All I wanted to do on Monday night was go to sleep. I had a flight in the morning and thought it would be a good idea to get some rest. So I sit down with the Boss and we catch up on the day, discuss some tactics to deal with issues the kids face, and I’m ready to hit the rack. Then I notice she’s watching a movie called One Week (Netflix streaming FTW) where basically a guy is given a week to live and sets off on a cross-Canada jaunt on a motorcycle to discover himself, meet some interesting people, and do stuff that happens in movies.

Oh yeah, one week to escape...Movie trap, awesome. 90 minutes later, we start discussing the movie and she asks me point blank, “what would you do?” Crap, hate that question. I start thinking about the right answer, and then unconsciously I blurt out, “I’d write. A lot.” Wow. I’m given a week (or whatever) to live and my first thought is to write. Not travel. Not do exciting things. But write. Huh.

She then asks why. I respond that I’ve been to lots of places. I’ve done some fairly interesting things. So, I don’t have a great desire to see places or check items off some bucket list. Of course that doesn’t mean I don’t want to see more places and do more things. But if I had to really prioritize given a very limited amount of time, I’d focus on teaching – which for me means writing. I like to think I’ve learned a bunch of stuff (mostly by screwing it up), and I’d want to document that.

I figure my road rash and stories would be useful to my kids. But maybe other folks too. Or maybe that’s just my arrogance talking. I’d write about the stuff I’ve screwed up. I’d write about the stuff I’ve done right. I’d write about the stuff I’d do differently (which wouldn’t be much, by the way). I’d focus on the importance of relationships, and the unimportance of collecting things. And I’d make sure the people I care about had something to remember me. I’ve got a face made for radio, so I’d write.

Then I thought about how lucky I was. If I had a week to live, I’d write. Which, by the way, is pretty much what I do every day. I try to impart some wisdom through each week’s Incite. And our other research all strives to relay the perspectives we build through our travels, hoping it’s all useful to someone. The topics would be a bit different with a different sort of deadline – pun intended. But the tactics wouldn’t. Very interesting.

Then something utterly profound happened. My wife said, “You know, you don’t have to wait to get a death sentence to write that kind of stuff.” Holy crap. She’s right. Sure, life gets in the way, but those are just excuses. Obviously I’ll need to work around my day job a bit, but what the hell am I waiting for? Just write. I think I will. It’s going to be an interesting summer.

