Services (AWS) Is the Best Thing To Happen To Security & Why I Desperately Want It To Succeed” is great on a whole bunch of levels. If you haven’t read it, go do that. The first thing I appreciated is that he directly confronts the possibility of his own […]

The Telegraph reports that the Gavle Goat for 2012 is up, and surrounded by guards, cameras, flame retardants, and arsonists. Emergent Chaos has reporters on the ground internet, ready to report on this holiday story of a town, a goat, and an international conspiracy of drunken arsonists. Stay tuned! This years goat is shown in […]

It’s easy to feel sympathy for the many folks impacted by the hacking of South Carolina’s Department of Revenue. With 3.6 million taxpayer social security numbers stolen, those people are the biggest victims, and I’ll come back to them. It’s also easy to feel sympathy for the folks in IT and IT management, all the […]

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

My buddy Curt Hopkins is writing about the Patraeus case, and asked: I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many additional technically- and legally-useless bits of sympathetic magic that people regularly use in the belief that it will save them from intrusion or discovery, either based on the […]

So there’s a pair of stories on choosing good passwords on the New York Times. The first is (as I write this) the most emailed story on the site, “How to Devise Passwords That Drive Hackers Away.” It quotes both Paul Kocher and Jeremiah Grossman, both of whom I respect. There’s also a follow-on story, […]

Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. Muggings, rapes and murders all depend on the actions of unpredictable humans, and we can, […]

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis of the data that was available. So here’s my question. Who’s making testable predictions of […]

Many times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going to relive that experience, and think about what you can learn from it. But in […]

I’m having a camera issue that’s become more and more noticeable with recent software changes. The raw previews coming out of the camera appear substantially more exposed than when Aperture is finished processing them. The difference is hard to measure (there’s no easy undo for raw processing), but appears to be about a full stop […]

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another. I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that […]

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. The cyberthieves broke into an employee’s computer in September 2011 and stole the password for […]

Sebastian Deterding’s Microsoft research talk is now online: “9.5 Theses on the Power and Efficacy of Gamification“. You may recall that this talk inspired me to blog about “Running a game at work.” It’s worth an hour if you’re interested in serious games, persuasive games, or playful design.

Ben Goldacre talks about how physicians are only getting data on tests that come out positive: I look forward to the day when infosec standards are set based on some tests or evidence, and we have to fight to extract more data. The talk is here: here.

Not too long ago, I blogged about “Compliance Lessons from Lance.” And now, there seems to be dramatic evidence of a massive program to fool the compliance system. For example: Team doctors would “provide false declarations of medical need” to use cortisone, a steroid. When Armstrong had a positive corticosteroid test during the 1999 Tour […]

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]

Something about this story just grabs me. I want to hear him saying “I am the dread pirate Roberts! I am here, but soon you will not be here!” Also, I’m sad that he wasn’t in Galve-ston. Photo by GreyChr

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:” It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]

Friday, I had the pleasure of seeing Sebastian Deterding speak on ‘9.5 Theses About Gamification.’ I don’t want to blog his entire talk, but one of his theses relates to “playful reframing”, and I think it says a lot to how to run a game at work, or a game tournament at a conference. In […]

There is, yet again, someone in the news talking about a cyber Pearl Harbor. I wanted to offer a few points of perspective. First, on December 6th, 1941, the United States was at peace. There were worries about the future, but no belief that a major attack was imminent, and certainly not a sneak attack. […]

In “New System for Patients to Report Medical Mistakes” the New York Times reports: The Obama administration wants consumers to report medical mistakes and unsafe practices by doctors, hospitals, pharmacists and others who provide treatment. Hospitals say they are receptive to the idea, despite concerns about malpractice liability and possible financial penalties for poor performance. […]

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“) I don’t want to minimize the issue here. Assuming the allegations are correct, the […]

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end […]

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]

I got an email recently me asking if I had experience running an Elevation of Privilege tournament. I haven’t, and wanted to ask if anyone out there has done so, please share your experiences and suggestions One element that I thought about is a scoring system to help with the tournament’s goals. For examples, you […]

In Star Wars, the Empire is presented as a monolith. Storm Troopers, TIE Fighters and even Star Destroyers are supposedly just indistinguishable cogs in a massive military machine, single-mindedly pursuing a common goal. This is, of course, a façade – like all humans, the soldiers and Officers of the Imperial Military will each have their […]

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]

I was struck by the lead of Kelly Jackson Higgins’ article on the Defcon Social Engineering Contest: Walmart was the toughest nut to crack in last year’s social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the […]

Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the story is the contrast between what might be termed a “compliance” mindset and a “you’re […]

I’ll be at SOURCE Seattle this week. I’m really excited to be speaking on “Security Lessons from Star Wars” at 10AM today.

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on: I’m excited to have be a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and […]

I am the very model of an amateur grammarian I have a little knowledge and I am authoritarian But I make no apology for being doctrinarian We must not plummet to the verbal depths of the barbarian I’d sooner break my heart in two than sunder an infinitive And I’d disown my closest family within […]

If someone could suggest a specific way to make the blog title image work to bring you to the home page, that’d be most appreciated. Update, I think I fixed most of it. Thanks in particular to commenter “M”, who got me on the path to the fix, removing the inline CSS that the theme […]

The blog header image is repeating because of something in the stylesheets. I can’t see where the bug is. If someone can help out, I’d be much obliged. Expanded to add: It appears that there’s a computed “repeat” on the bg img which is the header, but why that repeat is being computed is unclear […]

We here at Emergent Chaos have long been frustrated with the Obama Administration. Their failure to close Guantanamo, their failure to prosecute war crimes including torture, their choice to murder American citizens (never mind without due process), their invocation of the state secrets privilege, their persecution of whistleblowers, their TSA running rampant, the list of […]

I’d like to offer up a thought with regards to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish. I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New […]

Neil Armstrong died August 25, aged 82. It’s difficult to properly memorialize this man, because, to a degree almost unheard of in our media-saturated times, he avoided the limelight. A statement by his family notes: As much as Neil cherished his privacy, he always appreciated the expressions of good will from people around the world […]

A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term. I know you’re all smart and good looking and at least one of you will know the exact author and title.

Over at Lexology.com, there’s a story which starts: Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. (“Hackers demand ransom to keep medical records private“) The trouble with this opening sentence is that it has nothing to do with the story. It’s a […]

There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas“: [W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity. They quickly figured out that they could earn one carbon credit by eliminating one ton […]

There’s a very cool story on NPR about “A New Species Discovered … On Flickr“. A entomologist was looking at some photos, and saw a bug he’d never seen. Check out the photographer’s site or Flickr pages. The paper is “A charismatic new species of green lacewing discovered in Malaysia (Neuroptera, Chrysopidae): the confluence of […]

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts: IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to […]

National Geographic reports “Caffeinated Seas Found off U.S. Pacific Northwest.” The problem, of course, is salinity. They should totally be pumping that caffine into somewhere we can make good use of it.

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn […]

Someone reached out to me about a job that looks really interesting: The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal , define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security […]

Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the […]

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at […]

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on this (and mine) are irrelevant. The key question is “Is money spent on security awareness […]

Around the 4th of July, some smart, public minded folks put forth a “Declaration of Internet Freedom“. And while it’s good in a motherhood and apple pie sense of good, wholesome fun for the whole family, it lacks the punch and panache of the Declaration of Independence to which men pledged their lives, fortunes and […]

So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near […]

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release […]

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay not attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena. Of […]

Every now and then, a headline helps us see the answer to the question “Will people ever pay for Privacy?” Quoth the Paper of record: The seclusion may be the biggest selling point of the estate belonging to Robert Hurst, a former executive at Goldman Sachs, which was just listed by Debbie Loeffler of the […]

CNET ran a truly ridiculous article last week titled “Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher. ZOMG! A virus that deletes files! Now that is […]

Over at the Proskauer blog, Cecile Martin writes “Is data breach notification compulsory under French law?” On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive […]

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by […]

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third […]

Did you notice exactly how much of my post on Cloudflare was confirmation bias? Here, let me walk you through it. In our continuing series of disclosure doesn’t hurt, Continuing series are always dangerous, doubly so on blogs. I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to […]

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]

On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would increase potency. Then a method was discovered for separating the ideas–which was to try one […]

RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading. # RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA. # Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker) # RT […]

RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars # RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN # RT @derekcslater What I learned when I left security http://t.co/AexcK8NN […]

Maybe we could just edit attorneys’ memories of copyright laws?

