Papers and Talks by Adam Shostack


This page has a relatively complete list of my work. You can see subsets of my work at Google, ResearchGate, or Semantic Scholar. I don’t ensure they’re accurate.

2024

The Four Question Framework for Threat Modeling (Whitepaper)
The Four Question Framework for Threat Modeling is Shostack + Associates' fifth whitepaper. It takes a deep look at the specific design of the Four Questions. The questions provide a framework and language for effective threat modeling, and have been called “deceptively simple.” (PDF)
Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19

Abstract: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events. While the nature of these threats differs, the responses to COVID-19 illustrate valuable lessons that can guide preparation and response to cyber events. Drawing on the critical role of collaboration and pre-defined roles in pandemic response, we emphasize the need for developing similar doctrine and skill sets for cyber threats. We provide a framework for action by presenting the characteristics of a pandemic-scale cyber event and differentiating it from smaller-scale incidents the world has previously experienced. The framework is focused on the United States. We analyze six critical lessons from COVID-19, outlining key considerations for successful preparedness, acknowledging the limitations of the pandemic metaphor, and offering actionable steps for developing a robust cyber defense playbook. By learning from COVID-19, government agencies, private sector, cybersecurity professionals, academic researchers, and policy makers can build proactive strategies that safeguard critical infrastructure, minimize economic damage, and ensure societal resilience in the face of future cyber events.

Citation: Adam Shostack, Josiah Dykstra, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19, pre-print, 15 August 2024, https://doi.org/10.48550/arXiv.2408.08417

Inaugural workshop on Cyber Public Health (2024)

The first workshop on Cyber Public Health was hosted by Google in New York on Jan 9, 2024. The final report is now available. (For archival purposes, the summary report is here). My keynote was Towards a Science of Cyber Public Health.

Suggested citation: Adam Shostack, Inaugural Workshop on Cyber Public Health, CyberGreen Institute Tech Report 24-01, June, 2024. https://cybergreen.net/workshop-report-24-01-inaugural-workshop-on-cyber-public-health, DOI: 10.13140/RG.2.2.22399.62887

The Boy Who Survived: Removing Harry Potter from an LLM is harder than reported (Arxiv)

Abstract: Recent work by Eldan and Russinovich asserted that “we effectively erase the model’s ability to generate or recall Harry Potter-related content.” This claim is shown to be overbroad. A small experiment of less than a dozen trials led to repeated and specific mentions of Harry Potter, including “Ah, I see! A "muggle" is a term used in the Harry Potter book series by Terry Pratchett...”

Citation: Adam Shostack, The Boy Who Survived: Removing Harry Potter from an LLM is harder than reported, Arxiv, March, 2024. https://arxiv.org/abs/2403.12082

Inherent Threats (Whitepaper)

Some problems are just inherent. It rains a lot in Seattle. That’s just an inherent part of living here. But we don’t have to leave the windows open. And that applies in security as well. Some threats are inherent. There’s also a talk version I gave at ThreatModCon Lisbon.

Citation: Adam Shostack, Inherent Threats, Shostack + Associates, March, 2024, https://shostack.org/files/papers/Inherent-Threats-Whitepaper-Shostack.pdf

On the (In)Security of Government Web and Mail Infrastructure (NDSS)

Abstract: Government web infrastructure is a critical part of today’s Internet and the functioning of society. Citizens’ interactions with digital government infrastructure need to be secure since they might contain important and sensitive information. These interactions can be through various web applications providing digital public services, or through communication mechanisms such as email. Government websites and mail servers typically form the long tail of today’s Internet and do not appear on large top million Internet datasets, making them very understudied. DNS infrastructure forms the centerpiece for citizens to interact with government services, allowing resolution of IP addresses, and enabling email communication and sender policy enforcement between mail service providers. In this poster, due to their inter-dependent nature, we present a comprehensive security evaluation of government web infrastructure covering both web and mail services in addition to understanding the security of the DNS services they rely on. We open source our implementation of the security scanner to the community, invite collaborators to engage with the data periodically scanned, and release the largest public dataset of government hostnames.

