Post thumbnail
As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there. Over the past few years, we’ve developed an interesting track with good material year over year. The 2020 call for papers is open and closes April 6th. I wrote a short blog post on what…
Read More Blackhat and Human Factors
Post thumbnail
My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course I’ve created, starting with “Learning Threat Modeling“, and courses on “spoofing“, “tampering“, and now, repudiation. (You can probably see where this is going, and I’m making great strides towards the goal. Sorry not sorry.) I’d say it’s not my…
Read More Repudiation Now Live on Linkedin LearningFor reasons I can’t quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied. In the meantime, my friends at Agile Stationery have transcribed a talk that Mark Vinkovits and I gave at AppSec Cali last year. Their posts are…
Read More Threat Model Thursday: Games
Post thumbnail
There’s a fascinating talk by Dan Luu, “Files are Fraught With Peril.” The talk itself is fascinating, in a horrifying, nothing works, we’re going to give up and raise goats now sort of way. He starts from the startling decision of Dropbox to drop support for all Linux filesystems except Ext4. This surprising decision stems…
Read More Threat Model Thursday: Files
Post thumbnail
In the last few days, we’ve seen two big stories in the realm of cryptography. The first is that SHA-1 breaks are now practical, and those practical breaks impact things like PGP and git. If you have code that depends on SHA-1, its time to fix that. If you have a protocol that uses SHA1,…
Read More Cryptographic Excitement
Post thumbnail
Spudnet is a new game to teach networking and security concepts. The creators were kind enough to send me a pre-production copy, and I can tell you – it looks and feels super solid, and, more importantly, it plays well. The Kickstarter has already met its goals, and while all Kickstarters have risk, the creators…
Read More Enter the SpudNet
Post thumbnail
Andrew McCarthy has an amazing and impressive photographs of the moon on Instagram. To call these photographs is somewhat provocative. In his trilogy, Ansel Adams focuses (sorry! Not sorry) on the camera, the negative, and the print. In The Negagive, he specifically discusses exposing film to light in controlled ways that caused chemical reactions on…
Read More 100,00 Moon Shots
Post thumbnail
Today’s Threat Modeling Thursday is a podcast! I’m on The Humans of InfoSec Podcast, with Caroline Wong: The Human Element of Threat Modeling.
Read More Threat Modeling Thursday: The Human ElementFor my first blog post of 2020, I want to look at threat modeling machine learning systems. [Update Jan 16: Victor of the Berryville Machine Learning Security blog has some interesting analysis here. That brings up a point I forgot to mention here: it would be great to name and version these models so we…
Read More Threat Modeling Thursday: Machine LearningI’m featured in (local NPR Affiliate) KUOW’s Primed: Season 3, Episode 8. I appreciate how the sense of fun that many security people bring to their work comes through. For me, it was fun learning about how Elevation of Privilege works for non-techies. (Spoiler: not super-well, you need to select the cards pretty carefully. Maybe…
Read More Echo, Threat Modeling and Privacy