Heading down into Atlanta last week for the BSides ATL conference, I got into my car and the magic began. I whipped out my magic box and pulled up the address on the Maps app, just to make sure I remembered where it is. Then I fired up Pandora, which dutifully streamed rocking music to my Bluetooth-equipped car stereo. I checked out the NaviGAtor mobile site for real-time traffic data; then I was set and on my way.

Wait. What? Think about this for a second. None of what I just described was even possible 4 years ago. I normally just take all this rapid technology evolution for granted, but that day I reflected a bit on how surreal that entire trip was. The idea of having a personalized radio station streaming from the Internet and playing through my car stereo? Ha! Having a fairly accurate map and an idea of traffic before I stumbled into bumper to bumper mayhem? Maybe in a science fiction movie, or something.

But no, this stuff happens every day on a variety of smartphones, enabled by fairly ubiquitous wireless Internet connectivity. As another example, Rich just texted me on Monday to let me know he deposited my monthly commission check to our bank from his device, while taking a potty break during a strategy day. Yeah, that’s probably TMI. My bad.

Our recently departed leader talked about the sense of “childlike wonder” you get when discovering these applications that enable totally different ways of communicating and living. And it’s true. As I drove down the highway, jamming to my music, with no traffic because I routed around the congestion, I could only marvel at how things have changed.

It’s a far cry from my first bag phone. Or that ancient StarTac, which was state of the art, what, five years ago? How can you not be excited by the future? We have only just scratched the surface on how these little computers will change the way we do things. Bandwidth will get broader. Devices will get smarter. Apps will get more capable. And we’ll all benefit. Maybe.

It takes a lot of self-control to just enjoy the music while I’m driving. The inclination is to multi-task, at all times. You know, checking Twitter, texting, and catching up on email, in a metal projectile traveling about 70mph, surrounded by other metal projectiles traveling just as fast. That can’t end well. As with everything, there is a downside to this connectivity. It’s hard to just shut down the distractions and think, or to focus enough to stay on the road. It seems the only place I can get some peace is on a plane, and even there I can get WiFi (though I tend not to connect on most flights).

The good news is that nothing I do is really that urgent. My Twitter can wait 15 minutes until I stop moving. But it doesn’t mean I don’t have to make a conscious effort to stay focused on the road. I do, and you probably do as well.

I guess what is most amazing to me is that my kids have no idea that there was a time when all this stuff didn’t exist. The idea of not being able to text whenever they wanted? Madness. A world without Words with Friends? A time when they could only listen to 10 CDs because that’s all they could carry in their travel bag? They can hardly remember what a CD is. Nor should they. It’s not like when I was a kid I had any concept of a world where we hung out by the radio to get news, sports, entertainment – basically everything. But that’s how my folks grew up.

I wonder if someday SkyNet will look back and wonder what things were like before it was self-aware? Oy, that’s a slippery slope.

-Mike

Photo credits: “Childlike Wonder” originally uploaded by SashaW

Incite 4 U

1. Peeking into Dan’s brain: There are a select few folks who really make me think. Like every time I talk to them (which isn’t enough), I have to bring my A game, just to hold a conversation. Dan Geer is one of those folks. So when the Threatpost folks asked Dan about the research agenda in security, he didn’t disappoint. He starts by proposing that we’d need a lot less research if we put into practice what we already know, and that we should research why we don’t do that. Yeah, Dan makes recursive thinking cool. Then there are other nuggets about building systems too complex to effectively manage, the strategic importance of traffic analysis, and the security implications of IPv6. He may not have all those research-grade answers yet, but Dan certainly knows the questions to ask. – MR
2. Johnny doesn’t care: Carnegie Mellon released a research paper called Why Johnny Can’t Opt Out, an examination of tools to thwart online behavioral monitoring, and how users use them. I recommend downloading the paper and taking a quick look at the study – it contains some interesting stuff, but I am a bit disappointed by several aspects. First, the executive summary makes it sound like the tools they surveyed are ineffective, when that’s clearly not the case. They found users were confused by the UIs of the respective products and failed to configure the products correctly. OK, that’s reasonable – most utilities leave a bit to be desired from a user experience standpoint. But not all offerings are like that; for example Ghostery’s setup wizard is dead simple to use, but the data is the data. The other thing that bothered me was not testing NoScript (a fantastic tool!) as another privacy tactic. The final annoyance was their assumption that users do not want privacy tools to hinder usability! WTF? They do understand behavioral advertising is woven into the web’s fabric, right? That “no hindrance” requirement eliminates NoScript, and stymies any effective product, because there’s no way to eliminate certain risks without changing behavior. How effective are privacy products for users who are uninterested in privacy and unwilling to change their behavior to gain privacy? Who needs research to see how well that works out? – AL
3. Accentuating differences to sell security: Everyone is selling, even you, Mr./Ms. Security Practitioner. You need to evangelize why not clicking on this or that is the right thing to do. You need to spend time helping your ops team understand why messing with the firewall rules is a bad idea, and you have to pitch your senior team on continued investment in security. Seth Godin has some wisdom here about drawing a contrast between two competing options. But the real genius of this short post is to remind us that doing nothing remains a viable and popular option, so whatever project you are pushing must compete not only against other product/service alternatives, but also against the status quo. – MR
4. IOC a standard? Not so much, but valuable nonetheless: The folks at Mandiant recently announced they are publishing the XML schema of their Indicators of Compromise (IOC) under an Apache 2 license, and along with their existing IOC Editor tool, a new tool to find these IOCs on potentially compromised devices (IOC Finder) to make the data useful. This is great stuff – incident responders need all the help they can get – but calling it a standard? Yeah, not so much. Though this does follow the tried and true pattern of having a vendor build some technology for their own use, and then calling it a standard in an attempt to gain market leverage. It looks like Mandiant just forgot to submit it to a standards body for legitimacy, or even to have some non-employees say they will supporting the brand-new ‘standard’. Details, details… I guess they realize the folly of a 3-4 year standards effort, so they just decided to skip the time-consuming review and approval process – they just skipped ahead calling it a standard so they could get back to work. – MR
5. No money fun: Mikhael Felkner posted on Zero Budget Security Projects on the Tom’s Hardware site. Most of his recommendations center on identity and access management policies, along with some discovery work in the existing environment. We complain all too often about not being able to get our jobs done because of lack of budget, so here are some steps you can go through to improve security without a purchase requisition. But this is work, and it will take some time. Mikhael is offering ways to trade time for money you don’t have. But it’s work you should do in order to understand your environment and your issues. On the off chance you get some budget, you’ll know where best to invest it. – AL
6. Voodoo math and brand damage: You all know how much I love surveys. For those of you new to our site, let’s just say I’m not the biggest fan of vendor-sponsored surveys – given the inherent bias of the answer the vendor needs to merchandise. So when I see yet another Ponemon survey, sponsored by Experian, talking about the brand/reputation damage of a breach, I just have to laugh. The survey asked 800+ people to estimate brand damage, which basically means they asked them to pull numbers out of their butts. The average loss of $184 million? C’mon, man! Nobody really knows how to value a company’s brand, even marketing types rub their antennae at conferences and talk about how valuable the Google and Apple brands are. I am not saying data breaches don’t impact organizations. But estimating brand damage is just idiotic marketing. Get off my lawn! – MR