A friend asked me to get on instagram so they could send me reels. So I played with it a little today, and … huh? I can’t turn the phone to make a landscape video play in landscape? All the content is “sponsored”? I can’t find posts from the small set of folks I followed? I’m baffled.
Is there any meaningful security benefit to one time codes being more than 4-6 digits? (For *any* of TOTP, email, or sms delivery.)
"Insurance can help cybersecurity" is a hypothesis, not an axiom.
New blog: Risk talk at JPL Before Thanksgiving, I was in Southern California, and I was honored to be able to give a talk at the Jet Propulsion Lab. The talk is titled “Threat Modeling: Engineering and Science.” The first part of the talk puts threat modeling in context for engineering secure systems, while the second part considers why we do what we do and asks some questions about how we think about risk. (1/4)
For Cyber Monday, Shostack + Associates has released a free white paper on my Four Question Framework on Threat Modeling. shostack.org/whitepapers
Fascinating for privacy and "Turn off your phone before you go to the secret location" threat models: "What's more, even phones that are powered off or that have dead batteries can be located for "several hours" after they go dark. However, this only applies to certain handsets, including the Pixel 8 series and Pixel 9 series from Google; the phone needs specialized hardware that enables a low-power Bluetooth signal to be broadcast, even if the handset itself isn't turned on."
New blog: Is Cybersecurity Awareness Month Worth the Money? As we wrap up another cybersecurity awareness month, I’d like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign drip evaporates, and then renewing the next year. The shifts should be bigger than the variance the data shows. I am quite serious about this. Cybersecurity awareness month was invented by Microsoft’s marketing department, and it now absorbs a huge amount of time and energy: (1/4)