Posts by adamshostack@infosec.exchange
 (DIR) Post #AsrVXjqQyjsss8ZFNA by adamshostack@infosec.exchange
       2025-04-07T22:40:11Z
       
       0 likes, 1 repeats
       
       "For transporting us beyond Seas to be tried for pretended offences"
       
 (DIR) Post #Asryl4TkTDDPIqfN4q by adamshostack@infosec.exchange
       2025-04-07T23:14:03Z
       
       0 likes, 1 repeats
       
       Today's "history is boring" lesson: The Declaration of Independence lists "For transporting us beyond Seas to be tried for pretended offences" as one of the reasons Independence was important.
       
 (DIR) Post #AszDQ0bwVwcUe2dKHg by adamshostack@infosec.exchange
       2025-04-11T15:04:15Z
       
       0 likes, 1 repeats
       
       New blog: Assets, Again (1/3)

       Appsec leaders come to me all the time, looking for feedback on their threat modeling approach. A recent request exemplified a couple of the problems that we see over and over:

       "The system model provides a framework for identifying and analyzing potential threats by thoroughly describing the assets, attributes, and their interactions within the information system. These assets include infrastructure, software, protocols, and data storage, among others. [...] Identify and classify the organization's assets, including network devices, servers, endpoints, and applications. Explore the key functions of each asset and understand their roles in the organization's business processes."

       Full post: https://is.gd/BPSCwT
       
 (DIR) Post #AszDQ6jFlg25cS6FVo by adamshostack@infosec.exchange
       2025-04-11T15:04:34Z
       
       0 likes, 0 repeats
       
       In Threat Modeling, I talk about there being three types of assets: things you want to protect, things attackers care about, and stepping stones. I talk — at length — about why the term asset doesn’t help us threat model. This approach magnifies those problems, and adds more.

       - Why are “protocols” assets?
       - What sort of “classification” is involved, and what goal does it serve?
       - Why is “infrastructure” an “asset?” Can’t we have the ops team threat model it and assume that it works, especially when we’re talking about the business processes?
       - In the second list, can’t you just say “computers and applications?” What does jargoning it up as “assets” do for you?
       - Why do you need to understand the functions or the business process at this stage? (Not saying you don’t, I’m saying that you need to justify it.)

       What's more, what's the value of ‘thoroughness?’ How thorough do we need to be?

       (2/3)
       
 (DIR) Post #AszDQC3zvyb6AEqO2a by adamshostack@infosec.exchange
       2025-04-11T15:05:14Z
       
       0 likes, 0 repeats
       
       These problems are addressed by starting with the question “what are we working on?” If you’re not working on infrastructure... you don’t need to ask questions about it. That’s someone else’s job and threat model. If you’re not working on the whole organization, you don’t need to identify all its assets and go develop an understanding of them...

       By the way folks, I can’t do these for the whole world as a hobby project. When we do it for a customer, the request and response are private, and when they're not, sometimes they end up in the blog. If you’d like my team to do a review, please get in touch using the contact us form. Be warned: our rabid sales team will never stop calling (unless you ask them to).

       (3/3, full post, links https://is.gd/BPSCwT)
       
 (DIR) Post #At88CLXd9Dea9nvC2i by adamshostack@infosec.exchange
       2025-04-15T22:27:58Z
       
       0 likes, 1 repeats
       
       CVE funding is apparently not being renewed. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.)

       Those included comparing between vulnerability posts. It’s a lot of work to decide if two vulns are the same. Tagging both with a name was an important use case in 1997, and one that I got to revisit around 2010 when I was doing work to understand how malware got into PCs. Most of the attacks in exploit kits were not CVE-labeled. So deciding what they were was hours per vuln, with a high failure rate, versus minutes when they had a CVE assigned.

       CVE achieved public good status exceptionally quickly, in part because of support from thoughtful leaders like Tony Sager while he was at NSA. Finding support from outside the government was, as I recall, harder because MITRE is Congressionally chartered and has difficulty taking money from anyone but the US Government.

       There are other use cases, and I want to mention them because I was talking in private to friends, and they weren’t aware of these. All vendor names are used as examples.

       - "Did Red Hat fix this Python bug, or do we need to find a patch?" is way easier with CVEs.
       - Did Apple fix this OpenSSL bug after getting version locked to OpenSSL .9.8?
       - Having a name lets you discuss “did Microsoft fix this yet?” and if there’s a tool that tests it, you can cross-check the bug, the proof of concept, and the patch.
       - Having an authoritative public timetable, including issuance, helped everyone understand when a vendor was slow-rolling a fix.
       
 (DIR) Post #AtlDPXONZs7sMbmfHk by adamshostack@infosec.exchange
       2025-05-04T19:27:31Z
       
       0 likes, 1 repeats
       
       This May the Fourth, remember that rebellions are built on hope.
       
