Larry Greenblat is releasing a series of videos titled “Passing the CISSP Exam with the help of Spock & Kirk.” I, of course, love this, because using stories to help people learn and remember is awesome, and it reminds me of my own “The Security Principles of Saltzer and Schroeder, illustrated with Star Wars.” See also my thoughts on Star Wars vs Star Trek for these sorts of things.
I have a new Perspectives article at ISACA, Reasonable Software Security Engineering. It talks about the how, why and where you need to ground a software security engineering program.
On Tuesday, I spoke at the Seattle Privacy/TechnoActivism 3rd Monday meeting, and shared some initial results from the Seattle Privacy Threat Model project.
Overall, I’m happy to say that the effort has been a success, and opens up a set of possibilities.
- Every participant learned about threats they hadn’t previously considered. This is surprising in and of itself: there are few better-educated sets of people than those willing to commit hours of their weekends to threat modeling privacy.
- We have a new way to contextualize the decisions we might make, evidence that we can generate these in a reasonable amount of time, and an example of that form.
- We learned about how long it would take (a few hours to generate a good list of threats, a few hours per category to understand defenses and tradeoffs), and how to accelerate that. (We spent a while getting really deep into threat scenarios in a way that didn’t help with the all-up models.)
- We saw how deeply and complexly mobile phones and apps play into privacy.
- We got to some surprising results about privacy in your commute.
More at the Seattle Privacy Coalition blog, “Threat Modeling the Privacy of Seattle Residents,” including slides, whitepaper and spreadsheets full of data.
As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there. The 2018 call for papers is open and closes April 9th. Over the past few years, I think we’ve developed an interesting track with good material year over year.
I wrote a short blog post on what we look for.
The BlackHat CFP calls for work which has not been published elsewhere. We prefer fully original work, but will consider a new talk that explains work you’ve done for the BlackHat audience. Oftentimes, BlackHat does not count as “publication” in the view of academic program committees, and so you can present something at BlackHat that you plan to publish later. (You should of course check with the other venue, and disclose to BlackHat that you’re doing so.)
If you’re considering submitting, I encourage you to read all three recommendation posts at https://usa-briefings-cfp.blackhat.com/
There’s a fundraising campaign to “Keep the Bombe on the Bletchley Park Estate.”
The Bombe was a massive intellectual and engineering achievement at the British codebreaking center at Bletchley Park during the Second World War. The Bombes were all disassembled after the war, and the plans destroyed, making the reconstruction of the Bombe at Bletchley a second impressive achievement.
My photo is from the exhibit on the reconstruction.
This is very cool: “Star Trek’s secret weapon: a scientist with a mushroom fetish bent on saving the planet.”
On Star Trek: Discovery, the character Lieutenant Paul Stamets is an “astromycologist” — a mushroom expert in outer space who is passionate about the power of fungi.
Stamets is actually named after a real U.S. scientist who spends his downtime tramping through the forests of B.C.’s Cortes Island.
The real Stamets has a few books. “Mycelium Running” is a fascinating read.
[Update: Merry Christmas, Gävlebocken! You made it this year!]
On Wednesday, the supreme court will consider whether the government must obtain a warrant before accessing the rich trove of data that cellphone providers collect about cellphone users’ movements. Among scholars and campaigners, there is broad agreement that the case could yield the most consequential privacy ruling in a generation. (“Supreme court cellphone case puts free speech – not just privacy – at risk.”)
Bruce Schneier has an article in the Washington Post, “How the Supreme Court could keep police from using your cellphone to spy on you,” as does Stephen Sachs:
The Supreme Court will hear arguments this Wednesday in Carpenter v. United States, a criminal case testing the scope of the Fourth Amendment’s right to privacy in the digital age. The government seeks to uphold Timothy Carpenter’s conviction and will rely, as did the lower court, on the court’s 1979 decision in Smith v. Maryland, a case I know well.
I argued and won Smith v. Maryland when I was Maryland’s attorney general. I believe it was correctly decided. But I also believe it has long since outlived its suitability as precedent. (“The Supreme Court’s privacy precedent is outdated.”)
I am pleased to have been able to help with an amicus brief in the case, and hope that the Supreme Court uses this opportunity to protect all of our privacy. Good luck to the litigants!
http://aka.ms/pciblueprint is a fascinating collection of security documents for PCI compliance. They’re designed to cut the cost of building a secure infrastructure by providing a design pattern and details.