Adam Shostack
adamshostack.bsky.social
Threat modeling. BH Review Board. Affiliate Professor, UW. Fixed autorun. Helped create CVE.

Not sure why we're building graphs on yet another (effectively) centralized system. https://infosec.exchange/@adamshostack
Here I thought, "the baker does not bake bread to be nice," but whadda I know about the Wealth of Nations?
California alone produces a third of all the food America eats. So this is a lie.

But let’s break down the food produced by the red states:

Guess what percent is harvested by people from Latin America?
November 11, 2025 at 1:39 AM
Reposted by Adam Shostack
TODAY ONLY the publisher of the #ebook edition of this antifascist cyberpunk #sf trilogy is offering ALL THREE BOOKS for $3.99. This promotion is to try and interest libraries in the books for their #ebooks stacks but also is today available to anyone. The 3 books are normally 30 dollars!
The Eclipse Trilogy: Eclipse, Eclipse: Penumbra, and Eclipse: Corona
The Eclipse Trilogy: Eclipse, Eclipse: Penumbra, and Eclipse: Corona - Kindle edition by Shirley, John. Download it once and read it on your Kindle device, PC, phones or tablets. Use features like bookmarks, note taking and highlighting while reading The Eclipse Trilogy: Eclipse, Eclipse: Penumbra, and Eclipse: Corona.
www.amazon.com
November 10, 2025 at 9:50 PM
Reposted by Adam Shostack
Living through the Cape Town water crisis was intense. You don't want this, believe me. We were limited to 90 second showers, only flushing the toilet when absolutely necessary, with the looming threat of the worst case scenario of Day Zero, where we'd have to queue daily for our 50 litres...
All those people who think they can dodge the effects of the climate crisis because they live in a nice developed country are about to get punched in the face. It’s coming in hard everywhere.
England facing drastic measures due to extreme drought next year
Government and water companies are devising emergency plans for worst water shortage in decades
www.theguardian.com
November 8, 2025 at 9:19 PM
One thing to keep in mind: The choice to make ChatGPT pretend to be human was a choice; they could have easily added a sentence "don't pretend to be human" to the system prompt.

Without that, would people treat it as a person with a "final adios" obligation, or let it have the same influence?
Panera’s moderately caffeinated lemonade was loosely associated with 2 deaths before it was taken off market.

This article alone has 4 examples of ChatGPT encouraging young people to commit suicide, and OpenAI’s own public stats estimate over a million users discuss suicide with ChatGPT each week.
I fully believe in the corporate death penalty and believe we would be a better world if OpenAI lost its corporate charter and was forcibly dissolved.

www.cnn.com/2025/11/06/u...
November 8, 2025 at 12:17 PM
Publish your threat models? It's sparking debate. Join our discussion with OSTIF to talk about the benefits, dangers, and "why" of publication.

🗓️ Nov 12, 2pm CST 🔗 luma.com/zwsqlhs2
Threat Modeling w/ Adam Shostack · Zoom · Luma
Description Publish your threat models! This talk will cover the idea of publishing threat models, the dangers associated with the idea, and why open source…
luma.com
November 7, 2025 at 6:30 PM
twenty twenty twenty four hours to go....stop managing risk!

shostack.org/blog/stop-tr...
Shostack + Friends Blog > Stop Trying to Manage Risk!
Risk doesn’t do what we hope. We need to talk.
shostack.org
November 6, 2025 at 1:05 PM
Reposted by Adam Shostack
If you aren't seeing skeets from some of your fave people, they might have been labeled "Rude" by bsky mods. Idk what they are thinking, I don't need a mommy to tell me who to be buddies with. Anyway, go into Settings > moderation > bluesky moderation (advanced) and turn Rude off.
November 5, 2025 at 7:10 AM
Reposted by Adam Shostack
Am I misunderstanding but is llmstxt.org saying you need to double your documentation burden to provide markdown files for every doc you produce for your programming frameworks and tooling?

Fuck off
The /llms.txt file – llms-txt
A proposal to standardise on using an /llms.txt file to provide information to help LLMs use a website at inference time.
llmstxt.org
November 6, 2025 at 3:11 AM
Nice to see Geekwire refer to 90% of Seattle's businesses no longer having to pay the B+O tax and associated bookkeeping costs as "a tax hike."

www.geekwire.com/2025/seattle...
Seattle tax hike on big businesses set to pass after early voting returns
Proposition 2 will reshape the city’s business and occupation (B&O) tax that applies to gross revenue — impacting both small startups and large tech companies such as Amazon.
www.geekwire.com
November 5, 2025 at 12:43 PM
Reposted by Adam Shostack
📢 Call for Proposals: we're seeking projects to create Security-Informed Safety teaching materials.

💷 Up to £5,000 funding
🗓 Deadline: 30 Nov 2025
Details 👉 buff.ly/QBsk82L

#CyBOK #CyberSecurity #FundingOpportunity #CyberEducation
November 4, 2025 at 2:45 PM
Reposted by Adam Shostack
Strictly speaking, because snap isn't paying anybody anything right now. So nobody is a snap paying customer, the discounts are not subject to the equal treatment clause.

