A reminder, this blog has moved! If you’re seeing this in your RSS, you should take a second to update your feed.
From now on, I’ll be posting at Adam Shostack and Friends. If you read the site via RSS, please take a moment to update your feed to https://adam.shostack.org/blog/feed/. Oh, and everyone who’s been part of the jazz combo has an account over at the new blog, and I expect a new Mordaxus post any day.
If there’s too much content here (there?) and you’d like a lowe
When I started blogging a dozen years ago, the world was different. Over time, I ended up with at least two main blogs (Emergent Chaos and New School), and guest posting at Dark Reading, IANS, various Microsoft blogs, and other places. It made less and less sense, even to me.
I decided it’s time to bring all that under a single masthead, and move all the archives over.
From now on, I’ll be posting at Adam Shostack and Friends. If you read the site via RSS, please take a mome
After the February 2017 S3 incident, Amazon posted this:
We are making several changes as a result of this operational event. While removal of capacity is a key operational practice, in this instance, the tool used allowed too much capacity to be removed too quickly. We have modified this tool to remove capacity more slowly and added safeguards to prevent capacity from being removed when it will take any subsystem below its minimum required capacity level. This will prevent an incor
At RSA’17, I spoke on “Security Leadership Lessons from the Dark Side.”
Leading a security program is hard. Fortunately, we can learn a great deal from Sith lords, including Darth Vader and how he managed security strategy for the Empire. Managing a distributed portfolio is hard when rebel scum and Jedi knights interfere with your every move. But that doesn’t mean that you have to throw the CEO into a reactor core. “Better ways you will learn, mmmm?”
In the talk, I discussed
In September, Steve Bellovin and I asked “Why Don’t We Have an Incident Repository?”
I’m continuing to do research on the topic, and I’m interested in putting together a list of such things. I’d like to ask you for two favors.
First, if you remember such things, can you tell me about it? I recall “Computers at Risk,” the National Cyber Leap Year report, and the Bellovin & Neumann editorial in IEEE S&P. Oh, and “The New School of Information Security.” But I’m sure t
There are two great blog posts at Securosis to kick off the new year: “Tidal Forces: The Trends Tearing Apart Security As We Know It” (Rich Mogull) and “Network Security in the Cloud Age: Everything Changes” (Mike Rothman).
Both are deep and important and worth pondering. I want to riff on something that Rich said:
On the security professional side I have trained hundreds of practitioners on cloud security, while working with dozens of organizations to secure cloud deployments. It can
[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.]
Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian Krebs summarizes what was taken, and also has a more general FAQ.
The statement says that for “potentially affected accounts, the stolen user account informat
This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company:
There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of running a company this big, you’re going to see, every day, things that are not as great as you would have hoped or wanted them to be. You have to figure out how to absorb that without losing your sense
There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments
Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card games designed for teaching various cybersecurity concepts. However, effectiveness of these card games is unknown for the most par
Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part in that movement.
As I consider where we are today, a question that we can’t answer sufficiently is “what’s in it for me?” “Why should I spend time on this?” The benefits may take too long to appear. An