What's new around the internet
Date (GMT) | Title | Description | Tags
2021-01-26 15:26:16 | Irius Risk & Gary McGraw | I’m very excited that Gary McGraw is joining the Irius Risk Technical Advisory Board as board chair. Gary’s a pioneer in software security, and his work in machine learning was my choice to kick off blogging 2020. | -
2021-01-25 19:41:58 | Podcast on Using Games | It would be trite writing to say it was fun to be on a podcast with Volko Ruhnke and Hadas Cassorla to talk about using games to teach. And while it was, it was really educational and inspirational. I learned from both of them, and I hope you enjoy the podcast as well! Volko Ruhnke,… | -
2021-01-15 19:12:14 | Digital Guru Books | Rupin Gupta runs Digital Guru books. He’s one of the nicest people you’ll ever meet, a real joy to work with, and he works hard to put books on shelves so that you can discover them. With the conference business changing, Digital Guru needs some help. Borrowing some words from my editor Jim Minatel: “If… | -
2021-01-10 22:21:45 | Humble Bundle: Good, Cheap Books | There’s a humble bundle out that includes my Threat Modeling: Designing for Security, The Shellcoders Handbook, Practical Reverse Engineering, The Art of Intrusion, Social Engineering, Crypto Engineering, a nearly complete set of Bruce Schneier, and more! And your donations benefit EFF! The deal is good through Monday morning at 11 Pacific. https://www.humblebundle.com/books/cybersecurity-cryptography-wiley-books | Threat
2021-01-03 16:53:48 | It’s 2021: Have you checked your backups? | As the expression goes, no one cares about backups, they care about restores. Do yours work? Some lessons learned over the last few days: Apple has disabled single user mode as of Mojave, and many recovery options are not available if you use a firmware password. Do not forget that availability is a security property.… | -
2020-12-28 17:39:27 | Vaccines | You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines. First, the FDA has authorized two vaccines for emergency use. The review memoranda (Pfizer, Moderna) are all sorts of fascinating. As the kids say, TL;DR: both vaccines are safe and no… | -
2020-12-27 16:41:41 | Just the Great Conjunction of Saturn and Jupiter…shot from the moon | It’s easy to forget that the Lunar Reconnaissance Orbiter has been circling the moon for nearly a dozen years. Via DIY Photography | -
2020-12-24 17:56:24 | Dinosaur Feathers | Scientists have discovered a chunk of amber with a dinosaur tail in it. (Poor dinosaur!) National Geographic has the story, which is not brand-new, but is a nice bit of scientific joy for the day. | -
2020-12-23 16:44:48 | Chang’e 5! | Congratulations to the Chinese for the success of their Chang’e 5 lunar sample return mission! The complexity of landing a robot on the moon and returning it safely to Earth is enormous. In contrast to the Apollo series of missions, which launched and returned inside of a week, Chang’e took a week to get to… | -
2020-12-16 19:47:38 | The Asset Trap | As we look at what’s happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet unknown. And I don’t want… | Hack, Threat, Guideline
2020-12-15 16:49:58 | Elevation of Privilege In a Time of Cholera, Redux | I had not seen Threat modelling at the FT. In it, Lisa Fiander and Costas K share their experiences with Elevation of Privilege played remotely. It’s a pleasant surprise to see how well EoP works in this remote world. I’d written about and then done a session with Agile Stationery; seeing independent reports is great! | Threat
2020-12-13 18:41:59 | Charley Pride (1934-2020) | Charley Pride has passed away of complications of Covid-19. I knew of his work because one of his albums, A Tribute to Jim Reeves, was initially sold with digital rights management. I bought a copy to explore the DRM before news came out that you could just take a sharpie and draw over the bits… | -
2020-12-09 16:32:16 | Fireeye Hack & Culture | Fireeye’s announcement of their discovery of a breach is all over the news. The Reuters article quotes a ‘Western security official’ as saying “Plenty of similar companies have also been popped like this.” I have two comments. First, it’s easy for anyone to label attackers “sophisticated.” Fireeye certainly has more data and experience in assessing… | Hack
2020-12-07 20:41:21 | We Need a Discipline of Cybersecurity Public Health | A few weeks back, I mentioned the Distinguished Lecture I gave at Ruhr University Bochum. I’m happy to say that the video is now online, and I also want to share the references. | -
2020-12-04 18:55:16 | Mitigating Social Bias in Knowledge Graphs | There’s an interesting paper, Mitigating social bias in knowledge graph embeddings from a team at Amazon, which was presented at an academic workshop on bias in knowledge graph construction. The work is interesting, and the availability of approaches like this will be a welcome shift in how we deal with these important issues. Of course,… | -
2020-11-25 15:52:52 | It’s Not Working! | As we launched the threat modeling manifesto, we ran into some trouble with TLS. Some of you even reported those troubles, by saying “it’s not working.” Thanks. That’s so helpful. Sarcasm aside, there’s a basic form to a helpful bug report: “I did A, and observed B.” If you want to make it really useful,… | Threat
2020-11-23 19:44:32 | Stencils and Sketch Books | We get many things from whiteboards. One of those is a sense of impermanence – that the work on them is a work in progress. That it’s a sketch, rather than a final product. And I missed whiteboards, so working with my partners at Agile Stationery, we created not only whiteboards, but also stencils to… | -
