Incite 1/12/2011: Trapped
By Mike Rothman
I enjoy living in the South (of the US). I’m far enough North that we get seasons. But far enough South to not really be subjected to severe winter weather. It’s kind of like porridge in the story of the 3 bears. Living in ATL is just right for me. Usually.
In a typical year, we’ll see snow maybe twice. And it will be a dusting, usually gone within an hour. Only once in the 6 years I’ve lived in Atlanta has there been enough snow to even make a snowman – and Frosty it wasn’t. Which is fine by me. But this weekend we got hammered. 6 inches in most places. I know, you rough and tumble Northerners laugh at 6 inches. That’s not enough to even start up your snow blower. I get that.
But you are prepared and you have the right equipment to deal with the snow. We don’t. I’ve seen it written that Chicago has 200 snow plows. Atlanta has 8. Seriously. And I live about 30 miles north of Atlanta, so we have zero snow plows. Even if you get a few inches of snow, it’s usually above freezing, so it melts enough to clear the roads and get on with business. Not this time. When it got above freezing, we got frozen rain. And then it got colder, so anything that melted (or rained) then froze on the roads. I’m a good winter driver and I know enough to not mess with ice. I even had to shovel. Thankfully, I didn’t toss my good shovel from up North. It still worked like a charm – though my back, not so much.
So basically I’m trapped. And so are the Boss and kids. They canceled school for the past two days, and it’s not clear (given the forecast for more freezing weather) that they will have school at all this week. Thankfully the snow is still novel for them, so they go out and sled down a hill in our back yard in a laundry basket. Yes, a laundry basket. That’s a southern kids’ sled, don’t you know? I’ll give the kids props for creativity. But a week at home with the kids without the ability to go do stuff is going to be hard. For the Boss. I’ll be sequestered in my cave looking busy. Very very busy.
OK, I’m not totally trapped. I did escape for an hour this afternoon to brave the slush and other wacky drivers. I had to pick up a prescription and get some bread. The roads were passable, but bad. And to add insult to injury, Starbucks closed about 20 minutes after I got there, so I couldn’t even get much writing done. My routine is all screwed up this week.
I know this too shall pass. The snow will melt, the kids will go back to school, and things will return to normal. But to be honest, it can’t pass soon enough. We love the kids. But we also love it when they get on the bus each morning and become their teachers’ problems for 6 hours.
Photo credits: “Snowed in Snowdon” originally uploaded by zalgon
Vote for Me. I’ll buy you a beer.
OK, I’ll finally come clean. I’m an attention whore. Why else do you think I’d write this drivel every week? Yes, my therapist has plenty of theories. But it seems that some of you think this stuff is entertaining. Well, at least the judges of the Social Security Blogger Awards do. I’m both flattered and excited to once again be nominated in the Most Entertaining Security Blog Category.
I actually won the award in 2008, but was crushed like a grape in 2009 by Hoff. And deservedly so. But this year Hoff is thankfully in another category, so my fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition.
So if you like beer. Or if you like me. Or if you feel sorry for me. Or if you want my Mom to be able to kibbitz with her group of Yentas in Florida about her entertaining blogger son. Help out a brother with a vote.
