I’m getting ready for to announce a new project that I’ve been working on for quite a while.
As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you don’t fuzz your code.
Now, I don’t know a lot about marketing, but I do know that look which implies table stakes. So I’ve set up a mailing list. I’ve cleverly named it “Adam Shostack’s New Thing.” It’ll be the first place to hear about the new things I’m creating — books, games or anything else.
People who sign up will be the first to hear my news.
[Update: Some people are asking why I don't just use Twitter or blogs? I plan to, but there are people who'd like more concentrated news in their inbox. Cool. I can help them. And much as I love Twitter, it's easy for a tweet to be lost, and easy to fall into the trap of retweeting yourself every hour to overcome that. That's annoying to your followers who see you repeating yourself.]
Alan Shimmy has the nominations for the 2014 Social Security bloggers award!
New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.
Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful that it’s intended as a complement.
I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday.
Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public Domain on January 1, 2014?”
It’s near-impossible to see how our insanely long copyright terms, or their never-ending extensions encourage Dr. Seuss, Ayn Rand, Jack Kerouac or Ian Fleming to keep producing new work. Those authors have been richly rewarded for their work. But it’s easy to see how keeping those works under copyright reduces creative re-use of our collective cultural heritage.
In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs?
My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small number of smart people. Is that still the right advice, despite recent news? The right advice is pretty clearly not that a normal software engineer building in Ruby on Rails or asp.net should go and roll their own. It also cannot be that they spend days wading through debates. Experts ought to be providing guidance on what to do.
Is the right thing to hash together the OS and something else? If so, precisely what something else?
The Gavle Goat has burned again, according to The Local.Se, and of course, it’s Twitter account (yet one more way in which real name policies inhibit natural behavior).
Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be incomplete without a giant straw goat set ablaze.
There’s a new study on what people would pay for privacy in apps. As reported by Techflash:
A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history private, $2.12 to eliminate advertising on apps, $1.19 to conceal personal locations, $1.75 to conceal the phone’s ID number and $3.58 to conceal the contents of text messages.
Those numbers seem small, but they’re in the context of app pricing, which is generally a few bucks. If those numbers combine linearly, people being willing to pay up to $10 more for a private version is a very high valuation. (Of course, the numbers will combine in ways that are not strictly rational. Consumers satisfice.
A quick skim of the article leads me to think that they didn’t estimate app maker benefit from these privacy changes. How much does a consumer contact list go for? (And how does that compare to the fines for improperly revealing it?) How much does an app maker make per person whose eyeballs they sell to show ads?
Emergent Chaos has migrated. It’s a long story, and perhaps better left untold. Please let us know if you see issues with the new site.
Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM program from the ground up. He has essentially built a full end to end tutorial on a broad variety of tools (especially Open Source ones) that will help with every aspect of the program, from collection to analysis to reporting.
As someone who used to own security monitoring and incident response for various organizations, the book was a great refresher on the why and wherefores of building an NSM program and it was really interesting to see how much the tools have evolved over the last 10 years or so since I was in the trenches with the bits and bytes. This is a great resource though regardless of your level of experience and will be a great reference work for years to come. Go read it…
Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures:
So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be confused by the strange objects they find?
I hope someone has at least left them a note.
Can we just agree that “which” and “that” are pretty much interchangable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost.
Which, as they say, makes a mockery of that rule.
Alternately, “That, as they say, makes a mockery of that rule.”
Alternately, “That, as they say, makes a mockery of which rule.”
I think we may be taking this too far.