From Security Weekly Wiki

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 277 for Thursday February 9th, 2012

  • John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
  • Subscribe to Stogie Geeks, our only non-computer-security show, dedicated to cigar enthusiasts, with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or one every day, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".

Interview: Adam Shostack

Adam is a principal program manager on the Usable Security team in Trustworthy Computing, which performs ongoing research into classifying and quantifying how Windows machines get compromised. Before joining Microsoft, Adam helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the book, The New School of Information Security.

Adam writes at the Emergent Chaos blog and The New School of Information Security blog.


  1. Can you briefly describe the idea of the New School?
  2. The New School of Information Security has been out for almost four years. What are the most encouraging changes you have seen in that time? And the least encouraging?
    1. The title of chapter five is an Allan Schiffman quote, "Amateurs study cryptography, professionals study economics", a great quote, but I assume some people took exception to it.
    2. The book challenges some sacred cattle, such as user education. Do you still struggle to get people to take the human element of information security seriously?
    3. An interesting human element covered in the book was that visible security measures appear to make people less cautious. I have certainly seen people who believed the firewall and anti-virus meant that they didn't have to take any personal responsibility for their actions online. This "dealing with people" thing is tricky.
    4. The book also promotes what some now call the operationalization of security. While some are picking up the idea, others seem entrenched and are content with the status quo. Have you seen any successes in this area in large enterprises?
  3. Reports such as those from Verizon, Mandiant, Veracode, Trustwave and others are giving us more information, but the formats vary and the raw data isn't always available. How can we make the most of these reports?
  4. You have done some creative things to educate people about security. Can you tell us how you came up with the idea for the Elevation of Privilege card game, what it was like promoting it internally at Microsoft, and how it has been received?
  5. Tell us about Saltzer and Schroeder, their 8 principles, and why a paper that was written in 1974 still makes a whole lot of freaking sense to the computer security industry.
  6. I was going to post this as a story, but I'd like to hear your thoughts on why breach disclosure is expensive. Will this discourage companies from reporting breaches, even at the expense of fines, etc.?


Paul's Stories

Darren's Stories

Larry's Stories

Jack's Stories