-Mike

Photo credits: “Seven Days” originally uploaded by Laurie Pink

Incite 4 U

  1. Security = Money (again): It appears that investor interest is swinging back to security. I guess that’s inevitable, if you wait long enough. A couple weeks ago Bit9 raised $12.5MM and Verdasys raised another $15MM. That kind of money, primarily from existing investors, typically means they think they’ll get good multiples on the investment. They invest much less when they are just trying to keep a company on life support. And it even seems the IPO market could be receptive to security deals. TrustWave filed an S1 with the SEC this week and you’d expect a couple of the other high profile start-ups or private equity buyouts from the last few years to test the waters at some point. The fundamentals for continued growth in security remain good. The question is whether smaller companies can sustain growth long enough to find an upstream partner, since that’s how this movie ends regardless of whether there is an IPO somewhere in there. Some will, most won’t, and the pendulum will swing back and forth. It always does. – MR
  2. Someone needs a carder’s union: I’m going to be pretty annoyed if there isn’t any NFL this fall, and I know Mike will too. I couldn’t give a crud about baseball, but I do enjoy my Sunday football. But I have to respect the rights of the player’s union, even if I don’t like their (or the owners’) tactics. I’m not the biggest fan of unions, but can admit that in certain industries we still need them. Take carders (the credit card fraudsters). One poor bloke plead guilty to fraud involving $36M in transactions. That’s a pretty good take, right? Well, he only earned somewhere around $150K, which is only .4%. That’s a downright crappy margin. He’d be better off opening a convenience store, where at least the margins are 2-5%. Plus he has to make reparations for at least some of the $36M lost to fraud. Seriously, dude – call the Teamsters. No way would they put up with .4%, and maybe they could get you some health and retirement benefits. – RM
  3. I see you: I was not surprised that MLB programming on Apple TV would not allow me to view certain games, but I was surprised that my location was not based on my registered address – instead it’s based upon the Apple TV’s uplink IP address (assigned by the ISP). Geolocation from IP and gateway has certainly been a hot feature for service providers over the last couple years, with vendors such as PayPal factoring location into fraud detection. This capability continues to evolve, with Northwestern University recently claiming they can pinpoint user locations within half a mile. Their methodology uses a combination of known locations/IP addresses of major landmarks and government buildings, then compares against ‘ping times’ – the amount of real time it takes packets of data to arrive at a location – between your IP address and other known IPs to provide a physical distance. It requires precomputing for known locations and some guesses about speed of service in different regions, but can be impressively accurate. This is not new science – as the concepts have been around for a long time – but putting it into practice will require some work, and I am willing to bet there are thousands of companies – and governments – willing to pay for it. – AL
  4. The extinction of pickpockets (or how everything evolves): A very interesting story about how pickpocketing is pretty much a lost art. Debit cards, tougher sentences, and more surveillance all affect the risk. But that’s easy to predict considering how much easier, impersonal, and scalable impersonal online fraud is. How can you not laugh when seeing the disdain pickpockets have for folks who use guns or knives to achieve the same objectives? Ultimately we all know that Mr. Market will prevail. If it’s easier, with less risk and more upside, to use different tactics, you don’t need to be a brain surgeon to know what will happen. But – as with any major transition – most of the old guard won’t make it. There probably aren’t many good job training options for out-of-work pickpockets, eh? Who knows – maybe they’ll find work as money mules. Rich can probably help with that. He may have some contacts from his DEFCON research. DM him – he’d love that. – MR
  5. Inverse Square Law: Compliance is all about security, right? I don’t mean always in practice, but the idea is to use an economic disincentive (fines, basically) to improve at least some areas of security. Right? Well, Lenny Zeltser asks us if perhaps even well-intentioned compliance may reduce security. It’s a great question – basically, if you rely on a monetary penalty, then the end goal becomes merely to meet those requirements. The example he used was a day care center that started charging parents for late pickups. Parents interpreted this as an extra service they could pay for – like a new menu item – instead of as a failure on their part which unacceptably made employees stay late at work. This actually wasn’t too bright of the parents – who wants to piss off someone who could spend 8 hours a day telling your kid to hit you in the nuts? Does this apply to security? Sort of. I think we do develop a checklist mentality, but in many organiozations there is no social contract to begin with. Especially if you lack the monitoring systems to see the losses that can hurt your customers – eventually, anyway. So net/net, compliance has favorably impacted security. – RM
  6. Tenant’s rights? People are surprised that cell carriers have been tracking their cell phone locations? Seriously? Put yourself in their shoes and consider it from the cellular provider’s perspective. They feel they own the phones, as a rule. The OSes are theirs too. Connectivity features? Yup. They determine the apps that (can) run, and to an extent which data you are allowed to store. It’s their world and you’re just leasing space in it. Carriers are collect every piece of data that touches their stuff, which means everything you do with their phone. Privacy bills such as the one proposed by Kerry/McCain, asking providers to explain themselves, are total BS because every bit of data collected can be explained as operational data to “manage systems”, “help customers”, “improve service”, and/or “support lawful requests”. And you cannot prove it’s not – especially since the data is not viewed as your personal information, so providers collect everything that helps them make money deliver service until someone forces them not to. Understand that everything you do on these devices is, as a rule, only as private as the carrier wants it to be. – AL
  7. “I don’t know” is OK: An analyst needs to be able to think on one’s toes. You never really know what line of questioning a client will take. But my old friend Kim Angell’s post on bluffing reminded me of a truism that applies to far more than just media interviewing – it’s about communication in general. Don’t try to bluff your way out of a situation. Admit you don’t know and that you’ll get the answer. No matter who asks the question. Your spouse. Your boss. Your kids. It’s okay to not know something. Really. Kim mentions a number of examples to demonstrate her point, but there are millions. We’ve all done it. Even me. But smart people know it’s a hell of a lot worse to bullish** your way through a question, because at some point you’ll get nailed. – MR
Share: