Shostack + Friends Blog


Posts in category "science"


The Grimes Model of Scams

Roger Grimes has an exciting new model of scams that's going to transform how we teach people to defend against them.


Learning Lessons from Aviation

The definition of insanity is doing the same thing over and over and expecting different results. We can do better, and a major new report explains how.


The COVID testbed and AI

The pandemic gives us a chance to evaluate AI. You'll be shocked to discover how they did.


Colonial Pipeline, Darkside and Models

The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can't delve into all of it. I did want to talk about one small aspect, which is the way responders talk about Darkside.



You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.


Code: science and production

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.


Blackhat and Human Factors

As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there.


Threat Modeling Building Blocks

Threat modeling isn't one task — it's a collection of tasks that build on each other to produce more valuable insights.


Valuing CyberSecurity Research Datasets

A paper at the Workshop on the Economics of Information Security titled “Valuing CyberSecurity Research Datasets” focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research.


Doing Science with Near Misses

Near misses are an important source of information for avoiding accidents, and it's a shame we don't use them in cybersecurity.