 (DIR) Post #AuNFNlPXwRmXpFtHm4 by adamshostack@infosec.exchange
       2025-05-23T03:03:55Z
       
       0 likes, 1 repeats
       
       You can still opt out of the #biometric exit permission machines at #SeaTac, and it’s faster than being photographed. They do lie and claim you need to go to the desk before boarding begins in loud announcements.  Thanks to the #acluwa and @ehasbrouck who fought for those rights to be preserved.
       
 (DIR) Post #AvKTcn4Z2AVcuiLCNc by adamshostack@infosec.exchange
       2025-06-20T17:48:13Z
       
       0 likes, 0 repeats
       
       I am so grateful we saved a few million bucks by DOGEing the Voice of America's Farsi service. There's no possible value in having a way to send the Iranian people a message.

       Oh, wait, maybe it was incredibly stupid and shortsighted. Yeah, I'm going with that. DOGEy, even.
       
 (DIR) Post #AvND5VhJb5Uhg4SGzQ by adamshostack@infosec.exchange
       2025-06-22T01:35:53Z
       
       0 likes, 1 repeats
       
       With his party in control of both houses of Congress, the President didn’t bother to get a declaration of war, nor did he bother to explain his reasons to the American people.
       
 (DIR) Post #AwhyTLyobDHWN5KRDU by adamshostack@infosec.exchange
       2025-07-30T23:04:43Z
       
       0 likes, 0 repeats
       
       Are there sshd state machines? I'm looking for one that covers "root," "running as user" and "spawning shell"*?

       I've found https://www.researchgate.net/figure/Abstract-description-of-SSH2-with-Diffie-Hellman-key-exchange_fig2_241880255 and Figure 5 of https://www.cs.ru.nl/bachelors-theses/2017/Toon_Lenaerts___4321219___Improving-protocol-state-fuzzing-of-SSH.pdf

       (*This assumes my recollection that sshd replaced /bin/login is accurate)
       
 (DIR) Post #AwhyTP5J3XFy05OAFc by adamshostack@infosec.exchange
       2025-07-31T22:27:16Z
       
       0 likes, 0 repeats
       
       @msw Yeah, that! cc @mwl
       
 (DIR) Post #AwhyTQIoWnehmGiSwa by adamshostack@infosec.exchange
       2025-07-31T22:29:16Z
       
       0 likes, 0 repeats
       
       @msw @mwl Also cc @bsdphk @jawnsy @ricci
       
 (DIR) Post #AwhyTS2a47rJAV8Wv2 by adamshostack@infosec.exchange
       2025-07-31T22:47:36Z
       
       0 likes, 0 repeats
       
       @msw These are really useful, thank you! Do you know of more modern examples? (cc @mwl @bsdphk @jawnsy @ricci)
       
 (DIR) Post #AwhyTToTTXlOfKYID2 by adamshostack@infosec.exchange
       2025-07-31T23:02:45Z
       
       0 likes, 0 repeats
       
       @msw @mwl @bsdphk @jawnsy @ricci Any system whose security matters where the system is depicted with a state machine.
       
 (DIR) Post #AyBFdSCjgsm5B4ayP2 by adamshostack@infosec.exchange
       2025-09-13T16:43:41Z
       
       0 likes, 0 repeats
       
       It won’t work. (Dunking on Mastodon here, not Don.) https://techhub.social/@BrentD/115197950000197643
       
 (DIR) Post #AyBFdWBosEPzXOCIWu by adamshostack@infosec.exchange
       2025-09-13T16:46:10Z
       
       0 likes, 0 repeats
       
       The issue is you cannot control clients. The clients are under the control of the people who write them and are on the far side of a boundary from you. Maybe you can limit (at the server) posts that contain links to other posts, images of other posts, URL shorteners that link to other posts, but you’re in an arms race and you’re not deploying effective controls.
       
 (DIR) Post #AyBFdaSH0zxMlZvUjQ by adamshostack@infosec.exchange
       2025-09-13T16:51:36Z
       
       0 likes, 0 repeats
       
       Another way to say this: What, precisely, is the policy language or algorithm you're going to deploy, and where will it be enforced?
       
 (DIR) Post #B08vwYet1qIZQMuy3s by adamshostack@infosec.exchange
       2025-11-11T17:39:54Z
       
       0 likes, 0 repeats
       
       @ricci @greatquux What a cool find! Also, I hope y'all have a very strong fireproof box. :)
       
 (DIR) Post #B2zLEePNBQV0iuXGU4 by adamshostack@infosec.exchange
       2026-02-04T19:21:56Z
       
       0 likes, 0 repeats
       
       @dangoodin I think they can force your finger onto the sensor (much like they can force fingerprints on an ink pad) and force you to open your eyes. Those are "non-testimonial" where if your password was, I dunno, "IkilledBob" then that's testimonial and the courts can't force you to self-incriminate.