Adam Shostack  

4.2K Followers
680 Following
11.4K Posts

Author, game designer, technologist, teacher.

Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board.

Books include Threats: What Every Engineer Should Learn from Star Wars (2023), Threat Modeling: Designing for Security, and The New School of Information Security.

Following back if you have content.

Website: https://shostack.org
Latest book: https://threatsbook.com
Opsec status: Currently clean
Youtube: https://youtube.com/shostack
Wikipedia blacklists Archive.today, starts removing 695,000 archive links

If DDoSing a blog wasn't bad enough, archive site also tampered with web snapshots.

Ars Technica

Great to catch up with @adamshostack
at #RSAC—author of the threat modeling book that shaped how so many of us think about secure design. 🛡️

Always a privilege to learn from the pioneers who built the security practices we rely on every day.

Each sphere is moving in a straight line, but the final motion is circular

On April 10th, I’m kicking off something new… and I would LOVE for you to join me 💜

I’ll be diving into Chapter 1 of Alice & Bob Learn Secure Coding live, and I’m bringing an awesome guest with me: Dr. Gerald Auger (Simply Cyber)!

For 2 hours, we’re going to chat through the foundations of application security, things like:
✨ The CIA Triad
✨ Zero trust & defense in depth
✨ Supply chain security
✨ Threat modeling

This is NOT a lecture. It’s a conversation.

https://twp.ai/ImxExB

DEF CON 34’s theme is ‘Agency’. We’re focusing on self-determination in our use of tech. Charting our own course and helping others do the same.

Let’s start moving our valuable attention to tech that supports our agency. Let’s find the places we can help and choose to act.

Read more at: https://defcon.org/html/defcon-34/dc-34-theme.html

Visual style guide and homework assignments coming soon!

#defcon #defcon34 #agency

Bit of a left-field PSA this, but… if you own an iPhone/iPad in the UK and:

- you DON'T own a credit card
- you DON'T have a driving license
- you have NOT had your Apple account for more than 18 years

…don't upgrade to iOS 26.4 if you want to install (or in some cases, use) 17+ rated apps or stream 18+ films/tv on itvX, netflix, etc.

The update adds mandatory OS-level age verification to meet UK law and Apple doesn't currently accept passports (!) to prove age.

#Apple #iOS26

@chillybot @adamshostack @paul_ipv6 @boblord @wendynather the best incident report I've read was written by someone who was given zero guidance on how to investigate, but he was previously an aviator, so he just did what he knew.
@adamshostack
Yupppp, exactly. Bring back the CSRB! Aviation makes me jealous. We as an industry have much to learn from them.
@paul_ipv6 @boblord @wendynather

Okay I watched the second NTSB press briefing twice yesterday and have some juicy deets to dish out for you fine folks. Some of this was previously available/self evident but I wanted to wait a bit for the NTSB to do its thing. Here we go. Longer post, so maybe bookmark and read later.

  • First off, as the chairwoman succinctly emphasized: If an airline crash happens, many things likely went wrong. Flying is so safe because it has defense in depth built in. I personally would like to say we must resist the very natural desire to focus on "okay, who f'ed up". This is a search for the truth.

  • The controller clearly at least twice told the truck to stop before the crash

  • Two controllers were in the air traffic control tower cab (in layman's terms, the topmost part of the tower with windows where the active ATCs oversee things and work) at the time. They had just gone on duty for the "midnight" (22:30-06:30) shift at ~22:30ish local time.

  • There is conflicting information on which air traffic controller was in charge of operations on the ground.

  • The controllers at the time were dealing with another emergency on the ground. So there was a heavy workload on controllers who were also working multiple positions. NTSB cautions about talking about "controller distraction" as they were doing their job.

  • The controllers were doing combined positions since it was the midnight shift. This is the standard operating procedure for a lot of airports, including Newark. (See other #ChillyATCAdventures posts). The chairwoman has concerns about this nationwide common practice and so do I.

  • Conflicting reports on how many certified ATCs were in the facility overall. ATCs are supposed to take periodic breaks and be relieved by another controller.

  • The truck did not have a transponder to report its location. The airport did have airport surface detection equipment (ASDE-X) but the ground radar did not alert since the proximity of multiple ARFF trucks caused the system to have low confidence.

  • The automatic runway status lights were operational and indicated it was not clear to cross the runway

  • Chairwoman Homendy is awesome, as usual

#AvGeek