Adam Shostack
Contents:

Things I've built
Papers
Tools
Blogs
Documentation
Disclaimers
Image Credit

Adam Shostack's Personal Homepage

With some of the things I've done. If you'd like to hear about new things as I build them, please sign up for my mailing list.

Things I've built (or helped build)

Threat Modeling: Designing for Security
If you're a software developer, systems manager, or security professional, this deeply practical book will show you how to use threat modeling in the security development lifecycle and the overall software and systems design processes. The book's website is threatmodelingbook.com.
Control-Alt-Hack
Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed in collaboration with Tammy Denning and Yoshi Kohno.
Elevation of Privilege: the Threat Modeling Game
The easy way to get started threat modeling. You can download a copy from the official page at Microsoft, and there's a blog post with the announcement. My Black Hat 2010 talk "The easy way to get started threat modeling" covers some of why the game works, and there's also "Drawing Developers into Threat Modeling", a longer, academic-style paper on the game. I've also started maintaining a list of "Tabletop Security Games," since there's now enough to list.
The New School of Information Security (book)
We examine some of the ongoing shortcomings of the information security profession, and propose some very practical steps that any individual or organization can take to improve things. Available from fine booksellers now. (Amazon or Addison Wesley's InformIT). By Adam Shostack and Andrew Stewart. There's now a blog inspired by the book at http://newschoolsecurity.com
Microsoft SDL Threat Modeling Tool
I drove the creation and release of several revisions of the SDL Threat Modeling Tool, which is available as a free download from MSDN.
CVE (1997-present)
After the 2nd Workshop on Vulnerability Databases at Purdue, I worked hard to make the Common Vulnerabilities and Exposures list a reality. The CVE is now broadly used and I'm an Emeritus Advisor.
Zero Knowledge Systems, Evil Genius Team (1999-2002)
At Zero-Knowledge Systems, I had the privilege of building and leading a team of Evil Geniuses who helped build some really amazing technologies.
Privacy Enhancing Technologies Symposium
I've been a member of the steering committee for this academic series of workshops. I organized the second in 2002 in San Francisco and the 9th in Seattle.
International Financial Cryptography Conference (1997-2003)
I was the Vice-President of the International Financial Cryptography Association, which is dedicated to bringing together cryptographers, bankers, and others to advance the theory and practice of Financial Cryptography.

Papers and talks

2013

Submission to Royal Society
The Royal Society is engaged in a project, "Cybersecurity research: a vision for the UK." I submitted a short note suggesting a line of research.
Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education
Tamara Denning, Adam Lerner, Adam Shostack, and Tadayoshi Kohno, "Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education." In Proceedings of ACM Conference on Computer and Communications Security (CCS '13), 2013.
Building a Science of Security
My SIRACon 2013 talk is titled "Building a Science of Security." It's part of an ongoing exploration of some of the ideas that Andrew Stewart and I explored in "The New School of Information Security."

2012

Elevation of Privilege: Drawing Developers into Threat Modeling
This paper describes my experiences creating the Elevation of Privilege Threat Modeling game, and some lessons learned. You can get the paper from Official EoP download site or a direct link: Elevation of Privilege: Drawing Developers into Threat Modeling (PDF).
The Evolution of Information Security
The NSA had a special issue of their journal, "The Next Wave" focused on the science of security. You can get the entire journal at Next Wave, Vol 19 #2 or my article in html or here: The Evolution of Information Security (PDF).

2011

Zeroing in on Malware Propagation Methods
Volume 11 of the Microsoft Security Intelligence report opened with a featured article on how malware propagates. Much of the key data in that is my work, and I was one of the authors of the featured article. You can download the featured article here, or see the full SIR at the Security Intelligence Report site.
Engineers are People Too
Keynote at I3P SAUSAGE workshop ("Software And Usable Security Aligned for Good Engineering"). Similar to my SOUPS keynote, this fully disclosed the NEAT approach to usable warnings, and included thoughts on how to create a learning environment. Slides for Engineers are People Too v 1.1.
Helping Engineers Design NEAT Security Warnings
By Rob Reeder, Ellen Cram Kowalczyk, and me. We present our wallet card distillation of how to design security warnings in this short paper. Some additional context is in the blog post, "Adding Usable Security to the SDL." The paper can be downloaded from here.
Risk Hose Podcast: Feedback Loops
I joined Chris Hayes, Alex Hutton and Jay Jacobs, and thought the discussion was particularly good. You can listen or download at "Risk Hose Episode 14".

2009-2010

Engineers are People Too
Keynote at SOUPS 2010. In "Engineers Are People Too" Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the engineer. All too often, engineers are assumed to have infinite time and skills for usability testing and iteration. They have time to read papers, adapt research ideas to the specifics of their product, and still ship cool new features. This talk will bring together lessons from enabling Microsoft's thousands of engineers to threat modeling effectively, share some new approaches to engineering security usability, and propose new directions for research.
The Crisis In Information Security
This is a high level and very well reviewed talk that I'm giving discussing some of the lessons from the New School. I've also been speaking on threat modeling.

2008

The New School of Information Security (book)
Adam Shostack and Andrew Stewart. We examine some of the ongoing shortcomings of the information security profession, and propose some very practical steps that any individual or organization can take to improve things. Available from fine booksellers now.
Writing on Threat Modeling
At a Security Modeling workshop, I presented "Experiences Threat Modeling at Microsoft," a title which is pretty self-explanatory. (Slightly updated from the workshop version.)

In MSDN magazine, "Uncover Security Design Flaws Using The STRIDE Approach" and "Reinvigorate your Threat Modeling Process" are about how I'm thinking about threat modeling and some lessons learned. MSDN also published "Getting Started With The SDL Threat Modeling Tool."

A series of blog posts on lessons learned threat modeling at Microsoft. The series can be downloaded as a Word doc, "The Trouble with Threat Modeling."

As mentioned above, Elevation of Privilege: the Threat Modeling Game is the easy way to get started threat modeling. You can download a copy from the official page at Microsoft, and there's a blog post with the announcement. My Black Hat 2010 talk "The easy way to get started threat modeling" covers some of why the game works, as does a longer paper, "Elevation of Privilege: Drawing Developers into Threat Modeling" (PDF).

Silver Bullet Podcast #26
After the launch of the New School, Gary McGraw interviewed me for his Silver Bullet Security podcast. "Episode 26" has links to listen or download, and Gary edited it into an article.

2007

Privacy Summer Symposium
At the Privacy Summer Symposium organized by Harvard Law School, I gave a short talk on Microsoft's SDL and how it impacted privacy. (With Sue Glueck.)
Security Breaches are good for you (conference presentation, ShmooCon)
At Shmoocon 2007, I gave a short talk entitled "Security Breaches Are Good for you."

2006

Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach
In MSDN magazine, with Shawn Hernan, Scott Lambert and Tomasz Ostwald. "Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach."
Balancing Information Sharing and Privacy, (Panel presentation, National Conference on Science, Technology, and the Law)
At the National Institute of Justice's National Conference on Science, Technology, and the Law, I participated in a panel on "Balancing Information Sharing and Privacy," and presented "Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing" (Or get the powerpoint slides. I don't know why it makes all the speaker notes that ugly orange.)

2005

The Security Principles of Saltzer and Schroeder
Saltzer and Schroeder's classic principles of information security, illustrated with scenes from Star Wars.
Preserving the Internet Channel Against Phishers (essay)
A short essay, derived from some blog posts about phishing. Preserving the Internet Channel Against Phishers
Security Rituals Enabling the Pair-wise Union of Two Unbound Variables (Crypto 2005 rump presentation)
M. Briceno, J. Callas, T. Cannoy, J. Merchant, A. Shostack, N. van Someren, and R. Wagner. Slides are not being shared.
Anonymous blogging project overview (Conference talk, RECon)
Slides from RECon are available as web pages, Keynote, or Powerpoint.
Effective Patch Management: How to make the pain go away (Security Leadership talk)
Slides from my Security Leadership Series talk are online as web, Keynote and PDF.
Avoiding Liability: An Alternative Route to More Secure Products (Conference Rump talk, WEIS05)
I've been thinking about liability in information security lately, and have a short draft essay at Avoiding Liability: An Alternative Route to More Secure Product (also available in PDF).
Evidence-based Security Assessment (Panel, ShmooCon)
At Shmoocon, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled "Evidence Based Security." Our slides are all here: Crispin Cowan's (Powerpoint or PDF), Ed Reed's (Powerpoint or PDF), Al Potter's (Powerpoint or PDF) and mine (Powerpoint or PDF).

2004

Beyond Patch and Pray: Security By Design (Security Leadership talk)
My presentation at The Security Leadership Conference was on using tools to improve the quality of software and operations. You can see the Powerpoint or pdf. This was where I first publicly commented that "security people are from Mars, business people are from Wharton."
Evite, a rant
A few words about evite, and why I'm silently ignoring your lovely invitation.

2003

Quantifying Patch Management (Secure Business Quarterly)
Quantifying Patch Management was written for @Stake's Secure Business Quarterly Q2 2003 special issue on patch management. Managing the flood of patches out there requires more than brute force.
Identity and Economics: Terrorism and Privacy (BlackHat Briefings)
At the Blackhat Briefings in Las Vegas, I spoke on "Identity and Economics: Terrorism and Privacy." The talk focuses on the limits to the security that multi-purpose ID cards can offer, and suggests that we should spend our money in more useful places. (pdf or Powerpoint)
Paying for Privacy: Consumers and Infrastructures (Refereed paper, 2nd Workshop on Economics and Information Security)
At the 2nd Annual Workshop on Economics and Information Security, I presented on Paying for Privacy: Consumers and Infrastructures (or PDF or Powerpoint), in which I look at consumers' willingness to pay for privacy, and the subsidy given to privacy invasion by government ID cards.

Will People Ever Pay For Privacy? (Blackhat Briefings, Amsterdam)
After Zero-Knowledge's failure to sell gazillions of subscriptions to our very cool Freedom software, I'm often asked, "Will People Ever Pay For Privacy?" (or PDF or Powerpoint). My answer is yes, they have, do, and will continue to. I also gave a talk at the Blackhat Briefings in Amsterdam.

2002

Timing the Application of Security Patches for Optimal Uptime
Timing the Application of Security Patches for Optimal Uptime or [.pdf]. Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002.
Economic Barriers to the Deployment of Existing Privacy Technologies (Position paper, First WEIS)
Economic Barriers to the Deployment of Existing Privacy Technologies (Position Paper). Joan Feigenbaum, Michael J. Freedman, Tomas Sander, and Adam Shostack. Proceedings of the Workshop on Economics and Information Security. Berkeley, CA.
Towards Technology for Data Protection (Cutter IT Journal)
Towards Technology for Data Protection May 2002, Cutter IT Journal. (Not Online).
Results, Not Resolutions (essay)
Results, Not Resolutions with Bruce Schneier. Originally appeared in Security Focus, but the Crypto-Gram version has several corrections.

Microsoft hired me anyway.

A philosophical digression on the relationship of liberty and security

"The freedom which we enjoy in our democratic government extends also to our ordinary life. We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality. We live exactly as we please and yet are just as ready to encounter every legitimate danger. If with habits not of labor but of ease, and courage not of art but of nature, we are still willing to encounter danger, we have the double advantage of not suffering hardships before we need to, and of facing them in the hour of need as fearlessly as those who are never free from them. The price of courage will surely be awarded most justly to those who best know the difference between hardship and pleasure and yet are never tempted to shrink from danger. And it is only democratic people who, fearless of consequences, confer their benefits not from calculations of expediency but in the confidence of liberality."

From The Funeral Oration by Pericles of Athens, 431 B.C.
Added September 18th, 2001.

2001

Privacy Engineering for Digital Rights Management Systems (ACM Workshop on Security and Privacy in DRM)
Privacy Engineering for Digital Rights Management Systems, Michael J. Freedman, Joan Feigenbaum, Tomas Sander, Adam Shostack, ACM Workshop on Security and Privacy in Digital Rights Management 2001, LNCS 2320.
Trust, Ethics and Privacy (Boston University Law Review)
Trust, Ethics and Privacy with Ian Goldberg, Austin Hill, Adam Shostack, Boston University Law Review, Volume 81, number 2, April, 2001. (Not online)

