It started out great. Fantastic even. The Dome was fired up. The team started fast. Field goal. Forced punt. Matty Ice throws a pick. Then the Falcons force a fumble and get the ball back. Touchdown. Forced punt. Field goal. 13-0. Red zone stop on a huge 4th and 1. Touchdown on a bomb. Huge sack to end the half. The Falcons were up 20-0. This was it. The year they finally exorcise the playoff demons.

We all cheered for the kids showing off their football prowess during halftime as national Punt, Pass & Kick finalists. Then the second half started. Seattle drives down and scores. Then the Falcons respond with a 7+ minute drive to go up 27-7 when the 3rd quarter ends. The crowd goes bonkers. Only one team has blown a 20+ point lead in the playoffs at this point in the game. Elation sets in. It’s over. Until it’s not.

Bad tackling. Mental lapses. A tight end playing on a ripped-up foot keeps making huge catches over the middle. Seattle scores. 27-14. Matt Ryan throws a pick. Seahawks drive down the field again. Touchdown Seattle. Cover that guy! 27-21. Oh crap. Now is the time. Make a play, offense. Get some first downs, burn up some clock and get this done. Come on, man! 3 and out. Falcons punt. This is not good. You can feel the tension in the Dome. All the negative thoughts creep in. All the playoff failures. How could they choke? How could they?!?!?

Falcons force a punt. OK. It’s under control now. Just a few first downs and it’s over. 3 and out. Again. Seahawks have the ball back. 5:32 left. Seahawks driving again. They are on the Falcons 3. They score. Falcons are down 28-27. WTF? This would be the choke to end all chokes. We were stunned. The Dome was in shock. 31 seconds left. How could it end like this? Again? So disappointed. So so disappointed. Sure it was a good season, but another one and done in the playoffs and it’s going to set this franchise back years. Unbelievable. It’s only a football game, but it sure doesn’t feel that way.

The Falcons get the ball back with 31 seconds on the clock. They need 40 yards to get into field goal range. First pass goes for 22 to a receiver named Harry D. Could they? Dare we have hope? The odds are long and they’ve done it before, but not with a berth in the NFC Championship at stake. 19 seconds. Another pass goes for 19 more yards to 36 year old Tony Gonzalez, a sure fire first ballot Hall of Famer who has never won a playoff game. Ever. They’re in field goal range. They set up the kick. I can’t breathe. Literally. No one can. This is it. The Boss squeezes my hand. The kick is up. The kick is good. HOLY CRAP. We scream. We hug. We embrace people we don’t even know. We scream some more. We jump up and down. You can’t hear anything because everyone is screaming. I give the Boss a huge hug. I mean huge. Instant elation emerges out of the depths of despair. It doesn’t get better than this.

But it’s not over. There are still 8 seconds left. Seattle gets the ball back in good field position due to a muffed squib kick. A short pass. 2 seconds. Seattle is on the 50. Hail Mary time. The pass is in the air. The Dome holds its breath some more. The Falcons’ Julio Jones comes down with the ball. It’s finally over. Playoff demons vanquished. We just rode a 3.5 hour emotional roller coaster. A pretty high high. Then a very low low. Then the best moment in any football game I’ve ever experienced. I had emotional whiplash. I was nauseous. I was exhausted. My whole body hurt. My voice was gone.

And I can’t wait until next Sunday to do it again. Rise up Falcons. It’s time.


Photo credits: Buddha in Neck Brace originally uploaded by bixentro

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Control via cloud: A lot of people focus on cloud computing as a security risk, but few look upon it as a security control. I suspect this is due to its newness – anything that disrupts our current models is nearly always seen as a risk to defenders at first. But as this article points out, the cloud can play an awesome role in improving security. Specifically, if you adopt Platform as a Service for your application environment, you expand your security control scope, gaining the ability to enforce development standards by eliminating the variability of platform configurations. All the apps now run on a pre-configured platform, and there just isn’t much opportunity to screw it up. Plus you can enforce other code standards and practices based on the interfaces exposed via centralized platform management. Since it is faster and easier to use the PaaS, you aren’t fighting the developers. Sweet, eh? – RM
  2. Guessing for dollars: Does anyone really believe that the market for financial critical infrastructure security will reach $17 BILLION by 2017? Even if you could pin down what “financial critical infrastructure” even meant, and thought that you could estimate the portion of those dollars going to security products or services, do you really think you could extrapolate the amount 5 years out? If we sum the revenue from all computer security products today – across multiple industries – we don’t exceed $17 billion, so how can anyone make these ridiculous claims? Because there is no accountability, that’s how. As Rich likes to say, a guess multiplied by a guess is a wild-assed guess. And market size numbers are all little more than wild-assed guesses. – AL
  3. Sustaining the momentum: If you can get past James DeLuccia’s consultant speak (and it’s pretty thick), there is a key message in his post on whether your security compliance program is sustainable. Far too many organizations view compliance as the goal, and the job as done once the ROC is delivered. As long as they have the ROC, there are no issues, right? Of course we all know better than that. So James points out that without a structured security program the likelihood of sustainability is nil. Yes, we are painfully aware that it’s hard to establish a security program while the house is burning down and you are fighting fires. But you can never turn the tide until the structure of the program is in place. And I think that’s what James is trying to say. But I can’t be sure, because consultant speak is tougher to decipher than Klingon (not entirely accidentally). – MR
  4. WIF – Writing Is Fundamental: Possibly my biggest frustration in our industry is the number of folks who just do half-assed jobs. I just wish the person who did the work in the first place actually did a good job and gave a crap about their work, instead of just trying to do “good enough that they won’t get fired.” One of the particularly egregious examples of this is useful and meaningful documentation. I understand that we’re not all excellent writers (ask Mike, who has to edit the drivel we send him!), but it’s not that hard to at least fulfill the syntax requirements of the language. One frequently terrible example of this problem is vulnerability disclosure documents. I know that writing about technical topics is… haaaaaaaaaaaaaaaaaaard. But grow up and do a good job. I’m not the only one with this point of view and thankfully, the Open Security Foundation (OSF) has put together a Guideline for Writing Security Advisories, which is awesome and badly needed. – JA
  5. Proactive breach detection: The Washington Post has a story about intentional storage of fake data. I have been hearing from a few CISOs in the last year about seeding their financial and customer data with bogus records. Adding disinformation to their data stores. These records form a digital fingerprint that allows the company to uniquely identify their information if it shows up in other databases. It’s like a form of watermarking – polluting data with identifiable garbage. The idea is that if their data is stolen, then shows up on pastebin, they can tell there has been a breach and know what has been compromised. Part of this involves active scanning of web sites for their data to detect loss, which is much more proactive than having your customers – or worse yet the FBI – tell you. Some companies are even dynamically seeding data they give different partners and cloud service providers – that way they know exactly who lost what. And who to blame when the finger pointing begins. – AL
  6. The security vendor ostrich game: Last year I spent a fair bit of time calling BS on the entire “security is losing” meme. We lost some battles and won others, and clearly much of what we do has an impact – when we are smart about things. For example, adding anti-exploitation to modern operating systems is having a huge impact on the malware market that will play out over another decade. Jeremiah Grossman highlights a key indicator of how we know this, with specific examples. By tracking how attackers adapt to the defenses they face, we can see what is actually working. It is an extension of outcomes-based analysis. Jer then points out that our security products may find themselves part of the attack surface. Which we have known since Matasano was breaking security products in Black Hat presentations 5 years ago. As the Witty worm showed in stark reality, this is clearly possible – and happening. Security vendors are no different than anyone else. They sell software products and their software has bugs. But I agree with Jeremiah that security vendors are rarely open about these vulnerabilities – preferring to stick their heads in the sand and hope the issues just go away. But hope is not a strategy, and they are exposing customers to greater risk. – RM
  7. YouTube as DoS arbiter: You have to hand it to the hacktivists. They sure know how to get attention. David Holmes of F5 points out that the Cyber Fighters are using a calculation based on YouTube likes and dislikes to determine how long they’ll attack US financials. Like the inflammatory video, and the attack goes on longer. Dislike it and it’s shorter. The current count means the attack will continue unabated for the next year. But don’t minimize the novelty of what they’ve done. In a culture suffering from severe ADD, moving onto the next negative story in mere minutes, these folks have figured out a way to make their attack sticky. To get folks to continue talking about it, if only to see how much longer it will continue. At some point DoS fatigue will set in and we’ll kind of forget about it. We’ll move on to the next hack, attack, and breach. But the anti-DoS providers will continue to run to the bank with their bags of money. And that, my friends, is the American way. – MR
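The seeding technique in item 5 (planting bogus records per partner, then scanning for them) is easy to get wrong in one specific way: if you keep a lookup table of which canary went to whom, that table is itself sensitive data. The added example below, which is not code from the post or from any company it mentions, derives each recipient's canary records from an HMAC of the recipient name under a secret key, so attribution is a recomputation rather than a table lookup. The customer records, the secret, the recipient names and the reserved `example.net` canary domain are all constructed for the example.

```python
"""Per-recipient canary records for breach detection and attribution.

Added example (not from the Securosis post). Assumptions: every partner or
cloud provider gets its own copy of a customer dataset; a few synthetic
records whose values are derived from HMAC-SHA256(secret, recipient) are
planted in each copy; a later leak is attributed by recomputing the
canaries for every known recipient and looking for matches.
"""
import hashlib
import hmac
import re

# Constructed sample of "real" customer records (fictional values).
CUSTOMERS = [
    {"name": "Ann Example", "email": "ann@example.com", "card_last4": "1234"},
    {"name": "Bob Sample", "email": "bob@example.org", "card_last4": "5678"},
]

CANARIES_PER_COPY = 2
CANARY_DOMAIN = "example.net"  # assumed never used by a real customer


def _tag(secret: bytes, recipient: str, index: int) -> str:
    """Deterministic per-recipient, per-slot token: 12 hex chars of an HMAC."""
    msg = f"{recipient}:{index}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def canary_records(secret: bytes, recipient: str) -> list:
    """Synthetic records planted in this recipient's copy of the data."""
    out = []
    for i in range(CANARIES_PER_COPY):
        tag = _tag(secret, recipient, i)
        out.append({
            "name": f"Canary {tag[:4].upper()}",
            "email": f"c-{tag}@{CANARY_DOMAIN}",
            # Derive a plausible-looking 4-digit value from the tag.
            "card_last4": str(int(tag[:4], 16) % 10000).zfill(4),
        })
    return out


def seed_dataset(records: list, secret: bytes, recipient: str) -> list:
    """Copy of `records` with the recipient's canaries mixed in (not appended at the end)."""
    seeded = list(records) + canary_records(secret, recipient)
    seeded.sort(key=lambda r: r["email"])
    return seeded


def attribute_leak(leaked_records: list, secret: bytes, known_recipients: list) -> list:
    """Recipients whose canary emails appear in a leaked set of records (sorted)."""
    leaked_emails = {str(r.get("email", "")).lower() for r in leaked_records}
    hits = set()
    for recipient in known_recipients:
        for canary in canary_records(secret, recipient):
            if canary["email"].lower() in leaked_emails:
                hits.add(recipient)
    return sorted(hits)


def scan_text_for_canaries(text: str, secret: bytes, known_recipients: list) -> list:
    """Same attribution over raw text (e.g. a paste), for the 'scan web sites' step."""
    found = {m.lower() for m in re.findall(r"[\w.+-]+@[\w.-]+", text)}
    return attribute_leak([{"email": e} for e in found], secret, known_recipients)


if __name__ == "__main__":
    secret = b"constructed-secret-key"
    partners = ["partner-a", "partner-b", "cloud-x"]
    copy_for_b = seed_dataset(CUSTOMERS, secret, "partner-b")
    print("attributed to:", attribute_leak(copy_for_b, secret, partners))
```

Two details matter in practice. The canaries must look like the surrounding data (the `card_last4` derivation is there for that reason), and the secret must be protected at least as well as the data it watermarks, since anyone holding it can recompute which records are fake.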