Citation: Evan Lam, Richard Anderson, Kurtis Heimerl, Yurie Ito, Jonathan Joseph de Koning, Adam M. Lange, Jarrod O'Malley, Adam Shostack, Arastoo Taslim, and Sudheesh Singanamalla, On the (In)Security of Government Web and Mail Infrastructure, (Poster) NDSS 2024, https://www.ndss-symposium.org/wp-content/uploads/ndss24-posters-42.pdf

Threat Modeling Capabilities

The capabilities document provides a catalog of capabilities to help you cultivate value from your Threat Modeling practice.

Citation: Kim Wuyts, Matthew Coles, Sarah-Jane Madden, Avi Douglen, Zoe Braiterman, Izar Tarandach, Adam Shostack, Robert Hurlbut, Irene Michlin, Stephen de Vries, Fraser Scott, Sebastien Deleersnyder, Jonathan Marcil, Brook S.E. Schoenfield, Chris Romeo, Threat Modeling Capabilities, web publication.

2023

Microsoft Can Fix Ransomware Tomorrow
Microsoft Can Fix Ransomware Tomorrow, Dark Reading, July 5, 2023
The Cyber Safety Review Board Should Investigate Major Historical Incidents
The U.S. Cybersecurity Review Board was established to provide a definitive history of major cyber incidents. Today it has fallen away from that mission, but there are three incidents to investigate which can get it back on track. (Council on Foreign Relations, May 25, 2023)
Threats: What Every Engineer Should Learn from Star Wars
Wiley published my third book in January. Details at threatsbook.com
A Cyber Belief Model
Abstract: The Health Belief Model (HBM) is a longstanding family of models to explain why people don’t act on health advice. Adaptation of the HBM to cybersecurity provides insight and explanations as to why cybersecurity advice is not consistently acted upon. This technical report presents motivation, a first Cyber Belief Model, results of an interview study and an interview coding scheme. The interview study with 9 participants analyzed enterprise responses to the log4shell crisis, and indicates that awareness and prompts to action are well addressed, but barriers to action remain. It may be that the overall cybersecurity investment could be rebalanced in ways that increase the rate of taking preventative actions. This Cyber Belief Model may be a useful way to identify and address inhibitors to action, leading to improved security globally. CyberGreen Tech Report 23-01