In our continuing series of disclosure doesn’t hurt, I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.” Go take a look, it’s worth reading, especially the updates. I take three lessons from this: Disclosing an attack allows you to control the story, and is better […]

Cool Stuff RT @SPACEdotcom SPLASHDOWN! @SpaceX #Dragon Space Capsule Ends Historic Mission with Pacific Ocean Splash http://t.co/3H3J1cXz Cool! IE10 in Win8 Release Preview has "Do Not Track" on by default! http://t.co/HHZv8cBw #privacy # RT @gabrielgironda WE ENCOURAGED PEOPLE TO LEARN TO PROGRAM AND JUST LOOK AT WHAT HAPPENED http://t.co/IE9HeNt3 # New blog: "Washington State Frees […]

I hate to let an increase in liberty go by without a little celebration. For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed […]

Congratulations to the Egyptian people for claiming the right to vote for their President! # The ACLU of WA is looking for a technology & liberty director http://t.co/sUAFuDq7 # Things that shod not surprise me: Koalas smell like eucalyptus. # Powered by Twitter Tools

RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport http://t.co/Id8TKH9r // I feel safer already. # Freedom gropes for all @seatac! /cc @tsastatus. # RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" http://t.co/TnR3n56k #armsrace # Great question for […]

At AusCert, I had the privilege to share a the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars. I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That […]

RT @Ellen_CK It appears that putting a contest in one's internal newsletter leads to people actually reading it #SEingmycoworkers # RT @bfist I like my risk like I like my steak << with blue cheese sauce? # RT @451wendy "Q: How many of the Fortune 500 are hacked right now? A: 500." http://t.co/I090fJmp <- Lovely […]

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows […]

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs. […]

RT @netik You program in Rails? Check out Brakeman from our security team & make your code safer. http://t.co/nFPQ3cxx (go @presidentbeef!) # RT @KimZetter Equipment Maker Caught Installing Backdoor Vows to Fix After Public Pressure – http://t.co/EZfe7s27 # Pro tip: "Blackhat talks get lots of publicity" is not a reason *your* submission will make a […]

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup. I know […]

So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwester corner of the US, and […]

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which […]

RT @calyxinstitute We've reached over $50,000 in donations and are 44 donors shy of breaking 1,000! Help us keep the momentum going. # RT @deviantollam "It's a sad day in America when you're driving down the road one of these pulls up next to you: http://t.co/1Ksxn5ja " # RT @markrussinovich Debunking of exaggerated cybercrime stats […]

Hey! Jam Jarr has a new album and its free today. They asked for a Facebook link, and since I can’t do that, I figured a blog was in the right spirit. So go check it out: Jam Jarr: Suck My Underground. It’s free. Why not take a listen? PS: When I say free, I […]

You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out. I’ll get my review done shortly, but I wanted to help spread […]

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]

RT @bruces http://t.co/7BfPuW40 *TSA really keen on putting the electronics border-crunch on dissidents << Worse, add http://t.co/3qTkucub # RT @justintroutman @csoghoian If there's one thing that will identify the right privacy expert, it's the urinalysis and one-year probation. # I bet Facebook is going to start auto-sepia toning everyone's pictures as they age. # New […]

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit. Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now. I was struck by the nature of this article by the […]

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things goo wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple […]

Things I said: Google continues to hobble their services, push accounts/wallet names, now w/ Scholar http://t.co/IIQ7xk15 (cc @rileycrane @tgoetz @skud) # In other words, why not create timelines for every scholar who's published? That would be organizing the worlds info & making it useful. # You need a Google account to get that citation history, […]

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look […]

In a widely discussed op-ed, Richard Clarke wrote: It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), […]

Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at […]

That’s what I said: Photographers should check out these awesome lens physics simulations from Stanford http://t.co/hlNrqQT3 # Good article by @elinormills "Why data breach isn't a dirty word anymore" http://t.co/JXtTOTbT # New blog with a TED talk, "Doctors Make Mistakes, can we talk about that?" http://t.co/c00zcvMr # .@RSAConference can we go so far as "highly […]

From “Warned of an Attack on the Internet, and Getting Ready“

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people […]

Photographers should check out Flash applets on some technical aspects of photography at Stanford. The apps help you understand things like “Variables that Affect Exposure” (the aperture/time/ISO tradeoffs) as well as how lenses work, create depth of field, or how a telephoto lens bends the light. Very cool.

That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?” When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about […]

I’m continuing to tweak in the hopes of balancing useful & overwhelming. This week I’m not only cutting down the chaos a bit, but adding the emergent categories. Also, my tweets precede the Re-Tweets. Comments welcome. Where can I send people new to infosec for security mentoring, confident that they'll get broad, data-centered advice? (#newschool) […]

BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people who have the best story of how they applied the principles of the New School in a real life situation. Start planning […]

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]

RT @curphey amazing how many serial entrepreneurs, visionaries & thought leaders in security are wanting to contract @ $75/hour # MT @GammaCounter Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p via @adam_orbit # I really want @robinsage to RT this: Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: […]

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became […]

I really like what Adrian Lane had to say about the cars at RSA: I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. […]

This Week in Law is a fascinating podcast on technology law issues, although I’m way behind on listening. Recently, I was listening to Episode #124, and they had a discussion of Kind of Bloop, “An 8-Bit Tribute to Miles Davis’ Kind of Blue.” There was a lawsuit against artist Andy Baio, which he discusses in […]

Photo: "Barcelino Per Donna Welcomes RSA Conference 2012" somehow I perceive a mismatch http://t.co/qlKZIdId # RT @mikko Sony said that they lost Michael Jackson's entire unreleased back catalog in one of the 2011 breaches: http://t.co/KeYM9VyD # I sorta like this print, but I'm not sure I'd pay $12 Trillion for it. http://t.co/dzW8iEEl # RT @normative […]

Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]

See more at How anyone can get anything past the TSA’s Nude body Scanners.

Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, […]

Someone respected wrote on a private mailing list: “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002 To which, verily I say: Doom! Doom! You commit the sin of false comparison! You have angered Furlongeous, […]

RT @tedfrank If you're having trouble getting Sudafed, here's how to make it with more readily available crystal meth. http://t.co/THaQZzov # RT @digiphile "Privacy breaches keep getting worse. Facebook admits reading txt msgs of users who installed phone app" http://t.co/v8CMM222 # RT @threatpost #Microsoft partners w/ Good Technology to bring encrypted email to Windows Phone. […]

Our sincere congratulations to all the winners of the Social Security Blogger awards.

So it’s early Sunday AM, and I’m getting my RSA Schedule together finally.  So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday:  8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management.  Fun! Monday is also Metricon, […]

RT @internetlibre Twitter Censors Accounts Unfavorable To Nicolas Sarkozy http://t.co/wMGMuifY #netfreedom #internetlibre #sarkoCensure # RT @Dakami Pretty cool: @joncallas looked at all public keys signed by Entrust; none of them had reused RSA primes http://t.co/8JOsYQ9e # New blog: "It's a Lie: Seattle Taxpayers Will Pay for a Stadium" http://t.co/tkg3JxZi (cc @seattletimes) # Help Find the […]

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had […]

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members […]

The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word: They have a web site with details in English, German, Polish and Lithuanian: The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 […]

The Seattle Times carries a press release: “Arena plan as solid as it looks?” The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any […]

RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users. # New quickie blog: Bismark's Voice http://t.co/zk01Biec # RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues # .@dakami @jeremiahg @tqbf see also […]

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this According to the press release, the “Collins-Lieberman” bill would: The Department […]

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now […]

Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence. The cylinders, from 1889 and 1890, include the only known recording of the voice […]

RT @tkeanini Overcoming the fear of disclosure http://t.co/DZdkeyNh << TK is spot on. Our fear blocks feedback loops. # MT @qld_oic ..empowering young people to establish good cyber safety behaviour #oicprivacycomp http://t.co/vkr3VZ3A [$1000 prize for video] # RT @mortman Yet More On Threat Modeling: A Mini-Rant http://t.co/ZPxVa9HE cc @adamshostack @alexhutton #newschool # RT @securityskeptic @mortman […]

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-start cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus […]

Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an over all risk analysis. And […]

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “

RT @Entropologist Passwords should be a mix of letters, numbers, special characters and longer than 8 characters… like "' or 1=1;–" # RT @ioerror Researchers taking a stand against Elsevier: http://t.co/TMZqj2E9 # RT @ashk4n Even experts are having a hard time differentiating between android malware & mobile ads these days http://t.co/t5qAQANP # Tinker, Tailor is […]

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]

Found on that other bastion of privacy .

Would be interested in readers thoughts on Ian G’s post here: https://financialcryptography.com/mt/archives/001357.html

Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a […]

Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]

I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share Research Data Is Related to the Strength of the Evidence and the Quality of Reporting […]

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]

I wrote a blog post regarding the BSidesSF/RSA conf dust-up. (If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)

Vincent Brown (@politico_ie) should be given an uninterrupted hour with the ECB execs: https://t.co/SZYOtveo # RT @marciahofmann Supreme Court: government installation & use of a GPS device to monitor a vehicle's movements is a 4th Amendment search. # RT @normative RT @thinkprogress: BREAKING: Rand Paul is being detained by TSA in Nashville (via @moirabagley) < […]

The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as […]

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]

For @weldpond: Please turn off JavaScript. We don’t require it and it only increases your vulnerability.

You know those random parts of kitchen appliances that break, and the manufacturer is no longer making, and so you buy a new one that breaks after 4 months? Yeah, you know what I’m talking about. Next time, look to Gourmet Depot and see if they have replacement parts. It was easy to find their […]

In the past, we have has some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d […]

What's the best history of @Defcon Capture the Flag? (cc @rileycaezar @thedarktangent ) # RT @thedarktangent What's the best history of #DEFCON Capture the Flag? @adamshostack asks, & we need to update the site. Send your links! # RT @jccannon7 My sci fi book launches today. More info at http://t.co/bVd8mUSg # RT @mortman New posts: […]

(Available here.)

There’s been a lot of noise of late because Oracle just released their latest round of patches and there are a total of 78 of them. There’s no doubt that that is a lot of patches. But in and of itself the number of patches is a terrible metric for how secure a product is. […]

(From The Oatmeal.) It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal. We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle […]

I am saddened to pass on the news that Ulf Müller, a colleague at Zero-Knowledge Systems, has died in tragic and violent circumstances. I remember Ulf as quiet, gentle, kind and am tremendously saddened by his loss. The most recent news story is “Computer-Experte in Transporter erschlagen“. Nils Kammenhuber of the Technical University of Munich […]

I got an email from my friend John Johnson who is doing a survey about metrics.  If you have some time, please respond… ———————————————————————————————————————————————— I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I’ve thought of, and […]

From an operations and security perspective, continuous deployment is either the best idea since sliced bread or the worst idea since organic spray pancakes in a can. It’s all of matter of execution. Continuos deployment is the logical extension of the Agile development methodology. Adam recently linked to an study that showed that a 25% […]

Too good not to share (inspired by: Chocolate-Hazelnut Waffles with Frangelico-Brown-Butter Syrup) Ingredients : 6 oz. (1-1/3 cups) fresh ground whole-wheat flour 2 oz. (2/3 cup) natural cocoa powder 1-1/2 tsp. baking powder 1/2 tsp. baking soda 1 tsp. kosher salt 3/4 cup granulated palm sugar 2 large eggs, at room temperature 3 oz. (6 […]

New blog: Shocking News of the Day: Social Security Numbers Suck http://t.co/VuMV3faO # RT @PogoWasRight Does *any* federal govt agency actually respond to FOI requests within 20 days? << Send GAO a FOIA with that question? 🙂 # RT @Digital4rensics On Computer Security Incident Information Sharing: http://t.co/GhGYOOjP – New Post Up! # New worst practice: […]

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

This is a great video about how much of software engineering runs on folk knowledge about how software is built: “Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True” There’s a very strong New School tie here. We need to study what’s being done and how well it […]

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]

Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question: Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. […]

Via Nathan Yau’s awesome Flowing Data blog.

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]

RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 # RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc # New podcast with @dgwbirch: http://t.co/HKeKOVyW # New short blog: "The irony overfloweth" http://t.co/6VsrF9JO # Wow. The Wikipedia article on Infosec certifications […]

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yingian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s […]

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this […]

I really enjoyed a conversation with Dave Birch for Consult Hyperion’s “Tomorrow’s Transactions” podcast series. The episode is here. We covered the New School, lessons learned from Zero-Knowledge Systems, and games for security and privacy.

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?” The irony of using a targeted ad, on Facebook, to ask for more privacy protection…

RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line # RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! # I wonder what Woz thinks of being able to get […]

For your holiday amusement: Thanks, Jeff!

Check out this amazing house by Arquitectura Organica:

Weekend NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) # Really, TSA? The airline isn't allowed to auto-enter my freakin' date of birth? Has anyone calculated lifetimes wasted on red tape? # RT @BillBrenner70 Stop them before they predict again! http://t.co/7qzuTchU # I predict 90% of 2012 infosec predictions […]

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1.  Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so […]

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I […]

Bill Brenner started it with “Stop them before they predict again!:” My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious: Mobile malware is gonna be a big deal Social networking will continue to be riddled with security holes Technologies A, B and C will […]

Not my headline, but the New York Times: Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if […]

On Saturday, I discussed how “I bolluxed our blog theme.” “More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not […]

RT @jeremiahg "HBGary not only didnt lose biz customers in the past year, but "got additional business" -Hoglund http://t.co/ap9pP39F # RT @bobblakley @Judgenap "Timid men prefer the calm of despotism to the tempestuous sea of liberty." Thomas Jefferson # Weekend blog "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3 # RT […]

If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job” Yeah. Ooops. I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. […]

Last week I did a podcast with Dennis Fisher. In it, we touched on what I might change in the book. Take a listen at: “Adam Shostack on Methods of Compromise, the New School and Learning“

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial […]

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]

I really like Gunnar Peterson’s post on “Top 5 Security Influencers:” Its December and so its the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (good and/or bad) influence on your company and user’s security: My list is slightly different: […]

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]

RT @daveaitel Tests Show Most Store Honey Isn't Honey http://t.co/2oI3O6RK << Will anyone go to jail for fraud? # RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequnces to FB. So why should they change? #privchat # RT @threatpost $56 Billion Later and Airport #Security Is Still […]

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]

When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer […]

From Keith Weinbaum, Director of Information Security of Quicken Loans Inc. https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545 From the job posting: WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you.  ALSO, if your primary method of justifying security solutions […]

It turns out that it’s very hard to subscribe to many podcasts without talking to Podtrac.com servers. (Technical details in the full post, below.) So I took a look at their privacy statement: Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, […]

from Biostatistics Ryan Gosling Including my favorite:             Thanks to my friend Bob Rudis for the headsup.

New School blog "'Its Time to Learn Like Experts' by @jayjacobs" http://t.co/lnXTqyp8 # RT @dmolnar Help me shop for furniture http://t.co/rXxLrB4O # RT @moxie__ WhisperSystems has been acquired! http://t.co/M5i1g6D0 < Congratulations! I hope it leads to great things for Twitter privacy # RT @tsastatus A few new features, and a bunch of status updates, at […]

It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick […]

My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over […]

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]

This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops […]

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers […]

Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.”  This article is so patently bad, so heinously wrong, that it stuck in my caw enough to write this blog post.  So let’s discuss why Mr. Lacey has no clue […]

Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]

RT @marciahofmann Carrier IQ backpedals on bogus legal threat, apologizes to security researcher. http://t.co/yY5o6JJk < Nice work Marcia! # Powered by Twitter Tools

RT @risktical #riskhose pocast, Episode 14 http://t.co/5hF9YKlZ @adamshostack & 'feedback loops' – great content! @jayjacobs @alexhutton # New "blog" points to Risk Hose podcast #14 with me, @alexhutton, @risktical @jayjacobs http://t.co/8zaBLD8x # RT @CYBERLAWRADIO About to go live on CLBR with CMU Proff @lorrietweet on Why Johnny Can't Opt Out – on webmasterradio.fm # RT […]

I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: Feedback Loops

NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers Say" http://t.co/vlPAH1n0 # New School blog post, "AT&T Hack Attempt" I'm looking for polling software http://t.co/d4YooBv9 # I missed a great opportunity in a recent podcast to say "controls implemented in a way that makes both auditors & attackers happy" # […]

First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T spokesperson told Fox News that “Fewer than 1 percent of customers were targeted.” I’m currently […]

RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # Powered by Twitter Tools

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # Powered by Twitter Tools

New School blog post "Privacy is Security, Part LXII: The Steakhouse" http://t.co/cEjWix7N # MT @_nomap More on [obvious] Saudi airport fingerprint fail. It was mostly immigrant workers stranded for 12 hours. http://t.co/g3ih69Sk # MT @dgwbirch Heard on BBC that poor people use cash, end up paying up to £185 per annum more for utilities << […]

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]

RT @alexhutton @adamshostack @bobblakley @threatpost I thought blogging was dead? << apparently! # RT @dostlund: NYPD has sidewalk checkpoints requiring ID to pass down Broadway. Iranian-born co-worker said "they used to do that in Tehran" # New Blog: Emergent Chaos endorses @wimremes for ISC(2) Board http://t.co/oAWTljcC # This post by Steve Bellovin reminded me of […]

Wade Baker has a quick response to my “Thoughts on the 2011 DBIR and APT,” including the data that I was unable to extract. Thanks!

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]

MT @ashk4n Most [Android?] Phones Ship w/ CarrierIQ "Rootkit" that allows carrier to keylog & record browser history http://t.co/90vYRCHR # MT @bobblakley @threatpost Orgs that ban social networks on company PCs ++more likely to be hacked http://t.co/z7oy4rYF http://t.co/9iIb4BBg # New School blog, "Block Social Media, Get Pwned" http://t.co/dWzuCyzz quick comments on @TELUSBusiness report. (Thanks @bobblakley!) […]

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]

RT @timoreilly TSA Puts Off Safety Study of X-ray Body Scanners http://t.co/GO4uHLN0 Meanwhile, Europe has banned them http://t.co/rmK3ZSTc # Powered by Twitter Tools

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London. They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 […]

New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n (cc @moxie__ ) # New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n # Powered by Twitter Tools

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence […]

RT @exiledsurfer @KforKallisti: Dan Siegel, Mayor Jean Quan's legal adviser quits over #OccupyOakland police raid http://t.co/c5brsq5u #ows # MT @mikko Somebody forgot a vacuum cleaner in a Swedish nuke plant, causing $267M in damages: http://t.co/kLRbV90h << someone tell stuxnet! # RT @dgwbirch was it a Freeman Dyson? (retires to cheers for making first ever physicist/vacuum […]

RT @WC2A_2AE Indian Communist Party General Sectry 'Let's fingerprint all Americans entering the country, like Brazil' http://t.co/GRBoQfYC # Powered by Twitter Tools

Nice of Apple to fix CVE-2011-0997, published in April (http://t.co/kOh6kTvs) # RT @jeremiahg "Steam Web sites hacked, gamer data exposed" http://t.co/daqkExWj < anyone see an attack vector? << Probably social eng 🙂 # RT @josephmenn @daveweigel The winner. RT @KagroX: Why didn't we just make 10/10/10 louder? # RT @WC2A_2AE Anyone interested in border security […]

So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]

MT @normative How Far Will the Government Go in Collecting and Storing Data about us? New FBI Documents Shed Light http://t.co/zylCo3ES # RT @tqbf If the infosec community was a real influencer in crypto, we'd all be using Twofish instead of AES because of http://t.co/e21kDcwM # .@tqbf has the crypto or vuln community given us […]

MT @samablog More States Accept [fail to arrest?] TSA VIPR Teams at Transportation Hubs http://t.co/h3wdaQ3N via @zite # Are others seeing ICMP timeouts for http://t.co/y2uU0Qvt? /cc @moxie__ # RT @arj: @chenxiwang busts out her dog-eared copy of the Orange Book … < I've never seen a dog-eared copy of the Orange Book! # RT @dakami […]

RT @Fiona: Go watch The Muppets hang out on Google+. Me: Thank you: http://t.co/HacZWzBA << Is "Cookie Monster" an approved name? # RT @Jim_Harper When I describe @Cato's argument–"reasonable expectation of #privacy quot; FAIL–lawyers steeped in doctrine get confused. #Jones # New blog: "Slow thoughts on Occupy Seattle" http://t.co/13RTo5NE # RT @csoghoian Jones oral argument […]

I headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply mis-understand what the “Occupy” protests mean, and I wanted to avoid making that mistake. […]

New blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # New School blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # Powered by Twitter Tools

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]

RT @moxie__ Sarah's reflections on solitary confinement: http://t.co/z46aZjgM # RT @marcan42 RSA keys generated by Ruby didn't actually encrypt anything (e=1). "Oops". http://t.co/9vYNFVlI << I Ruby-encrypted this tweet # RT @ioerror We demand a vapid, condescending, meaningless, politically safe response to this petition: http://t.co/ndtf8tI4 # RT @bratling @mrkoot @adamshostack @ioerror Broken URL, not site. Here's […]

RT @k8em0 Thanks to speakers, attendees, organizers & volunteers for a fantastic & memorable #bluehat ! # RT @bengoldacre I'm leaving journalism for 6 months. Here's what I've learnt from writing about nonsense for 8 years http://t.co/GZlDnQ18 # RT @AdasBooks Book signing with @johncsh tomorrow at 1pm! http://t.co/pHqhbTv3 # RT @normative Profoundly depressed this is […]

RT @StephieShaver They say there's no rest for the wicked but at least there's espresso! FridayWHAT? << friday at BlueHat! # RT @Beaker: Congrats to @mortman on joining @enstratus! First @jamesurquhart then @botchagalupe and now Dave! All good friends together # As I watch @moxie__ give his trust talk at BlueHat, I realize how valuable […]

RT @at1as: Instead of useless Presidential Debates, how about a #wargame where we get to see how candidates respond to crisis situations? # RT @wikidsystems @adamshostack @at1as Kobayashi Maru! << Cyberyashi Maru! # Getting ready to give my #BlueHat talk on "How Computers Are Compromised." # Oooh, @jeremiahg wants us to play a game at […]

MT @samablog TSA Ignored Cancer Risks from TSA Scanners http://t.co/r72RAw2d via @zite # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # RT @k8em0 #bluehat is on! Andrew Cushman reflects on past and future threats. http://t.co/w0GpjTQC # What do the comments from ISS World(http://t.co/51Z5ULNQ) mean for surveillance law in […]

RT @ioerror IEEE Global Humanitarian Technology Conference in Seattle http://t.co/VefGa4yy < Looks very exciting, wish I'd known sooner # Follow @ioerror for reporting of Patrick Ball, @alexvans for London Cyber-security event # New blog because my main email is down: "Email chaos: How to reach Adam Shostack" http://t.co/to9lKHKK # RT @GamingPrivacy reflecting on game design […]

The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon. If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow […]

Short blog: "McWrap Chevre" http://t.co/K1LkXnFU # RT @lorrietweet Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising http://t.co/5DDWfhVd # My personal email server is down because of the snow on the east coast. # RT @STRATFOR If #Anonymous does #OpCartel it will almost certainly lead to deaths for members: […]

The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version:  HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually […]

Normally, I like the overlap of cultures, the boundaries of exploration and what comes from that exploration. But this three-way Frankenstien’s combination of French cheese, wraps (not sure where to attribute those–I think the US version is mostly from burritos, but there’s also Arabic pita wraps) and American is somehow best posted on Halloween:

RT @alexhutton Seriously? DHS doesn't *do* threat modeling? My rage is like a 1000 TSA exposed to cancer causing back scatter devices. # RT @ACLU FBI issued 143,074 National Security Letters '03-05 & reported 0 terrorism prosecutions as a result. Zilch. http://t.co/JM8FBFyf # RT @EthanZ Background on @alaa's detention for refusal to accept legitimacy of […]

"Plankytronixx" has a nice blog post on Elevation of Privilege at http://t.co/CFFrWAfF # RT @mattblaze Attention NYPD sign makers: "Just following orders" is not a great slogan. http://t.co/LHBOvQ8f # I'd missed @BillBrenner70 on Security Horror Show http://t.co/5nS0KHOH What can we do to stop the madness? # RT @AudryT Police confirmed: Pepper spray & rubber bullets […]

RT @attackresearch Occupy EIP << occupy system 1! 🙂 # Powered by Twitter Tools

RT @dgwbirch I'm sure talks will be fun, but am looking forward to playing the new version of "Privacy" the card game http://t.co/PZGcFf9l # I accidentally clicked allow Firefox to share my location. Where the hell is the undo and why isn't it in privacy preferences? # ("Location" doesn't bring up anything in help) # […]

RT @PogoWasRight Congressman: Secret Report On #TSA Pat Downs, Body Scanner Failures Will “Knock Your Socks Off” http://t.co/pjFmd0Zz # RT @peterhoneyman i fly DTW where they are testing chat down. i opt out and clam up. they get all dour and nasty. # RT @e3i5: Every picture ULed to Facebook is examined for possible matches […]

RT @georgevhulme RT @msksecurity: The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web http://t.co/817TMklU # Actually, @danphilpott, the best line is "Crews determined the land mines were benign and removed them from the bag." http://t.co/KobPO94k # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # […]

Very short version: Finding a DLNA player that supported the Mac and my new Oppo player was time consuming. Twonky is ok, but I would like something prettier, more reliable, and reasonably secure. I wanted to blog my experience in case it helps other folks. Also, as I posted this, I came across Ed Bott’s […]

New School blog: "Maria Klawe on increasing Women in Technology" http://t.co/NDugVafW # RT @Jim_Harper How Much Homeland Security is Enough? Live now at: http://t.co/XtUXmzp1 << Right question is "how much is too much?" 🙂 # RT @TheOnion American Voices: Should bikers have to register their trips with the government? Tell us #whatdoyouthink http://t.co/1NbLi5Rb # RT […]

I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security. There’s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free. But discovering what claims don’t stand up to scrutiny is a matter […]

Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently.   While I didn’t see the presentation, I’ve taken some time and reviewed the slides and read through the documentation.  I thought I’d quickly give my thoughts on this: It’s awesome and it sucks. IT’S AWESOME That’s not damning with faint praise, rather, it’s […]

New blog chaos: "CIA Reveals Identity of Bin Laden Hunter" http://t.co/m4oNTyl8 # Powered by Twitter Tools

Reportedly, Seattle police have begun issuing tickets to drivers who honk their horns after 10 PM in support of the Occupy protest there. To the extent that the police are only doing this to those expressing a specific point of view, there seems to be a legitimate issue. I am certain that the police would […]

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]

RT @stuxnet420 #twitter oh, yeah, it's on now. I'll see your Stuxnet and raise u a predator with an irc server. 🙂 http://t.co/hKpfDMBt # RT @drunkenpredator Phew. Think I kicked that software virus. Was really messing with my DEAR SIR I HAVE FOR YOU LUCRATIVE PROPOSAL # RT @runasand The CCC has reverse engineered, analyzed […]

Thanks to the announcement of Apple’s iCloud, I’ve been forced to answer several inquiries about The Cloud this week.  Now, I’m coming out of hiding to subject all of you to some of it… The thing that you must never forget about The Cloud is that once information moves to The Cloud, you’ve inherently ceded […]

RT @ethicalhack3r @floatingatoll: The UNIX time zone database has been destroyed by its authors due to a legal threat. http://t.co/1zQIKZm8 # RT @radleybalko Unreal. CA appeals court upholds warrantless cell phone searches during traffic stops. http://t.co/KnklNSat # If you haven't seen it, @ErrataRob "Independent reporting of #OccupyWallStreet quot; http://t.co/qDYxPdFx is a long thoughtful engagement # […]

I’ve decided to experiment with pushing my Twitter feed onto the blog. What do you think? For non-Twitter users, the RT means “re-tweet,” amplifying things that others have said and MT means modified tweet, where the RT plus comment don’t quite fit. If someone has php code to resolve t.co URLs into real URLs, that […]

Sad to say I can find nothing to say beyond thanks, Steve. # Hey @beaker, if you support http://t.co/ObdJFd79 they have Squirrel t-shirts! # I think that @asteingruebl raises some really good questions in http://t.co/nnbdDNBe # Eric Rachner continues to need to sue for accountability from Seattle police & their videos http://t.co/S3fHkcSM # RT @jilliancyork […]

(I saw this here, would appreciate the right attribution.)

Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort […]

Go read this excellent article by Ed Bellis.

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify their reliant parties, mislead people when they did, and then allowed perhaps hundreds of thousands of people to fall victim […]

This Sunday I’ll be reading from the New School at 4PM on Sunday at Ada’s Technical Books in Capitol Hill. If you’re in the area, you should come!

On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries concieves as startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even […]

For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]

Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt […]

There’s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss […]

Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger. As described[.DOC] by its sponsor’s office, this law: Establishes standard, core content — such as the type of information breached, time […]

As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]

Fifteen years ago, I posted a copy of “Source Code Review Guidelines” to the web. I’d created them for a large bank, because at the time, there was no single document on writing or reviewing for security that was broadly available. (This was a about four years before Michael Howard and Dave LeBlanc published Writing […]

I’ve left Verizon.  A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really […]

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]

The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization“, starting in a couple of weeks.  Sounds pretty New School to me!  I suggest that you all check it out and participate in the dialog.  Should be interesting and thought provoking. [Edit — fixed my […]

From the app store: I hope this doesn’t cause Apple to ban snarky update messages.

It’s occurring to me this morning that in terms of benefit/cost, purely in “damage to society” terms, the decision to put html in emails could be one of the worst ideas in the past 25 years. But that’s just me.  Your thoughts on others in the comments?

This is really cool. All Streets is a map of the United States made of nothing but roads. A surprisingly accurate map of the country emerges from the chaos of our roads: All Streets consists of 240 million individual road segments. No other features — no outlines, cities, or types of terrain — are marked, […]

Dear Apple, In the software update, you tell us that we should see http://support.apple.com/kb/HT1222 for the security content of this update: However, on visiting http://support.apple.com/kb/HT1222, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]

Emergent Chaos has a long tradition of posting the American Declaration of Independence here to celebrate the holiday. It’s a good document in many ways. It’s still moving, more than two centuries after it was written. It’s clearly written, and many people can learn from its structured approach to presenting a case. And last but […]

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]

Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is “A breach that crosses the line?” I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose […]

On Tuesday in a ceremony in Rome, the United Nations is officially declaring that for only the second time in history, a disease has been wiped off the face of the earth. The disease is rinderpest. Everyone has heard of smallpox. Very few have heard of the runner-up. That’s because rinderpest is an epizootic, an […]

My colleagues Dinei Florencio and Cormac Herley have a new paper out, “Sex, Lies and Cyber-crime Surveys.” Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings. We are not alone in this judgement. Most research teams who have […]

On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on there, and want to unpack it. First, a quick model of getting executives to do […]

Over at Risky.biz, Patrick Grey has an entertaining and thought-provoking article, “Why we secretly love LulzSec:” LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any. And […]

Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give […]

In “It’s Time to Start Sharing Attack Details,” Dennis Fisher says: With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile […]

Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.) […]

After I wrote “The future of education is chaotic and fun“, I came across “The Montessori Mafia” about the unusual levels of successfulness that Montessori produces. In my post, I opened discussing how our current system of funding education in the US is to force everything through a government department. That department is constrained by […]

In honor of rapture day, the Flying Spaghetti Monster has chosen to manifest his tentacly goodness in Stanley Park in Vancouver:

I wanted to let people know that Microsoft is making the source files for the Elevation of Privilege game available. They are Adobe Illustrator and InDesign files, and are now on the EoP download site. They’re the 85mb of zipped goodness. They can be used under the same Creative Commons Attribution 3.0 US license under […]

Science fiction author Walter John Williams wants to get his out of print work online so you can read it: To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist […]

First, for those who might have missed it, Google has released Google Refine, a free tool for cleaning dirty data sets.  It allows you to pull in disparate data, then organize and clean it for consistency. Next, some interesting thoughts on how “anonymized” data sets aren’t, and some thoughts on the implications of this from […]

Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, […]

In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]

There’s a very interesting discussion on C-SPAN about the consumer’s right to know about breaches and how the individual is best positioned to decide how to react. “Representative Bono Mack Gives Details on Proposed Data Theft Bill.” I’m glad to see how the debate is maturing, and how no one bothered with some of the […]

Lately, I’ve seen three interesting bits on the future of education, and I wanted to share some thoughts on what they mean. The first is a quickie by Don Boudreaux at Cafe Hayek, titled “Grocery School.” It starts “Suppose that we were supplied with groceries in same way that we are supplied with K-12 education.” […]

There’s an excellent column in the old liberal tradition of celebrating liberty in this week’s New Yorker. It’s Memorials by Adam Goptnick, and includes a quote from John Stuart Mill at his rhetorical peak.

Here’s your Friday dose of Star Wars. Leave the volume on, even if you don’t speak French. That way your over-achieving cube neighbors will be distracted, too.

From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, […]

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]

So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We […]

Seriously. Interesting.  Go check this out: http://securityblog.verizonbusiness.com/2011/04/12/veris-community-project-update/ Take a look, impact information!

Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: — Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision […]

Today, April 12, 2011 is the 50th Anniversary of Yuri Gagarin’s historic first flight. Why not join a celebration? Invite to the Kremlin event via Xeni Jardin.

The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != […]

There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security: In court filings, Kaba argued that it had “never advertised or warranted in any way that […]

Via Investors.com

In “Why The New School Is Important,” Alex writes: Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are. So without arguing with the rest of Alex’s post, I’m forced to beg to differ. The New School is […]

I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk –  you don’t say).  As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently.  A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement […]

Hey!   Tomorrow at 1pm ET reg now: @joshcorman & I redux our (in)famous ‘Metrics are Bunk!?’ debate from RSAC 2011: http://bit.ly/i6z1BL              

Not crazy like Sammy-Hagar-has-clearly-abused-his-brain-and-its-giving-him-bad-information-to-come-out-of-his-mouth crazy, but crazy like, there-are-so-many-good-talks-you-can’t-possibly-not-get-value-out-of-the-conference crazy. For example, I’ll be talking twice. Once with Dan Geer and Greg Shannon about Prediction Markets in InfoSec.  Then I’ll be giving one of THE FIRST EVER (!) debriefings of the 2011 DBIR (which is going to be crazy like both of the above). I’m […]

According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “ Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For […]

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan. One element of this is the “VRM” or […]

“Maine Town Declares Food Sovereignty, Nullifies Conflicting Laws.” So reads the headline at the 10th Amendment center blog: The Maine town of Sedgwick took an interesting step that brings a new dynamic to the movement to maintain sovereignty: Town-level nullification. Last Friday, the town passed a proposed ordinance that would empower the local level to […]

Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting.  So here go:   Rob, Nowhere did I imply you were a bad pen tester.  I just said that you should have a salient view of failure in complex systems (which […]

OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet?  Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it.  And Twitter doesn’t really give you a means to explain why you […]

After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, and look forward to them fulfilling their commitment to share their experiences. Right now we […]

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces. There are strong calls […]

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals. Matt concludes: So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse […]

THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security Report. Block off your calendars now! Hello , Alexander Hutton invites you to attend this […]

In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.) The key lesson that I’d like you to take from this […]

Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we should, in large part because some variation of this question is not asked. I’m going […]

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”.  I like the general idea, but I have found some problems in his method.  In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the […]

Mike Rothman’s “Firestarter” on “Risk Metrics are Crap“. It’s very difficult to argue with a poorly constructed argument.  Especially when I have no idea what a “risk metric” is.  But best as I can tell, Mike’s position is that unless you are smart and/or have strong resources allocated to your InfoSec team, things like metrics, […]

Last month, I wrote: But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t […]

The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following? What’s that you say? There isn’t a […]

Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in this is if Symantec opens up about their algorthms and data.

I got this in email and wanted to amplify it: Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation […]

HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting.  Details, details: SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The […]

If a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the MBA-level knowledge and skill. MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens: There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. […]

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did. A new study of a 2009 epidemic at a school in Pennsylvania […]

Hey, I know it’s late notice, but I’ll be speaking at 10:30 EST today on EBRM and the Verizon DBIR: https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1002809&K=CAA1BC&tab=agenda Alex

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]

Self Promotion time, sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty NewSchool.  Here’s an interview that talks about both of the things I’ll be doing and you can see if they’ll be interesting: http://itacidentityblog.com/rsa-podcast-alex-hutton-principal-in-research-and-risk-intelligence-verizon-business

In “TSA shuts door on private airport screening program,” CNN reports that “TSA chief John Pistole said Friday he has decided not to expand the program beyond the current 16 airports, saying he does not see any advantage to it.” The advantage, of course, is that it generates pressure on his agency to do better. […]

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by […]

So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that proving the non-existence of god or black swans is impossible. It will always be possible […]

Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.

Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of us in the New School have been saying this for several years, but the idea […]

The people of Tunisia have long been living under an oppressive dictator who’s an ally of the US in our ‘war on terror.’ Yesterday, after substantial loss of life, street protests drove the dictator to abdicate. There’s lots of silly technologists claiming it was twitter. A slightly more nuanced comment is in “Sans URL” Others, […]

It’s MLK Day. Here’s a pdf of the speech. Or watch it online:

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget).  This got me to thinking a bit  – What if, instead of in the world of compliance where we […]

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.

For a great many years, US taxpayers have been able to deduct interest paid on a home mortgage from their taxes. That made owning property cost roughly 20% less than it otherwise would have (estimating a 25% tax rate on interest on 80% of a property). So everyone could afford 20% “more” house, which meant […]

You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security loves to point to insiders as the ultimate threat. I’m tempted to claim this as […]

Event: The Carnegie Institute for Science will be hosting “The Stripping of Freedom: A Careful Scan of TSA Security Procedures” Outrage: “SFO pilot exposes airport security flaws.” Apparently, pilots allowed to carry guns give up their free speech rights “causes the loss of public confidence in TSA…” (does anyone have a copy of the letter?) […]

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. […]

There’s just something about skinny girls in pouffy skirts…and stormtrooper helmets. More at http://redandjonny.tumblr.com/

Back in September, a group of Czech artists called EPOS 257 camouflaged themselves as city-workers, went to the Palackeho square in Prague and installed a fence. The fence was left on the square with no apparent intent or explanation. At first, the city council didn’t know about it, and when there were told, they didn’t […]

Over at We Won’t Fly, George Donnelly writes: I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the […]

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well […]

Act: Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf Outrage: “Gaping Holes in Airline Security: Loaded Gun Slips Past TSA Screeners” (Matthew Mosk, Angela Hill and Timothy Fleming, ABC News) “TSA + Police + JetBlue Conspire Against Peaceful Individual at JFK” (George Donnelly, WeWontFly.org) “TSA Lies Again Over Capture, Storage Of Body Scanner Images” (Steve Watson, […]

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler. A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!) The second is that […]

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for […]

Paul Kedrosky writes: Most of us have heard the story of armoring British bombers, as it’s too good not to share, not to mention being straight from the David Brent school of management motivation. Here is the Wikipedia version: Bomber Command’s Operational Research Section (BC-ORS), analysed a report of a survey carried out by RAF […]

From The Fine Article: Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursing them, and we […]

But you can still evaluate the quality of the effort Likewise, there’s a lot that you can’t measure about security and risk, but you can still infer something from how the effort is pursued.

Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC. And poor Frank was working so hard to claim […]

Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets?  Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often.  So here are some links I thought you might enjoy, probably worth discussion and review even […]

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

I really enjoyed District 9. Thought I understood some of it. But that was before I read “becoming the alien: apartheid, racism and district 9” by Andries du Toit. Now I need to watch the movie again.

I’d like some feedback on my data analysis, below, from anyone who is an expert on spam or anti-spam technologies. I’ve analyzed data from John Graham-Cumming’s “Spammers’ Compendium” to estimate the technical capabilities of spammers and the evolution path of innovations.

Rachel Tayse over at Hounds In The Kitchen, has an awesome Repeal Day Rant on why repeal day isn’t as good as it sounds. Yet again I feel a lot less free.

Thanks to Chris Eng for making this!

HEY! – At 3pm today Alex (@alexhutton) will be doing an interview over the twitters with Dark Reading’s (@DarkReading) Kelly Jackson Higgins  (@kjhiggins). Follow along with the hashtag #verizonDR! We’ll be talking risk, metrics, data, – you know, the new school-y stuff.

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]

Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]

Recently, I’ve heard some bits and pieces about how Information Security (InfoSec) can be “threat-centric” or “vulnerability-centric”.  This stuck me funny for a number of reasons, mainly  it showed a basic bias towards what InfoSec *is*.  And to me, InfoSec is too complex to be described as “threat-centric” or “vulnerability-centric” and yet still simple enough […]

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]

Hey y’all, Please think about getting on twitter and joining Dark Reading on Mon., Nov. 29@2:30pm ET for a twitterview ME!  (Verizon’s @alexhutton). The hashtag you wanna use and track is: #VerizonDR

“baseball’s rich in wonderful statistics, but it’s hard to find one more beautiful than Stan Musial’s hitting record.” – George Will “When you first hear about this guy, you say, ‘it can’t be true.’ When you first meet him you say, ‘It must be an act.’ But as you watch him and watch him and […]

I’ll be contributing to a new group blog, “I will opt out“. I think that concentrating and combining resources will help the people who care find all the news they want. My first post is at “More news from around the web”

It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue:)” Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces. …After calculating things […]

On my work (“Microsoft Security Development Lifecycle”) blog, I’ve posted “Make Your Own Game! (My BlueHat lightning talk).”

Analysis: “‘Strip-or-Grope’ vs. Risk Management” Jim Harper, Cato@Liberty blog. Really solid thinking, although I usually don’t like asset-centric approaches, I think that for the physical world they make more sense than they do in software threat modeling. TSA more likely to kill you than a terrorist. thread at Flyertalk (thanks Doug!) “Has Airport Security Gone […]

Outrage: Transcript: Senate hearing on TSA, full-body scanners (yesterday, not one Senator cared.) Today’s hearing: http://www.c-span.org/Watch/C-SPAN3.aspx TSA Success Story (You can win in line.) If someone had done that to me at a nightclub I’d call the cops. Violated Traveling with scars Search this one for “pump” to learn about a diabetic’s experience. What would […]

In this instance, it’s for science, helping a friend do some work on analyzing web traffic. If you don’t like it, please install software that blocks these 1 pixel images from tracking you. Edit: removed the web bug

You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage.  Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and […]

There’s no news roundup today, the stories are flying, unlike people, who are sick and tired of the indignities, the nudeatrons and the groping. If you want to see them, you can follow me on twitter or National Opt Out day Tomorrow, there’s a Transportation Security Administration Oversight Hearing whose only witness is TSA Administrator […]

“‘Naked’ scanners at U.S. airports may be dangerous: scientists” (National Post) The head of the X-ray lab at Johns Hopkins says “statistically, someone is going to get skin cancer from these X-rays.” “DHS chief tells pilot, tourism reps scans and patdowns will continue ” (Infowars.com) includes link to a CNN story “Growing backlash against TSA […]

PEOPLE OF EARTH – The VERIS Community Application is out: Announcement here:  http://bit.ly/cDAUhy  Website here:  http://bit.ly/9dZwEJ  From Wade’s announcement: If the VERIS framework describes what information should be shared, the VERIS application provides how to actually share it. Anyone wishing to classify and report an incident can do so responsibly and anonymously using the application. In taking […]

“Terror chief tries to board plane with banned liquids” (Mirror, UK) Obviously, the UK needs to get with the TSA program and exempt Ministers from search. Flight attendants union upset over new pat-down procedures “Airport security reaches new levels of absurdity” (Salon’s Ask the Pilot blog) “Know Your Options at the Airport” (ACLU of Massachusetts) […]

Facebook Changes Photo Memories to No Longer Show Your Ex-Boyfriends or Ex-Girlfriends: In response to numerous complaints, Facebook has changed its Photo Memories sidebar module to no longer display friends who a user was formally listed as in a relationship with. [Sic] But it’s not just about selective remembering because “Your Memories Will Be Rewritten.” […]

Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To join the online meeting (Now from iPhones and other Smartphones too!) ——————————————————- 1. Go to […]

Via Boing Boing, where Maggie Koerth-Baker gave a delightful pointer to this film of Feynman explaining for seven-and-a-half minutes why he can’t really explain why magnets repel each other. Or attract, either. And trumping him in time and space, Bierce gave us this in 1906: MAGNET, n. Something acted upon by magnetism. MAGNETISM, n. Something […]

Body scanners that the TSA is basically encouraging use of by threatening to otherwise grope, fondle, or molest you or your children are basically perfectly safe.  Well, unless you happen to be any one of the following: a woman at risk to breast cancer a pregnant woman an immunocompromised individual (HIV and cancer patients) a […]

Hey everyone.  The Society of Information Risk Analysts (SIRA) would like to invite you to our November meeting this Thursday at 12 noon EST. Here’s a link to a meeting invite: http://bit.ly/d7IHn7 This month, we’ll have Sam Savage, author of the excellent book, The Flaw Of Averages join us.  He’ll be talking about the book […]

A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on NPR.org, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.

Thanks, N! (Added link)

Dissent reports “State Department official admits looking at passport files for more than 500 celebrities.” A passport specialist curious about celebrities has admitted she looked into the confidential files of more than 500 famous Americans without authorization. This got me thinking: how does someone peep at 500 files before anyone notices? What’s wrong with the […]

A reminder for those of you who haven’t read or watched “V for Vendetta” one time too many, it’s Guy Fawkes Day today: The plan was to blow up the House of Lords during the State Opening of Parliament on 5 November 1605… …Fawkes, who had 10 years of military experience fighting in the Spanish Netherlands in […]

UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From:  Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in […]

First, a quick news roundup: EPIC is suing DHS for improper rulemaking, violations of the fouth ammendment, the privacy act, the religious freedom restoration act, and the video voyerism prevention act. The ACLU has a news roundup and a form to report on TSA behavior. The Airline Pilots Association advises pilots to show resistance. So […]

See what happened when Portishead, England turned off their traffic lights in September 2009 in this video. And don’t miss “Portishead traffic lights set to stay out after trial” in the Bristol Evening Post.

I’m a nerd, yes.

Apparently, the TSA is now protecting us so well that they make women cry by touching them inappropriately. According to (CNN Employee Rosemary) Fitzpatrick, a female screener ran her hands around her breasts, over her stomach, buttocks and her inner thighs, and briefly touched her crotch. “I felt helpless, I felt violated, and I felt […]

Very entertaining video: I love it because curtains are privacy people will pay for, but even more, because, ironically for a privacy-enhancing technology, it generates more attention than not using it.

October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:” On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go […]

Researchers in the United States have found that putting individual geniuses together into a team doesn’t add up to one intelligent whole. Instead, they found, group intelligence is linked to social skills, taking turns, and the proportion of women in the group. […] “We didn’t expect that the proportion of women would be a significant […]

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something.  But it’s a great comment, and I wanted […]

These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches. And while CISO’s love it when I bring this fact up in front of their dev. teams, in all deference to software developers and any ignorance […]

Information Security.com reports that: [Richard Clarke] controversially declared “that spending more money on technology like anti-virus and IPS is not going to stop us losing cyber-command. Instead, we need to re-architect our networks to create a fortress. Let’s spend money on research to create a whole new architecture, which will cost just a fraction of […]

Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong: Donors for allogeneic stem-cell transplantation are selected based on their […]

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily […]

Hey everyone. I wanted to mention that Josh Corman of the 451 Group has graciously decided to make a webinar with me on the Data Breach Investigations Report , and has even made the webinar open to the public. So as such, Josh is collecting questions ahead of time.  If you want to submit some […]

Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get practical advice on what really works to secure a system. Sorry, dreaming there for a […]

HEY! SIRA Meeting on Thursday – click here for a calendar invite/reminder thingy/.ics file -> http://bit.ly/b5RKl9 In long format: Topic: SIRA RISK OCT – SANS! Date: Thursday, October 14, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 745 433 825 Meeting Password: sira ——————————————————- To join the online meeting (Now from […]

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]

[via PunditKitchen]

(9 Oct 2010)

Apparently, the Iranian Government has sentenced Hossein “Hoder” Derakhshan to 19.5 years in jail for “collaborating with enemy states, creating propaganda against the Islamic regime, insulting religious sanctity, and creating propaganda for anti-revolutionary groups.” If you think putting bloggers or journalists in jail is wrong, please, please take a moment to sign the petition to […]

Via the Miami Herald: An underwire bra stopped a Miami attorney from seeing her client held at the Miami Federal Detention Center, setting off controversy over the inmate facility’s dress code. The issue here isn’t so much the dress code (though it is problematic) but inconsistent enforcement of previously agreed upon rules. It’s hard to […]

NASA claims that: At least four distinct plumes of water ice spew out from the south polar region of Saturn’s moon Enceladus in this dramatically illuminated image. Light reflected off Saturn is illuminating the surface of the moon while the sun, almost directly behind Enceladus, is backlighting the plumes. See Bursting at the Seams to […]

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. […]

There seems to be no notification that these files are publicly available and no web page listing all the submissions. Therefore, unless you know they are there, you won’t find them. But you can find them all through Google using this search string “NOI site:http://www.nist.gov/itl/upload/”

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows that a lot of the problem with longterm impersonation problems is the psychological impact of disassociation from your […]

The New York Times has a story, “Fatal Crashes of Airplanes Decline 65% Over 10 Years:” …part of the explanation certainly lies in the payoff from sustained efforts by American and many foreign airlines to identify and eliminate small problems that are common precursors to accidents. If only we did the same for security. This […]

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full […]

In 6502 visual simulator, Bunnie Huang writes: It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, […]

Hear it at “Adam Shostack on User-Centric Privacy and the Need for Smarter Regulation.”

@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide […]

NPR is talking about fraudulent ID cards and people voting multiple times. What happened to the purple ink solution? How did we end up exporting bad thinking about security to Afghanistan?

The Securosis 2010 Data Security Survey results are out! http://bit.ly/aR4MuY Go, go and be NewSchool!  Seriously, don’t spend anymore time here, click the link!

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]

Some guy recently posted a strangely self-defeating link/troll/flame in an attempt to (I think) argue with Alex and/or myself regarding the relevance or lack thereof of ISACA’s CRISC certification.  Now given that I think he might have been doing it to drive traffic to his CRISC training site, I won’t show him any link love […]

@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today.  And from a Cloud advocate point of view I like four of the assertions.  But his point about Cloud Security is off: “While many are pushing back on cloud computing due to security concerns, cloud computing is, in fact, as safe as or better than most […]

Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security.  Richard  upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were […]

CSO Online has an article based on an unlinked Forrester study that claims: The survey of 2,803 IT decision-makers worldwide found improving business continuity and disaster recovery capabilities is the number one priority for small and medium businesses and the second highest priority for enterprises. (emphasis mine). The WTF Pie Chart Says:

You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message: In particular, I can’t see the password that I need to see the message.

Hey everyone! Pete Lindstrom will be giving us his “Risk 2.0” presentation tomorrow via webex at 10:30 EST. I’ve seen the deck, and it will be a great preso. Topic: Risk Analysis Date: Thursday, September 9, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 748 861 569 Meeting Password: risk?whatrisk? ——————————————————- […]

The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is besides the point here.) I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the […]

Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP.  Ignoring the hindsight bias of the article here… “This oil spill is a classic example of a black swan (events with the potential for severe impact […]

Well, following on Arthur’s post on baking bread, I wanted to follow up with “how to bake corn:” Please go read “Baked Buttered Corn” A way to bring some happiness to the end of summer is to take this corn and simply bake it with butter. It’s fabulous. The starchy corn juices create a virtual […]

A few folks have asked, so here’s my general bread recipe in bakers percentages. In bakers percentages everything is based on a ratio compared to the weight of the flour. The formula for my bread is: 100% Whole wheat flour (I’m a geek, I grind my own) 72% Water (or whey) 2% Salt 1% Yeast […]

As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive […]

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]

The folks running the Open Security Foundation’s DataLossDB are asking for some fully tax-deuctible help meeting expenses. I’ve blogged repeatedly about the value of this work, and hope that interested EC readers can assist in supporting it. With new FOIA-able sources of information becoming available, now seems to be a great time to help out.

India’s EVMs are Vulnerable to Fraud. And for pointing that out, Hari Prasad has been arrested by the police in India, who wanted to threaten and intimidate him question him about where he got the machine that he studied. That’s a shame. The correct response is to fund Hari Prasad’s work, not use the police […]

Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.” I think that was the wrong warning. Wikileaks is poking at a very […]

These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.

There’s been a lot of discussion about the paper written by mathematician Vinay Deolalikar on this interesting problem. The P!=NP problem is so interesting that there’s a million-dollar prize for solving it. It might even be interesting because there’s a million-dollar prize for solving it. It might also have some applicability to computer science and […]

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is: the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the […]

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]

If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “: Thanks, N!

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]

It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall. While I’m looking closely, isn’t “input validation” a superset of “buffer errors” “code injection” and “command injection?” You can get the “Application Security Trends report for Q1-Q2 2010” from […]

In “Feds Save Thousands of Body Scan Images,” EPIC reports: In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of […]

Last we learned, Peter Coffee was Director of Platform Research for salesforce.com.  He also blogs on their corporate weblog, CloudBlog, a blog that promises “Insights on the Future of Cloud Computing”. He has a post up from last week that called “Private Clouds, Flat Earths, and Unicorns” within which he tries to “bust some myths” […]

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]

Breath mints Ricola Purell Advil Gatorade.

Cisco has their security report up – find it here.  My favorite part?  “The Artichoke of Attack”

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex.  This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes.  It’s going to be seriously useful. Join SOIRA here:  http://groups.google.com/group/InfoRiskSociety?hl=en for the invite.

First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out.  I especially appreciate the feedback from the person who took the time to write in: “Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places […]

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]

Hi, I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or operational security analyst, would you mind taking a one question survey? It’s on SurveyMonkey, here: http://www.surveymonkey.com/s/GCSXZ2Q”

adapted from the t-shirt seen in the anton corbijn work here. With all apologies to both Paul  Morely and Katherine Hamnett. And that’s about all I have to say on the subject.

