Adam Shostack  

@adamshostack@infosec.exchange
3.9K Followers
663 Following
10.1K Posts

Author, game designer, technologist, teacher.

Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board.

Books include Threats: What Every Engineer Should Learn from Star Wars (2023), Threat Modeling: Designing for Security, and The New School of Information Security.

Following back if you have content.

Website: https://shostack.org
Latest book: https://threatsbook.com
Opsec status: Currently clean
YouTube: https://youtube.com/shostack

Timo Jagush presenting on offboarding at #soups2025, points out that frameworks are hard to navigate… framework creators have every motive to be “comprehensive”, but little motive to be usable.

https://www.usenix.org/conference/soups2025/presentation/detsika

Yizhu Joy presenting at #soups2025 on LLM agent explainers of spam. Uses FTC data …

Lyft is set to allow location services “while using”. Wtf happened here? Is “running in the background” using? Do I need to kill apps to make that work? (I used it this morning to get to the airport)

One of the hats I wear is editor for the @defcon Franklin Hackers' Almanack. If you see talks that policymakers should know about, please let me know here, tag me, etc.

I'm already seeing great stuff on voting security, resisting back doors, irresponsible behavior by thin-skinned vendors... what else should I see?

https://defconfranklin.com/

The frenzied activity here at @defcon is just a sight to behold!

This 40th anniversary special release of #phrack is amazing. If you’re at #blackhat or #defcon you should aim to get one.

“I find your lack of font consistency disturbing!”

“Where we’re going, we don’t need roads!”

#aviation #737 #manufacturing

New blog, LLMs as Compilers (1/8)

I want to explore the relationship of LLMs to compilers, inspired in part by articles like my AI skeptic friends are all nuts, in part by a lot of time spent exploring LLMs for threat modeling. (There, I feel like I should have more useful things to say before saying them.) And by the way, by “experimenting,” I don’t mean just vibe-threat-modeling (although I’ve done some), but rather carefully constructing prompts, feeding them to multiple engines, scoring the results, and evaluating the evaluations.[1] That’s a slow process, but I still feel there could be something meaningful, if we can get there. The other inspiration was talking with a friend who builds static analysis tools at a very large firm with a famously high bar for developer interviews. He mentioned that people are now checking in their LLM prompts.

Full text: https://is.gd/qh2qKZ

New blog, Risk Management and Threat Modeling

One of the most common questions I’m asked is “what’s the relationship of threat modeling to risk management?” The simple answer is that threat modeling always precedes and sometimes feeds into risk management. Let me offer simple definitions: A threat is a possible future problem; a risk is a quantified threat. That quantification often applies to likelihood or impact. “The bully threatened to beat him up.” “There’s a 90% chance you’ll lose all your money in this startup investment.”

(1/7, full text https://is.gd/VvP5Bx)