I fancy myself to have significant willpower. I self-motivate to work out pretty religiously, and in the blink of an eye gave up meat two and a half years ago – cold turkey (no pun intended). But I’m no superhero – in fact over the past few weeks I’ve been abnormally human. You see I have a weakness for chips. Well I actually have a number of food weaknesses, but chips are close to the top of the list. And it’s not like a few potato chips or tortilla chips will kill me in moderation. But that’s the rub – I don’t do ‘moderation’ very well.

Halloween. Dental Public Enemy #1...As I mentioned last week, for XX1’s birthday weekend we had a number of parties, which meant we had to have snacks around for all the visiting kiddies. Rut Roh. Yeah, the big bag of Kettle Chips from Costco. Untouched by the kids. Mowed through by me. Not in one sitting, so I guess I’m improving a bit. But over the course of 4-5 days I systematically dismantled the bag one bowl at a time. I guess I figured I couldn’t have a full-on binge if I did one bowl at a time, right? I’d have to get up and down to keep filling the bowl. I guess that’s how I got a portion of my exercise last week. Moderation, no so much.

And of course, hot on the heels of the parties was Halloween. So the kids came back with bags and bags of candy. Normally my sweet tooth is contained. Maybe once a week I’ll have some ice cream with chocolate syrup. But with Almond Joys and Butterfingers and Peanut M&Ms around, you might as well put a crack pipe in Lindsay Lohan’s bedroom. Even worse, the Boss (who can’t eat chocolate – food allergies) got a 56oz bag of M&Ms. My hands aren’t big, but they can grab about 30 M&Ms in one swoop. And they did. Arghhh.

So on Saturday night I put my foot down. The candy had to go. Thankfully they were collecting candy bars for the troops – and by the way, what the hell is that about? What better to send to the frackin’ desert than a couple of truckloads of chocolate bars. I heard those don’t melt on the surface of the sun, and that speaks nothing of their nutritional value (or lack thereof). But I guess they don’t want us donating produce to send to the troops, even though that makes a lot more sense. So, I put my foot down and decreed that the candy must go. The kids dutifully sorted their candy and we let them keep about 10 pieces to be doled out over the next few weeks. The Boss also stashed away some surplus for movie days, so we could use that instead of paying $10 for a box of Raisinettes at the theater.

Maybe that’s kind of a dick move, getting rid of the candy because I struggle with self-control. But I’m cool with it. You don’t stock your fridge with beer if you are an alcoholic. You don’t buy a bong for a pothead’s birthday. And you don’t leave the Halloween candy in the house for those who struggle with their weight. Yes, I’ve made progress and working out hard 5-6 days a week gives me some buffer, but having that stuff around is just stupid. So we won’t…

– Mike.

Photo credits: “That’s a lot of Halloween candy. Bartell’s Drugs, Queen Anne, Seattle, 09/01/06” originally uploaded by photophonic


