Good Morning:

Maybe it’s the hard-wired pessimist in me, but I never thought I’d live a long life. I know that’s kind of weird to think about, but with my family history of health badness (lots of the Big C), I didn’t give myself much of a chance.

Do you see the future? This is your future...

At the time, I must have forgotten that 3 out of my 4 grandparents lived past 85, and my paternal grandma is over 100 now (yes, still alive). But when considering your own mortality, logic doesn’t come into play. I also think my lifestyle made me think about my life expectancy.

Three years ago I decided I needed an attitude adjustment. I was fat and stressed out. Yes, I was running my own business and happy doing that, but it was pretty stressful (because I made it that way) and it definitely took a toll. Then I decided I was tired of being a fat guy. Literally in a second the decision was made. So I joined a gym and actually went. I started eating better and it kind of worked. I’m not where I want to be yet, but I’m getting there.

I’m the kind of guy that needs a goal, so I decided I want to live to 90. I guess 88 would be OK. Or maybe even 92. Much beyond that I think I’ll be intolerably grumpy. I want to be old enough that my kids need to change my adult diapers. Yes, I’m plotting my revenge. Even if it takes 50 years, the tables will be turned.

So how am I going to get there? I stopped eating red meat and chicken. I’m eating mostly plants and I’m exercising consistently and intensely. That’s my plan for now, but I’m also monitoring information sources to figure out what else I can be doing.

That’s when I stumbled upon an interesting video from a TED conference featuring Dan Buettner (the guy from National Geographic) who talked about 9 ways to live to 100, based upon his study of a number of “Blue Zones” around the world where folks have great longevity. It’s interesting stuff and Dan is an engaging speaker. Check it out.

Wish me luck on my journey. It’s a day by day thing, but the idea of depending on my kids to change my diaper in 50 years is pretty motivating. And yes, I probably need to talk to my therapist about that.

– Mike

Photo credit: “and adult diapers” originally uploaded by &y

Incite 4 U

It seems everyone still has APT on the brain. The big debate seems to be whether it’s an apt description of the attack vector. Personally, I think it’s just ridiculous vibrations from folks trying to fathom what the adversary is capable of. Rich did a great FireStarter on Monday that goes into how we are categorizing APT and deflating this ridiculous “cyber-war” mumbo jumbo.

  1. Looking at everything through politically colored glasses – We have a Shrdlu admiration society here at Securosis. If you don’t read her stuff whenever she finds the time to write, you are really missing out. Like this post, which delves into how politics impacts the way we do security. As Rich says, security is about psychology and economics, which means we have to figure out what scares our customers the most. In a lot of cases, it’s auditors and lawyers – not hackers. So we have to act accordingly and “play the game.” I know, you didn’t get into technology to play the game, but too bad. If you want to prosper in any role, you need to understand how to read between the lines, how to build a power base, and how to get things done in your organization. And no, they don’t teach that in CISSP class. – MR
  2. I can haz your cloud in compliance – Even the power of cloud computing can’t evade its cousin, the dark cloud of compliance that ever looms over the security industry. As Chris Hoff notes in Cloud: Security Doesn’t Matter, organizations are far more concerned with compliance than security, and it’s even forcing structural changes in the offerings from cloud providers. Cloud providers are being forced to reduce multi-tenancy to create islands of compliance within their clouds. I spent an hour today talking with a (very very big) company about exactly this problem – how can they adopt public cloud technologies while meeting their compliance needs? Oh sure, security was also on the list – but as on many of these calls, compliance is the opener. The reality is that you not only need to either select a cloud solution that meets your compliance needs (good luck) or implement compensating controls on your end, like virtual private storage, but you also need to get your regulator/auditor to sign off on it. – RM
  3. It’s just a wafer thin cookie, Mr. Creosote – Nice job by Michael Coates both on discovering and illustrating a Cookie Forcing attack. In a nutshell, an attacker can alter cookies already set, regardless of whether it’s an encrypted cookie or not. By imitating the user in a man-in-the-middle attack, the attacker finds an unsecured HTTP conversation, requests an unencrypted meta refresh, and then sends “set cookie” to the browser, which accepts the evil cookie. To be clear, this attack can’t view existing cookies, but it can replace them. I was a little shocked by this, as I was of the opinion meta refresh had not been considered safe for some time, and because the browser happily conflated encrypted and unencrypted session information. One of the better posts of the last week and worth a read! – AL
  4. IT not as a business, huh? – I read this column on not running IT as a business, and I was astounded. In the mid-90’s running IT as a business was all the rage. And it hasn’t subsided since then. It’s about knowing your customer and treating them like they have a choice in service providers (which they do). In fact, a big part of the Pragmatic CSO is to think about security like a business, with a business plan and everything. So I was a bit disturbed by the premise. Turns out the guy correctly points out that there’s a middle ground. You don’t have to actually price out your services (and do wacky internal chargebacks), but you’d better treat your users as customers. – MR
  5. Trimming the Patch Window – One of the ideas I mentioned in Low Hanging Fruit: Endpoint Security was tightening patch windows. Then I stumbled upon this good article on Dark Reading that goes a layer deeper and provides 4 tips on actually doing that. It’s good stuff, like actually developing a priority list based on criticality of a device, and matching up patch schedules with planned maintenance. Not brain surgery, but good common sense advice. – MR
  6. You like this? I have a bridging VPN to sell you. – I first saw the VPN angle of the Chinese hacker story reported on Dark Reading, much of which was sourced from this post implicating Google’s Virtual Private Network as a medium for the attack. WTF? The thread was later amended with this follow up, where Google officially confirmed the VPN Security review. I am really curious why anyone thinks that VPN security has anything to do with this issue. I still cannot locate a piece of evidence that connects the exploit with VPN security. A medium of conveyance, you know, like the Internet, is a little different than an exploit, like an IE6 0-day. Personally I believe the entire episode was related to coffee. I have strong evidence to support this claim. The Google employee was accidentally served decaf coffee the morning the trojan was dropped onto the machine, and as many Google employees have been seen entering Starbucks since the attack, I am certain coffee played a major factor. That and those little iced lemon cookies. Google did not call me to refute this story, but their silence is telling! These two things could be entirely unrelated, but I doubt it, so I will be the first person to tell you I am not wrong about this. Trust me. – AL
  7. FUD. It tastes like chicken. – Kudos to Russell Thomas for calling out some blatant NetWitness FUD (fear, uncertainty and doubt) mongering, including the obligatory scrunched face guy. The NetWitness folks respond with a treatise on why FUD is OK. I have been on the marketing side a couple of times, and you need to deal with it. Vendors try to create a catalyst for you to return their calls, take their meetings, and hear how their widgets will make your life better. Sometimes trying to scare or confuse you gets thrown into the mix. In fact, sometimes judicious use of FUD internally can help get a project over the finish line. In dealing with vendors it’s another story. I’m a fan of driving the project, as opposed to having a vendor tell me what my problem is, but that’s just me. I think most of those messages are funny and I file them into my marketing buffoonery folder. Try it and you’ll see it’s fun to check those out on a particularly bad day to keep it all in context. At least you don’t have to resort to desperate measures to get a callback. Your customers have a way of finding you just fine. – MR
  8. Shaky Foundations – Every now and then someone sums up pretty much the entire problem with a single paragraph. Gunner nails it when he says: “Here’s the bottom line – basically NONE of the F500 ever designed their systems to run on the Web, they just accreted functionality over time and added layer on top of insecure layer, straw on top of straw, until pretty much everything is connected directly or indirectly to the Web. Now this straw house would not be that big a deal if these enterprises had a half ass dependency on the Web like they did in the early 90s brochure-ware website days, but now the Web runs their businesses.” The truth is, there is only so much security we can continue to layer on top of weak foundations while still achieving results (sort of). Not that most, if any, of you can scrap everything you have and rebuild it from scratch, but as we adopt new technologies (like the cloud) it’s an excellent opportunity to insert security early on in the process and perhaps create a better, stronger, more secure generation of technology. I can dream, can’t I? – RM
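A short illustration of the cookie forcing point in item 3, added here as an example; it is not code from Michael Coates’ post or from any browser. It models a browser cookie jar in two ways: a naive jar that keys cookies by name only, so a Set-Cookie arriving over plain HTTP (the man-in-the-middle’s response) silently replaces a cookie the HTTPS site set with the Secure flag; and a strict jar that applies the later browser rules (“leave secure cookies alone” from RFC 6265bis and the __Secure-/__Host- name prefixes) and refuses the overwrite. The jar, the cookie values and the `run_scenario` helper are constructed for this example; the `__Host-` handling is simplified (it does not check Path or Domain).

```python
"""Simplified model of browser cookie-jar policy versus a cookie forcing attack.

Constructed example: a Secure cookie is set by https://bank.example, then a
man-in-the-middle answers an http://bank.example request with a Set-Cookie of
the same name. The naive jar accepts the replacement; the strict jar does not.
"""

from dataclasses import dataclass
from typing import Dict


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse the subset of Set-Cookie needed here: name=value and an optional Secure attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs)


class NaiveJar:
    """Cookies keyed by name only: any response for the host may overwrite any cookie.

    This is the behaviour the item above describes: the Secure flag only controls
    when a cookie is *sent*, not who may *set* it.
    """

    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}

    def store(self, scheme: str, set_cookie: str) -> bool:
        cookie = parse_set_cookie(set_cookie)
        self.cookies[cookie.name] = cookie
        return True

    def header_for(self, scheme: str) -> str:
        """Build the Cookie request header for a request over `scheme` (http or https)."""
        sent = [f"{c.name}={c.value}" for c in self.cookies.values()
                if scheme == "https" or not c.secure]
        return "; ".join(sent)


class StrictJar(NaiveJar):
    """Adds two later browser rules that block the overwrite from an insecure origin."""

    PREFIXES = ("__Secure-", "__Host-")

    def store(self, scheme: str, set_cookie: str) -> bool:
        cookie = parse_set_cookie(set_cookie)
        if scheme != "https":
            # "Leave secure cookies alone": an insecure origin may neither set a
            # Secure cookie nor replace an existing cookie that carries Secure.
            if cookie.secure:
                return False
            existing = self.cookies.get(cookie.name)
            if existing is not None and existing.secure:
                return False
            # Prefixed names are only ever accepted from a secure origin.
            if cookie.name.startswith(self.PREFIXES):
                return False
        elif cookie.name.startswith(self.PREFIXES) and not cookie.secure:
            # Prefixed names must also carry the Secure attribute.
            return False
        self.cookies[cookie.name] = cookie
        return True


def run_scenario(jar_cls) -> str:
    """Legit HTTPS login cookie, then a forced cookie over HTTP; return what HTTPS would receive."""
    jar = jar_cls()
    jar.store("https", "session=legit; Secure; HttpOnly")   # set by the real site over TLS
    jar.store("http", "session=evil; Path=/")                # injected by the MITM over plain HTTP
    return jar.header_for("https")


if __name__ == "__main__":
    print("naive jar sends :", run_scenario(NaiveJar))     # session=evil
    print("strict jar sends:", run_scenario(StrictJar))    # session=legit
```

The naive jar shows why the Secure flag alone did not protect a session: it keeps the cookie off the wire over HTTP, but nothing stops an HTTP response from replacing it. The strict jar is the behaviour browsers later adopted; on the server side the equivalent fixes are HSTS (so the HTTP conversation never happens) and the `__Host-` prefix on the session cookie.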