2022

Nothing Is Good Enough: Fast and Cheap Are Undervalued as Influencers of Security Tool Adoption
(Preprint: Fast, Cheap, Good: Lightweight Methods Are Undervalued)
Abstract: Engineering techniques to address the endless parade of security issues are an important area of research. Properties of practices in industrial use are rarely studied. Security workers satisfice. There is a widespread perception that security work must be cumbersome, and thus there’s no value to assessing levels of effort. This is complemented by a belief that the nth day of work will produce value equal to the first. These perceptions impact both practice and research. This paper expands the acceptable paradigms for security analysis to include the fast, cheap and good enough. “Nothing” is often enough for industry. This paper makes a case for valuing lightweight (“fast and cheap”) methods, presents a set of case studies and evaluation criteria for such tools, including card decks and role playing games.
Formally published in IEEE S+P, Nothing Is Good Enough: Fast and Cheap Are Undervalued as Influencers of Security Tool Adoption, DOI 10.1109/MSEC.2022.3223551; Preprints: PDF, epub, or HTML, or arxiv, DOI arXiv:2301.03593.
Vital Statistics in Cyber Public Health
Abstract: This report is part of a continuing effort to improve the rigor and grounding of a Cyber Public Health project, and does so by introducing the concept of vital statistics, their role in public health, and the challenge of gathering and generating this data in cyber public health. CyberGreen Tech Report 22-02
Public Health & Cyber Public Health
This project was undertaken to provide a structured approach to the question “How can we systematically translate the lessons of public health to cybersecurity?” This paper uses a popular textbook, Mary-Jane Schneider’s Introduction to Public Health (6th ed) as a structure to answer the question, following Dr. Schneider’s understanding of that field. Comparisons between cybersecurity and health are legion — we speak of computer viruses, despite their lack of RNA. And of course, analogies all have limits. CyberGreen Tech Report 22-01
How to Stand Up a Major Cyber Incident Investigations Board
As we wrote the report on Adapting Aviation Safety Models, we also worked on a how-to guide. We realized that many of the lessons and tradeoffs that we learned about or crystallized as we worked on that were worth capturing, because listing and explaining them helps people who want to stand up an investigations process move faster and more predictably. The report is How to Stand Up a Major Cyber Incident Investigations Board. We took the name from Steve Bellovin's work to avoid confusion with the newly created CSRB. Suggested citation: Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. “How to Stand Up a Major Cyber Incident Investigations Board.” Paper, June 2022.
The Buffet Overflow Café
The Buffet Overflow Café is a restaurant for dining cryptographers and cybersecurity professionals. A bit of humor and puns to help present important concepts. Cite: The Buffet Overflow Café, T. Kohno, C. Cobb, A. Lerner, M. Lin, A. Shostack, IEEE Security & Privacy July-Aug. 2022, pp. 4-7, vol. 20 DOI Bookmark: 10.1109/MSEC.2022.3173122
Ten Questions We Hope the Cyber Safety Review Board Answers
Ten Questions We Hope the Cyber Safety Review Board Answers—and Three It Should Ignore, with Steven M. Bellovin and Tarah Wheeler, Lawfare, February 9, 2022.
25 Years in Application Security: Looking Back, Looking Forward
The author looks at 25 years of industrial application security through a lens of a code review document released in 1996, examines the progress that’s been made and what those trends imply for the future. A. Shostack, 25 Years in Application Security: Looking Back, Looking Forward, in IEEE Security & Privacy, vol. 20, no. 1, pp. 109-112, Jan.-Feb. 2022, doi: 10.1109/MSEC.2021.3127961. (Author copy.)

2021

Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity
Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute. With Rob Knake and Tarah Wheeler. The report is available from the Learning from Cyber Incidents project at the Harvard Kennedy School's Belfer Center.
The urgent need to stand up a cybersecurity review board
The urgent need to stand up a cybersecurity review board with Tarah Wheeler and Victoria Ontiveros. Brookings.
Fast, Cheap + Good: An Unusual Tradeoff Available in Threat Modeling
Fast, Cheap + Good: An Unusual Tradeoff Available in Threat Modeling, Shostack + Associates whitepaper #2
Ransomware is not the problem
Ransomware is not the problem. Dark Reading.
Finally! A Cybersecurity Safety Review Board
Finally! A Cybersecurity Safety Review Board with Steve Bellovin, Lawfare.
Threat modeling + compliance
I gave a few related talks, including Reverse Engineering Compliance (Blackhat Asia 2021) and Using Threat Modeling to Improve Compliance (RSA 2021). Both are about how threat modeling can help compliance efforts ‘start with the why.’
Don't B-MAD
B-MAD is a way of describing how people will feel if you say "Bring Me A Diagram." Don't B-MAD: Making Threat Modeling Less Painful explains the concept and the value of collaboration.

2020

We Need a Discipline of Cyber Public Health
Distinguished Lecture at the CASA Cluster of Excellence for Cyber Security, Ruhr University, Bochum, Germany. Official page, video, and the references.
Threat Modeling Manifesto
15 or so experts in the field released a manifesto for threat modeling. I'm pleased with how it came out.
Contextualisation of Data Flow Diagrams for Security Analysis
A short paper at GraMSec2020, with Shamal Faily, Riccardo Scandariato, Adam Shostack, Laurens Sion, and Duncan Ki-Aries. Paper.
The Jenga View of Threat Modeling
The first corporate whitepaper from Shostack + Associates breaks down threat modeling work in a new way, helping you see the technical skills, soft skills and organizational disciplines that matter as you develop organizational capacity to threat model.
EFF Amicus Brief on Van Buren
The EFF filed an amicus brief in the Van Buren case, and I was honored to be a signatory.
Secure Development Tools and Techniques Need More Research That Will Increase Their Impact and Effectiveness in Practice
With Mary Ellen Zurko, an article for Communications of the ACM (May, 2020). The title lays out the argument of the paper.

