With some of the things I've done.
The New School of Information Security (book)
Adam Shostack and Andrew Stewart. We examine some of the ongoing shortcomings of the information security profession, and propose some very practical steps that any individual or organization can take to improve things. Available from fine booksellers now (Amazon or Addison Wesley's InformIT). There's now a blog inspired by the book at http://newschoolsecurity.com
Microsoft SDL Threat Modeling Tool
Emergent Chaos (ongoing)
CVE (1997-present)
After the 2nd Workshop on Vulnerability Databases at Purdue, I worked hard to make the Common Vulnerabilities and Exposures list a reality. The CVE is now broadly used and I'm an Emeritus Advisor.
Zero Knowledge Systems, Evil Genius Team
(1999-2002)
At Zero-Knowledge Systems, I had the privilege of building and leading a team of Evil Geniuses who helped build some really amazing technologies.
Privacy Enhancing Technologies Symposium
I've been a member of the steering committee for this academic series of workshops. I organized the second workshop on Privacy Enhancing Technologies, which was a great success. (April 14-15, 2002, San Francisco.)
International Financial Cryptography
Conference (1997-2003)
I was the Vice-President of the International Financial Cryptography Association, which is dedicated to bringing together cryptographers, bankers, and others to advance the theory and practice of Financial Cryptography. I also helped run a weeklong workshop, and held other roles.
Papers and talks and slides
2009
Microsoft SDL Threat Modeling Tool
The easiest way yet to get started threat modeling. Available here.
The 9th Symposium on Privacy Enhancing
Technologies (conference)
2008
The New School of Information Security (book)
Writing on Threat Modeling
2007
Privacy Summer Symposium
At the Privacy Summer Symposium organized by Harvard Law School, I gave a short talk on Microsoft's SDL and how it impacted privacy. (With Sue Glueck.)
Security Breaches are good for you
(conference presentation, ShmooCon)
2006
Threat Modeling: Uncover Security Design Flaws Using The
STRIDE Approach
Balancing Information Sharing and Privacy, (Panel presentation, National Conference on
Science, Technology, and the Law)
2005
Preserving the Internet Channel Against Phishers (essay)
Security Rituals Enabling the Pair-wise Union of Two Unbound Variables (Crypto 2005 rump presentation)
M. Briceno, J. Callas, T. Cannoy, J. Merchant, A. Shostack, N. van Someren, and R. Wagner. Slides are not being shared.
Anonymous blogging project overview (Conference talk, RECon)
Slides from RECon are available as web pages, Keynote, or Powerpoint.
Effective Patch Management: How to make the pain go away (Security Leadership talk)
Slides from my Security Leadership Series talk are online as web, Keynote and PDF.
Avoiding Liability: An Alternative Route to More Secure Products (Conference Rump talk, WEIS05)
Evidence-based Security Assessment (Panel, ShmooCon)
2004
Beyond Patch and Pray: Security By Design (Security Leadership talk)
My presentation at The Security Leadership Conference was on using tools to improve the quality of software and operations. You can see the Powerpoint or pdf. This was where I first publicly commented that "security people are from Mars, business people are from Wharton".
Evite, a rant
A few words about evite, and why I'm silently ignoring your lovely invitation.
2003
Quantifying Patch Management (Secure Business Quarterly)
Identity and Economics: Terrorism and Privacy (BlackHat Briefings)
Paying for Privacy: Consumers and Infrastructures (Refereed paper, 2nd Workshop on Economics and Information Security)
Will People Ever Pay For Privacy? (Blackhat Briefings, Amsterdam)
After Zero-Knowledge's failure to sell gazillions of subscriptions to our very cool Freedom software, I'm often asked, "Will People Ever Pay For Privacy?" (or PDF or Powerpoint). My answer is yes, they have, do, and will continue to. I'm working on a long essay on this subject, and gave a talk at the Blackhat Briefings in Amsterdam.
2002
Timing the Application of Security Patches for Optimal Uptime
Economic Barriers to the Deployment of Existing Privacy Technologies (Position paper, First WEIS)
Towards Technology for Data Protection (Cutter IT Journal)
Towards Technology for Data Protection, May 2002, Cutter IT Journal. (Not Online.)
Results, Not Resolutions (essay)
A philosophical digression on the relationship of liberty and security:
"The freedom which we enjoy in our democratic government extends also to our ordinary life. We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality. We live exactly as we please and yet are just as ready to encounter every legitimate danger. If with habits not of labor but of ease, and courage not of art but of nature, we are still willing to encounter danger, we have the double advantage of not suffering hardships before we need to, and of facing them in the hour of need as fearlessly as those who are never free from them. The price of courage will surely be awarded most justly to those who best know the difference between hardship and pleasure and yet are never tempted to shrink from danger. And it is only democratic people who, fearless of consequences, confer their benefits not from calculations of expediency but in the confidence of liberality."
From The Funeral Oration by Pericles of Athens, 431 B.C.
Added September 18th, 2001.
2001
Privacy Engineering for Digital Rights Management Systems (ACM Workshop on Security and Privacy in DRM)
Trust, Ethics and Privacy (Boston University Law Review)
Trust, Ethics and Privacy, with Ian Goldberg, Austin Hill, Adam Shostack. Boston University Law Review, Volume 81, number 2, April 2001. (Not online.)
1999
Zero-Knowledge Systems whitepapers
Freedom is the most secure, easiest to use privacy software ever made. The Freedom Whitepapers have been archived here. I was a primary author of three original 1.0 whitepapers: an overview, a similar overview with far more details, and one on security issues.
Towards a Taxonomy of Network Security Assessment Techniques (Blackhat Briefings)
At the BlackHat briefings, I presented some work done with Scott Blake, Towards a Taxonomy of Network Security Assessment Techniques. This work came out of the work that we did, together with the outstanding team of people at Netect (now part of Bindview Development), in creating the HackerShield vulnerability scanner. This paper is an attempt to share some of the things we learned in building it.
Breaking Up Is Hard to Do (Best paper, First Usenix Workshop on Smartcards)
1997
Perspectives on Obscurity (Financial Cryptography, rump talk)
At the conference, I gave two rump session talks, one of which, Perspectives On Obscurity, is available as an outline. (I think this has stood up pretty well.)
Apparent Weaknesses in the Security Dynamics Client Server Protocol (DIMACS Workshop on network threats)
Source Code Review Guidelines
Source code reviews are an important part of writing secure code. I've written some guidelines on how to conduct a review and what to look for.
Tools I've built or helped build
Microsoft SDL Threat Modeling Tool
P3P Analyzer
I was heavily involved in the creation of Zero-Knowledge's P3P Analyzer, a tool to help companies deal with IE6 and its interaction with P3P compact policies.
HackerShield (tool)
I was a leader of the core design team for Hackershield. We introduced a large number of innovations in security scanning, including scheduled scans, drill-down style reporting and RapidFire Updates, which have now become standard features in these products.
Freedom Network (Source Release)
I drove the release of the source code to The Freedom Network, some supporting code released under a non-commercial use license. The client and some build instructions are also available. The encrypted files are encrypted with some traditional magic words. Researchers are encouraged to check out the chainsaw directory within the tarballs.
PGP Key Auto-retriever (Procmail)
I turned a procmail script that does PGP key retrieval for any (signed, encrypted) message you get. Requires UNIX. Nothing flashy, but useful.
Technical Documentation
StartTLS For Postfix (Technical instructions)
A short page on the use of StartTLS for Postfix to do opportunistic encryption of email between servers. Five minutes to more email confidentiality! Why wait? (There are good reasons that Homeport.org's mail server is not yet doing this which are too complex to fit in this margin.)
Chrooting DNS
After (1996) problems with DNS, I decided that chroot'ing it would be a good step. Here's instructions. This is now obsolete, as the ability to chroot is now part of BIND.
How to Write a Proxy
Free Crypto Libraries
After someone claimed that what the world needed was a crypto library, I assembled information comparing freely available crypto libraries.
Overview of SSL (version 2) and S-HTTP
S/Key Documentation
Documentation I wrote while at the Brigham & Women's Hospital regarding S/Key: an introduction, technical notes, and a step by step users guide. (If you look at the document titles, there was originally a #3, which was a where to find PGP, but that's been replaced by a few links.)
Things I'm too sentimental to unlink
Disclaimers
I work for a large software company in Redmond, WA. The opinions here are my own. This is a web page, not a c.v.
Image Credit
Excerpt from Kandinsky, Impressions (III) Concert, with overlay. The painting is used as the cover of my new book.