Adam Shostack & friends – Page 4 – Security, privacy, economics and unrelated topics since 2005

2021-04-14 by adam

The Updates Must Go Through

On Monday, the Department of Justice announced that it had cleaned malware (“webshells”) off of hundreds of infected mail systems running Microsoft Exchange. Microsoft has been trying to get folks to apply critical security patches to address a problem that’s being actively exploited. A few minutes ago, I posted a screencapture of Microsoft’s autoupdater going…

2021-04-14 by adam

Dear Microsoft: Please fix MAU

This is the second month running that MSAU2 on my Mac has gone haywire. Please fix it.

2021-04-13 by adam

Can Training Work Remotely?

I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there’s a strong expectation that training involves whiteboards. (I remember one course in particular, about 15 minutes in, the buyer said: “Let’s get to the whiteboards already!”) And there’s no doubt: people learn by doing.…

2021-04-06 by adam

Behind the Scenes: Training Development

I’ve talked about our new training, and I want to provide a little behind the scenes view. I regularly talk with folks who’ve gone through the pain of developing their own training, or worse, put others through the pain of their alpha-version training, and then paid the price in having to convince people to give…

2021-04-01 by adam

Passover Pie

For Passover, we made a lamb and bitter greens pizza. Now, you may be saying to yourself that that’s wrong, but allow me to explain. A few years ago, Seattle Food Geek wrote about a No-Yeast, No-Rise, Champagne Pizza Dough. It makes use of an encapsulated leavener called WRISE. I had a sample of the…

2021-03-30 by adam

Threat Modeling Classes

I have been lucky through these unprecendented and challenging times, and I’m grateful to have avoided many of the awful problems that others have faced. In my own little way, I spent a lot of time worried that delivering threat modeling training was only possible with us in the same room together. Through the pandemic,…

2021-03-26 by adam 1 comment

Ever Given & Suez

There’s lots of fascinating details in The Ship Blocking the Suez Canal Could Take Weeks to Remove at Interesting Engineering. Two tidbits: first, the denial of service is blocking $9.6 billion dollars a day of cargo, but the eventual cost may be lower. Second, Egypt didn’t outlaw slavery until 1863. (Happy Passover, everyone!) This CNBC…

2021-03-26 by adam

Microsoft Autoupdate hangs Excel 16.47.21032301

Microsoft AutoUpdate for Mac has gotten exceptionally aggressive about running. Even if you use launchctl to disable it, you get a pop up roughly every 15 minutes of using an Office program. That’s probably a good thing, overall. There’s plenty of evidence that update failures leave folks vulnerable. Note that I’m saying “update failures,” rather…

2021-03-24 by adam

Mmmm, Pandemic Puppies

This is a really encouraging set of trends that Sandy Carielli reports on: My latest report, “The State Of Application Security, 2021,” draws heavily from that security survey mentioned above, and by far the most encouraging piece of data I share in the report is about how security pros are prioritizing application security. When asked…

2021-03-15 by adam

Happy (Belated) Pi Day!

For pi day, we celebrated with a set of pies – a British style bacon and liver pie, a chicken pot pie, and a cherry pie. The bacon and liver pie, with roasted carrot and shallot, was intended as a joke and came out well enough that we’ll make it again. The cherry pie, with…