One of my first encounters with Adam Shostack was at Microsoft when he was driving a new way of thinking around a type of problem. In this specific case, it was how to defeat the Conficker worm (https://en.wikipedia.org/wiki/Conficker). Conficker was a particularly nasty malware program that first appeared at the end of 2008. It had several ways of spreading (such as “vectors”), including guessing at weakly password‐protected file shares, a desktop.ini trick, patched software vulnerabilities, and via USB drives using Windows’s built‐in Autorun feature. Conficker was infecting millions of machines a year and was showing no signs of abating. Anti‐malware vendors were readily detecting it and Microsoft had put out several articles on how to stop it from spreading, but it was still prolific.

Shostack proposed using data analysis to look at the problem. He and Microsoft started looking at which attack vectors were allowing Conficker to spread the most. Our initial assumption had been that most of the people being infected had not applied a long‐available patch. And that was indeed one of the most popular vectors early on. But now, nearly two years later, Shostack found out that it was largely due to infected USB keys. Using his collected data, he proposed that Microsoft disable the Autorun feature, which was a huge decision. It meant changing the way Windows worked and was going to force all users, infected or not, to now do something extra to make executables ...