In looking at Frank Pasquale’s very interesting blog post “Secrecy & the Spill,” a phrase jumped out at me: I have tried to give the Obama Administration the benefit of the doubt during the Gulf/BP oil disaster. There was a “grand ole party” at Interior for at least eight years. Many Republicans in Congress would […]

This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction.    Their recommendations (p22) aren’t earth-shaking: “…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and […]

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts.  Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not […]

When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions.  And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an […]

It’s hard not to be impressed by an ad like this.

Just to pile on a bit…. You ever hear someone say something, and all of the sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it?  That someone much smarter than you had already thought about the subject a whole lot […]

Alex’s posts on Posts on CRISC are, according to Google, is more authoritative than the CRISC site itself: Not that it matters.  CRISC is proving itself irrelevant by failing to make anyone care.  By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public […]

PREFACE:  You might interpret this blog post as being negative about risk management here, dear readers.  Don’t. This isn’t a diatrabe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why I don’t like the idea of CRISC has long-term stickiness.  Just today, Philip writes in […]

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]

Lurnene Grenier has a post up on the Google/Microsoft vunlerability disclosure topic. I commented on the SourceFire blog (couldn’t get the reminder from Zdnet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit […]

Using a dish full of marshmallows.  We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]

Alex Hutton has an excellent post on his work blog: Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of […]

Perry Metzger recently drew this to my attention: The title of my talk is, “You and Your Research.” It is not about managing research, it is about how you individually do your research. I could give a talk on the other subject – but it’s not, it’s about you. I’m not talking about ordinary run-of-the-mill […]

In “Jon Stewart on Obama’s executive power record” Glenn Greenwald writes: When ACLU Executive Director Anthony Romero last week addressed the progressive conference America’s Future Now, he began by saying: “I’m going to start provocatively . . . I’m disgusted with this president.” Last night, after Obama’s Oval Office speech, Jon Stewart began his show […]

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis: The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small […]

I like this one a lot. Go vote for your favorite at BP Logo Redesign contest.

This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]

http://raffy.ch/blog/2010/06/07/maturity-scale-for-log-management-and-analysis/ Raffael Marty’s great  post on how to measure the maturity level for your log management program.   Excellent as always.

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

Andrew and I want to say thank you to Dave Marsh. His review of our book includes this: I’d have to say that the first few pages of this book had more of an impact on me that the sum of all the pages of any other security-related book I had ever read It’s really […]

There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t we’d never get anything done. Hell we’d never get out of bed in the morning. There’s a […]

Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings

For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:” INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 […]

Friend of the blog and TV’s own <grin> Chris Nickerson has firmed up B-Sides for Las Vegas and is looking for a few good people to submit a few good presos. I spoke last year with David Mortman and it was awesome.  Chris put on some real good event/space for us all. I encourage you […]

I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too […]

Today will be remembered along with the landing on the moon and the creation of the internet: Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a […]

Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers?. From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes: Blanching fries does a lot for you – such as: killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying. gelatinizing the starch. During frying, pre-cooked […]

[Update: See Barry’s comments, I seem to misunderstand the proposal.] The New York Times headlines “ Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament. As I understand things, the […]

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, they don’t always help me find thinks like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable. Unfortunately, that contribution was […]

If you haven’t seen http://mattmckeon.com/facebook-privacy/‘s graphic of how Facebook’s default privacy settings have evolved, it’s worth a look:

If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.

We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]

Let me tell you how it will be There’s one for you, nineteen for me Chorus: If privacy appear too small Be grateful I don’t take it all Thanks to Jim Harper for the link.

This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities. One of the three themes is “Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.”

I really love these redesigns of the US Dollar: There’s a contest, and I like these designs by Michael Tyznik the most. On a graphical level, they look like money. He’s integrated micro-printing, aligned printing (that $5 in the upper left corner, it’s really hard to print so it works when you look at light) […]

I will be entering the PhD program in Computational Social Science (with certificates in InfoSec and Economic Systems Design) at George Mason University, Fairfax VA, starting in the Fall of 2010.

There’s a notion that government can ‘nudge’ people to do the right thing. Big examples include letting people opt-out of organ donorship, rather than opting in (rates of organ donorship go from 10-20% to 80-90%, which is pretty clearly a better thing than putting those organs in the ground or crematoria). Another classic example was […]

This is the first image ever taken of Earth from the surface of a planet beyond the Moon. It was taken by the Mars Exploration Rover Spirit one hour before sunrise on the 63rd Martian day, or sol, of its mission. (March 8, 2004) Credit: NASA Goadard’s flickr stream.

There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.” Now, neither Bill Brenner nor Marisa Fagan are dumb, but both of their articles miss the very first step. And it’s important […]

Thomas Ricks wrote a blog on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one of out five veterans under the age of 24 is out of work. However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than […]

According to new research at Duke University, identifying an easy-to-spot prohibited item such as a water bottle may hinder the discovery of other, harder-to-spot items in the same scan. Missing items in a complex visual search is not a new idea: in the medical field, it has been known since the 1960s that radiologists tend […]

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their […]

Dominic Deville stalks young victims for a week, sending chilling texts, making prank phone calls and setting traps in letterboxes. He posts notes warning children they are being watched, telling them they will be attacked. But Deville is not an escaped lunatic or some demonic monster. He is a birthday treat, hired by mum and […]

I could pretend to tie this to information security, talking about risk and information sharing, but really, it’s just beautiful to watch these folks learn to play:

In the “things you don’t want said of your work” department, Ars Technica finds these gems in a GAO report: This estimate was contained in a 2002 FBI press release, but FBI officials told us that it has no record of source data or methodology for generating the estimate and that it cannot be corroborated…when […]

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]

Please check back, we may have sarcasm available in the future. Emergent Chaos apologizes for any inconvenience.

I’ve seen some cool Walmart visualizations before, and this one at FlowingData is no exception. The one thing I wondered about as I watched was if it captured store closings–despite the seemingly inevitable march in the visualization, there have been more than a few.

Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy: “Meeting of the Minds” with Andy Jaquith and myself in either text or audio. Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video

One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours.  Their data is frought with uncertainty, it has gaps, and it might be kind of important (regardless of your stance of anthropomorphic global warming, I think we can all agree that when the climate […]

Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities. He writes: My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to […]

For you football fans, from Advanced NFL Stats we get the equation for  Surplus Coach Value! That couldn’t be more brilliant if it tried.

This just came past my inbox: The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. […]

Since it seems like I spent all of last week pronouncing that ZOMG!  SSL and Certificate Authorities is Teh Doomed!, I guess that this week I should consider the alternatives.  Fortunately, the Tor Project Blog, we learn what life is like without CA’s Browse to a secure website, like https://torproject.org/. You should get the intentionally […]

The European Digital Rights Initiative mentions that “Bits of Freedom starts campaign for data breach notification law:” A data breach notification obligation on telecom providers is already to be implemented on the basis of the ePrivacy Directive, but Bits of Freedom insisted that this obligation should be extended also to other corporations and organisations. It […]

…so important that we didn’t even proofread our rivacy policy. I’m hopeful that they apply more due care to how they administer their policy, but fear it’s like a dirty restaurant bathroom. If they don’t bother to take care of what the public sees, what are they doing in the kitchen? From “Commercial Terms of […]

I haven’t read the paper yet, but Schneier has a post up which points to a paper “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang.about a new side-channel attack which allows an eavesdropper to infer information about the contents of an SSL […]

Where there’s smoke, there’s fire, goes the adage. And in the case of an allegedly-theoretical exploit outlined in a new paper by Chris Soghoian and Sid Stamm (the compelled certificate creation attack), the presence of a product whose only use it to exploit it probably indicates that there’s more going on than one would like […]

The Guardian has reported the first official incident of misuse of full-body scanner information The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 […]

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, Andrew and I want to thank Jessica Goldstein, our editor at Addison Wesley. Without her encouragement, feedback and championing, we never would have published the New School. The first proposal we […]

The sweet interactive version is here: http://www.weforum.org/documents/riskbrowser2010/risks/# Beyond the cool visualization, I’m really interested in the likelihood/impact of data fraud/data loss over on the left there…

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]

Over in the Securosis blog, Rich Mogull wrote a post “There is No Market for Security Innovation.” Rich is right that there’s currently no market, but that doesn’t mean there’s no demand. I think there are a couple of inhibitors to the market, but the key one is that transaction costs are kept high by […]

In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes: As for his priorities, Schmidt says education, information sharing and better defense systems rank high. That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side. “One thing we […]

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US […]

A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.” Now, before I get into the lessons here, I want to point out that Maley is the sort of […]

A burglar who spent about five hours on a store’s computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time […]

Pretty much how my last NCUA 748 pre-audit went.

Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that […]

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular: Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a […]

Industry ‘experts’ misfired when they criticized Microsoft’s Scott Chareney’s “Internet Security Tax” idea. Q: How many of these ‘experts’ know any thing about information economics and public policy responses to negative externalities? A: Zero. Thus, they aren’t really qualified to comment. This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

Schneier points me to lightbluetouchpaper, who note a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge […]

In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports […]