Adam Shostack
@adamshostack.infosec.exchange.ap.brid.gy
Author, game designer, technologist, teacher.
Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board.
Books […]
[bridged from https://infosec.exchange/@adamshostack on the fediverse by https://fed.brid.gy/ ]
Doctor conferences get different door junk!
November 8, 2025 at 11:27 PM
twenty twenty twenty four hours to go....stop managing risk!
https://shostack.org/blog/stop-trying-to-manage-risk/
November 6, 2025 at 1:05 PM
Stop Trying To Manage Risk! That’s the title of my keynote for OWASP Global Appsec in Washington DC on Friday. And if you’re saying “WTF,” well, good. That’s the goal: to make you stop and think.
People hope risk management will solve all their cyber […]
[Original post on infosec.exchange]
November 6, 2025 at 2:58 AM
@UKFilmNerd Seriously? That's their Enterprise? With 3600 bricks, I'd really expect a much rounder look to the saucer
November 2, 2025 at 10:40 PM
If you're in Boston, Houston, Paris, or London, you should go see the Moonwalkers. Some notes start:
While in Boston, I had the chance to see “The Moonwalkers: A Journey with Tom Hanks,” and highly recommend it, not because I was wowed (I was) but because […]
[Original post on infosec.exchange]
October 30, 2025 at 8:53 PM
October 26, 2025 at 7:09 PM
New blog, Prompt Engineering Requires Evaluation (1/10)
This morning, two strands of work intersected. The first is the upcoming launch of our Threat Modeling Intensive with AI. I’m excited about this course as it brings together all these essential skills […]
[Original post on infosec.exchange]
October 20, 2025 at 8:14 PM
Found in a cookbook.
October 15, 2025 at 6:39 PM
New blog post: AI Insurance Won't Save You https://is.gd/e0MKz5
There’s press about AI insurance, and I don’t want to critique any specific firm, I’d like to offer a prediction: No customer will ever see a payout. We can see the dynamic that’s emerged in cybersecurity and learn from it.
(1/6)
October 8, 2025 at 4:42 PM
Secure By Design roundup - September 2025 (Full, links at https://is.gd/ZlSj90)
Threat Modeling
The Secret Service announced they’d busted a SIM farm “used for swatting” and set off a bit of a firestorm. CNN has one of the more detailed stories. 404Media […]
[Original post on infosec.exchange]
October 1, 2025 at 10:10 PM
How can half a word be misspelled?
October 1, 2025 at 3:40 PM
Scaling threat modeling isn't about perfect methodology—it's about everyone on your team being able to answer four fundamental questions.
Don't let complexity prevent you from starting. Begin with these questions and improve iteratively.
Full discussion […]
[Original post on infosec.exchange]
September 29, 2025 at 6:15 PM
“Modern attackers are using ai to drive undetectable attacks!”
Modern attacker, “nah this works fine”
September 20, 2025 at 9:13 PM
Apparently only some of the instances of Word.app need to restart today.
September 17, 2025 at 11:14 PM
New blog, Lunar Rover Vehicle, Redux https://shostack.org/blog/lunar-rover-vehicle-redux/
While I'm talking about the Lunar Rover, I want to tell a tale of two models. One you've met: the Lego model. The other is a model, currently on display at the Museum […]
[Original post on infosec.exchange]
September 17, 2025 at 5:41 PM
New blog on Apollo 15 Lunar Rover Vehicle starts:
I was thrilled to find this photo at a thrift store. There’s a typewritten letter on the back from Earl Houtz, LRV program manager, which is .. not exceptionally personal, leading me to think this could have […]
[Original post on infosec.exchange]
September 15, 2025 at 5:39 PM
Bellingham https://flic.kr/p/2rt2nYF
September 13, 2025 at 3:12 AM
I, too, am too ignorant of engineering history to have any idea why this is a bad naming choice for a project.
September 10, 2025 at 11:49 PM
New blog, "Thoughts on how LLMs could change threat modeling", starts:
Is threat modeling a journey or a destination? Is it a noun or a verb? This nuance pervades our conversations. The model of lightweight approaches with a whiteboard that found important […]
[Original post on infosec.exchange]
September 9, 2025 at 4:49 PM
My July/Aug appsec roundup post is now live at https://is.gd/3eukga
Not doing the full post here, it's a lot of work...
September 2, 2025 at 5:14 PM
New blog Mansplaining your threat model, as a service
This is the second part of a short series. The first post looks at threat modeling tooling more broadly; this one is focused on LLMs in threat modeling.
It seems like you can’t turn around without […]
[Original post on infosec.exchange]
August 26, 2025 at 6:53 PM
Timo Jagush presenting on offboarding at #soups2025, points out that frameworks are hard to navigate… framework creators have every motive to be “comprehensive”, but little motive to be usable.
https://www.usenix.org/conference/soups2025/presentation/detsika
August 11, 2025 at 5:51 PM
Yoshi Wong presenting at #soups2025 on LLM Agent explainers of spam. Uses FTC data …
August 11, 2025 at 5:11 PM
Lyft is set to allow location services “while using”. Wtf happened here? Is “running in the background” using? Do I need to kill apps to make that work? (I used it this morning to get to the airport)
August 10, 2025 at 7:53 PM