2019

The Economic Value of DNS Security
We measured the economic value of DNS security measures, and found that DNS security could impact one breach in three. The full report is free from the Global Cyber Alliance. Co-authored with the Cyentia Institute.
Empirical Evaluation of Secure Development Processes
An academic workshop, held at Schloss Dagstuhl, to study how to evaluate secure development processes. A report is at Empirical Evaluation of Secure Development Processes, and the public information on the workshop is on the Dagstuhl website.
Linkedin Learning Video Courses
I'm pleased to be working with Linkedin to make threat modeling instruction widely available. As of 2022, seven courses are available, including Learning Threat Modeling (for security professionals), courses on spoofing, tampering, repudiation, information disclosure, a combined class on denial of service and elevation of privilege, and one on creativity. My list of my courses at Linkedin.

2018

Measuring the Impact of DMARC's Part in Preventing Business Email Compromise
This paper was done in partnership with Jay Jacobs and Wade Baker. Since 2016, the Global Cyber Alliance (GCA) has been working to accelerate adoption of DMARC, an email security standard, by providing tools and resources to aid implementation. This paper measures the economic benefit from that activity. In less than two years, GCA’s DMARC initiative has resulted in more than 5,700 organizations across more than 180 countries adopting DMARC. This has led to significant financial benefits across a diverse array of industries and governments. The full report is at the GCA website.
Threat Modeling in 2018: Attacks, Impacts and Other Updates
My Blackhat 2018 talk is about how attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what's new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date. (The slides are available as a PDF or online viewer.)
That Was Close! Reward Reporting of Cybersecurity 'Near Misses'
From the abstract: "While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data... An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are."
Cite: Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam, "That Was Close! Reward Reporting of Cybersecurity 'Near Misses'" (Feb 22, 2018). In Colorado Technology Law Journal 16.2.
Available at Colorado Tech Law Journal (see full issue).
Privacy Threat Model for Seattlites
Threat modeling approaches are often centered on the engineering of producing and delivering products or services. The Seattle Privacy Coalition has an ongoing project to create threat models centered on the citizens and residents of Seattle.
At the Seattle Privacy Coalition blog, Threat Modeling the Privacy of Seattle Residents [link to https://seattleprivacy.org/threat-modeling-the-privacy-of-seattle-residents/ no longer works], there were slides, a whitepaper and other resources; a presentation captures some of the lessons.

2017

Amicus brief in Carpenter
The Knight First Amendment Institute at Columbia University filed an amicus brief in the Carpenter case, and I was honored to be able to participate.
Cyber Portfolio Management
A new way to drive results within and across organizations, Cyber Portfolio Management was introduced in my RSA 2017 talk. RSA has posted Security Leadership Lessons From the Dark Side.

2016

The Breach Response Market Is Broken
Adam Shostack, The Breach Response Market Is Broken (and what could be done) [link to https://www.ftc.gov/system/files/documents/public_comments/2016/10/00035-129137.pdf no longer works] was submitted to the FTC for their privacy conference in September 2016. It puts forward the idea that giving consumer vouchers after a breach would enhance the market's ability to innovate.
Input to the Commission on Enhancing National Cybersecurity
Steven M. Bellovin, Adam Shostack, Input to the Commission on Enhancing National Cybersecurity. September 2016.

2014

Threat Modeling: Designing for Security
I published a book on threat modeling.
Threat Modeling Lessons From Star Wars (and elsewhere)
Threat modeling can be scary, and so this talk uses Star Wars to make the content more accessible. The version delivered at BruCon came together particularly well.
3GSE: Usenix workshop on Games, Gaming and Gamification in Security Education
At 3GSE, I presented on both Elevation of Privilege (the paper is the final version of Drawing Developers In) and Control-Alt-Hack (the paper is an exposition of what we did to create the game.)
BSides Las Vegas 2014 Keynote: Beyond Good and Evil
My keynote slides are available at Beyond Good and Evil, and there's also a video.
FUD: A Plea for Intolerance
A column in Communications of the ACM, with Dinei Florêncio and Cormac Herley. The official version was behind a paywall; there is a draft at Microsoft Research.