1999

Zero-Knowledge Systems whitepapers
Freedom is the most secure, easiest to use privacy software ever made. The Freedom Whitepapers have been archived here. I was a primary author of three original 1.0 whitepapers: an overview, a similar overview with far more details, and one on security issues.
Towards a Taxonomy of Network Security Assessment Techniques (Blackhat Briefings)
At the BlackHat briefings, I presented some work done with Scott Blake, Towards a Taxonomy of Network Security Assessment Techniques. This work came out of what we did, together with the outstanding team of people at Netect (now part of Bindview Development), in creating the HackerShield vulnerability scanner. This paper is an attempt to share some of the things we learned in building it.
Breaking Up Is Hard to Do (Best paper, First Usenix Workshop on Smartcards)
My paper with Bruce Schneier, Breaking Up Is Hard To Do: Modeling Security Threats for Smartcards won Best of Show at the First Usenix workshop on Smartcard Technology.

1997

Perspectives on Obscurity (Financial Cryptography, rump talk)
At the conference, I gave two rump session talks, one of which, Perspectives On Obscurity, is available as an outline. (I think this has stood up pretty well.)
Apparent Weaknesses in the Security Dynamics Client Server Protocol (DIMACS Workshop on network threats)
Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS workshop on Network Threats, and describes a substantial weakness in the Security Dynamics client server model, which was apparently fixed in versions of the software later than the ones I was working with. Security Dynamics responded to my work before publication. I'm very pleased that they will be publishing their protocols in the future. The postscript file submitted to DIMACS is available, as is an html version, but the html version is missing two diagrams.
Source Code Review Guidelines
Source code reviews are an important part of writing secure code. I've written some guidelines on how to conduct a review and what to look for.

Software I've built or helped build

Microsoft SDL Threat Modeling Tool
I drove the creation of several revisions of this tool, which is available here.
P3P Analyzer
I was heavily involved in the creation of Zero-Knowledge's P3P Analyzer, a tool to help companies deal with IE6 and its interaction with P3P compact policies.
HackerShield (tool)
I was a leader of the core design team for Hackershield. We introduced a large number of innovations in security scanning, including scheduled scans, drill-down style reporting and RapidFire Updates which have now become standard features in these products.
Freedom Network (Source Release)
I drove the release of the source code to The Freedom Network, along with some supporting code, released under a non-commercial use license. The client and some build instructions are also available. The encrypted files are encrypted with some traditional magic words. Researchers are encouraged to check out the chainsaw directory within the tarballs.
PGP Key Auto-retriever (Procmail)
I turned a procmail script that does PGP key retrieval for any (signed, encrypted) message you get. Requires UNIX. Nothing flashy, but useful.

Blogs and Such

Blogs
The Emergent Chaos Jazz combo is a group blog on security, liberty, privacy and economics. And whatever else we feel like.

The New School of Information Security: Another group blog, this one inspired by the book.

Microsoft's Security Development LifeCycle blog is a work blog.

Twitter
@adamshostack

Technical Documentation

StartTLS For Postfix (Technical instructions)
A short page on the use of StartTLS for Postfix to do opportunistic encryption of email between servers. Five minutes to more email confidentiality! Why wait? (There are good reasons that Homeport.org's mail server is not yet doing this which are too complex to fit in this margin.)
Chrooting DNS
After (1996) problems with DNS, I decided that chroot'ing it would be a good step. Here are instructions. This is now obsolete, as the ability to chroot is now part of BIND.
How to Write a Proxy
I've written a document on How to write a proxy.
Free Crypto Libraries
After someone claimed that what the world needed was a crypto library, I assembled information comparing freely available crypto libraries.
Overview of SSL (version 2) and S-HTTP
An overview of SSL (version 2) and S-HTTP, technologies for keeping web pages confidential. Helps answer the question "What part of secure socket layer 128 bit encryption don't you understand?!!"
S/Key Documentation
Documentation I wrote while at the Brigham & Women's Hospital regarding S/Key. An introduction, technical notes, and a step by step users guide. (If you look at the document titles, there was originally a #3, which was a "where to find PGP," but that's been replaced by a few links.)

Things I'm too sentimental to unlink

Disclaimers

I work for a large software company in Redmond, WA. The opinions here and the work in everything linked here are my own or part of a collaboration, except when explicitly stated. This is a web page, not a c.v.

Image Credit

Excerpt from Kandinsky, Impressions (III) Concert, with overlay. The painting is used as the cover of my book.

Translation

Alexander Ovsov maintains a version of this page in Romanian.