@inthehands Let it go Paul, it's mastodon and the HOA members need you to understand they have never made a mistake, and also their hobby-horse explains that thing perfectly.
(1/n)
I prefer text-heavy slides, because they're useful to an audience who (1) loses the thread, (2) doesn't speak English as a first language, or (3) wants to tweet screenshots.
Does anyone actually prefer a technical conference talk where the slides are all pictures? (Assuming clipart, LLM-generated, etc, not custom graphics)
I’m old enough to remember when Ronald Reagan stood in front of the Berlin Wall and said “Mr Gorbachev, how much of East Germany’s minerals are you willing to give us?”
Just normal 2025 stuff as I boost posts about multiple public exposures to measles because the CDC is … missing in action
@kataclyst @jeffowski I think you mean Connecticut. You clearly need to come south and warm up 😜
Hoarding, Debt and Threat Modeling (blog post cross post)
During a recent threat modeling course, one of our students, Aleksei*, made a striking comparison that resonated with a lot of us: starting security analysis is like tackling a hoarder’s house. That visceral image of looking at mountains of accumulated issues, feeling overwhelmed by where to begin, captures a challenge many engineering leaders face when they first attempt to systematically assess their system’s security.
Perhaps the reason it’s evocative is that most of us have been in the situation where, everywhere we look, there are more problems. Where do you begin? And that feeling of being overwhelmed, of not knowing where to start... well, again, evocative.
(1/4, https://shostack.org/blog/hoarding-debt-and-threat-modeling/)
@inthehands His Thinking Fast and Slow is a freaking masterpiece on many levels, including accessibility, clear science writing...
@inthehands @jannem About 15 years ago I read a book by a Berkeley prof who had some very principled critiques of fMRI study designs, and advocated that a lot of our thinking is embodied. I really wish I could find it.
@inthehands My next book shall be titled "Led astray by Dan Kahneman." It shall be very, very short. ;)
@inthehands Musicians were very highly represented amongst WWII cryptographers. I always thought that was more about patterns and variations than about space.
@rysiek @futurebird To build on what Raven said, you can often present a focus on clarity rather than ethics, and get people to see the ethical dilemmas and go do something else. This is less satisfying than a good table flip, but comes with a paycheck and a chance to do it again.
It’s as if 170 million voices were suddenly silenced … and then said “ok, boomer”
If states can rescind approval of Constitutional amendments, when does that end? Could we repeal the 3rd amendment by a vote of a few of the 13 original states?
@libreoffice Where is that “board report”? Where can we find release histories?
@libreoffice Also: citation needed please?
@ryanc Surely…
@ryanc Well that’ll teach me to take you seriously! 😂
@ryanc I don't mean to be snarky, but, really? Is this a studied thing?
Is there any meaningful security benefit to one time codes being more than 4-6 digits?
(For any of TOTP, email, or sms delivery.)
Adam Shostack :donor: :rebelverified:
Author, game designer, technologist, teacher. Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board. Books include Threats: What Every Engineer Should Learn from Star Wars (2023), Threat Modeling: Designing for Security, and The New School of Information Security. Following back if you have content.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.