CyberSecurity 2.0 Humble Bundle

Cybersecurity 2.0 is a new promo from Humble Bundle. Nearly $800 worth of books, including my Threat Modeling, Schneier’s Secrets and Lies, and a whole lot more! Source:

July 30, 2018

Emoji are wierd

So I put a “man shrugging” emoji in my last post; it shows up strangely in RSS as displayed by NetNewsWire, showing “woman shrugging”, the “mars zodiac” sign and a bar code. No idea. Chaos, emergent. Source:

July 27, 2018

Half the US population will live in 8 states

In about 20 years, half the population will live in eight states“, and 70% of Americans will live in 15 states. “Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent.” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically. Maybe you think that’s good, maybe you think that’s…

July 25, 2018

Games and Cards

Emergynt has created the Emergynt Risk Deck, a set of 51 cards, representing actors, vulnerabilities, targets, consequences and risks. It’s more a discussion tool than a game, but I have a weakness for the word “emergent,” and I’ve added it to my list of security games Also, Lancaster University has created an Agile Security Game. Source:

July 17, 2018

Threat Modeling Thursday: 2018

So this week’s threat model Thursday is simply two requests: What would you like to see in the series? What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?” “Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This…

July 13, 2018

Threat Model Thursdays: Crispin Cowan

Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working on? One of the places where Crispin goes deeper is definitional. He’s very precise about what a security principal is: A principal is any active entity in system with access…

July 5, 2018


The decision in Carpenter v. United States is an unusually positive one for privacy. The Supreme Court ruled that the government generally can’t access historical cell-site location records without a warrant. (SCOTUS Blog links to court documents. The court put limits on the “third party” doctrine, and it will be fascinating to see how those limits play out. A few interesting links: “First Thoughts on Carpenter v. United States” by…

June 26, 2018

Threat Model Thursday: Architectural Review and Threat Modeling

For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free. Seattle has a housing and homelessness crisis. The cost of a house has risen nearly 25% above the 2007 market peak, and has roughly doubled…

June 21, 2018

So nice that you’ve stayed!

I was looking at the server logs here, and I discovered that a lot of readers are still showing up. Thank you! I’ve moved my blogging to That’s where I post. However, since you’re still here, I’m going to sometimes cross-post. Source:

June 11, 2018