
Hagai Bar-El on Security
The Hagai Bar-El on Security blog is dedicated to security engineering. Topics range from security engineering practices and security innovation to national security policy, privacy, and book reviews. Naturally, those are the areas in which I work and find interest. This blog is designed to be useful, or at least interesting, to the security practitioner.
4y ago
The book Essentialism: The Disciplined Pursuit of Less, by Greg McKeown, carries a very important message: you should not seek to do more, but rather to do fewer things, and to do the ‘right’ ones. When people succeed in life (even moderately), they are encouraged to do more and hence to lose focus. In general, our society promotes the concept of doing more and more, which makes it hard for us to just say ‘no’ to additional commitments, even if those commitments involve activities that are not among our priorities. As Greg McKeown nicely puts it: if you don’t prioritize your life, someone else will.
Re …
4y ago
An NFT (Non-Fungible Token) is a data structure that points at a particular data object in a unique way. See it as a way of naming digital objects, such as photos, texts, audio or video, so that they can be referred to without ambiguity.
The ability to refer to data objects makes it possible to “mention” them in transactions. This seemingly trivial ability, when combined with the ability to create immutable records of transactions (as provided by blockchains), allows us to create immutable records that refer to data objects.
Technically, NFTs do not require blockchains. You could take a photo of a …
4y ago
Israel is probably the most advanced country to date in terms of COVID-19 vaccination. With more than one third of the residents fully inoculated, life can almost get back to pseudo-normal. This, however, requires being able to tell the vaccinated people apart from those who are not. The green pass, or vaccination certificate, is made to achieve precisely that. Technically, this government-issued certificate is not substantially different from a driver’s license, except that it is shorter lived, can be stored in a phone app, and most importantly: was designed in a hurry.
For something that was launched so …
4y ago
Our digital lives are more or less governed by very few providers of products and services. Our desktop computing is almost invariably based on Microsoft Windows, our document collaboration is most likely based on either Google Docs or O365, our instant messaging is either WhatsApp or Slack, our video collaboration is either Teams or Zoom, etc. Given the prevalence of digital life and work, you would expect more options to exist. However, each of those large pies seems to be divided into just a few thick slices. Those lucky providers that won their dominance did so by catering to the n …
4y ago
The term “security governance” is not widely used in the product security context. When web-searching for a decent definition, among the first results is a definition by Gartner that addresses cyber security rather than product security. Other sources I looked at also focus on IT and cyber security.
But product security governance does exist in practice, and where it doesn’t – it often should. Companies that develop products with security considerations do engage in some sort of product security activities: code reviews, pen-tests, etc.; it is just the “governance” part that is often missing.
Produc …
4y ago
This is a brilliant TED Talk by Niro Sivanathan.
It introduces the dilution effect. Information that is less relevant is not merely discarded, but rather dilutes the impact of the information that is relevant. So next time you bring up arguments for something, remember that your arguments don’t add up – they average out.
TED Talk: The counterintuitive way to be more persuasive
4y ago
Artificial Intelligence (AI), and Machine Learning (ML) specifically, are now at the stage at which we start caring about their security implications. Why now? Because that is the point at which we usually start caring about the security considerations of new technologies we have started using. Looking at previous cases, such as desktop computing, the Internet, car networks, and IoT (Internet of Things), those technologies first gained fast momentum, driven by the urge to capitalize on their novel use-cases. They were deployed as fast as they could possibly be, by stakeholders rushing to secure their …
4y ago
The book “Think Like a Rocket Scientist” by Ozan Varol (a real rocket scientist, actually) has nothing to do with security. However, I do have the habit of sharing recommendations on such resources as well, and this piece is certainly worthy of such a recommendation.
The text promotes the adoption, by everyone, of thought processes that are often used in engineering and science (primarily in rocket science, where mistakes are costly). The motivation of this book is probably captured by a quote it brings from Carl Sagan: “Science is a way of thinking much more than it is a body of knowledge”; a statement wit …
4y ago
The term “security governance” is not widely used in the product security context. When web-searching for a decent definition, among the first results is a definition by Gartner that addresses cyber security rather than product security. Other sources I looked at also focus on IT and cyber security.
But product security governance does exist in practice, and where it doesn’t – it often should. Companies that develop products with security considerations do engage in some sort of product security activities: code reviews, pen-tests, etc.; it is just the “governance” part that is often missing.
This p …
4y ago
In a previous post I wrote about cases in which machine learning adds little to the reliability of security tools, because it often does not react well to novel threats. In this post I will share a thought about overcoming this limitation of machine learning by properly augmenting it with other methods. The challenge we tackle is not that of finding additional methods of detection, as we assume those are already known and deployed in other systems. The challenge we tackle is how to combine traditional detection methods with those based on machine learning, in a way that yields the best overa …