Post thumbnail
The White Box, and its accompanying book, “The White Box Essays” are a FANTASTIC resource, and I wish I’d had them available to me as I designed Elevation of Privilege and helped with Control-Alt-Hack. The book is for people who want to make games, and it does a lovely job of teaching you how, including…
Read More The White Box Essays (Book Review)There’s an interesting article in Bentham’s Gaze, “Science ‘of’ or ‘for’ security?” It usefully teases apart some concepts, and, yes, it probably is consistent with the New School.
Read More Science of Security, Science for Security
Post thumbnail
When Andrew and I wrote The New School, and talked about the need to learn from other professions, we didn’t mean for doctors to learn from ‘cybersecurity thought leaders’ about hiding their problems: …Only one organism grew back. C. auris. It was spreading, but word of it was not. The hospital, a specialty lung and…
Read More ‘No need’ to tell the public(?!?)
Post thumbnail
Congratulations to the Hayabusa2 mission team, who flew to an asteroid, dropped multiple rovers, an impactor and a separate camera satellite to observe the impactor. The Hayabusa2 then flew around, to the far side of the asteroid to avoid ejecta from the impactor. In a few weeks, Hayabusa2 will probably land, collect more samples and…
Read More Hayabusa!
Post thumbnail
Cyber Making Software “What Really Works, and Why We Believe It” by Andy Oram and Greg Wilson. This collection of essays is a fascinating view into the state of the art in empirical analysis software engineering. Agile Application Security by Laura Bell, Michael Brunton-Spall, Rich Smith and Jim Bird. A really good overview of the…
Read More Books Worth Your Time (Q1 2019)“90% of attacks start with phishing!*” “Cyber attacks will cost the world 6 trillion by 2020!” We’ve all seen these sorts of numbers from vendors, and in a sense they’re April Fools day numbers: you’d have to be a fool to believe them. But vendors quote insane because there’s no downside and much upside. We…
Read More Leave Those Numbers for April 1st“Today, let me contrast two 20-year-old papers on threat modeling. My first paper on this topic, “Breaking Up Is Hard to Do,” written with Bruce Schneier, analyzed smart-card security. We talked about categories of threats, threat actors, assets — all the usual stuff for a paper of that era. We took the stance that “we…
Read More 20 Years of STRIDE: Looking Back, Looking Forward“Cybersecurity is not very important” is a new paper by the very smart Andrew Odlyzko. I do not agree with everything he says, but it’s worth reading and pondering if and why you disagree with it. I think I agree with it more than I disagree.
Read More Cybersecurity is not very importantRSA has posted a video of my talk, “Threat Modeling in 2019”
Read More Threat Modeling in 2019I’ve signed on to Access Now’s letter to the Indian Ministry of Electronics and Information Technology, asking the Government of India to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules. As they say in their press release: Today’s letter, signed by an international coalition of 31 organizations and individuals, explains how…
Read More India’s Intermediary Guidelines