Schneier on Security
A blog covering security and security technology.
« The Continuing Slide Towards Thoughtcrime |
| Border Security: the Weakest Link »
March 19, 2008
More Threat Modeling at Microsoft
This is another excellent series of posts on threat modeling, this time from Microsoft's Adam Shostack. (I already blogged this series by Larry Osterman.)
Posted on March 19, 2008 at 6:47 AM
• 6 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I am not sure whether I like this series so much. The first item started quite interesting, but the later ones made me loose my flow, and not because they are very challenging...
You can save some time; the entire series is also available as document
A tall fence - who would have thought of that !
I guess if a fence-manufacturer could charge millions for consultancy and state-of-the-art chain-link fencing, it would have happened.
However as it's just a few quid at the DIY store, and doesn't involve officials going to foreign 'conferences' in the sun, I guess it'll never happen.
At a quick glance, it's kinda hard to tell that "of" and "posts" link to two different articles; the underlink flows through the space between the words; you simply forgot to the close the
A simple " " should fix it. ;)
Thanks for the links, and the kickass blog!
I tend to agree with Richard Bejtlich - Microsoft still doesn't have their terminology right. Threat modeling has nothing to do with threats, but rather vulnerabilities (http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html).
I'm also unimpressed with this series, and frustrated that it contributes to confusion over important terms that we should - by this day and age - all be in agreement upon within our profession. It's already difficult to communicate complex security issues to management. When mixed signals are sent on key terms, we do ourselves no favors.
I wonder, though. Microsoft has a lot of people who are individually very smart, but I can't help thinking that, collectively, a lot of that smartness tends to cancel out, so that, as a body, the company ends up doing stupid things.
For instance, Mark Russinovich posted a long description of all the effort that went into speeding up file copying in Windows Vista. He's a smart guy--he was with the Sysinternals outfit that Microsoft bought. And yet we still have people complaining about how slow file-copying is in Vista.
[this is a humorous aside, not really related to security]
About 10 years ago MS created a business strategy or something (i.e., not an actual product), and called it "Digital Nervous System", DNS for short. IIRC all the URLs had "dns" in there. Ads for it appeared in magazines like Life and Time (I remember reading one in a doctor's waiting room once).
I sometimes wonder why they "invented" a non-product, hyped it in glossy magazines, and gave it that particular abbreviation.
I know what, for instance, my dad (decidely non-techie) would have thought if he'd seen it: "hmm, I know this thing called DNS is very important to the internet, but I didn't know Microsoft made it. Wow..."
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.