The Future Is So Cool

When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state.

So living here in the future, I just wanted to point out how cool it is that you can detect extrasolar planets with a home kit.

A camera mounted on a clever set of hinges to track the sky

Read the story at IEEE Spectrum: DIY Exoplanet Detector.

Hate-watching, breaking and building

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan.

Hatewatch. Like it’s a word.

It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present in systems engineering, it’s everywhere. It’s easier to snark than to contribute. Any idiot with a crowbar can break things. And maybe it feels good.

The PR folks were also talking about how people had trouble watching a non-ironic version of Peter Pan. That sincerely enjoying a lovely children’s story had become culturally unacceptable.

It’s hard to build. We don’t appreciate it enough. In fact, we don’t appreciate enough. It’s hard to be appreciative in 140 characters. It can be hard to take appreciation seriously. Too often, appreciation is the lead-in to harsh feedback, and the appreciation is perfunctorily delivered, gotten out of the way to get to the “important” part. So many people have been reasonably trained to be wary when the positive feedback shows up.

Let’s try to do better.

Chaos and Legitimacy

At BruCon 0x06, I was awoken from a nap to the sound of canons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the war of 1812, and was the second war between Great Britain and the less Canadian parts of its North American colonies.

Treaty of Ghent Anniversary Celebration

Lately, I’ve been thinking a lot about that and what it tells us about Iraq, ISIS and more recently, Ferguson, and I want to write some of it down to see if it makes sense.

Much of our policy in Iraq and Afghanistan seems to operate on a model of history which goes something like this: after the revolutionary war, town meetings coalesced into the Constitution, and we all lived democratically ever after. It’s an ahistorical view that forgets the Articles of Confederation, the Whiskey Rebellion, Shays Rebellion, and what some in the American south still call “the War of Northern Aggression.” It takes time to develop the institutions of a functioning democratic society.

Is it any surprise that after years of dictatorships, torture of dissidents, children growing up under sanctions (in the case of Iraq), occupation, and civil war, the people of Iraq are not using democracy to solve their problems? That they fight over how to run their country?

While each has a unique history and set of circumstances, it appears to me that there is, across Afghanistan, Iraq, Syria, a crisis of legitimacy. The people who live in those areas have disagreements about not only who should lead them, or what policies should be in place, but about the process for selecting their leaders or governments, and the powers those governments should have.

Their disagreements are strong enough that many people are willing to take up arms rather than acquiesce to other visions. Our understanding of these disagreements is muddied by use of terms like “militia”, “the legitimate security forces” or “the so-called Islamic State.”

The Islamic State, with territory, an army, and a currency, is in many ways, no more or no less legitimate than the army and currency of Prince Assad of Syria. (He is a prince in all but name, having inherited power from his father, that literal inheritance of power being the defining feature of princes.) Assad has taken the step of staging a Potemkin village election, because he understands that legitimacy (rather than power) comes from the consent and agreement of the governed.

This is why Churchill said that democracy is the worst form of government, save all those others that have been tried. No one really thinks that asking a bunch of people who can’t be bothered to vote who should lead them is a great way to get the best people into government. But democracy is a unique way to give people a voice, and in that voice, get their consent. The form democracy, that everyone has a voice, is what gives it its legitimacy. Another way to say that is it’s the ballot or the bullet. (If you haven’t listened to Malcom X give that speech, it’s really an outstanding use of your time. Ballot or Bullet Part I, Ballot or Bullet Part II. In two parts from 100 American Speeches, not sure why it’s two-parted.)

Developing legitimacy requires both institutions and time. The institutions must show that they are reliably better than other choices, or people will pursue those other choices. When Federal grand juries return indictments in 162,000 out of 162,011 cases brought to them, it is reasonable to question if they are a worthwhile or trustworthy institution, or act simply as an instrument of power. From that same 538 Story, grand juries in Dallas reviewed 81 shootings by officers, and returns a single indictment. It is easy to think something is out of whack.

What I think I see in Ferguson is that the institutions of justice have failed, again and again. They didn’t just fail when Darren Wilson shot Michael Brown. Police officers can and will make bad decisions. But afterwards, they continued to fail. The medical examiner didn’t take photos because the battery in his camera died. The prosecutor led Darren Wilson’s testimony.
The institutions didn’t just failed in the moment, they couldn’t be made to work under an intense spotlight. The figures about grand jury indictments indicate that they system is failing victims of police violence. (Although Law Proffesor Paul Cassell makes a case that the grand jury did the right thing, and Wilson had a strong self-defense claim.) However, the institutions didn’t fail completely. A grand jury met, its activity was transcribed and the transcript was released. These elements of transparency allow us to judge the system, and find it wanting. But even while wanting, it’s better than judgement in the ‘court of public opinion,’ and its better than mob justice or lynchings.

These failures may lead reasonable people to ask what alternatives to violence exist? It may lead people to think that violence or destruction is their best option. Perhaps the democratic bargain as a whole is no longer sufficiently legitimate to the people protesting or even rioting in Ferguson. To be clear, I don’t think that the violence or property destruction will improve their lives. In fact I believe that violence and property destruction will make their lives worse. I also think that the people rioting, if they would sit down and talk it through might even agree that burning their own community won’t help. But they’re living in a system where things are more arrest warrants than people.

The chaos in Ferguson, like the chaos in Boston in 1776, like the chaos in Iraq, like the chaos in Syria, may be stopped, for a time, by more violence. But violence will not correct the underlying issues of legitimacy.

(There’s a whole related history of the use of offices to enrich office-holders, including the sale of military commissions, the sale of tax collection jobs, etc. I think that’s too complex for me to work into a single blog post. But briefly, the idea that positions were held as a public trust was an important development. We’ve lost it to the idea that because
officials will sometimes act in their own interest, we should only expect them to act that way. In no longer holding people to an ideal, we’re losing something.)

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example:

Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They don’t know how an attacker approaches a problem. Telling people to think like an attacker isn’t prescriptive or clear.

And I’ve been challenging people to think like a professional chef to help them understand why it’s not useful advice. But now, I’ve been one-upped, and, depending on audience, I have a new line to use.

Last week, on Veracode’s blog, Pete Chestna provides the perfect flip of “think like an attacker” to re-frame problems for security people. It’s “think like a developer.” If you, oh great security guru, cannot think like a developer, for heavens sake, stop asking developers to think like attackers.

CERT, Tor, and Disclosure Coordination

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination.

Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for software creators to create patches and distribute them so that those with the software can most easily protect themselves.

In fact, the function is so important that it was part of why CERT was founded to: “coordinate response to internet security incidents.” Now, incidents has always been more than just vulnerabilities, but vulnerability coordination was a big part of what CERT did.

The trouble is, it’s not a big part anymore. [See below for a clarification added August 21.] Now “The CERT Division works closely with the Department of Homeland Security (DHS) to meet mutually set goals in areas such as data collection and mining, statistics and trend analysis, computer and network security, incident management, insider threat, software assurance, and more.” (Same “about” link as before.)

This isn’t the first time that I’ve heard about an issue where CERT wasn’t able to coordinate disclosure. I want to be clear, I’m not critiquing CERT or their funders here. They’ve set priorities and strategies in a way that makes sense to them, and as far as I know, there’s been precious little pressure to have a vuln coordination function.

It’s time we as a security community talk about the infrastructure, not as a flamewar over coordination/responsibility/don’t blow your 0day, but rather, for those who would like to coordinate, how should they do so?

Heartbleed is an example of what can happen with an interesting vulnerability and incomplete coordination. (Thanks to David Mortman for pointing that out in reviewing a draft.) Systems administrators woke up Monday morning to incomplete information, a marketing campaign, and a slew of packages that hadn’t been updated.

Disclosure coordination is hard to do. There’s a lot of project management and cross-organizational collaboration. Doing that work requires a special mix of patience and urgency, along with an unusual mix of technical skill with diplomatic communication. Those requirements mean that the people who do the work are rare and expensive. What’s more, it’s helpful to have these people seated at a relatively neutral party. (In the age of governments flooding money into cyberwar, it’s not clear if there are any truly neutral parties available. Some disclosure coordination is managed by big companies with a stake in the issue, which is helpful, but it’s hard for researchers to predict and depend apon.) These issues are magnified because those who are great at vulnerability research rarely spend time to develop those skills, and so an intermediary is even more valuable.

Even setting that aside, is there anyone who’s stepping up to the plate to help researchers effectively coordinate and manage disclosure?

[Update: I had a good conversation with some people at CERT/CC, in which I learned that they still do coordination work, especially in cases where the vendor is dealing with an issue for the first time, the issue is multi-vendor, or where there’s a conflict between vendor and researcher. The best way to do that is via their vulnerability reporting form, but if things don’t work, you can also email or call their hotline (the number is on their contact us page.]


July 20, 1969.

I’ve blogged about it before.

There are people who can write eloquently about events of such significance.  I am not one of them.  I hope that doesn’t stand in the way of folks remembering the amazing accomplishment that the Apollo program was.


Mail Chaos

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain,

You can email me at my, and my web site is now at

I am sorry for any inconvenience this may cause.

[Update: A number of folks have asked what happened. The simple answer is technical debt associated with maintaining servers in the basement. No drama, just life.]

Seattle event: Ada’s Books

Shostack threat modeling Adas

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle
Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars.

This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” adapted for a more general audience.