June 2026



This month the link dump continues to evolve: breaking out a few article-length posts and then various links and quick thoughts to share. As always, this is all quick takes, so please read with a grain of salt, and I’m happy to get criticism where needed.

We have Least Privilege and Least Information, but the recent age verification hubbub — with no threat modeling analysis in sight — suggests a new Least Credentials pattern that looks useful to factor out. Speaking of age verification, from Australia’s recent attempt comes a wonderful turn of phrase useful in so many ways for the internet age and software in particular.

From a friend I learned how a vibe coded video game is helping education administrators understand budget issues.

Looking into the origins of the term “waterfall” development, I learned it was not from anyone proposing doing that: quite the opposite, they were saying please don’t do this.

I stumbled onto a nice way to pierce at least one paywall quite easily courtesy of Google.

Neil Postman’s book, Amusing Ourselves to Death: Public Discourse in the Age of Show Business, has certainly aged. Rereading it was a revelation and it’s packed with insights from the days of (pre-cable!) television that are applicable even more so in our hyper mediated internet age.

Since its inception, the R (repudiation) of STRIDE has always been the toughest to explain. I think I finally realized a better way: “Responsibility shirked”. Please help spread the word if you like it! Alternatively, if you have a simple way to explain the concept of repudiation and/or a better update, please let me know.

Threat modeling certainly needs to be more widely used than it is (so far as can be told since it’s 99.9% done behind closed doors locked by NDA). That’s why Scaling Threat Modeling from Adam Shostack is so important.

Threat modeling is not just for cybersecurity: it can help with software in general (and more but that’s a separate discussion). Here’s a clear example of not thinking it through that could have been avoided.

I’ve always wondered how much test coverage ensures the quality of modern software products: this recent flaw seems to prove the answer is, “not much”.
“Replying to or forwarding an email does not include the original message in the email body in legacy Outlook for Mac”
I thought this might be The Onion for a second: forwarding that doesn’t include the original message, really?

Don’t Get Hacked! by Steve Bellovin — We all know folks who need computer advice: this from a fellow who knows security looks promising (I have not reviewed it) and it’s free.

Finally, an artificially intelligent clown parade: CVE-2026-LGTM. To be honest, I’m so far behind the rapid generative AI evolution of the development process these days that it took me a while to register that this must be parody, but at the rate things are going we may actually be headed there. A year from now, if we aren’t careful, we might be a little closer to this kind of world.