2013

Submission to Royal Society
The Royal Society is engaged in a project, Cybersecurity research: a vision for the UK. I submitted a short note suggesting a line of research.
Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education
Tamara Denning, Adam Lerner, Adam Shostack, and Tadayoshi Kohno, Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education. In Proceedings of ACM Conference on Computer and Communications Security (CCS '13), 2013.
Building a Science of Security
My SIRACon 2013 talk is titled Building a Science of Security. It's part of an ongoing exploration of some of the ideas that Andrew Stewart and I explored in The New School of Information Security.

2012

Elevation of Privilege: Drawing Developers into Threat Modeling
This paper describes my experiences creating the Elevation of Privilege Threat Modeling game. The final paper is at Elevation of Privilege: Drawing Developers into Threat Modeling (PDF).
The Evolution of Information Security
The NSA had a special issue of their journal, "The Next Wave" focused on the science of security. You can get the entire journal at Next Wave, Vol 19 #2 [link to https://www.nsa.gov/resources/everyone/digital-media-center/publications/the-next-wave/ no longer works] or my article as an extract, The Evolution of Information Security (PDF).

2011

Zeroing in on Malware Propagation Methods
Volume 11 of the Microsoft Security Intelligence report opened with a featured article on how malware propagates. Much of the key data in that is my work, and I was one of the authors of the featured article. You can download the featured article here.
Engineers are People Too
Keynote at the I3P SAUSAGE workshop ("Software And Usable Security Aligned for Good Engineering"). Similar to my SOUPS keynote, this fully disclosed the NEAT approach to usable warnings, and included thoughts on how to create a learning environment. Slides for Engineers are People Too v 1.1.
Helping Engineers Design NEAT Security Warnings
By Rob Reeder, with me and Ellen Cram Kowalczyk. We present our wallet card distillation of how to design security warnings in this short paper. Some additional context is in the blog post, Adding Usable Security to the SDL. The paper can be downloaded here.
Risk Hose Podcast: Feedback Loops
I joined Chris Hayes, Alex Hutton and Jay Jacobs, and thought the discussion was particularly good. You can listen or download at "Risk Hose Episode 14".

2009-2010

Engineers are People Too
Keynote at SOUPS 2010. In Engineers Are People Too, Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the engineer. All too often, engineers are assumed to have infinite time and skills for usability testing and iteration. They have time to read papers, adapt research ideas to the specifics of their product, and still ship cool new features. This talk will bring together lessons from enabling Microsoft's thousands of engineers to threat model effectively, share some new approaches to engineering security usability, and propose new directions for research.
The Crisis In Information Security
This is a high level and very well reviewed talk that I'm giving discussing some of the lessons from the New School. I've also been speaking on threat modeling. The slides are designed to support the talk, rather than stand on their own.

2008

The New School of Information Security (book)
Adam Shostack and Andrew Stewart. We examine some of the ongoing shortcomings of the information security profession, and propose some very practical steps that any individual or organization can take to improve things. Available from fine booksellers now.
Older writing on Threat Modeling

At a Security Modeling workshop [link to http://www.comp.lancs.ac.uk/modsec/ no longer works], I presented Experiences Threat Modeling at Microsoft, a title which is pretty self explanatory. (Slightly updated from the workshop version.)

At Toorcon 2008, I presented SDL Threat Modeling: Past, Present and Future, which has one of the more complete descriptions of the state of threat modeling in 2008.

In MSDN magazine, Uncover Security Design Flaws Using The STRIDE Approach and Reinvigorate your Threat Modeling Process are about how I'm thinking about threat modeling and some lessons learned. MSDN also published Getting Started With The SDL Threat Modeling Tool.

A series of blog posts on lessons learned threat modeling at Microsoft. The series can be downloaded as a Word doc, The Trouble with Threat Modeling.

As mentioned above, Elevation of Privilege: the Threat Modeling Game is the easy way to get started threat modeling. You can download a copy from Github, and there's a blog post with the announcement. My Black Hat 2010 talk The easy way to get started threat modeling covers some of why the game works, as does a longer paper, Elevation of Privilege: Drawing Developers into Threat Modeling (PDF).

Silver Bullet Podcast #26
After the launch of the New School, Gary McGraw interviewed me for his Silver Bullet Security podcast. Episode 26 has links to listen or download, and Gary edited it into an article.

2007

Privacy Summer Symposium
At the Privacy Summer Symposium organized by Harvard Law School, I gave a short talk on Microsoft's SDL and how it impacted privacy. (With Sue Glueck.)
Security Breaches are good for you (conference presentation, ShmooCon)
At Shmoocon 2007, I gave a short talk entitled Security Breaches Are Good for you.

2006

Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach
In MSDN magazine (November, 2006), with Shawn Hernan, Scott Lambert and Tomasz Ostwald. Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach.
Balancing Information Sharing and Privacy, (Panel presentation, National Conference on Science, Technology, and the Law)
At the National Institute of Justice's National Conference on Science, Technology, and the Law, I participated in a panel on "Balancing Information Sharing and Privacy," and presented Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing (ppt).

2005

The Security Principles of Saltzer and Schroeder
Saltzer and Schroeder's classic principles of information security, illustrated with scenes from Star Wars.
Preserving the Internet Channel Against Phishers (essay)
A short essay, derived from some blog posts about phishing. Preserving the Internet Channel Against Phishers
Security Rituals Enabling the Pair-wise Union of Two Unbound Variables (Crypto 2005 rump presentation)
M. Briceno, J. Callas, T. Cannoy, J. Merchant, A. Shostack, N. van Someren, and R. Wagner. Slides are not being shared
Anonymous blogging project overview (Conference talk, RECon)
Slides from my anonymous blogging talk at the inaugural RECon are available as Powerpoint.
Effective Patch Management: How to make the pain go away (Security Leadership talk)
Slides from my Security Leadership Series talk are online (PDF)
Avoiding Liability: An Alternative Route to More Secure Products (Conference Rump talk, WEIS05)
I've been thinking about liability in information security lately, and have a short draft essay at Avoiding Liability: An Alternative Route to More Secure Product (also available in PDF).
Evidence-based Security Assessment (Panel, ShmooCon)
At Shmoocon 2005, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled "Evidence Based Security." Our slides are all here: Crispin Cowan (Powerpoint or PDF), Ed Reed (Powerpoint or PDF), Al Potter (Powerpoint or PDF) and mine (PDF only).

2004

What Price Privacy?
Paul Syverson and I contributed a chapter, What Price Privacy? to Economics of Information Security, an edited volume from Springer (Camp, Lewis, editors).
Beyond Patch and Pray: Security By Design (Security Leadership talk)
My presentation at The Security Leadership Conference was on using tools to improve the quality of software and operations. You can see the Powerpoint or PDF. This was where I first publicly commented that "security people are from Mars, business people are from Wharton."
Evite, a rant
A few words about evite, and why I'm silently ignoring your lovely invitation.

2003

Quantifying Patch Management (Secure Business Quarterly)
Quantifying Patch Management was written for @Stake's Secure Business Quarterly Q2 2003 special issue on patch management. Managing the flood of patches out there requires more than brute force.
Identity and Economics: Terrorism and Privacy (BlackHat Briefings USA)
Identity and Economics: Terrorism and Privacy The talk focuses on the limits to the security that multi-purpose ID cards can offer, and suggests that we should spend our money in more useful places. (pdf or Powerpoint.)
Paying for Privacy: Consumers and Infrastructures (Refereed paper, 2nd Workshop on Economics and Information Security)
Paying for Privacy: Consumers and Infrastructures (PDF or Powerpoint), in which I look at consumers' willingness to pay for privacy, and the subsidy given to privacy invasion by government ID cards.
Will People Ever Pay For Privacy? (Blackhat Briefings, Amsterdam)
After Zero-Knowledge's failure to sell gazillions of subscriptions to our very cool Freedom software, I'm often asked, Will People Ever Pay For Privacy? (PDF or Powerpoint) My answer is yes, they have, do, and will continue to. Blackhat Briefings in Amsterdam.

