Adam Shostack :donor: :rebelverified:
@adamshostack.infosec.exchange.ap.brid.gy
120 followers 1 following 1.1K posts
Author, game designer, technologist, teacher. Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board. Books […] [bridged from https://infosec.exchange/@adamshostack on the fediverse by https://fed.brid.gy/ ]
Reposted by Adam Shostack :donor: :rebelverified:
cremevax.infosec.exchange.ap.brid.gy
The last of the three King County sites is King County South (KCS) treatment plant, and its SARS-CoV-2 7DRA numbers are ayi-yi-yi. If you're on Team Glass Half Full, well, then, you like the fact that it's trending down a bit. But there's no getting around […]

[Original post on infosec.exchange]
A screencap of the Washington State Department of Health's Covid wastewater data for the King County South Wastewater Treatment Plant. The trend line of the graph is described in the toot text.
Reposted by Adam Shostack :donor: :rebelverified:
jik.federate.social.ap.brid.gy
When you log into #bluesky, it emails a security code you need to enter.
Here's a recent code I was sent: FPTQS-MPJJG
This is dumb.
6-digit codes are the gold standard for two critical reasons: (1) the range of a million possible codes is more than enough for adequate security; (2) most people […]
Original post on federate.social
Reposted by Adam Shostack :donor: :rebelverified:
tindrasgrove.infosec.exchange.ap.brid.gy
@adamshostack I’ll quibble on the point about it not being cost-effective to check the responses to the questionnaire. This is generally true for smaller organizations (like the ones Coalition works with) but for large/mega (like the producers of the major models)? The underwriters are […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
@ferrix Entertainingly, Coalition's data shows exactly that. (MFA doesn't reduce claims from enterprises). I think it was the report linked from ttps://www.linkedin.com/posts/daniel-woods-82555199_unpacking-insights-from-coalitions-cyber-activity-7305222262469677057-alp-

But it might have been […]
Original post on infosec.exchange
Reposted by Adam Shostack :donor: :rebelverified:
ferrix.mastodon.online.ap.brid.gy
@adamshostack I see a second-order effect of this too. When insurance requires a control but they don't understand or specify the way it needs to work under various threat models.

Example: mandating the use of MFA on privileged accounts. Cool; customer can use Duo for domain admin logins and […]
Original post on mastodon.online
adamshostack.infosec.exchange.ap.brid.gy
But, I hear you asking: Won’t insurers want to pay out to show they’re not selling team-moral-hazard journeys, and so push for effective controls? Yes, Virginia, there is a Santa Claus.

More seriously, it’s not inconceivable, except that by design, LLMs hallucinate, and we don’t yet know how to […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
How does this translate to AI?

Insurance companies will rake it in. Execs at AI companies will make billions because they can sell more AI. The venture capitalists backing new insurance businesses will make piles of cash. The companies relying on insurance to “manage risk” will get “disrupted” […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
Back to the general case, cyber insurers have a set of exceptions that lead to policies not paying out, including act of war, but much more importantly, misrepresentation.

A cynical way to think about this is because insurance is competitive, the way new policies are sold is that they ask a […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
Cybersecurity insurance

First and foremost, in cybersecurity, insurers generally have little idea of what leads to bad problems, and so premiums have been consistently mis-priced as they've learned, often draining reserves, after which premiums shot sky high.

The only insurer I see […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
New blog post: AI Insurance Won't Save You https://is.gd/e0MKz5

There’s press about AI insurance, and I don’t want to critique any specific firm, I’d like to offer a prediction: No customer will ever see a payout. We can see the dynamic that’s emerged in cybersecurity and learn from it.

(1/6)
a photograph of a room full of robots, at desks. each rapidly reading and rejecting insurance claims. Each has a ‘reject’ stamp. In the background is a sign that says ‘Claims processing’ 1950s style
Reposted by Adam Shostack :donor: :rebelverified:
adamshostack.infosec.exchange.ap.brid.gy
I'm old enough to remember when Republicans said government talking with a technology company about removing content was censorship.
adamshostack.infosec.exchange.ap.brid.gy
As we use AI to scale, you need to know how to threat model to evaluate what the AIs produce (or hallucinate).

That's why my team and I are revamping Adam Shostack's Threat Modeling Intensive just for OWASP 2025 Global AppSec USA from Nov 3-5, 2025 in Washington, D.C.

By the end of this course […]
Original post on infosec.exchange
Reposted by Adam Shostack :donor: :rebelverified:
mattblaze.federate.social.ap.brid.gy
A few people have asked about the talks from the Voting Village. The full program is online! Here's the YouTube playlist: https://www.youtube.com/playlist?list=PLltrHIXltfGLotq79TBgIK9QK4O29Z2FF
adamshostack.infosec.exchange.ap.brid.gy
Shostack + Associates News

We’re launching a new course at OWASP Appsec Global DC: Threat Modeling Intensive with AI. How can we use LLMs to help us threat model effectively, and how can we use them to help scale? We’re a bit over a month away, and the content’s coming together nicely.
Adam […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
Regulation

Jeff Greene (who led the team that drafted EO 14028 which created the CSRB) has an article What’s Next for the Cyber Safety Review Board? It highlights the strange state of the board not being canceled by revisions to the EO, but also not being staffed, and makes suggestions for a […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
AI

A team at the University of Wisconsin Madison has released Breaking to Build: A Threat Model of Prompt-Based Attacks for Securing LLMs, a remarkably concise review of prompt-based attacks. Because prompt injection is so funny, it’s easy to miss that it generally obviates any safeguard that […]
Original post on infosec.exchange
adamshostack.infosec.exchange.ap.brid.gy
Appsec

Apple released an extensive blog post on Memory Integrity Enforcement. Nice work, and it's important to recognize the value of platforms in enabling “undifferentiated” appsec, letting software producers focus on their unique threats.

(2/5)
adamshostack.infosec.exchange.ap.brid.gy
Secure By Design roundup - September 2025 (Full, links at https://is.gd/ZlSj90)

Threat Modeling

The Secret Service announced they’d busted a SIM farm “used for swatting” and set off a bit of a firestorm. CNN has one of the more detailed stories. 404Media […]

[Original post on infosec.exchange]