March Sadness


March is a month of changes. We see winter beginning to recede (we hope!) and spring beginning to show. The vernal equinox is around March 20 and heralds a return to more light than dark.

March is the month I was born (or hatched, depending on your mythos). My wonderful sister was also born in March. So were several dear friends. March is a month of beginnings.

Unfortunately, March is also a month of endings. Two years ago, I blogged about the untimely passing of three security pioneers, all good friends of mine: Kevin Ziese, Howard Schmidt, and Becky Bace. As I noted, Becky’s passing was a particularly cruel shock, as her death unexpectedly occurred only a few days after I had spent time with her.

I was reminded of the three of them (and my friends Ken and Wyatt and Gene, to name a few more) as I attended this year’s RSA Conference. As I walked the exhibit floor, I had a sense that I might look up and see one of them, as I did nearly every year, walking between sessions or stopping at booths. We’d compare notes about what we thought was particularly good or particularly awful — our comparisons were usually fairly well in sync. We would have had a lot to compare this year!

I don’t mean to be maudlin; I long ago did my grieving. Plus, I still have too many things to do, including burning the rest of my sabbatical, and getting some papers finished. However, I am reminded that the friends and families of those dear friends set up memorials for them. Rather than having spent the money attending this year's RSAC, I wish I had put those funds into these worthwhile causes, to which I normally contribute each year.

If you remember any of them, below are reminders of how you can do some good in their memories, and maybe help bring a little springlike cheer to others. And if you don’t remember them, maybe you should investigate a little — too many people working in cyber security have no grasp of the rich history of the field.

BTW, and on another topic entirely, I hope to see some of you at the 20th annual CERIAS Symposium in early April. It’s a great transition into spring, and a wonderful celebration of education and research. As the emeritus director, I don’t have anything to do this year other than mingle and enjoy the presentations. That’s some change after 20 years! Please consider mingling along with me, and enjoying the hospitality of the great group at CERIAS!


If you want to make a donation in his memory, please send it to one or more of:


If you wish to make a donation in the memory of Howard Schmidt, send it to:

Brain Tumor Research Program
℅ Dr. Connelly
9200 W. Wisconsin Ave
Milwaukee, WI 53226


ACSA's top scholarship in the Scholarship for Women Studying Information Security (SWSIS.org) has been renamed as the Rebecca Gurley Bace Scholarship. Contributions to help support this scholarship are welcomed by sending a check (sorry, no online contributions) to:

Applied Computer Security Associates, Inc
2906 Covington Road
Silver Spring, MD 20910

Checks should be made payable to Applied Computer Security Associates, and note SWSIS Rebecca Gurley Bace Scholarship on the memo line.


Ken's family has indicated that memorial contributions may be given to the American Heart Association.


The ISSA Foundation has a scholarship fund in Gene's honor. Donate to:

E. Eugene Schultz Scholarship Fund
c/o Steve Haydostian
President, ISSAEF
18770 Maplewood Lane
Porter Ranch, CA 91326

All of the above are non-profit, charitable organizations, and your contributions will likely be tax-deductible, depending on your tax circumstances.

A Common Theme


A recent visit and conversation with Steve Crocker prompted me to think about how little the current security landscape has really changed from the past. I started looking through some of my archives, and that was what prompted my recent post here: Things are not getting better.

I posted that and it generated a fair bit of comment over on LinkedIn, which then led to me making some comments about how the annual RSA conference doesn’t reflect some of the real problems I worry about, and wondering about attendance. That, in turn, led me to remember a presentation I started giving about 6 years ago (when I was still invited to give talks at various places). It needed one editorial correction, and it is still valid today. I think it outlines some of the current problematic aspects of security in the commercial space, and security research. Here it is: Rethinking Security. This is a set of presentation slides without speaker notes or an audio recording of me presenting them, but I think you’ll get the ideas from it.

Coincident to this, an essay I wrote in conjunction with Steven Furnell, of the University of Plymouth in the UK, appeared in the British Computing Society’s online list. It describes how some things we’ve known about for 30 years are still problems in deployed security. Here’s that column: The Morris worm at 30.

Steve and I are thinking about putting something together to provide an overview of our 80+ years combined experience with security and privacy observations. As I delve more into my archives, I may be reposting more here. You may also be interested in some videos of some of my past talks, that I wrote about in this blog last year.

In the meantime, continue to build connected home thermostats and light bulbs that spy on the residents, and network-connected shoes that fail in ways preventing owners from being able to wear them, among other abominations. I'll be here, living in the past, trying to warn you.

PS. The 20th CERIAS Symposium is approaching! Consider attending. More details are online.

Things are not getting better


I was reminded this morning of testimony I gave nearly 10 years ago before a US Senate committee about cybersecurity. Sadly, I think things are worse and we are continuing on the same self-destructive path.

Here is a copy of that testimony.

Anybody who thinks tools and patching are the solutions doesn't understand the problems.

Now that the government has decreed our national focus should be on quantum and artificial intelligence, things are likely to get worse even faster -- those technologies will introduce new vulnerabilities faster than they may fix any, especially as vendors seek to rush items to market.

CERIAS continues to be a bright spot, but there is so much more we (at CERIAS, and more globally) could do if we had the resources.

In early April is the 20th CERIAS Symposium. I invite you to attend to see what Purdue's continuing efforts are accomplishing, and especially to meet some of our bright and motivated students, and connect with some of our tremendously talented faculty and staff.

Cybersecurity Hall of Fame Nominations Open Again!


The Cyber Security Hall of Fame was on hiatus while stable funding was secured. That has happened, and nominations are open for the class of 2019. Nominations are only open until February 15.

Current honorees are listed at the Cybersecurity Hall of Fame site.

Help by nominating qualified candidates! See the instruction site for details of nominations.

Help spread the word!

Spaf videos, blasts from the past, future thoughts


I created a YouTube channel a while back, and began uploading my videos and linking in videos of me that were online. Yes, it’s a dedicated Spaf channel! However, I’m not on camera eating Tide pods, or doing odd skateboard stunts. This is a set of videos with my research and views over the years on information (cyber) security, research, education, and policies.

There are two playlists under the channel — one for interviews that people have conducted with me over the years, and the other being various conference and seminar talks.

One of the seminar talks was one I did at Bellcore on the Internet Worm — about 6 weeks after it occurred (yes, that’s 1988)! Many of my observations and recommendations in that talk seem remarkably current — which I don’t think is necessarily a good observation about how current practice has (not) evolved.

My most recent talk/video is a redo of my keynote address at the 2017 CISSE conference held in June, 2017 in Las Vegas. The talk specifically addresses what I see as the needs in current information security education. CISSE was unable to record it at the time, so I redid it for posterity based on the speaker notes. It only runs about 35 minutes long (there were no introductions or Q&A to field) so it is a quicker watch than being at the conference!

I think there are some other goodies in all of those videos, including views of my bow ties over the years, plus some of my predictions (most of which seem to have been pretty good). However, I am putting these out without having carefully reviewed them — there may be some embarrassing goofs among the (few) pearls of wisdom. It is almost certain that many things changed away from the operational environment that existed at the time I gave some of these talks, so I’m sure some comments will appear “quaint” in retrospect. However, I decided that I would share what I could because someone, somewhere, might find these of value.

If you know of a recording I don’t have linked in to one of the lists, please let me know.

Comments appreciated. Give it a look!