Around the turn of the New Year, I always love to see the cartoon where the old guy of the current year gives way to the toddler of the upcoming year. Each new year becomes a logical breakpoint to take stock of where you’re at, and where you want to be 12 months from now. Some of us (like me) aren’t so worried about setting overly specific goals anymore, but it’s a good opportunity to make sure things are moving in the right direction.

This is the way to live...

I recently met with a friend who knows change is coming. Being a bit older than me, with kids mostly out of the house, this person is somewhat critically evaluating daily activities and will likely come to the conclusion that the current gig isn’t how they’d like to spend the next 20 years. But you know, for a lot of people change is really hard. It’s scary and uncertain and you’ll always struggle with that pesky what-if question. So most folks just do nothing and stay the course.

I try my best to not look backwards but sometimes it’s inevitable. I still get calls from headhunters every so often about some marketing job. About two minutes after I submit this post, I’m sure Rich will request that I change my phone number. But not to worry, fearless leader, most of the time the companies are absolute crap. To the point where I wouldn’t let any of my friends consider it. Every so often there is an interesting company, but all I have to do is recall how miserable I was doing marketing (and I was), and I decline. Sometimes politely. After 20+ years, I’ve figured out what I like to do, and I’m lucky enough to be able to do it every day. Why would I screw that up?

But I fear I’m the exception, not the rule. You don’t want to have regret. Don’t look back in 2020 and wonder what happened to the past decade. Don’t let the fear of change stop you from chasing your dreams or from getting out of a miserable situation. I have probably harped on this specific topic far too often this year, but the reality is that I keep having the same conversations with people over and over again. So many folks feel trapped and won’t change because it’s scary, or for any of a million other excuses. So they meander through each year hoping it gets better. It doesn’t, and unfortunately many folks only figure that out at the bitter end.

When I look back in 10 years, I’ll know I tried some new stuff in 2012. Some of it will have worked. Most of it won’t. But that’s this game we call life and I live mine without regret.


Photo credits: “regret. nothing.” originally uploaded by Ed Yourdon

Research Update: We’ve launched the latest Quant project, digging deeply into Malware Analysis. Given the depth of that research, we’ll be posting it on the Project Quant blog. Check it out, or follow our Heavy Feed via RSS.