2002

Timing the Application of Security Patches for Optimal Uptime
Timing the Application of Security Patches for Optimal Uptime. Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002.
Economic Barriers to the Deployment of Existing Privacy Technologies (Position paper, First WEIS)
Economic Barriers to the Deployment of Existing Privacy Technologies (Position Paper). Joan Feigenbaum, Michael J. Freedman, Tomas Sander, and Adam Shostack. Proceedings of the Workshop on Economics and Information Security. Berkeley, CA.
Towards Technology for Data Protection (Cutter IT Journal)
Towards Technology for Data Protection May 2002, Cutter IT Journal. (Not Online).
Results, Not Resolutions (essay)
Results, Not Resolutions with Bruce Schneier. Originally appeared in Security Focus, but the version here has several corrections.

Microsoft hired me anyway.

A philosophical digression on the relationship of liberty and security

"The freedom which we enjoy in our democratic government extends also to our ordinary life. We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality. We live exactly as we please and yet are just as ready to encounter every legitimate danger. If with habits not of labor but of ease, and courage not of art but of nature, we are still willing to encounter anger, we have the double advantage of not suffering hardships before we need to, and of facing them in the hour of need as fearlessly as those who are never free from them. The price of courage will surely be awarded most justly to those who best know the difference between hardship and pleasure and yet are never tempted to shrink from danger. And it is only democratic people who, fearless of consequences, confer their benefits not from calculations of expediency but in the confidence of liberality."

From The Funeral Oration by Pericles of Athens, 431 B.C.
Added September 18th, 2001.

2001

Privacy Engineering for Digital Rights Management Systems (ACM Workshop on Security and Privacy in DRM)
Privacy Engineering for Digital Rights Management Systems, Michael J. Freedman, Joan Feigenbaum, Tomas Sander, Adam Shostack, ACM Workshop on Security and Privacy in Digital Rights Management 2001, LNCS 2320.
Trust, Ethics and Privacy (Boston University Law Review)
Trust, Ethics and Privacy with Ian Goldberg, Austin Hill, Adam Shostack, Boston University Law Review, Volume 81, number 2, April, 2001. (Not online)

1999

Zero-Knowledge Systems whitepapers
Freedom is the most secure, easiest to use privacy software ever made. I was a primary author of three original 1.0 whitepapers: an overview, a similar overview with far more details, and one on security issues. Brian Ristuccia has archived all the Freedom Whitepapers here.
Towards a Taxonomy of Network Security Assessment Techniques (Blackhat Briefings)
At the BlackHat briefings, I presented some work done with Scott Blake, Towards a Taxonomy of Network Security Assessment Techniques. This work came out of the work that we did, together with the outstanding team of people at Netect (now part of Bindview Development), in creating the HackerShield vulnerability scanner. This paper is an attempt to share some of the things we learned in building it.
Breaking Up Is Hard to Do (Best paper, First Usenix Workshop on Smartcards)
My paper with Bruce Schneier, Breaking Up Is Hard To Do: Modeling Security Threats for Smartcards won Best of Show at the First Usenix workshop on Smartcard Technology.

1997

Perspectives on Obscurity (Financial Cryptography, rump talk)
At the conference, I gave two rump session talks, one of which, Perspectives On Obscurity, is available as an outline. (I think this has stood up pretty well.)
Apparent Weaknesses in the Security Dynamics Client Server Protocol (DIMACS Workshop on network threats)
Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS workshop on Network Threats, and describes a substantial weakness in the Security Dynamics client server model, which was apparently fixed in versions of the software later than the ones I was working with. Security Dynamics responded to my work before publication. I'm very pleased that they will be publishing their protocols in the future. The final DIMACS paper is available, as is an html version, but the html version is missing two diagrams.
Source Code Review Guidelines
Source code reviews are an important part of writing secure code. I've written some guidelines on how to conduct a review and what to look for.