by alex on February 26, 2012

So it’s early Sunday AM, and I’m getting my RSA Schedule together finally. So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday: 8 freaking AM – (…)

Admitting Mistakes

by adam on February 24, 2012

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris (…)

“Anonymized, of course”

by adam on February 21, 2012

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the (…)

New Cyber Security Bill: Crowdsource Analysis?

by adam on February 15, 2012

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all (…)

Predictably Apathetic responses to Cyber Attack

by adam on February 13, 2012

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC (…)

Why Breach Disclosures are Expensive

by adam on February 7, 2012

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering (…)

Yet More On Threat Modeling: A Mini-Rant

by David Mortman on February 7, 2012

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a (…)

On Threat Modeling

by adam on February 6, 2012

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. (…)

Dear Verisign: Trust requires Transparency

by adam on February 3, 2012

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in (…)

Threat Modeling Fails In Practice

by alex on February 2, 2012

Would be interested in readers’ thoughts on Ian G’s post here: https://financialcryptography.com/mt/archives/001357.html