Adam on “Silver Bullet Security” Podcast

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinsky, and books by Pynchon.

Show 026 – An Interview with Adam Shostack.

The one thing I’d like to add is that we mentioned Frank Abagnale’s Catch Me If You Can.

It was a fun interview.

Jack Jones on Risk Management


I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.”

I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a discussion of how to play Russian Roulette.

I also like the way he critiqued best practices (you’ll have to watch). It’s a little hard for me to assess his risk management methodology from a podcast, but it’s a very worthwhile 45 minutes.

(Now if only he had some Kandinsky in there, I’d have no doubt that the Risk Management Insight Institute, which Jack heads, is part of what we call the “New School.”)

More New School Reviews

Gary McGraw says buy it for the cover:

The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinsky on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinsky fan. On the way to complete that errand, I had a chance to look through the book and now I need a copy of my own! If you’re a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you’ll like this book. (Gary McGraw)

while Ben Rothke says buy it for what’s in between:

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

Let’s hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
(Ben Rothke’s review on Slashdot)

Thanks very much for the awesome review, Ben!

RSA Crazy Busy, book notes

I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder, I’ll be doing a book singing at 2.30 at the RSA bookstore.

PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and ask me to sing, maybe I will. But then again, maybe I’ll spare all of your ears from that horrid fate.

Amazon and The New School

Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says:

Because of their set-up, Amazon has been taking longer to get a book available for shipping. As you can see, this causes problems when they list the pub date as being the same date books are available from the publisher. They have just very recently changed their practices and now post pub dates on their sites that better reflect when THEY will be set up to ship the book to customers. However, they had not put this into practice when originally setting your book up in their systems, hence the “change in availability” date.

So the pipeline is working, although it didn’t set expectations properly here. Next time, I’ll link to the publisher site, not Amazon.

New School of Information Security: book signing at RSA

I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be clear: the RSA bookstore will have copies for sale.

I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two to say that they’d gotten their copies, and so I know that they’re starting to ship. I had a very few copies to hand out at the IAPP meeting recently.

In the deeply ironic department, the second copy ever delivered went to a ChoicePoint employee. (After much consideration, we’ll respect their privacy.) I tried hard to rig the drawing, but Sagi Leizerov, from E&Y, was too good for me, and ensured it was fair.

Anyway, I remain tremendously excited about the launch of the book, and hope to see many of you next Wednesday at 2:30 in the RSA bookstore.

A Crime That Flourishes Because Victims Remain Silent

There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.”

“I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor of accounting at the University of Dayton. “This has been going on for years, but there’s a feeling that it shouldn’t be discussed,” because of the effect it might have on donations.

But it will now be harder for charities to hide fraud, because beginning with tax forms they must file for 2008, the Internal Revenue Service has added a question requiring them to disclose whether they have experienced theft, embezzlement or other fraud during the year.

This resonated pretty strongly with points we make in the New School. It’s about how problems fester when we don’t talk about them. There’s a principal-agent problem here, where charities, acting as agents for their donors, are actively concealing problems. And it shows yet another example of diverse perspectives helping to solve problems.

The report is available at “An Investigation of Fraud in Nonprofit Organizations.”

First in-depth review

Andre Gironda writes “Implications of The New School:”

Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly from the beginning to the end of the book I was also kept in a state of constant interest thanks to the excellent writing. Even if you have read all of their past work, this book is certainly worth a read or two or three, maybe even quarterly.

He has a lot of detail in his review, while I’m just quoting the intro, blown away and grateful that someone would suggest reading it quarterly.

Thanks Andre!

More New School feedback


Our editor says that the Safari e-book edition of The New School is now available. Hardcopies should be out in a week or so.

Jon Pincus gives us a mention in his long article “Indeed! The Economist on ‘computer science as a social science’” and comments that we “explicitly include discussions of diversity in the social science sense.” (As he discusses, Jon has long been focused on computer science as a social science, and he gave us some great help in improving the diversity section.)

Nick Owen thinks he won’t be invited to the prom in the New School, but he’s wrong. He turned me on to Bennett Stewart’s work, which influenced how we talk about ROI.

KJW/Code likes the first chapter. Decius on Memstreams says that our editorial blurb “makes a lot of bold claims without explaining how those claims are met. I eagerly await further reviews and shorter articles written by the authors to promote their book…”

Also, a couple of people emailed me asking for a table of contents and more sample content. Here’s the table of contents, and yes, Decius, there will be more that we’ll release over the next little while. We have a first couple of interviews lined up, and are eager to get the ideas out there in forms which are easy to digest.

Table of Contents


Spam, and Other Problems with Email 4
Hostile Code 7
Security Breaches 9
Identity and the Theft of Identity 11
Should We Just Start Over? 14
The Need for a New School 15


Where the Security Industry Comes From 19
Orientations and Framing 25
What Does the Security Industry Sell? 27
How Security Is Sold 33


The Trouble with Surveys 46
The Trade Press 50
Vulnerabilities 52
Instrumentation on the Internet 54
Organizations and Companies with Data 55


How Do Companies Lose Data? 64
Disclose Breaches 68
Possible Criticisms of Breach Data 70
Moving from Art to Science 74
Get Involved 76


The Economics of Information Security 82
Psychology 95
Sociology 99


Reasons to Spend on Security Today 106
Non-Reasons to Spend on Security 110
Emerging Reasons to Spend 112
How Much Should a Business Spend on Security? 116
The Psychology of Spending 122
On What to Spend 126


People Are People 132
Breach Data Is Not Actuarial Data 136
Powerful Externalities 137
The Human Computer Interface and Risk Compensation 139
The Use and Abuse of Language 142
Skills Shortages, Organizational Structure, and Collaboration 144


Join the New School 149
Embrace the New School 153
Make Money from the New School 157
Final Words 159

Reactions to “The New School:” Thank you!

A big thank you to those of you who picked up the New School in your blogs and mailing lists.

Ryan Hurst says:

This is a concept I know I believe in, one I have discussed numerous times with folks over beer; with that being said I can’t wait to get my copy to see what the Most Evil Genius thinks.

John Quarterman:

…if it’s like the material he posts in his blog, it’s a good thing.

Also, thanks to Canadian Privacy Law Blog, SamaBlog, and TechnoFlak.

Most of all, thank you to those who decided to pre-order. This was yesterday afternoon:



I don’t know when the “people who bought this also bought” gets updated, but we have no idea what’s up with the search engine optimization overlap.

Which doesn’t prevent us from saying, once again, “thank you!”

The New School of Information Security


A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley.

My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make things better. We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

Incidentally, this isn’t an official project for either of us. (We wouldn’t want anyone to get confused about who gets the credit or blame.)