Incite 11/3/2010: 10 Years GoneBy Mike Rothman
A decade seems like a lifetime. And in the case of XX1 it is. You see I’m a little nostalgic this week because on Monday XX1 turned 10. I guess I could confuse her and say “XX1 turns X,” mixing metaphors and throwing some pre-algebraic confusion in for good measure – but that wouldn’t be any fun. For her – it would be plenty fun for me. 10 years. Wow. You see, I don’t notice my age. I passed 40 a few years back and noticed that my liver’s ability to deal with massive amounts of drink and my hair color seemed to be the only outward signs of aging. But to have a 10 year old kid? I guess I’m not a spring chicken anymore.
But it’s all good. I can remember like it was yesterday watching the 2000 election returns (remember that Bush/Gore thing?), with XX1 in a little briefcase under the lights to deal with jaundice. But it wasn’t yesterday. Now I have a wonderful little woman to chat with, teach, learn from, and watch grow into a fantastic person. She’s grown significantly over the past year and I expect the changes will be coming fast and furious from here on. Of course, I can’t talk about how wonderful my oldest daughter is without mentioning the true architect of her success, and that’s the Boss. She’s got the rudder on most days and is navigating the bumpy seas of helping our kids grow up masterfully.
Yet I’m also cognizant that you can’t outrun your genetics – you need to learn about them and compensate. Over the weekend, one of XX1’s closest friends mentioned how cool it was that she was turning 10, and how exciting it must be. XX1 shrugged that off and started focusing on the fact that in another 10 years, she’ll be 20. Hmmm. Not enjoying today’s accomplishment, and instantly focusing on the next milestone. Wonder where she gets that from? Thankfully her friend is more in tune with being in the moment, and chastised her instantly. I think the response was, “Why are you worrying about that? Just enjoy being 10.” Smart girl, that friend.
But it’s an important nuance. It’s taken me many years to become aware of my own idiosyncrasies, how they impact my worldview, and how to compensate. We have the opportunity to teach XX1 (XX2 and the Boy as well) about why they think in certain ways and how that will impact their capabilities. Obviously all of the kids are different, but each shows aspects of each of us. By working closely with them, helping them become aware of their own thought processes, and figuring out together how to maximize their strengths, hopefully they’ll avoid a lot of the inner turmoil that marked my first four decades.
But then again, we are the parents, and we all know how much weight we holds in the mind of a pre-teen. If they are anything like us, they’ll have to learn it for themselves. But at some point, all we can hope is that when they encounter a challenge, something in the back of their minds will trigger, and they’ll remember that their wing-nut parents told them about it when they were little.
Photo credits: “Happy 10th Birthday” originally uploaded by mmatins
Incite 4 U
Yes, we are changing things up (again). We know the last few months have been very content heavy on the blog, and we want to lighten it up a bit. So we are going to do more quick, snarky, and (hopefully) useful blog posts that we call drive-bys. We’ll also shorten up the Incite and focus on some vendor announcements and other quick topics of interest. Each of us will do two Incites a week and two drive-bys, with the goal of balancing things out a bit. Don’t be bashful – let us know what you think.
