Shostack + Friends Blog

Posts in category "security"

Ransomware is Not the Problem

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.

Van Buren

The Supreme Court has ruled in the van Buren case, and there's a good summary on the EFF's blog: "The decision is a victory for all Internet users, as it affirmed that online services cannot use the CFAA’s criminal provisions to enforce limitations on how or why you use their service..."

Colonial Pipeline, Darkside and Models

The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can't delve into all of it. I did want to talk about one small aspect, which is the way responders talk about Darkside.

Pacific Northwest Appsec Conference

"AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.

Podcast on Using Games

It would be trite writing to say it was fun to be on a podcast with Volko Ruhnke and Hadas Cassorla to talk about using games to teach. And while it was, it was really educational and inspirational. I learned from both of them, and I hope you enjoy the podcast as well!

Amicus Brief on CFAA

I recently signed onto the amicus brief on the Computer Fraud and Abuse Act filed by the Electronic Frontier Foundation.

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.

Cryptographic Excitement

In the last few days, we've seen two big stories in the realm of cryptography. The first is that SHA-1 breaks are now practical, and those practical breaks impact things like PGP and git.

Enter the SpudNet

Spudnet is a new game to teach networking and security concepts. The creators were kind enough to send me a pre-production copy, and I can tell you - it looks and feels super solid, and, more importantly, it plays well.

Valuing CyberSecurity Research Datasets

A paper at the Workshop on the Economics of Information Security titled 'Valuing CyberSecurity Research Datasets' focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research.

Passwords Advice

Bruce Marshall has put together a useful comparison of password requirements from OWASP ASVS v3 and v4.

Image: report header, "The Economic Value of DNS Security"

DNS Security

I'm happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance.