So I am finally home for a few weeks, coinciding with the kids starting school. As usual I grab my messenger bag first thing in the am and head out on my nomadic journey. With about 10 local Starbucks with Google WiFi, I am typically in one of those. I get faster Internet at Starbucks than I do at home (57mbps down FTW). It does make me a little more predictable, so that’s a bit alarming. But I’ll trade 50mb downloads for the anemic DSL speeds of AT&T WiFi every day of the week.
After a long day of reading tweets, drinking coffee, and trolling the team in our chat room, I come home to see the kids outside with a bucket. Yes, they were challenged to the Ice Bucket Challenge, an awareness campaign originated by Pete Frates – a former Boston College baseball player – suffering from ALS that has gone viral over the past week. There is a great ESPN profile of Pete and the challenges of ALS. NFL coaches and players, celebrities, families, and evidently school-age kids are dumping buckets of ice water on their heads.
Though to be candid, I was kind of annoyed. Most of the celebrities and sports stars mention ALS and talk about the cause – if only for a few seconds. But do these kids even know why they are doing it? I asked, and they had no idea. So I saw a teaching moment. I dictated that before any ice water was dumped, they would need to understand about ALS and commit to not just dousing themselves, but to giving money to the cause. After extracting a $20 commitment each, and making sure they read the online description of the disease, they dumped the water. And all was right in the universe.
Then I remembered that I saved the fantastic “A Football Life” episode on Steve Gleason because it was awesome and inspiring. The former New Orleans Saint suffers from ALS, and that show documented his life and his adventure climbing Machu Pichu. Yes, I forced the kids to watch that too.
I am good with viral campaigns. I’m ecstatic that this campaign has increased donations to research for an ALS cure tenfold. That is awesome. And it would be even more awesome if everyone who dumped a bucket of ice water on their heads actually understood why they were doing it. Then instead of just being funny, it would be educational as well.
–Mike
PS: The picture above is Bill Gates (yes, that Bill Gates) doing the ice bucket challenge. Click here to see the full clip in all its animated GIF glory.
Photo credit: “Bill Gates ice bucket challenge” originally uploaded by Waseem Ashraf
The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.
Securosis Firestarter
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- August 18 – You Can’t Handle the Gartner
- July 22 – Hacker Summer Camp
- July 14 – China and Career Advancement
- June 30 – G Who Shall Not Be Named
- June 17 – Apple and Privacy
- May 19 – Wanted Posters and SleepyCon
- May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
- May 5 – There Is No SecDevOps
- April 28 – The Verizon DBIR
- April 14 – Three for Five
Heavy Research
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
The Security Pro’s Guide to Cloud File Storage and Collaboration
Leveraging Threat Intelligence in Incident Response/Management
- Quick Wins
- The (New) Incident Response & Management Process Model
- Threat Intelligence + Data Collect = Responding Better
- Really Responding Faster
- Introduction
Trends in Data Centric Security
Understanding Role-based Access Control
NoSQL Security 2.0
Newly Published Papers
- The 2015 Endpoint and Mobile Security Buyer’s Guide
- Open Source Development and Application Security Analysis
- Advanced Endpoint and Server Protection
- Defending Against Network-based DDoS Attacks
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
Incite 4 U
- The path of least resistance: Clearly the easiest way to pwn an organization is just to find some Windows XP and use old malware. In our App Control paper we said there are a bunch of reasons XP may still exist in your environment. But if you still have unpatched XP you just suck at operations and security. Again, there are some mitigating circumstances (perhaps you cannot patch), but then you need some kind of whitelisting on the device to lock it down. Seriously – it’s 2014, folks. MSFT is trying their best to stop supporting the product. It’s time to upgrade. – MR
- Form letter: “Company {name} was the victim of unauthorized access to our customer systems, and attackers stole {number} of credit cards between {date1} and {date2}. Company {name} said: ‘Our customer’s trust is a top priority, and we’ve taken steps to address the {vulnerabilityXXXXXx10^3} and help law enforcement catch those naughty, malicious evil-doers that are now looting your bank account. As an added precaution we will make available {worthless-service} to protect your identity, and ask all of our customers to reset their passwords ASAP.’” There you go: an open source breach letter – my service to the security press. You no longer need to write anything – just feed this template to your mail blaster of choice to announce the next bicycle shop or vitamin store breach. If you want a small Ruby script to automatically insert random vendor names, you can find one on GitHub. – AL
- Snort for my mom: Sometimes you just scratch your head. This coverage on a new company building an IPS for your house just reinforces a bunch of things. 1) The trade press will cover anything to generate page views. 2) Some start-ups have no idea what market validation looks like. An IPS for your house? Snort on a Cavium processor? Really? If you are sophisticated enough to even know what that means, odds are you can implement IPS on a variety of home UTM devices or even use a freemium version like Sophos or Untangle. Though these folks are trying to raise the money for production via Kickstarter, their projected $149 price is laughable. Most folks don’t pay much more than that for a computer – they won’t pay that for a network security device they don’t even know they need. Good luck to those guys – they will need it. – MR
- Why so blue? IBM has been quietly picking up a few Identity and Access Management pieces for cloud services. Their latest acquisition is Lighthouse Security Group, a cloud service to assist with user provisioning and Single Sign-On. This comes on the heels of acquiring Crossideas, which provides an identity bridge to link on-premise IAM with other cloud services, and a task module which can retrofit segregation-of-duties capabilities onto existing application platforms – such as SAP. The latter capability is a major obstacle for the large firms IBM traditionally serves, so this is a pretty good fit. If they can successfully link what they have with these two products, they will have the basics of a hybrid on-premise/cloud identity services offering. IBM is late to this party but that’s okay because cloud identity services have – to date – very modest adoption rates. – AL
- Ignore the troll: Rob Graham is right. By reacting to trolls, you empower them. You embolden them. And you make them want to troll you more. So you need to stop giving them your power. But it’s hard, mostly because “we have a nation of whiners and babies who don’t want to grow up, who instead want the nanny-state to stop mean people from saying mean things.” Wow. Can’t disagree with Rob. If we just ignore folks, and repeat the sticks and stones mantra over and over again… eventually they will stop. Or move on to other victims. And that’s all we can ask for, right? – MR
Comments