Essays, link dumps, and opinion pieces about current events in the software landscape, offering what I hope is new perspective.
You can reach out to me with constructive criticism or insights at infosec.exchange@lmk.
I applaud CISA leadership speaking out aggressively at the mWISE Conference 2024 about the dismal state of software security (based on reporting in The Register, but it would be nice for www.cisa.gov to publish transcripts in order to ensure we are interpreting remarks with full context, given that the videos are paywalled).
[Read More](2300 words) Threat modeling isn’t just for software security; you can even threat model threat modeling. When a major software incident occurs, the first thing we should be asking is “show us the threat model”.
[Read More]
In a debunking blog post, Crowdstrike finally starts to describe that content files are digitally signed for deployment. The initial report oddly referenced file timestamps instead of hashes to designate the bad and good versions of the infamous Channel File 291, but now we know these were signed.
[Read More]The Crowdstrike July incident root cause analysis report provides new detail and requires reading between the lines to interpret (I welcome corrections with references if I got it wrong).
[Read More]Say what you will about LLM technology, it’s remarkable that we can do computations on the scale of billions of parameters training on large chunks of humanity’s collective text and media at all — and then it’s remarkable how you can talk to “it” in everyday language and get any kind of recognizable response out of it all, often (but not always) a pretty good one, and this is all based on the simple but powerful “select the best next token” algorithm run in a loop. The concept would have made a terrific sci-fi series, and here we are with it working in our cloud at scale.
[Read More]July 30, 2024 — When will we address the unacceptable status quo of scam phone calls, SMS text, and email?
[Read More]
Threat-based questions to understand the Crowdstrike incident (1081 words)
Every chance I get I’ve been offering this guidance: We understand software security best through specific threats and mitigations, articulated by threat models shared openly. While I doubt the folks at Crowdstrike are interested in my help, this is a great opportunity to test how this works in practice.
[Read More]In search of standard terminology to talk about software security
Someone referred to Crowdstrike as not being a “security incident” to which someone else responded that according to NIST it is. I’d like to think that the US National Institute of Standards and Technology (NIST) would provide standard definitions of technical terms for the software community which is awash in vague nomenclature that leads to much confusion, however, I see that the situation is unexpectedly complicated. According https://csrc.nist.gov/glossary/term/security_incident there are eight different definitions of “security incident”. This strikes me as fundamentally unhelpful: if we are having a discussion and referencing the NIST definition, we can disagree about the meaning and both be completely accurate. If there is some rule to determine which of the definitions to apply in different contexts the webpage appears to be silent on what that is.
[Read More]Threat modeling methodology centers on asking, “What could go wrong?” and then considering mitigations to address such an eventuality. The unending calamities of history vividly demonstrate how human intuition repeatedly fails to foresee many such events until after they happen, and even then we sometimes fail to learn and act. For example, consider the 2008 financial crisis: after all the bailout money was handed out around Wall Street, Congress never confronted the glaringly obvious problem of “too big to fail” institutions. As a result, large firms continued to consolidate, concentrating power and risk in still fewer institutions, creating conditions for a repetition that appears to be a matter of “when” rather than “if”. Traditionally threat modeling has been deployed exclusively within the context of secure software engineering, but I posit that it is just as effective and important a tool for anticipating potential harms of all kinds — not just malicious exploitations.
[Read More]Secret questions as credentials for online account authentication are simply a bad idea in my view: I have never seen them done well, often seem them done atrociously, and my most generous assessment would be that they are extremely hard to do well. But keeping an open mind, here's a brief reasoning why these are problematic, and I invite anyone interested to do a brilliant design and prove me wrong.
[Read More]