About the Shostack + Friends Blog


Adam Shostack & friends is the successor to both the Emergent Chaos blog and the New School of Information Security blog. Set up for different purposes, over time they converged. Archives for both blogs are maintained here, and below you'll find the “about” pages from each.

We've been included on many best-of lists over the years. Lately, that includes Peerlyst's “52 Influential Cyber Security Bloggers and Speakers” [link to https://www.peerlyst.com/posts/peerlyst-community-ebook-52-influential-cyber-security-bloggers-and-speakers-peerlyst no longer works] (2019), CyberDB's “Best Cyber Security News Blogs 2018,” “The Top 20 Online Security Blogs to Look Out For in 2017” or “The Industry Standard's Top 25 B-to-Z list blogs.” [link to http://www.thestandard.com/news/2008/05/14/industry-standards-top-25-b-z-list-blogs?page=0%2C0 no longer works]

Resident & Guest Bloggers on this site are speaking only for themselves, not their employers, the other bloggers, or for Adam Shostack or Andrew Stewart or their employers, or for anyone else who may publish or republish our work.

Additionally, this site is insecure. The fact that it sends pages over TLS does not make it secure, and neither does our ironic use of a lock as a favicon. We might be hosting the 0day of the week to pwn you. We recommend not trusting this site or putting it into your whitelist. Our privacy policy is here.

If you find a broken link that should go to one of our sites, please leave a comment. We do not fix broken out-links, take sponsored posts or your infographics, and think the Oxford comma was invented by Oxford's own flying circus, who died laughing at their joke about Ayn Rand, the queen of absurdists and god.

We earn money from affiliate links, including but not limited to Amazon Associates. “As an Amazon Associate we earn from qualifying purchases.”

Guests on Adam & friends include:

About Emergent Chaos

Emergent Chaos is a group blog on security, privacy, liberty, and economics. We declared ourselves the Emergent Chaos jazz combo here.

Adam Shostack is bandleader, and founded the blog. His homepage is here. He's also the author of Threat Modeling: Designing for Security and co-author of The New School of Information Security.

Chris Walsh is a longtime contributor, and motivated us to turn into a combo.

Arthur's bio is too long to fit in the margin of this page.

Mordaxus is a sharp-tongued Valley technologist who got into security when it became trendy. He's been there since.

When speaking here, we speak for the President of the United States more often than we speak for our employers. We speak for each other only when we say so. You can speak to us by mailing bloggername@emergentchaos.com

The image in our header (was) a cropped version of an untitled Creative Commons licensed image by Dave Mathis. The original is here.

About the New School

The New School of Information Security is a book by Adam Shostack and Andrew Stewart, published by Addison-Wesley Professional in 2008. (Amazon page, Addison Wesley page)

The blog is inspired by the book and the movement towards a New School. We have a page on the book itself, including reviews and some podcasts which Adam has done. Writing for the New School blog is our roster of resident writers, as well as guest bloggers who appear from time to time (if you think you're New School and would like to guest blog – please get in touch with us by emailing nssbloggers at Google's mail service.)

Resident & Guest Bloggers on NewSchoolSecurity.com are speaking only for themselves, not their employers, the other bloggers, Addison-Wesley, or for Adam Shostack or Andrew Stewart or their employers.

Lastly, the bloggers here collectively have decades of experience and spend a great deal of time deeply understanding problems which are presented to them in their professional capacities. What they write here is generalized perspective, and you would be foolish to believe that it is customized for your situation.

We agree with resident blogger Chandler Howell when he says, “biographies are hard…how to self-promote enough that I sound like I'm worth reading, yet not so much that it sounds like BS or something the marketing folks would write…”

So with that in mind, here's a bit about who we are:

Adam Shostack is co-author of the New School of Information Security (the book). He helped found the CVE, the International Financial Cryptography Association, and the Privacy Enhancing Technologies Symposium. He has been a leader at several successful startups including Netect, Zero-Knowledge Systems and Reflective. He currently works for a software company in the Pacific Northwest. His personal site is Adam Shostack's home page.

Chandler Howell was one of the first bloggers to focus on Information Risk rather than IT Security. Prior to moving into Information Protection, he spent time as a *NIX Admin and coded risk management models for a global investment bank. He has formed and led the Information and IT Security functions at both start-ups and Fortune 500 companies.

Currently, he lives in Chicago where he leads the Information & IT Security functions for a mid-size gaming machine manufacturer.

Alex Hutton has been involved in InfoSec in some capacity since 1994 when he was asked to educate customers as to why they needed these expensive “firewall things”. Sometimes his role has been marketing, sometimes management, sometimes consultant, sometimes analyst. Alex likes blogging about risk and security management (both in their more traditional, non-industry connotations). He works in Risk Intelligence for a Fortune-something company.

David Mortman is the CSO-in-Residence for Echelon One, where he is responsible for their Research and Analysis program and also writes regularly for SearchSecurity.com. Formerly, the CISO for Siebel Systems, David and his team were responsible for both IT and Product Security as well as Siebel's Privacy program. He was also heavily involved in Siebel's compliance efforts. David sits on several advisory boards and is a well known speaker with regular appearances at RSA, Blackhat and Defcon to name a few conferences. Currently residing in Columbus, OH, David is an alumnus of the University of Chicago.

Brooke Paul is the former Senior Vice President and Chief Information Security Officer of American Financial Group (AFG), a Fortune 500 insurance company. He has also been CEO & President of Neohapsis, one of the premier information security and IT risk management service organizations in the world.