Threat Modeling Thursday: 2018

So this week’s threat model Thursday is simply two requests: What would you like to see in the series? What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?” “Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This…

July 13, 2018

Threat Model Thursdays: Crispin Cowan

Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working on? One of the places where Crispin goes deeper is definitional. He’s very precise about what a security principal is: A principal is any active entity in system with access…

July 5, 2018


The decision in Carpenter v. United States is an unusually positive one for privacy. The Supreme Court ruled that the government generally can’t access historical cell-site location records without a warrant. (SCOTUS Blog links to court documents.) The court put limits on the “third party” doctrine, and it will be fascinating to see how those limits play out. A few interesting links: “First Thoughts on Carpenter v. United States” by…

June 26, 2018

Threat Model Thursday: Architectural Review and Threat Modeling

For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free. Seattle has a housing and homelessness crisis. The cost of a house has risen nearly 25% above the 2007 market peak, and has roughly doubled…

June 21, 2018

So nice that you’ve stayed!

I was looking at the server logs here, and I discovered that a lot of readers are still showing up. Thank you! I’ve moved my blogging to That’s where I post. However, since you’re still here, I’m going to sometimes cross-post. Source:

June 11, 2018

Nothing to see here, move along!

A reminder, this blog has moved! If you’re seeing this in your RSS, you should take a second to update your feed. From now on, I’ll be posting at Adam Shostack and Friends. If you read the site via RSS, please take a moment to update your feed to Oh, and everyone who’s been part of the jazz combo has an account over at the new blog, and I…

May 10, 2017

More Chaos, New Site!

When I started blogging a dozen years ago, the world was different. Over time, I ended up with at least two main blogs (Emergent Chaos and New School), and guest posting at Dark Reading, IANS, various Microsoft blogs, and other places. It made less and less sense, even to me. I decided it’s time to bring all that under a single masthead, and move all the archives over. From now…

April 17, 2017


So I’m curious: on what basis is the President of the United States able to issue orders to attack the armed forces of Syria? It is not on the basis of the 2001 “Authorization for Use of Military Force,” cited in many instances, because there has been no claim that Syria was involved in the 9/11 attacks. (Obama stretched this basis incredibly, and worryingly, far.) It is not on the…

April 7, 2017

More Satellites Than You Can Shake a Stick At

This video is really amazingly inspiring: Not only does it show more satellites than I’ve ever seen in a single frame of video, but the rocket that took them up was launched by the Indian Space Research Organisation, who managed to launch not only the largest satellite constellation ever, but had room for a few more birds in the launch. It’s an impressive achievement, and it (visually) crystalizes a shift…

March 9, 2017

Groundrules on Complaining About Security

In this article, I want to lead into some other articles I’m working on. In those, I’m going to complain about security. But I want those complaints to be thoughtful and within a proper context. You will hear many of us in security talk about threat models. Adam literally wrote the book on threat models and if you don’t have a copy, you should get…

February 19, 2017