2020-11-22 20:57:15 | Breaking Encryption Myths (EU Commission on Encryption) | I’ve signed onto a letter to the European Commission on end to end encrypted communications. | -
2020-11-17 17:28:45 | A Threat Modeling Manifesto | There’s a threat modeling manifesto being released today by a diverse set of experts and advocates for threat modeling. We consciously modeled it after the agile manifesto and it’s focused on values and principles. Also, there’s a podcast that gives you a chance to listen, behind-the-scenes at The Threat Modeling Manifesto – Part 1. | Threat
2020-11-13 17:02:45 | We Need A Discipline of Cyber Public Health | I’m very excited that, on Monday, I’ll be giving a Distinguished Lecture, “We Need A Discipline of Cyber Public Health” at Ruhr University Bochum. It ties together some deeper analysis of where we are with the discipline of security engineering, some of the challenges we face, and how we can solve them. The abstract is:… | -
2020-11-11 22:05:05 | On Legitimacy (After the Election) | Before the election, I wrote about legitimacy. In that, I said “The second function of democracy is to convince everyone that it produces legitimate and correct choices.” There are two important things worth watching. First, President Trump is attempting to cast doubt on an election in which he was thoroughly rejected by voters. Second, we… | -
2020-11-06 16:54:18 | Friday Star Wars: Lego Holiday Celebration | A little something to make you smile today: | -
2020-11-04 19:37:47 | Maps and Visualization | I posted this image in 2004. It’s even more relevant now. While we have a country that is clearly divided, the dividing lines are not so neat as the maps showing states going one way or the other. | -
2020-11-02 00:08:38 | On Legitimacy | The first function of democracy is to enable the peaceful handover of power from one group to another. For this, all its myriad sins are forgiven. The peaceful handover of power from one group to another is not a sure thing. Historically, it’s something of an aberration. There are all sorts of reasons, when you… | -
2020-10-31 20:36:25 | Notice the Outrage Machines | With three days to the US election, the outrage machines are running on all cylinders. It’ll be easier to stay happy if you remember to notice them. To be clear, I’m not using a metaphor. Websites from news to social media use data to drive stories. Twitter’s top tweets, Facebook’s timeline, your local newspaper, but… | -
2020-10-09 15:27:23 | On Monopolies | In a simpler age, Matt Stoller famously lost his job for critiquing Google. He has a really interesting article summarizing and analyzing the massive anti-trust report at Congress Gets Ready to Smash Big Tech Monopolies. If you’re like me, unsure if or how this might matter, take the time to read what he said. (Via… | -
2020-10-07 17:17:24 | Training: Threat Modeling for Security Champions | I haven’t talked about it much, but I spent the first few months of the pandemic learning how to deliver effective training in a distributed (online) model. I’m really proud that our distributed class NPS customer satisfaction scores are now comparable to our in-person classes. Also it’s been a lot of hard work, and in… | Threat
2020-09-24 22:48:42 | A PCI Threat Model | The reason I hate compliance programs is because they’re lists of things we need to do, and many times, those things don’t seem to make a great deal of sense. In threat modeling, I talk about the interplay between threats, controls, and requirements, and I joke that “a requirement to have a control absent any… | Threat
2020-09-23 14:10:06 | Mentions | I joined Vin Nelsen for the Multi-Hazards podcast. If you’re looking for me to go beyond the bounds of technology threat modeling, this was an interesting, far-ranging conversation about the state of the world. He also creates a study guide per episode - don’t miss the subtly labeled pdf there. I didn’t join in Security… | Threat
2020-09-17 18:52:35 | Starting Threat Modeling: Focused Retrospectives are Key | There’s a good, long article at MartinFowler.com “A Guide to Threat Modelling for Developers.” It’s solid work and I’m glad it’s out there. And I want to do something I don’t usually do, which is quibble with footnotes. Jim writes in footnote 2: Adam Shostack, who has written extensively on threat modelling and has provided… | Threat
2020-09-10 21:21:07 | Threat Modeling, Insiders and Incentives | There’s been a lot of talk over the last week about “updating threat models” in light of the Tesla insider story. (For example.) I’m getting this question a fair bit, and so wanted to talk about insiders in particular, and how to use the news in threat modeling more generally. This also is a great… | Threat
2020-09-07 15:54:09 | Phil Venables Blogging | Phil Venables is one of the more reflective and thoughtful CSOs out there, and in this era where everything is a tweet or a linkedin post (sigh) you may have missed that Phil has a blog. This Labor day, why not take the time to catch up on his writing? | -
2020-08-28 16:47:49 | The Uber CSO indictment | Mark Rasch, who created the Computer Crime Unit at the United States Department of Justice, has an essay, “Conceal and Fail to Report – The Uber CSO Indictment.” The case is causing great consternation in the InfoSec community partly because it is the first instance in which a CSO or CISO has been personally held… | Uber
2020-08-26 17:25:54 | Podcast with Sidney Dekker | This is a really interesting podcast interview with Sidney Dekker, who’s one of the most important thinkers in safety. The Jay Allen Show on Safety. (Fast forward through the first 3 minutes, the content is quite interesting.) Particularly interesting is his discussion of some ‘best practices’ which come out of a poorly supported chain of… | -
2020-08-24 15:25:20 | Elevation of Privilege In The Time of Cholera | The Elevation of Privilege game has had way more staying power than I would have expected. But the online experience in this time of global pandemic has left out some of the magic that made it work. So I was really skeptical when Simon Gibbs from Agile Stationery mailed me about an approach to playing… | -
2020-08-19 16:22:32 | Worthwhile books Q2 2020 | These are the books that I read in Q2 2020 that I think are worth your time. Sorry it’s late. They’re still worthwhile. 🙂 Cyber: You’ll See This Message When It Is Too Late, by Josephine Wolff. This is an interesting examination of the effects of finger-pointing and blame avoidance on the cybersecurity landscape, with… | -
2020-08-18 16:47:12 | Better Taught Than Caught! | So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all… | Threat
2020-08-14 14:51:55 | Information Disclosure In Depth! | I have something to disclose: the release of my new course on information disclosure has just launched on Linkedin! 🎉🥂 To celebrate, I’ve made it easier to disclose the contents by making it free for you (link here). Please help me disclose this information to the world! | -
2020-08-13 17:24:00 | MDIC Annual Public Forum | I’ll be speaking at the MDIC’s Annual Public Forum today, discussing how threat modeling helps bring maturity to the medtech sector. Join us shortly! | Threat
2020-08-12 14:55:52 | When to Threat Model | At Defcon’s biohacking village, there was an interesting talk on Includes No Dirt threat modeling. I thought this slide was particularly interesting. As threat modeling moves from an idea through pilots and deployments, and we develop the organizational disciplines of threat modeling, the question of ‘when do we do this’ comes up. There’s good appsec… | Threat
2020-07-31 20:44:43 | Maximizing The Value of Virtual Security Conferences | Nathan Hamiel has a really good post on Maximizing The Value of Virtual Security Conferences. To his key point of ‘know what you want to get out of it’ and ‘know what it would take to make it happen,’ I want to add two ideas: First, take notes with a pen and paper. This is… | -
2020-07-24 19:12:08 | Sociotechnical Approach to Cyber Security | There’s a post from Helen L. of the UK’s NCSC, A sociotechnical approach to cyber security. Her post shares the context of socio-technical approaches, discusses the (re-named) RISCS institute, and shares the current problem book. The post and the problem book are both worth a careful read. (I’m honored to be an advisor to the… | -
2020-07-21 18:44:30 | Video series | It will come as no surprise to regular readers of this blog that I prefer the written word to audio and video, but 2020 being 2020, I now have a YouTube Channel, with the first video below: | -
2020-07-20 20:56:59 | Happy Apollo 11 Day! | With engineering, courage, and leadership, we can do amazing things. | Guideline
2020-07-15 00:58:37 | Software Engineering Radio | I enjoyed being a guest on Software Engineering Radio: Adam Shostack on Threat Modeling. It’s a substantial, in depth interview, running nearly 80 minutes, and covering a wide variety of topics. | Threat
2020-07-13 23:06:29 | Amicus Brief on CFAA | The EFF has filed an amicus brief on the Computer Fraud and Abuse Act: Washington, D.C. - The Electronic Frontier Foundation (EFF) and leading cybersecurity experts today urged the Supreme Court to rein in the scope of the Computer Fraud and Abuse Act (CFAA) - and protect the security research we all rely on to keep us safe - by holding… | Guideline
2020-07-07 15:46:14 | Internet Society Opposition to LAED Act | The Internet Society Open Letter Against Lawful Access to Encrypted Data Act was published this morning. It’s an important and broad coalition to protect the ability of American companies to deliver security to their customers. I’m honored to be one of the signers. | -
2020-07-02 15:52:46 | Threat Model In My Devops | This talk by Alyssa Miller is fascinating and thought provoking. She frames a focus on integrating threat modeling into devops. The question of ‘what are we working on’ is answered with use cases, and threat modeling for that sprint is scoped to the use cases. ‘What can go wrong’ is focused on a business analysis… | Threat
2020-06-30 15:11:02 | Threat Modeling & the SAFE Framework | There’s an interesting and detailed blog post from Antti Vähä-Sipilä and Heli Syväoja at the F-Secure blog, Using SAFe® to align cyber security and executive goals in an agile setting. What I find most useful is the detailed and specific elements of how to bring threat modeling into the Scaled Agile Framework, in particular: Security… | Threat
2020-06-22 16:13:20 | The Cyentia Library Relaunches | I’m excited to see that they’re Re-introducing the Cyentia Research Library, with cool (new?) features like an RSS feed. There are over 1,000 corporate research reports with data that companies paid to collect, massage, and release in a way they felt would be helpful to the rest of the world. The Cyentia Library lets us… | -
Last update at: 2024-05-02 17:07:49