Threat Modeling Fails In Practice

Would be interested in readers' thoughts on Ian G's post here: https://financialcryptography.com/mt/archives/001357.html

Please Participate: Survey on Metrics

I got an email from my friend John Johnson who is doing a survey about metrics. If you have some time, please respond…

I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I've thought of, and [...]

How to Send Adam into Hysterics

Via Nathan Yau’s awesome Flowing Data blog.

Steve Bellovin’s “Lessons from Suppressing Research”

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this [...]

“It’s Time to Learn Like Experts” by Jay Jacobs

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops [...]

Breach disclosure and Moxie’s Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence [...]

EFF on HTTPS

The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version:  HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually [...]

Some Thoughts on Binary Risk Assessment

Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently. While I didn't see the presentation, I've taken some time and reviewed the slides and read through the documentation. I thought I'd quickly give my thoughts on this: It's awesome and it sucks.

IT'S AWESOME

That's not damning with faint praise, rather, it's [...]

Change.

I’ve left Verizon.  A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really [...]

How the Epsilon Breach Hurts Consumers

Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give [...]