Incite 4 U

  1. SCADA hysteria, coming to critical infrastructure near you: As I mentioned in my Storytellers post last week, I was at SecTor, and a lot of great discussion emerged from the conference. I have to give a shout-out to our contributor James Arlen, who from all indications did a great job of deflating the hype around SCADA attacks. Yes, Stuxnet happened and showed what is possible, but the sky isn’t falling. James points out that these systems are built for fault tolerance, and that compromising one control system isn’t likely to take down the power grid. Listen, I don’t want to minimize the risk – we all know these systems are vulnerable. But we do need to be wary of overhyping the issues, and James did a good job presenting both sides. His conclusion is key: “But, he encouraged security professionals to take a deep breath and assess the situation rationally.” Look for this one when it gets posted by the SecTor folks. – MR
  2. Cutting out the middle man: The Wall Street Journal highlights how major websites are limiting the number of tracking technologies they allow leeches ‘partner’ sites embed into their web pages. Why? Are they doing this for privacy concerns? Hell, no! And they’re not doing it to save the children, lower your cholesterol, reduce carbon emissions, or any other smokescreen. It’s about money and control, as always. The have lost control by allowing marketing firms to directly gather customer data, resulting in less data and money for site owners. Some firms found tracking software that they did not know about, while others found partners gathering information they did not even know was available. With many web sites desperately trying to stay in business, there will be significant investment into their own tracking software and data marts on the back ends, in order to monetize their data directly. We’ll see them code their own, and we will also see spyware “marketing software” vendors selling more plug-ins. And user privacy will be exactly the same as before, only the web sites will get a bigger slice of the financial pie. But that’s okay … it says so in the new end user (you have no) privacy agreement. – AL
  3. If you can’t beat ‘em, sue ‘em: There is no doubt that Microsoft once abused their position with anti-competative practices. I don’t mean in terms of what features they included in Windows, but all that back-room dealing and wrangling with hardware providers. That’s why I’m so amused by Trend trying to drum up antitrust interest over Microsoft including their free antivirus as an update in Windows Update. Keep in mind that it’s only offered if you don’t have any AV on your system, and is an optional install. Back when MS first announced they would offer free AV, I said it would be good for consumers. As the latest NSS Labs report shows, all AV generally sucks, but MS is at least in the middle of the pack on suckiness. Considering how many free and paid AV options are out there, Trend’s move is a long shot. And who ultimately wins? The lawyers, for a change. – RM
  4. Endgame for bots? Any time a company raises $29MM from top-tier venture capitalists, it makes news. When the management team has a long history in the security space, it makes news. And when the company focuses on a hot market like botnets, right – it makes news. So there was a lot of buzz around Endgame and its ipTrust intelligence service. I haven’t gotten a formal briefing yet, but the Endgame guys collect a bunch of data and are building (amongst other things) a big-ass reputation system designed to be integrated into security products. Sounds to me like a feature rather than a company, and I suspect these guys have more up their sleeves, especially as all the big security companies already heavily invest in data collection and analysis. But of course they aren’t alone. Another company, Umbra Data, announced last week and founded by former Trend Micro folks, does largely the same thing. To be clear, data for tracking botnets is a good thing. But you have to use the data for it to matter. And we are a long way from network and system defenses really leveraging reputation data. But having the data is a necessary first step. – MR
  5. Do I hear $600?: Following up on last week’s Incite on Google’s Bug Bounty (Winnning on pennies a day), Barracuda is now offering their own bug bounty of $500. Bravo to Barracuda for jumping into the mix on this one. As I said, it’s a cheap way to find security bugs/errors, and a great way to reach out to your community. But at $500 I doubt they will get active participation from the security research community because it’s simply too small a sum to motivate professionals. It will prompt average users to file bug reports, as there is now a reward for finding something new, and that’s a good first step. What Barracuda should also do is allow the community to contribute to firewall rule sets. Let users fill out policies and reports to help reduce deployment costs for small businesses that have trouble developing their own policies. You want to help your customers and the security community at large? Help them with filtering and rules. – AL
  6. Oh goody, we’re ‘empowered’ now: One of the things that bugs me the most about the analyst industry is the stupid drive to brand industry trends, often refusing to use a common term because you can’t ‘own’ it. This is especially common among two types of analysts. First, those who no longer know WTF they are talking about since they gave up on real practical research, because it has no place in their pontification business model. And second, those who missed a trend and are playing catch-up to their competitors. So I sadly shake my head at Forrester’s “Empowered Enterprise”. Empowered? Does that mean the Supreme Court has finally caved in to the right and given corporations the right to vote? No, it turns out they mean the consumerization of IT, something the rest of us have been talking about for 5+ years. Even the summary of their advice (I don’t have access to the full report) sounds all fluffy – the sort of thing you could get from an article in Horizons magazine. – RM
  7. Tracking the bad guys, inside intelligence gathering: There is a lot of cool research happening to try to understand the tactics of the bad guys and (hopefully) get to a place where we can more effectively detect their tactics. The folks at NetWitness did an interesting analysis of Bredolab, showing how multi-faceted these attacks are and how they utilize friendly ISPs to host the command and control networks. Of course, friendly doesn’t mean proactive – more that these ISPs don’t have the expertise or resources to monitor the fraud happening on their servers and within their networks. I suggest you spend some time with this post, at least to understand the amount of work it takes to track these attackers, and also to gain an appreciation for their sophistication. And realize that without this kind of data collection and analysis, you have no idea what is coming at you. This is a key principle of our SIEM/Log ManagementMonitoring up the Stack, and ongoing React Faster and Better research. – MR
Share: