Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
|
2024-07-28 00:00:00 |
The Goals of Cyber Public Health (direct link) |
Cyber Public Health is prompting fascinating conversations |
|
|
★★
|
|
2024-07-25 00:00:00 |
Hard Problems + Cyber Public Health (direct link) |
Adam's presentation to a National Academies Panel |
|
|
★★★
|
|
2024-07-22 00:00:00 |
Google on Cyber Public Health (direct link) |
Google calls attention to our Cyber Public Health work |
|
|
★★★
|
|
2024-07-18 00:00:00 |
Hard Problems + Cyber Public Health (direct link) |
Adam will be presenting to a National Academies Panel |
|
|
★★★
|
|
2024-06-17 00:00:00 |
First Workshop on Cyber Public Health (direct link) |
The first workshop on cyber public health was so exciting. Check out the report! |
|
|
★★
|
|
2023-09-26 00:00:00 |
FDA Final Cyber Guidance is out (direct link) |
The FDA has released their new guidance, which will be broadly impactful. |
|
|
★★★
|
|
2023-05-25 00:00:00 |
The Cyber Safety Review Board Should Investigate Major Historical Incidents (direct link) |
Tarah Wheeler and Adam write in CFR |
|
|
★★★
|
|
2023-01-30 00:00:00 |
Application Security Roundup - January (direct link) |
So many interesting articles, from AI to an organization of socio-technical harms, fascinating incident reports about Uber and Circle CI, and some history of attack trees. |
|
Uber
|
★★
|
|
2022-07-19 00:00:00 |
Major Cyber Incidents Investigations (direct link) |
I'm thrilled this how to guide for standing up new investigations is available. |
|
|
|
|
2022-02-09 00:00:00 |
Ten Questions we hope the CSRB answers (direct link) |
The new Cyber Safety Review Board is an opportunity to get better faster. |
|
|
|
|
2021-09-02 23:38:04 |
Turning off the lights? (direct link) |
Soon, soon we’ll turn off the lights, migrate these posts, and have everything at our shiny new blog at https://shostack.org/blog. And if you’re seeing this in an RSS feed, please update to https://shostack.org/feed.xml. And by the way, you’ll know you’re in the right place when you see new content about threat modeling and the JoHari… |
Threat
|
|
|
|
2021-09-02 23:35:30 |
Training Discount (direct link) |
Hey you! Out there beyond the wall, breaking bottles in the hall, you haven’t removed this feed from your RSS reader! If you add this feed there’s a training discount on my next open training course, kicking off October 11. |
|
|
|
|
2021-08-25 15:18:13 |
Star Wars Jokes? (direct link) |
If you’re seeing this in your feed, have you also seen a bad Star Wars joke? Because I’ve got one on the new blog. Please add https://shostack.org/feed.xml, or replace the feed you’re reading with it. (This is the adam.shostack.org version of this post; the new post is just at shostack.org) |
|
|
|
|
2021-08-23 23:24:42 |
Blog updates (direct link) |
I’m in the process of replacing this site, threatmodelingbook.com, and the associates.shostack.org site with a new, unified https://shostack.org. I’ll be saying more about the redesign, but as part of it, I’m migrating the blog over there. There are a few new posts there that I forgot to mirror here, including: Threat Modeling Through the JoHari… |
Threat
|
|
|
|
2021-08-09 22:48:27 |
25 Years In Appsec: Looking Back (direct link) |
Twenty-five years ago I published a set of code review guidelines that I had crafted while working for a bank. I released them (thanks, SteveMac!) to get feedback and advice, because back then, there was exceptionally little in terms of practical advice on what we now call AppSec. Looking back at what’s there: it’s explicitly… |
|
|
|
|
2021-08-04 18:25:46 |
The COVID testbed and AI (direct link) |
There’s a really interesting article in MIT Tech Review, Hundreds of AI tools have been built to catch covid. None of them helped. Oops, I think I gave away the ending. But there’s a lot of fascinating details: Many unwittingly used a data set that contained chest scans of children who did not have covid… |
|
|
|
|
2021-07-15 18:21:37 |
Threat Model Thursday: NIST's Code Verification Standard (direct link) |
Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and what the standard means now and in the future. To summarize: new requirements are coming to a project near you, and getting ready now… |
Threat
|
|
|
|
2021-07-13 15:14:36 |
Collaboration in Threat Modeling (direct link) |
It’s the latest in the World’s Shortest Threat Modeling videos! Also, I set up https://bit.ly/adam-yt to make it easy to find my Youtube channel. |
Threat
|
|
|
|
2021-07-07 15:32:06 |
Sketching to Answer “What Are We Working On?” (direct link) |
The latest in the World’s Shortest Threat Modeling Videos: |
Threat
|
|
|
|
2021-07-01 21:43:24 |
Threat Model Thursday: 5G Infrastructure (direct link) |
The US Government’s lead cybersecurity agencies (CISA, NSA, and ODNI) have released an interesting report, Potential Threat Vectors To 5G Infrastructure. (Press release), and I wanted to use this for a Threat Model Thursday, where we take a respectful look at threat modeling work products to see what we can learn. The first thing I… |
Threat
Guideline
|
|
★★★
|
|
2021-06-28 16:49:16 |
Applied Threat Modeling at Blackhat 2021! (direct link) |
At Blackhat USA, I’ll be teaching Applied Threat Modeling. This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on the first day and then go deep into each of the four questions: what are we working on, what can go wrong,… |
Threat
|
|
|
|
2021-06-23 15:26:23 |
Why Threat Model? (direct link) |
The second video in my 60 second series! |
Threat
|
|
|
|
2021-06-19 15:28:50 |
Juneteenth: A New Federal Holiday (direct link) |
I’m thrilled that Juneteenth will be a Federal holiday. We need more holidays that celebrate freedom, and there are few events that increase freedom as much as emancipating people who were enslaved. That is, freeing them from the threat that violence would be used against them, and they would have no recourse. The United States also needs… |
Threat
|
|
|
|
2021-06-17 15:53:51 |
Fast threat modeling videos (direct link) |
I’m exploring the concept of very fast threat modeling videos, and have posted the first one. Feedback welcome! |
Threat
|
|
|
|
2021-06-15 16:12:47 |
“Not in my threat model”? (direct link) |
You know what’s not in my threat model? A meteor hitting a volcano… And that’s ok! Your threat modeling should be focused on the threats that are likely to impact your systems. So unless your system is your evil supervillain volcano lair, a meteor is likely out of scope. And unless you have giant space lasers,… |
Threat
|
|
|
|
2021-06-09 14:40:54 |
Ransomware is Not the Problem (direct link) |
There’s an infinite number of studies of ransomware lately, all breathlessly talking about how to fight this dangerous threat. They’re all dangerously wrong. Ransomware is not the problem. I’m being intentionally provocative in my latest Dark Reading Column |
Ransomware
Studies
|
|
|
|
2021-06-07 15:40:27 |
Thoughts on the Executive Order (direct link) |
Finally! A Cybersecurity Safety Review Board is a new article by Steve Bellovin and myself at Lawfare. One element of President Biden's executive order on cybersecurity establishes a board to investigate major incidents involving government computers in somewhat the way that the National Transportation Safety Board investigates aviation disasters. The two of us, among many… |
|
|
|
|
2021-06-04 16:34:27 |
Van Buren (direct link) |
The Supreme Court has ruled in the van Buren case, and there’s a good summary on the EFF’s blog: “The decision is a victory for all Internet users, as it affirmed that online services cannot use the CFAA's criminal provisions to enforce limitations on how or why you use their service…” As I said at… |
|
|
|
|
2021-06-01 16:20:23 |
Recording Lectures (direct link) |
People sometimes ask me about my recording setup, and I wanted to share some thoughts about recording good learning content. The most important thing I’ve learned is the importance of conceptualizing what you want it to look like. The other thing I’ve learned is that the more expensive gear is usually more expensive for decent… |
|
|
|
|
2021-05-26 21:11:24 |
Review: Practical Security Architecture (direct link) |
There’s an insightful comment, “Everybody has a testing environment. Some people are lucky enough to have a totally separate environment to run production in.” Similarly, everybody has both enterprise and product architecture. Some people are lucky enough to be able to design them. I have to say that because “architecture” is much maligned for… |
|
|
|
|
2021-05-20 23:58:51 |
NSF Wants Data on Your Data Needs (direct link) |
The National Science Foundation is looking for information on needs for datasets, Dear Colleague Letter: Request for Information on the specific needs for datasets to conduct research on computer and network systems. A draft of my responses is on Google Docs. Comments are due Friday at 5 PM EST. (I thought I’d posted this earlier.) |
|
|
|
|
2021-05-20 20:47:56 |
Using Threat Modeling to Improve Compliance (TM Thursday) (direct link) |
Threat model Thursday is not just back, but live again! This week is my Using Threat Modeling to Improve Compliance at RSAC 2021. The video replay is available if you have an RSA pass, and the slides are available to all. |
Threat
|
|
|
|
2021-05-15 15:40:24 |
Colonial Pipeline, Darkside and Models (direct link) |
The Colonial Pipeline shutdown story is interesting in all sorts of ways, and trying to talk intelligently about it just takes more time than I can devote. I did want to talk about one small aspect, which is the way responders talk about Darkside. Blog posts from Sophos and Mandiant seem really useful! Information sharing… |
|
|
|
|
2021-05-14 15:20:58 |
Pacific Northwest Appsec Conference (direct link) |
“AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria. We love to see brand new speakers, seasoned speakers and everyone in between.” Their call for presentations is now open. |
|
|
|
|
2021-05-08 16:31:06 |
Tracking Company Says 96% of iPhone Users Block Tracking (direct link) |
So there’s some good news and some bad news in this story: Too Bad, Zuck: Just 4% of U.S. iPhone Users Let Apps Track Them After iOS Update. The good news is that, given a choice, 96% of Americans don’t accept targeted ads. I’m sure that the advertisers will accept that, move on, and not… |
|
|
|
|
2021-05-06 21:42:34 |
Apple Guidance on Intimate Partner Surveillance (direct link) |
Apple has released (or I’ve just come across) a document Device and Data Access when Personal Safety is At Risk. Apple makes it easy to connect and share your life with the people closest to you. What you share, and whom you share it with, is up to you - including the decision to make… |
|
|
|
|
2021-04-29 23:51:50 |
Threat Model Thursday: Technology Consumers (direct link) |
There’s an interesting paper, 'It depends on your threat model': the anticipatory dimensions of resistance to data-driven surveillance. The author critiques ‘anticipatory data practices’, a collection of techniques that include my own work, as presented to civil society activists. It opens “While many forms of data-driven surveillance are now a 'fact' of contemporary life amidst… |
Threat
|
|
|
|
2021-04-26 14:14:30 |
“Stop Vaccine Finger Wagging” (direct link) |
The U.S. political divide on whether to get the coronavirus vaccine suggests that “maybe there's been too much finger wagging,” said the head of the National Institutes of Health. “I've done some of that; I'm going to try to stop and listen, in fact, to what people's specific questions are,” NIH Director Francis Collins said… |
|
|
|
|
2021-04-23 22:57:58 |
This time for sure, Pinky! (direct link) |
If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? Read Mike Tanji’s full article, From Solar Sunrise to Solar… |
|
|
|
|
2021-04-22 17:34:48 |
IoT Security & Threat Modeling (direct link) |
There’s a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security. One of the elements I want to draw attention to is: The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. Collecting data (and… |
Threat
|
|
|
|
2021-04-16 00:01:21 |
Thursday Threat Model: Github's Approach (direct link) |
A bunch of people recently asked me about Robert Reichel’s post “How We Threat Model,” and I wanted to use it to pick up on Threat Model Thursdays, where I talk about process and practices. My goal is always to build, and sometimes that involves criticism. So let me start by saying I like the… |
Threat
|
|
★★★
|
|
2021-04-14 22:58:52 |
The Updates Must Go Through (direct link) |
On Monday, the Department of Justice announced that it had cleaned malware (“webshells”) off of hundreds of infected mail systems running Microsoft Exchange. Microsoft has been trying to get folks to apply critical security patches to address a problem that’s being actively exploited. A few minutes ago, I posted a screencapture of Microsoft’s autoupdater going… |
Malware
|
|
|
|
2021-04-14 22:13:58 |
Dear Microsoft: Please fix MAU (direct link) |
This is the second month running that MSAU2 on my Mac has gone haywire. Please fix it. |
|
|
|
|
2021-04-13 17:14:43 |
Can Training Work Remotely? (direct link) |
I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there’s a strong expectation that training involves whiteboards. (I remember one course in particular, about 15 minutes in, the buyer said: “Let’s get to the whiteboards already!”) And there’s no doubt: people learn by doing.… |
Threat
|
|
|
|
2021-04-06 16:48:44 |
Behind the Scenes: Training Development (direct link) |
I’ve talked about our new training, and I want to provide a little behind the scenes view. I regularly talk with folks who’ve gone through the pain of developing their own training, or worse, put others through the pain of their alpha-version training, and then paid the price in having to convince people to give… |
|
|
|
|
2021-04-01 15:23:59 |
Passover Pie (direct link) |
For Passover, we made a lamb and bitter greens pizza. Now, you may be saying to yourself that that’s wrong, but allow me to explain. A few years ago, Seattle Food Geek wrote about a No-Yeast, No-Rise, Champagne Pizza Dough. It makes use of an encapsulated leveler called WRISE. I had a sample of the… |
|
|
|
|
2021-03-30 20:00:08 |
Threat Modeling Classes (direct link) |
I have been lucky through these unprecedented and challenging times, and I’m grateful to have avoided many of the awful problems that others have faced. In my own little way, I spent a lot of time worried that delivering threat modeling training was only possible with us in the same room together. Through the pandemic,… |
Threat
|
|
|
|
2021-03-26 23:24:37 |
Ever Given & Suez (direct link) |
There are lots of fascinating details in The Ship Blocking the Suez Canal Could Take Weeks to Remove at Interesting Engineering. Two tidbits: first, the denial of service is blocking $9.6 billion dollars a day of cargo, but the eventual cost may be lower. Second, Egypt didn’t outlaw slavery until 1863. (Happy Passover, everyone!) This CNBC… |
|
|
|
|
2021-03-26 18:02:55 |
Microsoft Autoupdate hangs Excel 16.47.21032301 (direct link) |
Microsoft AutoUpdate for Mac has gotten exceptionally aggressive about running. Even if you use launchctl to disable it, you get a pop up roughly every 15 minutes of using an Office program. That’s probably a good thing, overall. There’s plenty of evidence that update failures leave folks vulnerable. Note that I’m saying “update failures,” rather… |
|
|
|
|
2021-03-24 23:01:00 |
Mmmm, Pandemic Puppies (direct link) |
This is a really encouraging set of trends that Sandy Carielli reports on: My latest report, “The State Of Application Security, 2021,” draws heavily from that security survey mentioned above, and by far the most encouraging piece of data I share in the report is about how security pros are prioritizing application security. When asked… |
|
|
|