Research

I have never been a fan of large gatherings of people. You would never find me at a giant convention center listening to some evangelist, motivational speaker, politician, or business ‘guru’ tell me how to improve my life. I don’t stalk celebrities; participate in “million man marches”, tea party gatherings, promise-keepers, or any something-a-palooza to support a cause. I don’t have a cult-like appreciation of ‘successful’ people. It has nothing to do with a political or religious bent and I don’t fear crowds – it is a personality trait. To me group-think is a danger signal. I’m a skeptic. A contrarian. If everyone’s doing it, it must be wrong. But it’s not like I never attend large events: AC/DC concerts are a go, and I’ll wait in long lines to get an iPhone. But it’s just as likely to bite you as be rewarding – you know, like the last Star Trek movie, the one with the terrible plot you’ve seen six times, because the cast and cinematography are oddly appealing. Anyway, when lots of people think something’s great I usually walk the other way. So what the heck was I doing at the Berkshire Hathaway Shareholders meeting last weekend? In Omaha, Nebraska, of all places? Forty thousand finance geeks standing in near-freezing rain, waiting for the doors to open at the CenturyLink center to hear Warren Buffett and Charlie Munger talk about stock performance? Are you kidding me? But there I was, with Gunnar Peterson, listening to the “Oracle of Omaha” talk about Berkshire Hathaway and investment philosophy. And it was a bit like a cult – a pilgrimage to listen to two of the greatest investors in history. But despite all my reservations I had a great time. You wouldn’t expect it from the topic but the meeting was entertaining. They were funny, insightful, and incredibly rational. They are politically incorrect and unapologetic about it. They are totally transparent, and as likely to remind you of their failures as successes. And they are more than happy to critique one another for their flaws (I’m certain I have seen these traits at another company before). As much as I have read about Munger and Buffett in the last 18 months – I think I read most of their funny quips before the meeting – there is something about hearing all of it in one place that weaves their concepts into a single cohesive tapestry of thought. You see the core set of values repeated consistently as they answer questions, no matter what the subject. If you are interested in a recap of the event, the Motley Fool blog did an excellent job of capturing the questions and some of the humor. I only started to follow Charlie and Warren about 18 months ago, because Gunnar’s use of sage Charlie Munger quotes got me curious. Now I am hooked, but not because I want investment ideas – instead I am fascinated by an incredibly simple investment philosophy, that involves an incredibly complex set of rational models, that forms the foundation of their decision process. Both men are contrarians – they choose to invest in a method that for decades people thought was a fluke. Berkshire has been called a 6-sigma outlier. They have been derided for not investing in tech companies during the tech boom – a profound critique when you consider Apple, Google, and Microsoft are some of the fastest-growing and 3 out of of 5 of the largest companies in the world. They have been mocked in the press as being “out of touch” when the market was going crazy during the whole mortgage/CDO fiasco. But they have stayed the course, despite fickle and fashionable trends, on their way to become the most successful investors in history. Berkshire is now one of the top 5 companies in the world, but ultimately their approach to decisions is what fascinates me. Had I heard about them during college, and comprehended their message as I do today, I would probably have gone into finance instead of computer science. Oh, before I forget, the majority of the Securosis team will be at Secure360 next week. Mort and I will be presenting on big data security. Ping us if you’re in Minneapolis/St. Paul and want to get together! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Security Implications of Big Data. Favorite Securosis Posts Rich: My “Peak Experience” article in The Magazine. I am really excited about this one, so even though it is technically an ‘Outside’ item I picked it as my favorite post. It’s the story of a mountain rescue I was on over a decade ago, for a really exciting publication, which I am honored to write for. David Mortman: The CISO’s Guide to Advanced Attackers: Evolving the Security Program. Mike Rothman: Some (re)assembly required. Need to show some love for our contributor Gal, who posted his first solo piece on the blog. He makes a great point about never forgetting the data security lifecycle. Adrian Lane: Finger-pointing is step 1 of the plan. Other Securosis Posts Database Breach Results in $45M Theft. Security Earnings Season in Full Swing. McAfee Gets Some NGFW Stones. Incite 5/8/2013: One step at a time. 2FA isn’t a big enough gun. Now China is stealing our porn. The CISO’s Guide to Advanced Attackers: Breaking the Kill Chain. Friday Summary: May 3, 2013. IaaS Encryption: How to Choose. IaaS Encryption: Object Storage. Favorite Outside Posts Rich: White House close to backing FBI’s wiretap backdoor proposal, says NYT. This is a short piece, but insanely important. Backdoors for wiretapping are horrible for security, with a long history of misuse and compromise. David Mortman: Google unveils 5-year roadmap for strong authentication. Mike Rothman: FUDwatch: Armenia. Marcus Ranum determines (with tongue firmly in cheek) that the biggest threat in the known world is… Armenia. Which just goes to show that you can make data say pretty much whatever you want it to. So interpret the breach reports and other data sources carefully, and figure out what you want them to say. Adrian Lane: The State of Web

Big news, big money – hackers stole $45M in a flash attack. They hacked into the bank system, focused on debit and pre-paid cards that lack the usual credit card anti-fraud detection, then made massive rapid withdrawals using mules scattered around the world. Not new. Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and a fourth man, identified only as “Hacker 3,” pooled their talents, and with the help of a worldwide network of “cashers” in more than 280 cities, they were able to walk away with $9 million of RBS WorldPay’s money. The attack, detailed in a federal indictment announced Tuesday by the Department of Justice, illustrates clearly the level of organization and sophistication involved in ATM and payment-card fraud, as well as the difficulty banks face in guarding against these schemes. The scam began simply and came together quickly. In early November 2008, prosecutors allege that Covelin discovered a vulnerability in the network of RBS WorldPay, a subsidiary of the Royal bank of Scotland that handles payroll and other payment-processing transactions for companies around the world. As Gal Shpantzer said in our chat room today: this is the sort of ATM hack that should be in the Verizon DBIR – not necessarily skimming. Share:

From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share: