It’s the end of January, which means my favorite day of the year is coming up. Yup, Super Bowl Sunday. It’s a huge bummer that the Falcons couldn’t close it out in the NFC Championship, but it was a great season nonetheless. But now on to the important stuff. We will be hosting our 8th Super Bowl party, and we get pretty festive. After this many years we have it down to a system. Pretty much.

This past weekend we consulted the running list of who brings what. We track what went fast last year, so we can ask for more. And we also note what was left over so we don’t have too much surplus. For instance, a few years ago we mowed through 150+ chicken wings. This past year we barely consumed 75. For some reason, the wing surplus seemed to correlate to when I stopped eating meat. Go figure. I got plenty of beer, and I am prepped to drink my annual Super Bowl Snake Bite. Or 10. Though it should be interesting this year, as XX1 will tell me at least 10 times that drinking is bad for me and I should stop. I usually just smile and go back to refill my glass.

Unfortunately we don’t have infinite space at the house. As it is, we invite some 25 families, which usually equates to 80-90 people. It’s friggin’ packed, which is great. But we do have to make some tough choices, as we can’t accommodate everyone. At this point we have RSVPs from most of the folks we invited. But there are always those stragglers we need to chase for the RSVP.

So as my head was about to hit the pillow Monday night, the Boss came in to wish me a good night. Or so I thought. That’s when I learned about the email faux pas where she meant to send a note to confirm attendance, but she actually sent the email to someone we didn’t invite. Oops. Email autofill fail. I hate when that happens. What to do? What to do? We can’t accommodate any more folks or the fire chief may make a visit.

I thought about making light of the situation, and saying it could be worse. Then telling her the story of the poor sap in a big Pharma company who inadvertently sent poor clinical test results to a NY Times reporter with the same last name as his intended recipient. That was a true email autofill fail. In comparison, this situation was pretty minor. But I though better of it because at that moment it was a problem.

Turns out serendipity comes into play sometimes – we had a spot open up for our inadvertent invitee. Which is probably the way it was supposed to happen. We have randomly run into that family around town twice in the last two weeks, so the universe clearly wanted us to invite them to the party. Hopefully the Boss learned the old carpenter’s adage – measure twice, cut once. Or the modern day version: check the recipient list twice, hit Send once.


Photo credits: Fail Road originally uploaded by Dagny Mol

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Alien invasions and intelligence-driven integration: Here is a good thought provoking piece by EMA’s Scott Crawford about what he sees ahead in 2013. Much of it is about the need to share information better (intelligence) and deliver integrated defenses. Scott was very early on the Security Big Data bandwagon, and this makes some of those concepts more real and tangible. Thankfully Scott provides some cautions on our collective ability to do the things we need to. For a while I worried that Scott had been taken over by an overly optimistic alien – from a planet where they actually get folks to work together, share bad news, and deliver an end-to-end solution. Clearly that is nothing we see on Earth… – MR
  2. *Forget plastics: the future is automation: Automation. Automation. Automation. Did I say Automation? As we continue our advancement to the cloud and the continual decoupling of assets from the underlying infrastructure, the only way to manage these environments is through extensive automation. Actually, we have always needed more automation, but it sort of worked as well as a square wheel. Thanks largely to cloud computing, IT operations is making massive strides in automation, as indicated by VMWare investing $30M in Puppet Labs. Puppet Labs produces Open Source software for managing application and system configurations based on templates, at massive scale (that’s a simplification but you get the idea). Why am I writing about it here? Because security is woefully behind on these advancements, led by dev and ops, or DevOps (see what I did there?). We know how the story ends when security can’t scale and adapt as quickly as the rest of the organization. The Texas Chainsaw Massacre seems tame by comparison. – RM
  3. Identity calculus: DBA Village is one of my favorite Oracle blogs. It offers a lot of pragmatic information on how to administer Oracle, and they have a handful of very knowledgeable people who take on all technical questions, no matter how hard or obscure. But I was shocked this week when someone asked how they integrate LDAP with Oracle to handle authorization duties, and the response was to contact Oracle and hire a consultant for 5 days. LDAP integration is critical for central identity management, and something organizations have been doing for a decade, but it remains a pain in the, well you know… For those of you who thought Identity Management was a solved problem, think again. It’s easy to see why there is a market for IDaaS providers as more applications and database services move to the cloud. – AL
  4. Moving Targets ‘R’ Us: I love the breathless tone of the mainstream press when technological innovation comes along. This week’s fainting spell comes from The Economist: Watch This Space. The next tech battleground may be your wrist!!!!!!!! Sigh. You’re absolutely right, there will be a battleground – but it won’t be limited to your wrist. By now the average card-carrying hipster technorat exists in a veritable cloud of digital radio frequency noise. Between the trifecta of MacBook, iPad, and iPhone, one person might be carrying 8 active radios at one time. Add in the Nike Fuel / Jawbone UP or Fitbit Ultra (easy to lose) for another radio, but who’s counting? If it’s an over-quantified hipster there will be a heart-rate monitor as well. All these radios running represent a huge attack surface – usually fronting some of your most personal and private information. I won’t worry though – I’m a “Hacker Backer” of the Pebble Watch and I have been wearing an extra target on my wrist since mid-December. What has two thumbs and is a card-carrying member of the hipster technorati? This guy right here! – JA
  5. You say privacy potato: What’s the difference between marketing and Phishing? Both are ways to entice you you do something – perhaps buy a product you don’t need. Both appeal to your interests to get you to act a certain way. Both place unwanted software on your machine. Both collect information about you – directly and surreptitiously. And I’m willing to bet it’s data you would not provide to anyone if you had the choice. So I ask myself one question when contemplating Facebook’s new Graph Search and how it helps phishers and attackers (otherwise called markets of ill repute) identify promising individuals. I can’t figure out how this is different than ‘marketing’, or how the post differentiates the activity of attackers. Data mining, targeted ad placement, tracking software, browser framing, code alteration and manipulation, have all been going on for a long time in the service of both kinds of ‘marketing’. Why the sudden worry about phishers when we have long opened doors to shady and reputable companies alike? I am all for privacy and security, but we are not fixing issues of CSRF or XSS in the browser for the same reason no one will stop collecting and mining personal information. It benefits others without penalty. – AL
  6. Fight the future: Any new security technology introduces new vulnerabilities. Repeat that sentence until it becomes clear. That’s the nature of attack surface – no matter what you add it grows. One thing that annoys the heck out of me is the rash of FUD that hits any time a new technology shows up, usually with a few ripe quotes from various security vendors or researchers who are still worried the wheel will enable attackers and reduce the ability of leg-limited responders to catch them. But I don’t mind articles like this one on Software Defined Networking which list specific concerns and potential mitigations (note: the author works for a network vendor). SDN is already here, even if you aren’t using it, and it introduces new risks we need to keep an eye on and plan for. But the train has left the station, and no amount of FUD will change that. But risk is no reason to block adoption completely. – RM
  7. What does quantum have to do with it? When I read an article called The Five Skills of the Quantum IT Professional, it’s pretty exciting. Can they levitate? Redirect bits using telekinesis? There must be some magic to call something Quantum, besides a terrible Bond movie, right? Of course, the author is really talking about some of the softer skills needed to perform IT at a high level. Stuff we have been talking about for years. Novel ideas like having skills in financial management, critical thinking, marketing, and collaboration. Come on, man! This isn’t the world of COBOL any more, and every employee needs to understand and know about the business. Not just their little slice of the world – whether it’s IT, security, marketing, or manufacturing. Without business context employees cannot be expected to make rational decisions for the business. Duh. – MR