I’m a pretty typical guy. I like beer, football, action movies, and power tools. I’ve never been overly interested in kids, even though I wanted them eventually. It isn’t that I don’t like kids, but until they get old enough to challenge me in Guitar Hero, they don’t exactly hold my attention. And babies? I suppose they’re cute, but so are puppies and kittens, and they’re actually fun to play with, and easier to tell apart.
This all, of course, changed when I had my daughter (just under 6 months ago). Oh, I still have no interest in anyone else’s baby, and until the past couple of weeks I was pretty paranoid about picking up the wrong one from daycare, but she definitely holds my attention better than (most) puppies. I suppose it’s weird that I always wanted kids, just not anyone else’s kids.
Riley is in one of those accelerated learning modes right now. It’s fascinating to watch her eyes, expressions, and body language as she struggles to grasp the world around her (literally, anything within arm’s reach + 10). Her powers of observation are frightening… kind of like a superpower of some sort. It’s even more interesting when her mind is running ahead of her body as she struggles on a task she clearly understands, but doesn’t have the muscle control to pull off. And when she’s really motivated to get that toy/cat? You can see every synapse and sinew strain to achieve her goal with complete and utter focus. (The cats do that too, but only if it involves food or the birds that taunt them through the window.)
A few times on the Ranting Roundtable you hear us call security folks lazy or apathetic. We didn’t mean everyone, but it’s also a general statement that extends far beyond security. To be honest, most people, even hard working people, are pretty resistant to change; to doing things in new ways, even if they’re better. In every industry I’ve ever worked in, the vast majority of people didn’t want to be challenged. Even in my paramedic and firefighter days people would gripe constantly about changes that affected their existing work habits. They might hop on some new car-crushing tool, but god forbid you change their shift structure or post-incident paperwork. And go take any CPR class these days, with the new procedures, and you’ll hear a never-ending rant by the old timers who have no intention of changing how many stupid times they pump and blow per minute.
Not to overdo an analogy (well, that is what we analysts tend to do), but I wish more security professionals approached the world like my daughter: with intense observation, curiosity, adaptability, drive, and focus. Actually, she’s kind of like a hacker – drop her by something new, and her little hands start testing (and breaking) anything within reach. She’s constantly seeking new experiences and opportunities to learn, and I don’t think those are traits that have to stop once she gets older. No, not all security folks are lazy, but far too many lack the intellectual curiosity that’s so essential to success.
Security is the last fracking profession to join if you want stability or consistency. An apathetic, even if hardworking, security professional is as dangerous as he or she is worthless. That’s why I love security; I can’t imagine a career that isn’t constantly changing and challenging. I think it’s this curiosity and drive that defines ‘hacker’, no matter the color of the hat.
All security professionals should be hackers. (Despite that silly CISSP oath).
Don’t forget that you can subscribe to the Friday Summary via email.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich was quoted several times in the Dark Reading article “Mega-Breaches Employed Familiar, Preventable Attacks”.
- Rich’s Macworld article on totally paranoid web browsing went live. It will also be in the upcoming print edition.
- Dan Goodin at the Register mentioned our article on the Heartland breach details.
- Our Heartland coverage also hit Slashdot (and the server didn’t get crushed, which is always nice).
- Rich and Martin hit the usual spectrum of security issues in Episode 163 of The Network Security Podcast.
- Rich, Mike Rothman, Nick Selby, Alex Hutton, and Josh Corman let loose in the very first Ranting Roundtable – PCI Edition.
Favorite Securosis Posts
- Rich: With all the discussion around Heartland, Adrian’s post on Understanding and Choosing a Database Assessment Solution, Part 2: Buying Decisions is very timely. Any time we talk about technology we should be providing a business justification.
- Adrian: With all the discussion around Heartland, it’s nice to get some confirmation from various parties with New Details, and Lessons, on Heartland Breach.
Other Securosis Posts
- The Ranting Roundtable, PCI Edition
- Understanding and Choosing a Database Assessment Solution, Part 3: Data Collection
- Smart Grids and Security (Intro)
- New Details, and Lessons, on Heartland Breach
- Understanding and Choosing a Database Assessment Solution, Part 2: Buying Decisions
- Recent Breaches: We May Have All the Answers
- Heartland Hackers Caught; Answers and Questions
Project Quant Posts
We are close to releasing the next round of Quant data… so stand by…
Favorite Outside Posts
- Adrian: Maybe not my favorite post of the week, as this is sad. Strike three! My offer still stands. Are you listening, University of California at Berkeley?
- Rich: It’s easy to preach security, “trust no one”, and be all cynical. Now drop yourself in the middle of Africa, with limited resources and few local contacts, and see if you can get by without taking a few leaps of faith. Johnny Long’s post at the Hackers for Charity blog shows what happens when a security pro is forced to jump off the cliff of trust.
Top News and Posts
- Indictments handed out for Heartland and Hannaford breaches.
- Nice post by Brickhouse Security on iPhone Spyware.
- The role of venture funding in the security market – is the well dry?
- I swear Corman wrote up his 8 Dirty Secrets of the Security Industry a year ago, but here it is in interview format.
- Adam for Cybertsar!
- FTC guidelines on health records breach disclosure. This is for health record aggregators who may not be covered by HIPAA.
- Immunet kicks off their new cloud AV offering. I haven’t had a chance to look at it yet, but I like the team behind it.
- Massachusetts data protection law updated. Will be interesting to see the final version, and how it’s enforced.
- Always blame the hackers first. Hotel in Italy first blames hackers for a $0.01 room rate, then admits internal error.
- Jeremiah says Web Security is About Scalability.
- Adam Engst on post-literacy in computing. This isn’t a security article, but a very interesting read.
- DNA evidence can be fabricated.
Blog Comment of the Week
This week’s best comment comes from Arthur in response to the New Details and Lessons on Heartland Breach post:
Great advice. Remember folks, that vulnerability scanning is more than just running Qualys or Nessus; you need web app scanning tools and database scanning tools as well, to look for issues there as well. Similarly, you want to be looking for more than just vulns per se, but services and tools you don’t need (case in point xp_cmdshell stored procedures).
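To make the commenter’s last point concrete, here is an added T-SQL example (not from the original post, the commenter, or Securosis) of the kind of check a database scanner does that a network scanner will not: it audits a SQL Server instance for surface-area options that are “features” rather than CVEs, then turns xp_cmdshell off and verifies the change. It goes a little beyond the comment by listing a few sibling options of the same class alongside xp_cmdshell. It assumes a SQL Server 2005-or-later instance and a login with sysadmin rights; the option names are real SQL Server configuration names.

```sql
-- Added example, not part of the original post: audit and harden SQL Server
-- surface-area options that a port/CVE scanner will not report.
-- Assumes sysadmin rights on a SQL Server 2005+ instance.

-- 1. Audit: list the risky options and whether they are currently on.
--    value_in_use = 1 means enabled. xp_cmdshell is the one the comment
--    named; the others are the same class of "service you don't need".
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries',
               'clr enabled')
ORDER BY name;

-- 2. Harden: turn xp_cmdshell off. These are "advanced" options, so they
--    must be exposed before they can be changed, and RECONFIGURE makes
--    the new value take effect.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: the audit query should now report 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

The audit query is the part worth scheduling: run it against every instance in the inventory and alert on any row that comes back with value_in_use = 1, so an option that was re-enabled for a one-off job does not quietly stay on.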