Just tell me if I’m safe – For those of you who don’t want to know the gory details of SSL, cookies, and side-jacking attacks, but just what sites you can safely browse from Starbucks, check out George Ou’s Online services security report card. Last week, after the release of Firesheep, George Ou warned Forced SSL was broken on many social networking sites. Basically most cookies are still in clear text, so despite the use of SSL to pass credentials, the cookie can still be used to impersonate a user. In his follow-up this week, George produced a handy chart to show a side-by-side comparison of popular web sites and how they handle these basic security issues. And the conclusion? Not good… – AL
One guess what flavor it is – What do you think you get when a SaaS provider builds a Web Application Firewall? According to this post by Ivan Ristic I suspect we’re all going to find out. Ivan let the cat out of the bag on his blog that he’s building a “next-generation web application firewall”. And he’s at Qualys, so I’m pretty sure it will be cloud-based. WAF is actually ripe for a cloud offering. I know one company in semi-stealth mode working on one, Art of Defense has an early offering, Akamai supports some ModSecurity filtering on their edge servers, and someone recently pointed me at CloudFlare. Heck, I’ve thought about getting one for Securosis. But I shudder at cleaning the puke out of the toilet when I get the first “PCI Compliant WAF SaaS” press release. – RM
Next generation firewalls are officially a bandwagon… – In our Understanding and Selecting an Enterprise Firewall report, we intentionally avoided the term “next generation firewall”. We focused on the functionality, which has everything to do with application awareness, positive security models, and pseudo-IPS capabilities. Most vendors have announced something that hits those key capabilities, but they’re also talking at least a bit about how they are going to do it technically. The WTF announcement last week was from Sourcefire, who basically announced they are going to play in the next generation firewall market (whatever that really is), but then talked about an IPS. If this wasn’t a bandwagon (and they weren’t losing ground because they don’t have a story), why would Sourcefire make such a weak announcement? They didn’t even quote their CTO in the announcement, and you’d figure Marty Roesch would have a thing or two to say about this, wouldn’t you? It turns out Marty and I haven’t been able to sync up to discuss it over the past couple days, but I have to say this was one of the most underwhelming announcements I’ve seen in a long time. Maybe I’m reading a bit too much into one press release, but then again maybe I’m not. Sourcefire customers, you should ask your reps what this means and what is the relevance of the IPS once this mythical firewall unicorn magically appears at some point. – MR
Winning for pennies a day – Paying $500 for people in the community to find security bugs is a very smart move. First, it’s a really cheap way to test the code, as $500 is about what you would pay an in-house security tester per day. Second, you get a bunch of scripts and exploits sent your way to build a security testing library for free. Third, you get to market your dedication to security and an open development environment, and make anyone who discloses defects outside the program look like a bad guy. And as an added bonus, you can identify potential employees without paying a recruiter. Google is incredibly adept at creating simple programs that yield multiple benefits at very low cost. Kinda like “Safe Browsing”, whereby they catalog web and application usage while having browsers automatically send them malware and general surfing data. The number of security experts who will participate for much less they could get in a bidding war is open ot question; and whether public disclosures are important for padding a resume is up for debate. But one thing is certain: this is a win-win-win for Google. – AL
From the Department of You Probably Don’t Need It, But at Least It’s Free – Sophos is the latest entry into the Mac antivirus market, with a free version of their client. ESET also announced free AV for Mac, but it isn’t out yet. Here’s a hint – when the majority of vendors in a market give something away for free, odds are it’s because they don’t think they can sell it. It’s why we don’t charge for our research – I had to say it before any of you did. I’m not one of those zealots who thinks Macs are immune to malware, but the attack rate is so low that unless you fit certain criteria (listed in my TidBITS article), the odds are you don’t need AV (for now). Yes, compliance/enterprise policy is one real reason to use AV (unfortunately), and I suppose it’s nice to see added Mac support from the major endpoint vendors. Not that any of them have Mac DLP yet… – RM
Crowdsourcing anti-malware – Maybe there is something to this idea of the wisdom of crowds to tell you about an infection. Yes, I jest – every anti-malware vendor is investing in cloud-based detection and reputation, and all sorts of other leveraged activities to pinpoint bad stuff faster. The latest example is Webroot buying PrevX. Yeah, I was surprised to hear PrevX was still around as well. But whether you are talking McAfee’s Artemis, Symantec’s Ubiquity, Trend’s Smart Protection Network, or something else, it’s all based on the same ideas. Gather data, analyze it, and hope you see patterns of badness before it proliferates widely. Good thing this is a new idea, because Andy Jaquith started a debate on this topic (weighed into by lightweights such as Hoff, Amrit, Shimmy, and yours truly) over 2 years ago. The faulty assumption back then was that vendors would need to share information for this model to work. Evidently each has enough data points to be able to statistically do a decent job of pinpointing bad stuff. Whodathunkit? – MR