Post thumbnail
As we look at what’s happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet unknown. And I don’t want…
Read More The Asset TrapI had not seen Threat modelling at the FT. In in Lisa Fiander and Costas K share their experiences with Elevation of Privilege played remotely. It’s a pleasant surprise to see how well EoP works in this remote world. I’d written about and then done a session with Agile Stationery; seeing independent reports is great!
Read More Elevation of Privilege In a Time of Cholera, Redux
Post thumbnail
Charley Pride has passed away of complications of Covid-19. I knew of his work because one of his albums, A Tribute to Jim Reeves, was initially sold with digital rights management. I bought a copy to explore the DRM before news came out that you could just take a sharpie and draw over the bits…
Read More Charley Pride (1934-2020)[Update: 3 comments] Fireeye’s announcement of their discovery of a breach is all over the news. The Reuters article quotes a ‘Western security official’ as saying “Plenty of similar companies have also been popped like this.” I have two comments. First, it’s easy for anyone to label attackers “sophisticated.” Fireeye certainly has more data and…
Read More Fireeye Hack & Culture
Post thumbnail
A few weeks back, I mentioned the Distinguished Lecture I gave at Ruhr University Bochum. I’m happy to say that the video is now online, and I also want to share the references.
Read More We Need a Discipline of Cybersecurity Public HealthThere’s an interesting paper, Mitigating social bias in knowledge graph embeddings from a team at Amazon, which was presented at an academic workshop on bias in knowledge graph construction. The work is interesting, and the availability of approaches like this will be a welcome shift in how we deal with these important issues. Of course,…
Read More Mitigating Social Bias in Knowledge GraphsAs we launched the threat modeling manifesto, we ran into some trouble with TLS. Some of you even reported those troubles, by saying “it’s not working.” Thanks. That’s so helpful. Sarcasm aside, there’s a basic form to a helpful bug report: “I did A, and observed B.” If you want to make it really useful,…
Read More It’s Not Working!
Post thumbnail
We get many things from whiteboards. One of those is a sense of impermanence – that the work on them is a work in progress. That it’s a sketch, rather than a final product. And I missed whiteboards, so working with my partners at Agile Stationery, we created not only whiteboards, but also stencils to…
Read More Stencils and Sketch BooksI’ve signed onto a letter to the European Commission on end to end encrypted communications.
Read More Breaking Encryption Myths (EU Commission on Encryption)
Post thumbnail
There’s a threat modeling manifesto being released today by a diverse set of experts and advocates for threat modeling. We consciously modeled it after the agile manifesto and it’s focused on values and principles. Also, there’s a podcast that gives you a chance to listen, behind-the-scenes at The Threat Modeling Manifesto – Part 1.
Read More A Threat Modeling Manifesto