These are just people with snap cards, not paying what snap cards
The USDA sent an email to grocery stores telling them they are prohibited from offering special discounts to customers affected by the SNAP funding lapse.
I'm aware of at least 2 stores that had offered struggling customers a discount, then withdrew it after receiving this email
November 2, 2025 at 10:16 PM
Reposted by Adam Shostack
Naturally the dev team not ONCE thought to consider how this unasked-for feature could be weaponized as an attack vector.
October 31, 2025 at 11:12 PM
Risk isn’t a hammer—and most problems aren’t nails.

I show why quantifying risk won’t fix cyber’s hardest decisions at USENIX '25.

🔨 tinyurl.com/4dj5mj3w
USENIX Security '25 (Enigma Track) - Risk Is Not a Hammer, and Most Hazards Aren't Nails
Risk Is Not a Hammer, and Most Hazards Aren't Nails Adam Shostack, Shostack + Associates "Risk management" has been given a privileged position in security, that of an axiomatic truth. It doesn't…
youtu.be
October 31, 2025 at 5:04 PM
Reposted by Adam Shostack
"Many of the deals OpenAI has struck — with chipmakers, cloud computing companies and others — are strangely circular. OpenAI receives billions from tech companies before sending those billions back to the same companies to pay for computing power and other services." www.nytimes.com/interactive/...
How OpenAI Uses Complex and Circular Deals to Fuel Its Multibillion-Dollar Rise
Here are seven unusual financial agreements helping to drive the ambitions of the poster child of the A.I. revolution.
www.nytimes.com
October 31, 2025 at 10:58 AM
Reposted by Adam Shostack
Today's winner of the "Please STFU" Award is Kat Abughazaleh.

She was right to hang up! Don't talk about the facts of your federal indictment on a podcast! Or anywhere except your lawyer's office!

Sincerely,

Every Lawyer, Literally All Of Us, Heed Our Counsel And Shut The Fuck Up
October 30, 2025 at 9:18 PM
Reposted by Adam Shostack
14/ Coadministration:

All combinations showed non-inferior immune responses. COVID+flu: more side effects (42-46% vs 18%) but mild. Triple vaccination (COVID+RSV+flu) met immunogenicity goals. No serious safety signals - no myocarditis, pericarditis, or stroke in any coadmin RCTs."
October 30, 2025 at 4:12 PM
As it turns out the nuclear test ban treaty hasn’t come into full effect 30 years later. Oops!

en.wikipedia.org/wiki/Compreh...
Comprehensive Nuclear-Test-Ban Treaty - Wikipedia
en.wikipedia.org
October 30, 2025 at 2:24 AM
Reposted by Adam Shostack
Thank you, @cidrap.bsky.social, for covering our new @nejm.org review of Covid-19, RSV, and influenza immunizations.

Check it out: cidrap.umn.edu/covid-19/meta-analysis-covid-rsv-flu-vaccines-fall-provides-sea-data-showing-efficacy-safety
Meta-analysis of COVID, RSV, flu vaccines for fall provides 'sea of data' showing efficacy, safety
cidrap.umn.edu
October 30, 2025 at 1:37 AM
Reposted by Adam Shostack
Join us at the UW Paul G. Allen School of Computer Science & Engineering. We are hiring tenure-track faculty positions. Apply here: apply.interfolio.com/174303
Apply - Interfolio
apply.interfolio.com
October 28, 2025 at 8:55 PM
Trick or treat, D.C.! 🎃

Don’t get haunted by AI bugs—join our Threat Modeling Intensive at OWASP Global AppSec USA, Nov 3–5! 👻 tinyurl.com/4t4df2p7
Training Courses ⇽ OWASP 2025 Global AppSec USA (Washington, DC) | The OWASP Foundation Inc.
tinyurl.com
October 28, 2025 at 5:02 PM
Should we publish our threat models?

I explore a different lens with OSTIF for how transparency can benefit everyone.

Oct 29, 14:00 CT 👉 luma.com/6fvp6orm
Threat Modeling w/ Adam Shostack · Zoom · Luma
Description Publish your threat models! This talk will cover the idea of publishing threat models, the dangers associated with the idea, and why open source…
luma.com
October 27, 2025 at 5:00 PM
Change the whole vibe of a book by removing a word from a title

Modeling: Designing for Security
Change the whole vibe of a book by removing a word from a title

Threats: What Every Engineer Should Learn from Wars
Change the whole vibe of a book by adding a word to a title

Interview Without a Vampire
October 26, 2025 at 7:14 PM
Change the whole vibe of a book by adding a word to a title

2001: A MySpace Odyssey
October 26, 2025 at 7:14 PM
Reposted by Adam Shostack
Come celebrate Media Literacy Week with me in Toronto!
DON’T MISS! The New Age of Digital Deception, featuring @craigsilverman.bsky.social & Carolyn Jarvis, a CJF J-Talk event in partnership with @mediasmarts.bsky.social for #MediaLiteracyWeek 2025. Tickets are free and include popcorn + drink + audience Q&A 🎟️ www.eventbrite.ca/e/the-new-ag...
October 24, 2025 at 6:42 PM
Reposted by Adam Shostack
It wasn't fake. It was edited. But Reagan really did spend a five-minute speech – an April 25, 1987, national radio address that the Reagan Library has published on YouTube – to rail against tariffs. It was a full-throated expression of support for free and fair trade.
https://cnn.it/4o5pBGv
October 24, 2025 at 3:00 PM