I generally try to stay on technical topics, because my understanding is that’s what readers want. But events are overwhelming and I believe that not speaking out is now a political choice. I want to start from this Chris Rock video: I hadn’t seen it before, but I have spent a lot of time studying…
Read More One Bad AppleAs I built out my home studio to record videos for my distributed classes, I was lucky enough to be able to find an in-stock HDMI capture card, but those are harder and harder to find. As it turns out, you may be able to avoid the need for that with a mix of apps.…
Read More SLR as a WebcamThere’s an interesting article by Phil Bull, “Why you can ignore reviews of scientific code by commercial software developers“. It’s an interesting, generally convincing argument, with a couple of exceptions. (Also worth remembering: What We Can Learn From the Epic Failure of Google Flu Trends.) The first interesting point is the difference between production code…
Read More Code: science and production
Post thumbnail
Understanding the way intrusions really happen is a long-standing interest of mine. This is quite a different set of questions compared to “how long does it take to detect,” or “how many records are stolen?” How the intrusion happens is about questions like: Is it phishing emails that steal creds? Email attachments with exploits? SQL…
Read More How Are Computers Compromised (2020 Edition)
Post thumbnail
For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models. There are a lot of them. They disagree. Their accuracy is subject to a wide variety of interventions. (For example, few disease models forecast a politicized response to the disease, or a massively inconsistent response within…
Read More Models and Accuracy (Threat Modeling Thursday)
Post thumbnail
The UK’s National Computer Security Center has a blog post on Drawing good architecture diagrams.
Read More NCSC on Good Architecture DiagramsMost of my time, I’m helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we’re early in developing the science around how to build an SDL that works. That’s why I spend time working with academics who can objectively study what we’re working…
Read More SDL Article in CACM
Post thumbnail
I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce. Bounce is focused on the relationship between talent and training. Syed starts with a discussion of ping pong stars, and…
Read More Bounce and Range
Post thumbnail
A New Hope, even! Happy Star Wars Day!
Read More The World Needs Hope
Post thumbnail
This week’s threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. The short (4 page), readable paper looks at the strengths and weaknesses of forms of DFDs, and what we might achieve with variations on the form and different investments of effort. I…
Read More Threat Model Thursday: Data Flow Diagrams