Archive for the “Amusements” category

Learning from Our Experience, Part Z

by adam on November 7, 2016

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they (…)

Read the rest of this entry »

Threat modeling the Dread Pirate Roberts way

by adam on April 21, 2014

It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we (…)

Read the rest of this entry »

Security Lessons From Star Wars: Breach Response

by adam on May 4, 2013

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died (…)

Read the rest of this entry »

The best part of exploit kits

by adam on April 19, 2013

Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such (…)

Read the rest of this entry »

Is there “Room for Debate?” in Breach Disclosure?

by adam on February 22, 2013

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ (…)

Read the rest of this entry »

Elevation of Privilege: Drawing Developers into Threat Modeling

by adam on December 19, 2012

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at (…)

Read the rest of this entry »

Control-Alt-Hack: Now available from Amazon!

by adam on November 22, 2012

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a (…)

Read the rest of this entry »

Where is Information Security’s Nate Silver?

by adam on November 14, 2012

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis (…)

Read the rest of this entry »

Stop sinning with complaints about the coffee budget

by adam on March 6, 2012

Someone respected wrote on a private mailing list: “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002 To which, verily (…)

Read the rest of this entry »

Particularly NewSchool Job Posting

by alex on December 8, 2011

From Keith Weinbaum, Director of Information Security of Quicken Loans Inc. https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545 From the job posting: WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this (…)

Read the rest of this entry »