Adam Shostack & friends – Page 3 – Security, privacy, economics and unrelated topics since 2005

2021-04-29 by adam

Threat Model Thursday: Technology Consumers

There’s an interesting paper by Becky Kazansky, ‘It depends on your threat model’: the anticipatory dimensions of resistance to data-driven surveillance. The author critiques ‘anticipatory data practices’, a collection of techniques that include my own work, as presented to civil society activists. It opens “While many forms of data-driven surveillance are now a ‘fact’ of…

2021-04-26 by adam

“Stop Vaccine Finger Wagging”

The U.S. political divide on whether to get the coronavirus vaccine suggests that “maybe there’s been too much finger wagging,” said the head of the National Institutes of Health. “I’ve done some of that; I’m going to try to stop and listen, in fact, to what people’s specific questions are,” NIH Director Francis Collins said…

2021-04-23 by adam

This time for sure, Pinky!

If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? Read Mike Tanji’s full article, From Solar Sunrise to Solar…

2021-04-22 by adam

IoT Security & Threat Modeling

There’s a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security. One of the elements I want to draw attention to is: The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. Collecting data (and…

2021-04-16 by adam

Thursday Threat Model: Github’s Approach

A bunch of people recently asked me about Robert Reichel’s post “How We Threat Model,” and I wanted to use it to pick up on Threat Model Thursdays, where I talk about process and practices. My goal is always to build, and sometimes that involves criticism. So let me start by saying I like the…

2021-04-14 by adam

The Updates Must Go Through

On Monday, the Department of Justice announced that it had cleaned malware (“webshells”) off of hundreds of infected mail systems running Microsoft Exchange. Microsoft has been trying to get folks to apply critical security patches to address a problem that’s being actively exploited. A few minutes ago, I posted a screencapture of Microsoft’s autoupdater going…

2021-04-14 by adam

Dear Microsoft: Please fix MAU

This is the second month running that MSAU2 on my Mac has gone haywire. Please fix it.

2021-04-13 by adam

Can Training Work Remotely?

I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there’s a strong expectation that training involves whiteboards. (I remember one course in particular, about 15 minutes in, the buyer said: “Let’s get to the whiteboards already!”) And there’s no doubt: people learn by doing.…

2021-04-06 by adam

Behind the Scenes: Training Development

I’ve talked about our new training, and I want to provide a little behind the scenes view. I regularly talk with folks who’ve gone through the pain of developing their own training, or worse, put others through the pain of their alpha-version training, and then paid the price in having to convince people to give…

2021-04-01 by adam

Passover Pie

For Passover, we made a lamb and bitter greens pizza. Now, you may be saying to yourself that that’s wrong, but allow me to explain. A few years ago, Seattle Food Geek wrote about a No-Yeast, No-Rise, Champagne Pizza Dough. It makes use of an encapsulated leavener called WRISE. I had a sample of the…