Archive for the “argument” category

Security 101: Show Your List!

by adam on January 5, 2015

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m (…)

Read the rest of this entry »

How to Ask Good Questions at RSA

by adam on February 26, 2013

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying (…)

Read the rest of this entry »

Is there “Room for Debate?” in Breach Disclosure?

by adam on February 22, 2013

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ (…)

Read the rest of this entry »

The High Price of the Silence of Cyberwar

by adam on January 9, 2013

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are (…)

Read the rest of this entry »

Infosec Lessons from Mario Batali’s Kitchen

by adam on December 3, 2012

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d (…)

Read the rest of this entry »

The Boy Who Cried Cyber Pearl Harbor

by adam on October 12, 2012

There is, yet again, someone in the news talking about a cyber Pearl Harbor. I wanted to offer a few points of perspective. First, on December 6th, 1941, the United States was at peace. There were worries about the future, (…)

Read the rest of this entry »

Your career is over after a breach? Another Myth, Busted!

by adam on August 6, 2012

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked (…)

Read the rest of this entry »

Aitel on Social Engineering

by adam on July 19, 2012

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on (…)

Read the rest of this entry »

Feynman on Cargo Cult Science

by adam on June 11, 2012

On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would (…)

Read the rest of this entry »

Lean Startups & the New School

by adam on September 20, 2011

On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries concieves as startups as businesses operating under conditions of high uncertainty, which includes things you (…)

Read the rest of this entry »