Incite 4 U

  1. In the beginning: My start in security was completely accidental. I was in Navy ROTC and as a fundraiser we all worked security for home football games. Technically I should have been pouring beer or cleaning floors, but since I was in color guard the guy in charge of security got confused and treated me like an upperclassman. With those haircuts we all looked the same anyway. Three years later I was the guy in charge, and weirdly enough that experience (plus some childhood hacking) kicked off my security career after I started in IT as an admin and (later) developer. So I have no direct experience of what it takes to get started in security today, but @fornalm is about to graduate with a degree in computer security and talks about the challenges and opportunities he faces. This is great reading even for old hands, as it gives us an idea of what it’s like to start today, and perhaps ways to help bring up some young blood. We can certainly use the help. – RM
  2. Silent, but deadly: I’m a bit surprised that there wasn’t more buzz and/or angst about Microsoft’s decision to silently update IE in 2012. That’s right, the software will update in the background and you (most likely) won’t know about it. Google does this already with Chrome, so it’s not unprecedented. Enterprise customers will still be able to control updates in accordance with their change management processes. On balance, this is likely a good thing for all those consumers who can’t be bothered to click the button on Windows Update. Obviously there is some risk here (ask McAfee about the challenges of a bad update), but given the hard unchanging reality that bad guys find the path of least resistance – which is usually an unpatched machine – this is good news. – MR
  3. Browser Bits: Interesting tidbits on Twitter this week. Joe Walker has a good idea to combat self-XSS to help protect against socially engineered cross-site scripting attacks. In essence, the protection is built into the browser, and enabled with a configuration flag. With XSS a growing attack vector, this would be a welcome addition to protect the majority of users without major effort. And in case you missed it, here is a clever little frame script to detect whether the browser has NoScript enabled. Check the page source to see how it works. It goes to show that there are ways marketing organizations can learn about you and your browser, as most protection leaves fingerprints. – AL
  4. Why compete in the field, when you can compete in the courts? It was inevitable, but Juniper is the first to sue Palo Alto based on patents relating to “firewall technology used to protect communications networks from intrusion.” Yeah, I’m sure they could have similar claims against other network security companies. You know, small companies like Cisco, Check Point, and McAfee. But the first rule of patent prosecution is to go after small fry, who are more likely to settle rather than spend zillions in legal fees on fighting – and where even winning can be expensive enough to wreck a company. It’s hard for me to see Nir Zuk settling anything. That guy would fight a crippled monk if he sold a competing firewall. But this is predictable given how PAN is effectively printing money, competing well in large deals, and likely working on their S-1 filing to go public. Without being a patent lawyer, and as I am unwilling to take the time to actually read the case (that crap bores me to tears), this feels like a shakedown. And that’s a shame because you usually only try to shake someone down when you can’t compete. – MR
  5. Pre-browsing: I am fascinated by this story. Not because I think the Summly app is cool (I do think it’s cool) and not because I think Mr. D’Aloisio is a boy genius (although he’s creatively addressed some pain points), but rather for the many possible applications of this method of browsing. What would be cool from a security standpoint is being able to see what crap a web site is trying to infect my machine with before I point a browser at it – without having to use other developer tools to interrogate the site first. Or better yet, to grab a non-hostile version of the content for me so my browser is insulated from malware. I always wanted RSS readers like NetNewsWire to do this – only they fail miserably as they include insecure browsers, leaking as much information as they gather. I think conceptually this is what some of the browser security tools envisioned, but failed to deliver: getting meaningful content without the garbage. – AL
  6. The probability of threat modeling? Not enough: It’s great to see our friend Wendy Nather with a new blog (under her own name, imagine that!) and talking about cool stuff like threat modeling. Obviously we are big fans of building security in, a process that starts with threat modeling. Wendy expands a bit on a post from Adam Shostack to talk about the need to assess the probability of the (modeled) attack to figure out the urgency of changing the code, design, etc. The reality is that not enough folks actually do proper threat modeling before building their code, but those who have embraced both an SDLC and strong threat modeling can learn a lot by following both Wendy and Adam. So do that. – MR
  7. Are we there yet?: When Microsoft first announced the Trustworthy Computing Initiative I think I was quoted in an article as saying that it would take a good 5-10 years to see how well it worked. Basically we wouldn’t see the results until we went through a series of software development cycles that pushed most/all components of Microsoft products through the Secure Development Lifecycle. I think the first big product out of the gate that had been through the entire process was SQL Server 2005, which went completely (publicly) bug free for a looong time (you might be surprised if you compare security vulns between the current versions of SQL Server and Oracle). This is just one example showing that secure development works, and according to this Dark Reading article we are seeing success all over the place. Are we done yet? Not even close. Will this solve everything? Not a chance – only a handful of products have gone through a formal SDLC from start to finish. But I do believe life is getting harder for the bad guys with bigger bars to hurdle on some major platforms. Don’t worry, they’ll still pwn you through that stupid Flash game your kid installed. – RM
  8. Lo and Behold, another security IPO: This time the lucky winner is Proofpoint. So now they can look forward to constant quarterly scrutiny, the whims of mo-mo investors, and the need to curry favor with sell-side analysts (so they say nice things about the stock). Yeah, have fun with that. But you can learn a lot about a business by reading its S-1 filing with the SEC. Things like the fact that Proofpoint did $XX over the first 9 months of 2011, which represented growth of XX%. It also shows these guys are spending like it’s 1999. Or at least considerably more than they earned. But clearly profitability isn’t a requirement for a stock offering anymore (still?). Reminds me of the go-go days of [bubble to be named later]. Still, having companies growing and going public (like Imperva as well) is good for the security ecosystem. And that’s good for all of us, so good luck to Proofpoint – let’s all hope for a successful offering. – MR
**PS: Happy Holidays to everyone.** We won’t be posting an Incite (or Friday Summary, I presume) next week, so have a safe and happy Xmas and New Year holiday, and we’ll start another year of Incite on January 4, 2012.