Incite 4 U
Brand this: George Hulme argues against the idea that security doesn’t matter to a company’s brand. George can (on rare occasions) be a disagreeable guy, but this one is a bit of a head scratcher. If the measuring stick is stock price, then George is wrong. There has been no negative effect on stock price from a security breach. George states that companies suffering breaches have greater churn than those that don’t. But evidently not enough to impact their stocks. I did a podcast with Shimmy yesterday and toward the end we discussed this. My point is that clearly breaches cost money, both in terms of the direct costs and the opportunity cost of not doing something more strategic with those resources. Those are real costs. But do they outweigh the additional costs incurred by trying to be secure? That is the zillion dollar question. And there isn’t any data to prove it one way or the other. As Rich always preaches to us, we need to be very careful when we infer causation without specific data. Which I think has happened on both sides of this discussion. – MR
Don’t blame the hinge manufacturer if you leave the door open: I get sort of annoyed when people blame someone else for their problems. Take the latest brouhaha over the brand new Mac App Store. It turns out – and you might want to sit down for this one – that if you don’t follow Apple’s guidelines on securing your app, people can pirate it! I know, I’m TOTALLY SHOCKED (see, I even shouted). You have to use the tools they give you, folks; especially when it’s in the friggin’ documentation. (And the hyped-up headlines on this one merely amuse me). – RM
Definition of ‘Is’: I’m confused. According to Forrester, SQL Azure “Raises The Bar On Cloud Computing” because of its “unique multi-tenant architecture”. I am confused because I have never heard a customer ask for a multi-tenant database. Multi-tenancy is an architectural by-product of the democratization of resources. It means cloud vendors can offer cheap, consistent and elastic resources at a very low cost as long as everyone shares from the same pool. This comes at the price of co-mingling data from multiple customers, in turn raising concerns about compliance and security. I am also confused that we could disagree on what the word ‘unique’ means: Amazon’s SimpleDB and Google’s AppEngine data store are, by definition, multi-tenant. Vendors like Database.com offer the relational model architected specifically for multi-tenant environments – just like SQL Azure. Vendors like IBM leverage different models for multi-tenancy at the web service/applications layer, but data is still stored within a multi-tenant database. They all scale, they are all multi-tenant, and they all provide high availability. SQL Azure has several specific differences – and advantages – over their competition, but pay-as-you-go, elasticity and multi-tenancy aren’t among them. You have to wonder what the words ‘leadership’ and ‘raising the bar’ really mean. At least to Forrester. – AL
Sourcefire gets a flu shot: The M&A train keeps on a rolling. After last week’s Dell/SecureWorks deal, we also saw the pork loin of security acquire Immunet for $17MM with another $4MM reserved for an earn out. Immunet has some really smart guys (the founders are certifiable big brain dudes) and they’ve been out front on this community model for detecting malware. But the real question is to what degree the Immunet stuff can be used within the network. If FIRE thinks they are getting into the endpoint business (even if they have Clam), I’m not sure they understand the amount of time, money and investment required. Our pals at 451 Group voice similar concerns. They should ask Check Point about that. But if (and this is a big if) Immunet’s community malware approach can be used to accelerate the writing of IDS rules and content can drive a compelling reputation system that can be implemented on perimeter devices, $17MM will be a bargain. Did I mention that’s a big if? – MR
Historically Low Fraud Rates?: Interesting post on Dark Reading about Visa’s new fraud detection capabilities. Not interesting because of their “new fraud detection” per se, but other tidbits in the press release. I am glad Visa has new fraud detection services, as they lag – in my opinion – companies like PayPal and eBay in fraud detection capabilities. Looking at location, trending, real-time behavioral analysis, and attack signatures across multiple accounts does not make them unique, but does close the gap. What caught my eye was the statement that “fraud rates within the Visa system remain flat, having fallen to historic low levels” which runs counter to what I have been hearing; fraud rates on a per-transaction basis are basically static, but the total dollar amounts are running over 3.5%. That’s huge money! I am looking for published research that corroborates what I have been told privately. This may be an issue of semantics, meaning inside the ‘Visa Advanced Authorization’ system and not in general, but the article caught my attention as it contradicts what many of us in the security field are seeing. Feels like a spin job to me. – AL
Why the heck did you buy that? Again?: One of the things Mike and I have ranted about over the years is how no one ever retires a security control. Like the TSA, we never back down. Heck, we never really look to see whether something is working or not, or if there are alternatives. (Okay, I’ve talked with some orgs where this isn’t true, but they are in the distinct minority). Jeremiah Grossman highlights this in a great post where he also refers back to a quote from our very own Gunnar. The one thing I think he misses is that although applications may be our biggest asset, modern business also relies absolutely on email and basic networking, even if that isn’t where we spend the most any more. But you have to ask yourself, are we really spending on the right things? Or just the things users complain most about when they go down? – RM