Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows [...]
So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwester corner of the US, and [...]
I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things goo wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple [...]
In a widely discussed op-ed, Richard Clarke wrote: It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), [...]
Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at [...]
Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people [...]
That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?” When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about [...]
At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became [...]
I really like what Adrian Lane had to say about the cars at RSA: I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. [...]
Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, [...]