Showing posts from 2019

Seven Security Strategies, Summarized

This is the sort of story that starts as a comment on Twitter, then becomes a blog post when I realize I can't fit all the ideas into one or two Tweets. (You know how much I hate Tweet threads, and how I encourage everyone to capture deep thoughts in blog posts!) In the interest of capturing the thought, and not in the interest of thinking too deeply or comprehensively (at least right now), I offer seven security strategies, summarized. When I mention the risk equation, I'm talking about the idea that one can conceptually image the risk of some negative event using this "formula": Risk (of something) is the product of some measurements of Vulnerability X Threat X Asset Value, or R = V x T x A. Denial and/or ignorance. This strategy assumes the risk due to loss is low, because those managing the risk assume that one or more of the elements of the risk equation are zero or almost zero, or they are apathetic to the cost. Loss acceptance. This strategy may assume

Five Thoughts on the Internet Freedom League

In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article titled "The Internet Freedom League: How to Push Back Against the Authoritarian Assault on the Web," based on their recent book The Fifth Domain. The article proposes the following: The United States and its allies and partners should stop worrying about the risk of authoritarians splitting the Internet. Instead, they should split it themselves, by creating a digital bloc within which data, services, and products can flow freely, excluding countries that do not respect freedom of expression or privacy rights, engage in disruptive activity, or provide safe havens to cybercriminals... The league would not raise a digital Iron Curtain; at least initially, most Internet traffic would still flow between members and nonmembers, and the league would primarily block companies and organizations that aid and abet cybercrime, rather than entire countries. Governm

Happy Birthday

Nineteen years ago this week I registered the domain Creation Date: 2000-07-04T02:20:16Z This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first Web site shortly thereafter. I first started hosting it on space provided by my then-ISP, Road Runner of San Antonio, TX. According to, it looked like this in February 2002. That is some fine-looking vintage hand-crafted HTML. Because I lived in Texas I apparently reached for the desert theme with the light tan background. Unfortunately I didn't have the "under construction" gif working for me. As I got deeper into the security scene, I decided to simplify and adopt a dark look. By this time I had left Texas and was in the DC area, working for Foundstone. According to, the site looked like this in April 2003. Notice I've replaced the oh-so-cool picture of me doing Ame

Reference: TaoSecurity Press

I started appearing in media reports in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. As of 2017, Mr. Bejtlich generally declines press inquiries on cybersecurity matters, including those on background.

2016

Mr. Bejtlich was cited in the Fortune story Meet the US's First Ever Cyber Chief, published 8 September 2016.
Mr. Bejtlich was interviewed for the NPR story Cybersecurity: Who's Vulnerable To Attack?, aired 30 July 2016.
Mr. Bejtlich was interviewed for the Washington Post story It’s not just the DNC; we all send emails we probably shouldn’t, published 25 July 2016.
Mr. Bejtlich was interviewed for the New Scientist story NATO says the internet is now a war zone – what does that mean?, published 22 June 2016.
Mr. Bejtlich was interviewed for the Military Times story The Pentagon's controversial plan to hire military leaders off the street, published 19 June